Domain: clamav.net
Stories and comments across the archive that link to clamav.net.
Comments · 177
-
Re:You need to learn to read... apk
According to virustotal.com it says:
ClamAV Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documen... . Symantec reputation Suspicious.Insight
Sounds like malware to me.
-
Re:Why are there no FOSS antivirus programs?
The fact is, researching new viruses and maintaining up-to-date signatures requires constant work, which means the need for paid employees. This is really something that should be a collaboration between all the governments of the world and provided for free, thus facilitating far greater FOSS anti-virus solutions. As it is, it's just not something that's interesting enough for anyone to want to do as a hobby. Add to that the fact that those of us running FOSS operating systems don't use anti-virus software in the first place. I think the last time I had an anti-virus application running on my own machine was in the late 90s.
-
Re:Very good
If you truly believe this are you using ClamAV?
-
Fun/Sad Facts
Did you know that, as well as openDNS, Cisco has acquired and virtually abandoned:
SpamCop.net - 2007
Snort - 2013
ClamAV - 2013
All great projects when Cisco bought them and now circling the drain.
-
Re:We need community alternatives
There's always one of these posts: "I need somebody other than me to make an open alternative for me".
Truecrypt was a community project as is its successor. Not to mention Linux and the like. There is no question this model works at this point.
Well actually there is: if the model works then after all this time why is there no competitive product? The answer is that the model is really, really slow at making progress and even the most widely used projects are woefully under-resourced.
At the point that you ask who specifically will do it the answer is always "somebody will" or "the community will", but ultimately this is wrong. The ability to audit and verify is fantastic but unless the right people actually do it there is little benefit. What project is verified secure?
We need something similar for anti-virus/general security software for non technical-people.
We already have such things, they just aren't that good.
Let the community have an option that we can rely on as being non-backdoored
Who are you begging to let the community have it? If you want it then go for it, start it yourself or pay somebody to do it, that's the open source model. Not just beg somebody else to do it for you.
-
Re:I sure the EULA will tell me I can't do anything
I have to admit I'm not an expert but I believe they are just using: http://www.clamav.net/lang/en/ to implement File Quarantine.
-
A free anti-virus that isn't MSE...
Clam AntiVirus - http://www.clamav.net/
-
Re:Who still pays for antivirus?
There's also the GPL-licensed ClamAV, which has a Windows version called Immunet which isn't half-bad.
-
Re:Passing on Viruses
You're probably thinking of ClamAV http://www.clamav.net/
-
ClamAV/Immunet
http://www.clamav.net/ Used this around 5 years back when I was in Uni. I recommended it for the university mail server which was running Linux. Worked pretty well... the number of malware on email dropped to zero in a day. Not sure about its effectiveness in the modern day but it is cross-platform, with the Windows equivalent being Immunet (runs the same engine).
-
Re:ClamAV, Open Source Antivirus
What about false positives?
do you remember 9/1?
-
ClamAV, Open Source Antivirus
OK, the usual caveats apply about logic bombs hidden in open source, but still, at least when the source is open you have a fighting chance at discerning a backdoor.
http://www.clamav.net/lang/en/
There's a Windows version, too (Immunet):
http://www.clamav.net/lang/en/about/win32/
-
Re:Read the little ".whatever"
Maybe it's because I'm using MailScanner and ClamAV.
-
Re:ClamAV is a big deal
ClamAV's main use is the Unix/Linux/BSD version for running on mail servers, but it also has the cool mode of scanning directory trees on Samba file servers for Windows clients. The virus definition databases it uses are updated multiple times a day and are automatically downloaded. I have several customers that have been using it for years; it does catch the bad wares and moves bad files to a holding directory. It understands the common archival and compression, executable, and document formats.
-
Re:Well Mr. Bigmouth Smartypants
-
Re:Noscript wins again
I have had fine results from ClamAV for Windows. The underlying engine is GPL and cross-platform, and it uses a peer-to-peer network to share virus signatures between users, so your virus definitions are always up-to-date. This requires negligible bandwidth.
I'm uncertain how it avoids corrupt data being shared, but it seems to work well. I've run several suspicious executables on virtual machines to test it, and it quarantined each of them. Strangely, it also gives the standard AV false alarm on many key generators.
That shouldn't be a problem here, since we all only run properly licensed software, right?
;)
-
a good Open Source Windows AV alternative
ClamAV for Windows is a great alternative to AVG/Symantec, and it's also, of course, free of charge. I use the Linux version on my Linux boxes and the Windows versions on the Windows boxes I maintain.
-
Maybe ask a clamav virus signature author...
...if they know of a good virus candidate?
-
Re:Once again Linux
Virus scan on a Linux box? Huh? What am I missing here?
You can use ClamAV on OSX or Linux, in case you get a USB drive that you might have to connect to a Windows PC at some point. No use being a carrier.
-
Signature size limit
Read the story.
TFA is unclear.
Just go to the primary source (and note that the warning dates back to October 2009).
They didn't just disable new updates. They disabled the Antivirus engine altogether.
There isn't such a thing as the ability to remotely disable the engine. There's no such thing as a built-in remote kill switch.
Simply: up to .94, ClamAV can't have signatures much longer than 900-something bytes in an incremental update.
Up until now, they haven't needed such long and complex signatures yet.
But now they need to be able to ship such signatures (they enable more complex detection algorithms).
Thus 2010-04-15's update contains a longer signature.
If you don't update the signatures and use an older file, or pull the whole signature file instead of the incremental backup, the outdated ClamAV will still work.
If you update, the signatures will cause ClamAV to output an error message.
That's all of it.
Given that:
- .94 is two generations old (current is not .95, but .96)
- the warnings date back to October (ample time for admins to react)
- they always insist (and even display warning messages from ClamAV itself) that the best protection is to always use the latest ClamAV version
- they need the ability to do longer-than-900 signatures soon; it's important for complex detections
- non-incremental updates are not an option due to the excessive stress they would put onto the mirror servers
...their action doesn't seem illogical.
The alternative would be to keep refraining from using the long signatures, although they are needed for complex detections, on the grounds that there are still a couple of admins still using .94 despite all of the above. Or start distributing long signatures in full signature files and kill their mirror servers.
-
Re:Well, YOU had 6 months...
If you had joined their announce mailing list you would have known about this issue 4 times over the last six months.
-
Re:So you had 6 months to upgrade
And they also sent out 4 separate e-mails to their announce mailing list over the last six months with the most recent last week. See the archives at http://lists.clamav.net/mailman/listinfo/clamav-announce.
-
Re:Alternative
I mentioned this in a reply above....
Is there a reason that you were subscribed to their announce mailing list? If so, you would have known about this issue months ago. Plenty of time to upgrade/test/deploy even in the most restrictive environments.
See http://lists.clamav.net/mailman/listinfo/clamav-announce for the archives and subscribing information.
-
Re:Alternative
Join their announce mailing list at http://lists.clamav.net/mailman/listinfo/clamav-announce and you will be notified about these types of things.
-
Re:Alternative
Any reason that you did not do what the organization requested?
From http://www.clamav.net/lang/en/download/sources/ it states:
Please subscribe to our freshmeat project page or clamav-announce to receive notifications of new stable releases and RCs.
They sent out a couple of notices about what was going to happen.
I will give the poster a little leeway in that this notice is only on the source download page and not the parent download page or the other distribution download pages.
-
Re:So you had 6 months to upgrade
-
Re:Alternative
Uh, it HAS been filling your log files with warnings about upgrading for months, if not years. It's pretty f'ing explicit:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
--Quentin
-
Re:So you had 6 months to upgrade
So you had 6 months to upgrade and you didn't, and now are going to complain when shit doesn't work?
No, but they'll complain (rightfully so) when the developers issue a "killswitch" command causing the software to quit working. So it's not like the servers disappear and stuff broke from obsolescence, they issued a command to the servers and had the software shut itself down (documented here).
-
Re:Alternative
It's quite a bit more extreme than just shutting down one of their servers. They issued a final "signature" update that literally caused each installation of that version to stop functioning.
From the announcement:
Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 - that is to say older than 1 year.
-
*Correction*
The method SourceFire chose to use was to encode a kill command in the ClamAV updates. If they had simply "shut down the [update] server" ClamAV would have continued to work, just without new signatures.
See their announcement at http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
-
Cloud Immunity - ClamAV
ClamAV is using Amazon's EC2 cloud. Real-time (upon execution) scanning, scanning on install, and scanning on service startup, as well as removal/quarantine. You do have to be connected, however, for the hash and heuristics checks to work. But best practices are much better than any AV any day. Don't use IE, don't run as admin, it is that simple: http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html -rich
-
ClamAV
I use ClamAV and now they have Windows client. http://www.clamav.net/
-
Re:Public Defender
-
More like 0% here
As an Ubuntu user, I can say precisely 0% of the software on my PC is pirated AND I have no issues with malware, viruses, trojans, etc. (according to ClamAV anyway). In fact, probably 99% of the software I run is free & open source. The only proprietary software I use for the time being is Adobe Flash and the ATI Radeon driver, both legally obtained.
I know we'd all like to say that there is no link between illegally copied software (I refuse to use the word "pirated") and malware, but I'm sure we've all seen instances where relatives' PCs got infected by software downloaded from Kazaa, etc.
What really surprises me is that, when given the choice between maybe catching viruses or getting prosecuted for downloading/installing illegal software and using the free and legal open source equivalent, so many people still choose to download their software illegally. I have to say, as a full-time user and software developer, Ubuntu's offering is really, really well put-together and a pleasure to use.
-
Re:Law enforcement
What about this?
-
Opensource and antiviruses
Except that Linux and Mac users aren't immune to viruses, they just aren't the big target. {...} As those OS's {...} gain position in large targets (corporate servers), they too will become larger targets.
Given the huge proportion of *servers* already running some flavour of Unix or another, POSIX-compatible environments *are indeed* a pretty juicy target for evil-doers, and have been for a long time.
Even more so because they are *servers* (thus run mostly unattended, are connected to the interweb with a "phat pipe", and might contain a lot more interesting private data).
And indeed there are efforts to attack machines running Linux and other unices. Lots of efforts.
The only problem is that the standard way unix-like OSes are organised makes them much more difficult to attack.
- For one, nobody runs everything as root, unlike Windows where 99.99% of the machines only have 1 single "administrator" account.
- Files aren't executable by default, but require a further step to be validated as such (except for the recent exploit of shortcut formats featured on /.)
- The unix-like world is much more diverse than the Windows world. People are complaining of the byzantine complexity of Vista flavours. But technically, under the hood they are the same beast, with a different set of limitations put on by the marketing department. The same exploit would work against any of them. Whereas, in the OSS world only, you have countless different distributions of Linux (*several* of which are widespread) and multiple versions in the *BSD family. Next to that you have also big variations in the commercial unices. You can't just have "one kernel exploit to rule them all".
- And in addition to that, most of the users happen to be a lot more technically educated (although *that* is something that can get diluted once Linux gets popular).
Thus to be able to gain access to juicy bits requires much more complicated and contrived means, in a territory which offers a lot less exploitable bits.
A widespread virus outbreak on Windows is something really simple and sometimes entirely automatic, like Code Red.
Pwning a unix machine often requires a multi-staged approach and is most of the time something done by hand, trying to adapt the steps to the peculiar combination of factors found on the target.
In fact, if you are working in a secure environment, *every machine* must have antivirus software installed, if it's available for the OS.
Well, someone has still to be able to detect and notify which of the other bozos has an infected machine.
Most of the servers at your ISP will probably run Linux or some other unix-like OS. Nonetheless these machines will have at least one antivirus software (and sometimes several) in order to be able to stop infected e-mails, or be able to detect if you start to send contaminated mails.
Norton AV for Mac. {...} McAfee offers Linux/Solaris as well as Windows too.
Well, if you want to give an example of AV running on Linux, then you should have kept with the open-source spirit and also cited ClamAV, which is quite widespread on email servers, has a very fast response time in case of new threats (and also a couple of handy plug-ins for desktop use), and is entirely free and open-source.
In addition to detecting viruses (mostly other OSes'), a proper shielding of a unix box should also comprise good root-kit detection software, such as rkhunter and chkrootkit.
-
or other way..
you could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (also many other security sites, see list here http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't, then ConfickerC is probably blocking them. I'm not sure this would work for cached domains, though.
-
Re:It's sad...
-
Um...
So use protection.
Or stop truncating titles into something ambiguous, I guess.
-
Just get ClamAV!
Granted, it's not aimed at the "desktop market" and as such won't have those fancy screens with a big "scan now" button. I can see that this will put some people off. But for all of us who don't care for those fancy-pancy features and focus on functionality, I'd suggest looking at ClamAV for Windows.
I've been using this on my computer at work for some time now and I have to say that it is a lot less irritating than most other products. There is one caveat: be sure to grab the PThreads DLL since ClamAV depends on it.
-
Re:One Word
I mention this because there is a Windows client that uses the same FOSS engine -- ClamWin.
And if you want clamd for windows use this "official" Win32 distribution, always an engine version behind, but is much better suited to servers and knowledgeable users than clamwin:
-
Re:Agreed
AFAIK, the only free AV products whose license permits business use are:
- Comodo - Still in beta, lots of false positives. Configuration is all in local text files, so some level of remote management is possible, but they certainly don't provide the tools for it.
- PC Tools - Requires interaction from the user to do updates, so not a contender.
- ClamAV is free of course, but does not provide a scan-on-access monitor. More suitable for mail servers than workstations.
- Winpooch - uses the ClamAV engine for on-access scanning, project seems dead, never tried it.
- Spyware Terminator - Also does AV using the ClamAV engine. I'd never heard of this one before today, and unfortunately their site design looks a little on the fly-by-night side. They offer a corporate edition with central administration for the wacky price of $2 per seat per year.
-
Additional malware detection tools
In addition to the other tools mentioned by /.ers, there are 2 root-kit checking tools that are worth mentioning:
- chkrootkit
- rkhunter
They are scripts that scan the system for known root kits, weird behaviours and hidden files in unusual places.
They can both be used to scan an offline system (booted from a live-CD and the system mounted under some directory),
and a live online system (they check the system for suspicious behaviour that may reveal a root-kit trying to hide itself; for example, the "ps" command not showing the same processes as the "/proc" directory could mean a root-kitted "ps").
They are available in a lot of distributions (Debian Etch has them in the repository; probably the corresponding Ubuntu has them too) and the packages usually come with "cron" entries that can automatically scan the system and email a report to the administrator.
They are also downloadable and installable from their websites and feature configuration files that cover the most frequent distributions.
You should install them, run some initial checks (eventually edit the script to remove some false positives, i.e. hidden files about which the script complains but which are a normal part of the system), and add crontab entries to do daily checks and e-mail you positive results.
This will help you against having your server rootkited.
-----------------------
Another tool worth mentioning is ClamAV.
That's an open-source signature-based virus scanner, whose makers have been praised for their very fast response time in case of new emerging threats.
You could set it up to periodically check files in the directories that are served. (/srv/www, /srv/ftp, etc.)
The scanner is not very fast, but supports some specialized-hardware acceleration (it might be worth considering if the server is rather important, and gets significant mail traffic too). Some teams are also working on GPGPU hardware acceleration (mentioned in nVidia's book "GPU Gems 3").
This will help you get some protection against websites that you're hosting that may have been hacked into (with bugs in PHP pages, for example) and are now serving malware.
-----------------------
Because of the way malware evolves, you may have to upgrade the above software to later versions than those shipped with your OS.
Some distributions propose it in their security updates.
For Debian, keep in mind that this kind of "later version requirement" package goes in the "volatile" repository and not the "security" one; modify your sources accordingly.
("security": we keep the exact same version for stability reasons and only patch critical errors.
"volatile": for security reasons, some packages (mostly various scan engines) may require updating to a later version.
"volatile-sloppy": warning, the packages are really different. b0rkage of config files may ensue (mostly software like gaim/pidgin).)
This is a page with a top 100 of various security tools which may also inspire you (for example they mention a webserver scanner called Nikto).
Also, always keep in mind that a compromised machine is not a machine that you can trust. Thus in addition to creating new entries in your crontab, you should also test your machine offline as part of the security checks.
For example, occasionally, when you have to take your server offline for planned updates (rebooting to a newer kernel version or non-hot-pluggable hardware upgrades) you may want to scan your system while booting on a LiveCD, in case the root-kits are efficient enough to go undetected once they are active.
(That is, if the conditions allow you to perform such a scan: the machine is physically accessible, you can plan in the
-
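The cron-driven check that the comment above describes, written out as an added example (it is neither the commenter's nor the ClamAV project's code): one script that runs clamscan over the served directories, runs rkhunter when it is installed, mails the administrator only when something needs attention, and, because the 0.94 end-of-life replies further up quote the "LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***" lines that admins kept ignoring in their logs, also flags that warning as an alert condition. The directories /srv/www and /srv/ftp come from the comment; the recipient address, the log directory and the script's install path are assumptions.

```shell
#!/bin/sh
# Added example: daily malware check for a Unix host serving web/ftp content.
# Not the ClamAV project's code. SCAN_DIRS come from the comment above;
# ADMIN_MAIL and LOG_DIR are assumptions, override them from the environment.

SCAN_DIRS="${SCAN_DIRS:-/srv/www /srv/ftp}"      # served directories (from the comment)
ADMIN_MAIL="${ADMIN_MAIL:-root}"                  # assumed recipient
LOG_DIR="${LOG_DIR:-/var/log/malware-check}"      # assumed log location

# count_infected LOGFILE: number of "<path>: <signature> FOUND" lines clamscan wrote
count_infected() {
    grep -c ' FOUND$' "$1" || true
}

# infected_files LOGFILE: the flagged paths, one per line
# (greedy match before ": " keeps paths that themselves contain ": ")
infected_files() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

# engine_outdated LOGFILE: succeeds if libclamav warned that the engine is outdated,
# i.e. the warning quoted in the 0.94 end-of-life discussion
engine_outdated() {
    grep -q 'LibClamAV Warning: \*\*\* This version of the ClamAV engine is outdated' "$1"
}

# run_scan: one cron run; prints a one-line verdict and mails the log if needed.
run_scan() {
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/scan-$(date +%Y%m%d-%H%M).log"

    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed" >&2
        return 2
    fi

    # -r recurse, -i list only infected files; stderr is captured so the
    # libclamav warnings land in the same log. Exit: 0 clean, 1 infected, 2 error.
    clamscan -r -i $SCAN_DIRS >"$log" 2>&1
    rc=$?

    # rkhunter if present: --sk skip keypress, --rwo report warnings only
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --sk --rwo >>"$log" 2>&1 || rc=1
    fi

    needs_mail=0
    if [ "$(count_infected "$log")" != "0" ] || [ "$rc" -ne 0 ]; then
        needs_mail=1
        echo "ATTENTION: rc=$rc, $(count_infected "$log") infected file(s); see $log"
    else
        echo "clean: $log"
    fi
    if engine_outdated "$log"; then
        needs_mail=1
        echo "ATTENTION: ClamAV engine is outdated; upgrade before the next signature update"
    fi

    if [ "$needs_mail" -eq 1 ] && command -v mail >/dev/null 2>&1; then
        mail -s "malware check on $(hostname): attention needed" "$ADMIN_MAIL" <"$log"
    fi
    return "$rc"
}

# Scan only when asked, so the helpers can be sourced or tested without scanning.
# Assumed crontab entry:  0 3 * * * /usr/local/sbin/malware-check.sh run
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

Mailing only on a non-zero exit or an outdated-engine warning keeps the daily report from becoming noise that gets filtered away, which is exactly how the 0.94 warnings went unread; a clean run still leaves its dated log under LOG_DIR for the offline checks the comment recommends.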
Re:Sure, right, yeah...
If that's so, then why are so few FOSS applications widely adopted?
You're kidding, right?
OpenOffice.org
Mozilla Firefox
Clam Antivirus
BitTorrent
Apache Web Server
MySQL Database
PostgreSQL Database
I could go on, but my fingers are getting tired...
-
My god...
First, there's open source, which is great if you can remember to scan your hard drive every now and then. (I keep waiting for someone to bundle this on a boot CD.)
Then, for more sophisticated protection, there's avast and AVG. Of course, these mostly focus on anti-virus.
I recommend Avast, and I use Clamwin, because the only place a virus scanner really helps someone with good online habits is when you've downloaded a file which you know is suspect, and you'd like to scan it prior to use.
On the anti-spyware front, there's Spybot S&D, which has been known about for ages, and is still good.
The reason McAfee sucks isn't necessarily anything to do with its relative security, vs Norton/Symantec or anyone else. It's that the others are so much smaller and lighter -- McAfee and Symantec are both bloated performance hogs -- something you really can't afford on something that runs in the background 24/7 -- and Norton in particular is buggy as all hell -- something you really can't afford on something that controls every file access and network connection.
And all of them are completely unnecessary, now that there's so much out there as good or better, and free (for home use, at least).
The reason for the subject "My god" is that you're on Slashdot and you need to be told. I thought it was public knowledge already; guess not.
-
Yeah
There's actually two versions:
ClamAV for Windows, a simple command-line utility
ClamWin, which I use. It has a GUI and scans on demand. It can also run scheduled scans/updates. While it is far less intrusive than most antivirus programs, it does put an icon in the system tray for doing the scheduled stuff, and there's no option not to run it at startup. It can be removed easily enough by removing the startup entry using autoruns or regedit, though.
-
Re:Flashblock is great
I wonder what the natural progression would be like? Trojans perhaps? It helps to be prepared.
-
ClamAV
And how will they compete with Free software anti-virus?
Actually, by cheating ;-)
Funny little anecdote in the world of virus scanning (harmless although dishonest).
ClamAV is such an open-source virus engine (with ClamWin as a Windows port).
There have been several studies done about it (links on ClamAV's site) which reported that ClamAV, despite not being a non-commercial project, has among the fastest response times when new threats emerge.
The studies also surprisingly uncovered a small cheat: some companies did small updates that didn't bump up the signature release number, but that included the new virus detection. Normally such non-upped releases should be reserved for modifications of the sig library that don't affect the number of detected viruses (like repacking the data more efficiently or whatever). But the companies nonetheless tried to slip in newer sigs, hoping that users would not notice it. When doing a retrospective study, unsuspecting users will read that virus XYZ is detected since Sig-file release A.B.C and they will see that Sig-file release A.B.C was released on YYYY-MM-DD HH:mm, thus will come to the conclusion that the virus was detected earlier than the concurrence. (Source, paragraph "A dirty little secret".)
But anecdote aside, ClamAV is a nice anti-virus engine, that has plugins (either bundled in or 3rd party) that enable on-the-fly scanning of data at usual entry points (ClamAV is popular for mail filters in Unix. ClamWin has plugins for mail clients and Firefox's downloader, etc.) and is nice stuff to put in the "post-download script" of your usual peer-2-peer software. Please note that ClamWin still lacks an on-access scanning mode (although some 3rd party applications like Winpooch can start the scanner before executing or reading files).