Hook for Clamwin ??? DONE using Fluffy! Details in post

This forum contains features that have been archived. This section contains implemented features, duplicate requests, and requests which we have decided not to implement.
Lechuga
New user
Posts: 16
Joined: 2004-04-30 12:32
Location: Madrid, Spain

Post by Lechuga » 2004-05-14 10:17

Martin,

Do you think you could code a hook for Clamwin into 3.0 RC2/3???

You can run it as a command line scanner and it returns an exit code, and I quote from the author:
for command line parameters please run "clamscan.exe --help". You need to specify at least "--database=c:\program files\clamwin\db" (that is if you installed clamwin in c:\program files\clamwin).

You can use --remove option to tell clamscan to remove the infected file and use "Check file for deletion" option. However more preferable is "Use Return Values".

The return values are:
0 - everything is ok
1 - virus found
anything else - an error
Cheers!
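
Added example, not part of the original post and not hMailServer code: one way a mail server hook could act on the return values quoted above, treating any error, timeout or missing scanner as a temporary failure rather than as a clean result. The function name `scan_verdict`, the verdict strings and the stand-in scanner are assumptions.

```python
import subprocess
import sys

ACCEPT, REJECT, DEFER = "accept", "reject", "defer"


def scan_verdict(scanner_cmd, path, timeout=60):
    """Run a command-line scanner on `path` and map its exit code to a verdict.

    Exit codes as quoted in the post: 0 = ok, 1 = virus found, else = error.
    """
    try:
        proc = subprocess.run(
            list(scanner_cmd) + [path],
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            timeout=timeout,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        # Scanner missing, not executable, or hung: never treat this as clean.
        return DEFER
    if proc.returncode == 0:
        return ACCEPT
    if proc.returncode == 1:
        return REJECT
    # Bad database path, unreadable file, etc.: fail closed, retry later.
    return DEFER


def fake_scanner(exit_code):
    """Constructed stand-in for the scanner so the example runs offline."""
    return [sys.executable, "-c", f"import sys; sys.exit({exit_code})"]


# With the real scanner the command would be built from the post's own flags:
#   ["clamscan.exe", r"--database=c:\program files\clamwin\db"]
if __name__ == "__main__":
    for code in (0, 1, 2):
        print(code, scan_verdict(fake_scanner(code), "message.eml"))
```
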

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-05-14 17:01

Not in 3.0... If I add such a feature 3.0 will be delayed... Only important bugfixes will be made to 3.0. But this feature will be added to 3.2.

Martin

Post by Lechuga » 2004-05-14 18:43

geek wrote: Not in 3.0... If I add such a feature 3.0 will be delayed... Only important bugfixes will be made to 3.0. But this feature will be added to 3.2.

Martin
I understand, but I don't know if I can wait that long.

nwkit
Normal user
Posts: 133
Joined: 2004-04-19 03:57
Location: Canada

Post by nwkit » 2004-05-14 18:57

you could try the fluffy virus/spam filter proxy thing...and use the free version of avg...as said in another post...

http://smtpfilter.sourceforge.net/

Post by Lechuga » 2004-05-14 20:22

Yeah, I made that post myself. But AVG has a "Resident Shield" that blocks Fluffy when it writes the file in order to scan it and hence blocks all incoming mail.

Since writing my post on Fluffy I have also found that the author has dropped fluffy and is busy coding a commercial replacement. I thought of modifying Fluffy myself (as I know enough VB and have the product to recompile it) in order to use Clamwin but the source code to the latest version is not available and I don't know what fixes there have been between versions.

EDIT: Take that back. Thank God for CVS!

Post by nwkit » 2004-05-14 20:48

oh...hehe...didn't read who wrote it...hehe..my bad..


what's cvs? hehe...

lemme know when you can get fluffy working...im still looking for some virus protection thing...

Post by Lechuga » 2004-05-14 21:09

CVS = Concurrent Version System. In non-geek lingo-bingo: A place where programmers store the code used to generate their programs. It keeps track of updated versions and allows multiple programmers to work on the same project. A repository to store software code.

I now have the source code to Fluffy 1.5.2 and will make the changes to suit Clamwin. I have also downloaded Clamwin version .34 (much improved over previous .33).

More news tonight or tomorrow morning (it's 21:00 over here in sunny Spain 8) ).

Post by nwkit » 2004-05-14 21:45

let me know how it goes... :)

it's partly cloudy with snow on ground still in Calgary... >.<

Post by martin » 2004-05-14 23:12

understand, but I don't know if I can wait that long.
Too bad. I'm sure you also understand that I won't delay and destabilize a release because of requirements from one single user. :?

Post by Lechuga » 2004-05-15 01:12

Ok. I think I have trained Fluffy to use Clamscan/Clamwin. Now I need to get a virus mailed to me... Shouldn't take long (grin).

polarunion
Normal user
Posts: 245
Joined: 2004-04-05 20:21
Location: Ottawa, Canada

Post by polarunion » 2004-05-15 06:26

keep us up to date on how that works out for you. i too am looking for a virus solution. I'm getting killed with them.. i have to check my server about 2 times daily and clear the ones that are being executed on the system whenever someone opens a message. norton has kept them at bay - for now.

Post by Lechuga » 2004-05-15 11:17

It works! Clamwin and Fluffy now protect my mail server from virus attacks... 8)

Some basic instructions on how to get it going.

1. Make sure your machine logs in automatically (autologin). You can use tweakui to set this up.

2. Install Clamwin and configure the database update, etc. Use the default settings. Make sure it's Clamwin version .34 (or newer).

3. Install Fluffy 1.4 Full Installation from http://sourceforge.net/project/showfile ... e_id=77868

4. After installation and before rebooting overwrite the existing fluffy.exe with mine (available from http://www.ebunda.com/free/dl/fluffy.zip ; source code in http://www.ebunda.com/free/dl/fluffy-src.zip ). Then reboot.

5. Add fluffy to the startup folder, so that it starts automatically.

6. Configure fluffy to use Clamwin.

Post by Lechuga » 2004-05-15 12:22

Lechuga wrote: It works! Clamwin and Fluffy now protect my mail server from virus attacks... 8)
Obviously this is no replacement for anti-virus scanners and personal firewall software on your desktop computer. It just adds an additional level of protection.

calvi
Normal user
Posts: 65
Joined: 2004-03-17 23:34
Location: Melbourne, Australia

Post by calvi » 2004-06-14 04:17

Just to let everyone know that ASSP now has built in Clamwin antivirus, as of version 1.0.10d released recently.

If you are looking to use ASSP for anti spam you can now use it for antivirus as well. Very nice as it picks up viruses in front of the SMTP server.

For me it means I don't need antivirus support in hMailserver but of course that does not mean that others would not still like it, and there is no harm in having it supported in two places.

It does mean that there should be an option in hMailserver to enable/disable this feature however.

JC.

Post by nwkit » 2004-06-14 19:56

there is a downside of the assp virus blocking though...hopefully the future version of hmailserver being released soon will scan compressed files...
It can not scan inside compressed file attachments. In some cases CLAMAV's database includes signatures for the archived viri, but many compressed viri will pass through undetected.

Post by martin » 2004-06-14 20:35

The first version will not scan inside compressed files. It will however be possible that I implement that in 3.3. I think it wouldn't be an extreme amount of work to unzip/unrar files and scan the files in them.. Not sure though.. :\

Post by calvi » 2004-06-15 00:35

This is always going to be a difficult task to implement properly.

Consider the following.

1. There is some risk that opening the file exposes the computer to the virus.
2. CPU resources are used by decompressing files, DoS attacks could be initiated by sending a lot of compressed attachments.
3. How many formats do you support, i.e. zip, arj, rar, gzip, tar etc.....
4. The compressed file may be password protected, less likely in a virus but how hard would it be for someone to password protect, then send the password in an email, perhaps even in an image to prevent automatic reading of it, and yes there are people DUMB enough to open it up.

I consider adding AV to my SMTP gateway just another belt/brace. At the moment ASSP picks up 99% of viruses just by blocking spam and attachments. I have system wide antivirus to pick up anything left that gets through, and of course to protect against people who bring it in on floppies, surfing the web etc. Adding Clamwin to ASSP will hopefully reduce the transmission to 99.9% but there will always be some that slip through.

In hMailserver its worth having AV for the following reasons.

1. For those who are not running, or don't want to run ASSP or other AV gateways.
2. It's an important feature these days when comparing to other MTAs.
3. It will be easier for less technical users to set up, i.e. works out of the box.

I would get it in there without compressed file support first. It's a lot better than nothing and you can then focus on improving it later. I know the ASSP developer has done the same and is now looking at options to scan compressed files.

Just my 2c worth anyway.

JC

Post by calvi » 2004-06-16 00:31

Just to let people know I just found in my mail system a password protected compressed virus with a gif file attached as the password pretending to be a funny joke.

Now did I have a premonition or did someone read my post and think it was a good idea?

I think neither, it just proves that they are doing it already and no AV system is ever going to be able to pick up everything.

These sorts of things need to be thought about because trying to uncompress them on the fly in an AV gateway will throw up errors. Perhaps we should treat any protected compressed files as viruses?
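
Added example, not part of the thread and not code from hMailServer, ASSP or Fluffy: a pre-scan triage for ZIP attachments covering the points in calvi's two posts above, namely decompression cost and password-protected archives. The limits and the function name `triage_zip` are assumptions, and only the ZIP format is handled.

```python
import io
import zipfile
import zlib

# Illustrative limits (assumptions, not values from the thread).
MAX_MEMBERS = 200
MAX_TOTAL = 20 * 1024 * 1024   # decompressed bytes allowed per attachment
MAX_RATIO = 100                # declared size / compressed size per member


def triage_zip(data):
    """Return (verdict, files); verdict is scan, encrypted, bomb or malformed.

    files maps member name -> bytes for the scanner, filled only for 'scan'.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "malformed", {}
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            return "bomb", {}
        for info in infos:
            if info.flag_bits & 0x1:   # bit 0 set: member is password protected
                return "encrypted", {}
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                return "bomb", {}
        if sum(i.file_size for i in infos) > MAX_TOTAL:
            return "bomb", {}
        # Header sizes are attacker-controlled, so cap the real reads as well.
        files, used = {}, 0
        try:
            for info in infos:
                with zf.open(info) as fh:
                    blob = fh.read(MAX_TOTAL - used + 1)
                used += len(blob)
                if used > MAX_TOTAL:
                    return "bomb", {}
                files[info.filename] = blob
        except (zipfile.BadZipFile, zlib.error, RuntimeError,
                NotImplementedError, EOFError, OSError):
            return "malformed", {}
    return "scan", files
```

A gateway following calvi's suggestion would reject or quarantine on `encrypted`, and would handle `bomb` and `malformed` the same way instead of passing the attachment through unscanned.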

Post by polarunion » 2004-06-25 18:23

Lechuga: I'm curious to know how your experience with Fluffy is going.

I think I'm through with ASSP. It's far too CPU intensive. Have you monitored your system with fluffy and watched how it handled larger attachments - 2Mb+?

Also, what's the software based on? Hopefully not perl.
