dennispe at inetnw
Oct 15, 2009, 9:05 PM
Post #23 of 36
(2750 views)
Permalink
|
Richard Chapman wrote:
> I am interested in Tom's list of unofficial signatures - but haven't
> found the recommended way to use the signatures. Do I need to download
> them periodically - or do I just add an additional freshclam
> DataBaseMirror directive. In either case - exactly what is the url to
> download from - or to add to the freshclam directive?
>
> Thanks
> Richard.
>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
You can the the winnow series at Steve's server using rsync. I didn't care for
any of the canned scripts so wrote my own, but the process is pretty much the same.
Create a text file with a list of signature files you wish to copy from the
site, one line for each file.
Run rsync:
WorkingDirectory="/usr/local/share/clamav/tmp"
SaneServer="rsync://rsync.sanesecurity.net/sanesecurity/"
SaneList="/usr/local/share/clamav/tmp/sane.list"
rsync -a --quiet --files-from=${SaneList} $SaneServer $WorkingDirectory
chown clamav:clamav ${WorkingDirectory}/*
This will pull down a copy of all the signature files in your list and place
them in a working directory. Because of the way rsync runs, the next time you
run it it will bring down only the changed parts of any files that have been
modified since the last download. I also change ownership of the files to my
local clamav account (which is not clamav for security/privacy reasons).
This is done in a script, of course. That script then uses clamscan to test them
for corruption and then moves them into the clamav working dir:
cd $WorkingDirectory
clamscan --quiet -d winnow_phish_complete.ndb clam.txt && \
rsync -ogt winnow_phish_complete.ndb $clamavWorkingDir || \
echo "winnow_phish_complete.ndb is corrupt"
clam.txt is a simple text file that has no virus content. The purpose is to see
if clamscan can load and use the signature file being tested. If the test
succeeds rsync is used to do an atomic move of the sig file to the clamav
working directory otherwise an error message is printed. Ownership and
permissions are preserved when the move is done (-ogt).
I use a local Unix socket to communicate with clamd and a perl script is called
at this point telling clamd to reload the signatures. I think you can use kill
to signal clamd as well, but the perl script provides a bit more feedback. This
reload step is done only after all files in the sane.list are downloaded and
tested so that it runs just once.
The script I use has a bit more finesse than this simple overview. I use a
randomizer to prevent this process from running at the same minute past the hour
each time it's run. It runs at time + rand(30). This avoids to the degree
possible my process hitting Steve's server farm at the same moment many others
around the world hit it. Hopefully nobody sets such cron processes to cardinal
points on the clock dial:
00, 05, 10, 15... Very bad form :)
I also maintain a local copy of the downloaded files in sane.list so that rsync
has a local version to compare to - this prevents a download if the file on the
server has not changed since the previous run, and also limits the downloaded
part to those bits within the file that have changed since the previous
download. This saves bandwidth at the expense of cpu time, but my experience is
bandwidth costs more.
If Steve puts all is changes at the end of the file then this can be very
efficient. If changes are scattered around the files then not so much. When
files were compressed there was not much advantage regardless of where in the
file the changes are placed prior to compressing but that's no longer an issue.
I keep track of which files have changed so I don't have to use clamscan to test
files that have not changed, nor do I bother moving them and notifying clamd if
there are no changed files.
By virtue of the way cron works, if there is any corruption in any downloaded
file, which has not happened in a good long time, BTW, the error message that is
printed is sent to root as an email and I see it immediately.
These steps are repeated for the MSRBL files as well.
dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
|
1
