Nick | Message | Time |
---|---|---|
gbell | Do you guys run AV on your ubuntu machines? | 04:39 |
blahdeblah | gbell: yes, but only for incoming mail | 04:43 |
gbell | ClamAV? | 05:14 |
gbell | @blahdeblah ClamAV? | 05:14 |
meetingology | gbell: Error: "blahdeblah" is not a valid command. | 05:14 |
blahdeblah | gbell: just use names; no @ needed | 05:15 |
blahdeblah | gbell: And yes, ClamAV :-) | 05:15 |
gbell | blahdeblah: Last dodgy attachment I ran through ClamAV came up blank. AV is so technically challenging - they run virtual machines - that I don't know how an OS project could measure up. | 05:30 |
blahdeblah | Totally true; I believe VirusTotal has an API nowadays; it would be worth checking out whether there are any filters for postfix/spamassassin which allow checking of file hashes against its API (similar to razor/pyzor, but for AV rather than spam)... | 05:31 |
gbell | file hashes don't work with modern viruses that mutate. | 05:32 |
blahdeblah | and yet VirusTotal is still a useful and viable service | 05:32 |
gbell | Don't you upload the entire binary to VirusTotal? | 05:33 |
blahdeblah | They recently added hash checking via API, I believe | 05:33 |
gbell | Interesting... you can send a hash to 'rescan' a file (I guess that just means getting the results again). https://www.virustotal.com/en/documentation/public-api/ | 05:39 |
gbell | My Win7 Virtualbox instance just got infected today. First time ever. I'm hoping they didn't crawl my SMB shares (linux host) and infect other stuff. | 05:39 |
bradm | gbell: Sophos has a linux agent, at $WORK[-1] we had exim piping things through it first before delivery. not sure how feasible that is for home though, no idea on pricing. | 05:41 |
bradm | https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx | 05:41 |
bradm | there you go, free. | 05:42 |
blahdeblah | bradm: That might even be worth having a play with | 05:45 |
bradm | blahdeblah: my knowledge on how it runs is several years old, so I couldn't comment on how good it is these days, but it's free, what could you lose other than time? | 05:45 |
bradm | you could probably even run both clamav and sophos via spamassassin or something, not sure how well the free version plays with others though | 05:46 |
blahdeblah | gbell: Do you know anything about the infection vector on your Win7 box? One thing we used to do at $job - 1 was run an AV filter on the local squid proxy; it had surprisingly little impact, and still picked up quite a few drive-by downloads. | 05:46 |
blahdeblah | bradm: I use amavis, and that definitely supports setups like that | 05:47 |
bradm | blahdeblah: depends on how well the sophos agent does integration I guess | 05:47 |
blahdeblah | pretty sure it's supported out of the box with amavis | 05:48 |
bradm | that's great then, should work nicely. | 05:49 |
bradm | ah, they want name and email details to download it | 05:50 |
blahdeblah | understandable; they need to be able to spam you, right? :-) | 05:51 |
bradm | totally. | 05:58 |
gbell | blahdeblah: yeah, downloaded/installed 7zip, resedit and chromium today. I think it was one of the first two. | 06:24 |
gbell | oh, fun, the 7zip I downloaded (from their site) shows up on Virustotal: https://www.virustotal.com/en/file/543457ec106a47cf74e0f6f84a40acefcc5d0faee909266745008fa9ab3a5681/analysis/ Could be a false-positive... the names of the malware are different than what MS Security said I had (Win32/Hadsruda!bit) | 06:28 |
gbell | Correction. resedit, not 7zip. | 06:32 |
blahdeblah | gbell: Malware names vary quite a lot from vendor to vendor | 07:27 |