ClamAV Forced Upgrade Breaks Email Servers
An anonymous reader writes "A couple of weeks ago Sourcefire announced end-of-life for version 0.94 of its free ClamAV antivirus package (and in fact has been talking about it for six months). The method that Sourcefire chose to retire 0.94 was to shut down the server that provided its service. Those who had failed to upgrade are scrambling now. Many systems have no choice but to disable virus checking in order to continue to process email. I am very glad I saw the announcement last week!"
*Correction* (Score:5, Interesting)
The method Sourcefire chose to use was to encode a kill command in the ClamAV updates. If they had simply "shut down the [update] server" ClamAV would have continued to work, just without new signatures.
See their announcement at http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
Re:So you had 6 months to upgrade (Score:5, Interesting)
Kinda my attitude, too. Had this affect a bunch of servers yesterday. Started researching, found the cause, and solved the problem in 30 minutes on 35 or so servers. Totally my own damned fault for not staying upgraded. Worst impact was that messages were delayed on a few mail servers for half an hour and uploads to a handful of webservers threw errors because of the way I scan them. Users tried again. Problem solved.
Re:Alternative (Score:5, Interesting)
It's more complicated than that.
Older versions of clamd were going to crash on signatures that newer versions would accept, and they have been prevented for at least 6 months from using that type of signature. They have posted since then for people to upgrade.
What they did was publish this type of signature (has to do with length, greater than about 900 bytes), where the signature itself is an error message, so when the program dumped the signature the error would be displayed.
That's all, not a kill switch as such, but using a known bug to deliver a message, rather than have it just bomb out with a hex dump when they tried to use a larger signature.
Re:Alternative (Score:2, Interesting)
Yep, and when did they post that? 6 months ago. McAfee recently gave us 2 months notice at work that pre 8.x client would no longer be supported - not a problem as 7.1 was eol ages ago - since then there's been 8.0, 8.5 and currently 8.7 which we're moving to.
No big deal for those who properly manage their systems.
Who uses it anyway? (Score:2, Interesting)
I'm likely to be modded down by open source zealots, but using ClamAV to solely protect Windows PCs from malware spread by e-mail is insane. ClamAV has one of the lowest malware detection rates amongst other commercial AV solutions. I tested my own sample of around 140 new viruses found on different Windows PCs during the last six months and ClamAV could detect only 70 of them. That's ridiculous ... and fearful, to say the least.