[clamav-users] ClamAV perform monitoring of traffic
Hello,

Please advise if ClamAV performs monitoring of traffic, including encrypted traffic?

Regards,

Will
Re: [clamav-users] ClamAV perform monitoring of traffic
Hi there,

On Sat, 28 Nov 2020, Will Watters via clamav-users wrote:

> Please advise if ClamAV performs monitoring of traffic, including encrypted traffic?

Not unless you tell it to. I use it to scan mail traffic. To do that
I wrote a milter. The milter interfaces with the Mail Transfer Agent
(the MTA, Sendmail). It accepts traffic from the MTA as it comes in
on the wire and forms an opinion based on many factors about the mail.
One of these factors is whether or not ClamAV finds something in the
mail which matches a signature in one of the ClamAV databases. I use
several third-party databases in addition to the 'official' database,
mostly because I have a very low tolerance for spam and junk mail.

There are similar ways of scanning other traffic, but they're tricky
and the performance might not be what you'd hope for. To be able to
scan encrypted traffic you probably need to be able to decrypt it on
the fly. Depending on the encryption arrangements, that might be
anywhere between trivial and impossible. Mail traffic is very often
encrypted, but only when it passes between delivery 'hops'. When a
milter uses ClamAV to scan the traffic, the MTA has decrypted incoming
traffic before it hands it to the milter, and outgoing traffic is scanned
before it's encrypted, so ClamAV scans only unencrypted traffic.

What sort of traffic would you want to scan?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
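The hand-off Ged describes, as an added example that is not code from the thread or from his milter: the MTA has already terminated the (possibly TLS-protected) SMTP session, so what a milter-style hook passes to ClamAV is plaintext, and it does so over clamd's INSTREAM command. The framing and reply-parsing helpers are pure functions that can be exercised without a daemon; the live scan assumes a clamd listening on TCP 127.0.0.1:3310 (clamd's conventional TCPSocket setting), and the reject/temp-fail/accept mapping at the end is a constructed policy, not something the thread prescribes.

```python
"""Minimal model of the milter-to-clamd hand-off.

Added example, not code from the thread or from Ged's milter.  It assumes a
clamd daemon on TCP 127.0.0.1:3310 for the live scan; the framing and
reply-parsing helpers are pure and run without any daemon.
"""
import socket
import struct
from typing import Optional, Tuple

CLAMD_HOST = "127.0.0.1"   # assumption: clamd.conf TCPAddr
CLAMD_PORT = 3310          # assumption: clamd.conf TCPSocket

# Constructed sample: what the MTA hands a milter once the SMTP session
# (TLS or not) has been terminated -- plain message bytes, no ciphertext.
SAMPLE_MAIL = (
    b"From: sender@example.test\r\n"
    b"To: recipient@example.test\r\n"
    b"Subject: status report\r\n"
    b"\r\n"
    b"Nothing to see here.\r\n"
)


def instream_request(data: bytes, chunk_size: int = 2048) -> bytes:
    """Encode `data` as one complete clamd zINSTREAM request.

    Wire format: the command 'zINSTREAM' terminated by NUL, then chunks of
    <4-byte big-endian unsigned length><bytes>, ended by a zero-length chunk.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray(b"zINSTREAM\0")
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)          # terminator: empty chunk
    return bytes(out)


def parse_instream_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn clamd's reply into (verdict, detail).

    Replies look like b'stream: OK\\0', b'stream: <Signature> FOUND\\0' or
    b'stream: <message> ERROR\\0' (for example when StreamMaxLength is hit).
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, sep, status = text.partition(": ")
    if not sep:
        raise ValueError(f"malformed clamd reply: {text!r}")
    if status == "OK":
        return "OK", None
    for verdict in ("FOUND", "ERROR"):
        suffix = " " + verdict
        if status.endswith(suffix):
            return verdict, status[:-len(suffix)]
    raise ValueError(f"unexpected clamd reply: {text!r}")


def milter_action(verdict: str) -> str:
    """Map a scan verdict to the libmilter status a milter would return.

    Constructed policy: reject on a signature match, temp-fail (fail closed)
    when the scanner itself errors so the sender retries, accept when clean.
    """
    return {"OK": "SMFIS_ACCEPT",
            "FOUND": "SMFIS_REJECT",
            "ERROR": "SMFIS_TEMPFAIL"}[verdict]


def scan_with_clamd(message: bytes, host: str = CLAMD_HOST,
                    port: int = CLAMD_PORT, timeout: float = 30.0):
    """Stream an already-decrypted message to clamd; return (verdict, detail)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(instream_request(message))
        reply = bytearray()
        while not reply.endswith(b"\0"):        # z-mode replies end in NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_instream_reply(bytes(reply))


if __name__ == "__main__":
    try:
        verdict, detail = scan_with_clamd(SAMPLE_MAIL)
        print(verdict, detail, "->", milter_action(verdict))
    except OSError as exc:           # no clamd reachable: show the framing only
        print("clamd not reachable:", exc)
        print(instream_request(SAMPLE_MAIL)[:32])
```

The point the code makes is that nothing on the scanner side touches TLS at all: decryption is the MTA's job, and the milter only ever sees and forwards the clear message. Mapping a scanner error to a temporary failure rather than an accept keeps a crashed or overloaded clamd from silently turning into a scanning bypass.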
Re: [clamav-users] ClamAV perform monitoring of traffic
ClamAV scans files. Mail is one of those files it can scan. Attachments to those emails as well.

ClamAV doesn’t scan traffic. As in Network Traffic. For that, see Snort. (http://snort.org/)

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org

> On Nov 28, 2020, at 6:03 PM, Will Watters via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hello,
>
> Please advise if ClamAV performs monitoring of traffic, including encrypted traffic?
>
> Regards,
>
> Will