Adam Sweet’s Blog

I was bored this evening and I started playing around with some stuff I had lying around, like the USB Missile Launcher I bought in 2007, known as a Dream Cheeky Missle Launcher, for which I never found a GUI control tool under Linux. I never got that guy’s code to work before, it would always fall over when configuring or trying to compile. Tonight I realised it was just because I had stuff like automake, libgtk2.0-dev and libusb-dev missing and that the automake symlinks were version specific. The code compiled after I fixed that stuff and the app ran but some of the images were missing and it still wouldn’t control my Missiler Launcher, so I did a quick apt-cache search missile and found pyrocket. It works! I think I tried it before and it didn’t but now it does. My Missile Launcher works!

I discovered that my Sony Eye Toy webcam works and works well under Ubuntu, I tried in most Ubuntu releases since I was given a PS2 for Christmas a few years back but it never worked and most times I Googled, it wasn’t expected to work any time soon. Well now it works and the output looks very good. Fresh from this success, I decided to try another webcam I have lying around, made by Genius, I think Jono Bacon gave it to me last year. That never worked either but now it does. Output is pretty dark but I guess that’s down to the webcam’s sensor.

Another recent triumph was my USB Serial converter. I did a CCNA a few years back and it dawned on me that most modern PCs, desktop or laptop, don’t come with serial ports any more and pretty much every Cisco device uses a serial cable for (at least initial) configuration so I bought a cheap USB serial converter from Ebay straight from Hong Kong for about £3 including delivery. Came with a Windows driver CD, but didn’t work under Linux, even though there was a driver for the Prolific PL2303 chipset it used, so I had to buy some for ~£20 from Maplins which did work. It didn’t work from Dapper right through til the last time I checked which was some time around Hardy or Intepid, but now it works.

I don’t know whether this is the work of the Linux Driver Project, existing drivers getting tidied up and supporting more variations of hardware which uses the same chipsets or just natural maturation of the kernel and widening of the supported hardware base, but damn people, you work hard and you surprise me. Thank you.

At the weekend I was driving on an errand and I happened to pass PC World. While I’m not a fan of PC World particularly, I do like to drop in as I pass by to browse the laptops and netbooks, particularly the netbooks as it’s the only place you really get to compare one against another. I noticed they were selling the HP Mininote 2133 for £200. At first I thought they were just selling off the display model, but that was the stock price.

I bought a Dell Inspiron Mini 9 in December and was a little disappointed with it, aside from the fact that I waited 3 months for the Ubuntu version to have matching specs as the Windows version and for Dell to start offering accessories like a carry case as they did in US, I even phoned them and asked but they declined to say whether there were any plans to do so. Eventually I got pissed off, bought the Windows one and installed Ubuntu. There’s nothing wrong with the performance of the machine, I just can’t type accurately on the keyboard no matter how hard I try, some keys are just way too small for my fingers and the screen is just a little too pokey to make checking my mail comfortable. I wanted a ‘throw in the bag and forget I’m carrying it’ web browser, mail client and SSH client, so my three major use cases were immediately uncomfortable even when using Ubuntu Netbook Remix, which is very nice and is designed specifically for limited screen real-estate.

The HP Mininote was marketed as a school or business mini notebook and cost around £360 last time I looked. I think it was probably immediately overlooked by everybody looking for a netbook on that count, it’s not something you can buy the kids for Christmas or birthday or a geeky treat to oneself at that price. Also the 2133 uses a Via chipset and C7-M ULV processor (mine is the 772 specifically) which was Via’s netbook architecture while it developed it’s next gen netbook architecture, the Nano. While many are prejudiced against non-Intel PC hardware, I’m not. My first PC was a Via Cyrix 133MHz that my cousin built for me out of spares and it was f***ing awful in performance terms, not that I’m ungrateful of course, I wouldn’t be doing what I do now if it weren’t for that machine; and my main desktop was an AMD Athlon XP for four and half years. However while early netbooks used either the C7-M or Intel Celerons, as soon as the Intel Atom hit the manufacturers, the Via C7-M was immediately in the cold and was at least 3 years older in design. Time will tell us what the market thinks of the Nano, but I suspect that Via are already too late to the party. Interesting discussion on netbooks, including how Via missed the boat is at Ars Technica here.

The major selling points of the 2133 over all the other netbooks are:

• Higher screen resolution at 1280×768 (most netbooks are 1024×600)
• Excellent display quality
• 92% keyboard
• Build quality. While most netbooks are plastic, the Mininote 2133 has an aluminium outer chassis and anodised magnesium inner casing. The keyboard is coated to stop the keys collecting gunk or the transfers wearing off
• 1 Gb ethernet
• ExpressCard slot
• The screen has a protective outer shield
• The hard disk has an accelerometer which means the drive will park the heads if it detects that it has suddenly tilted or is falling.
• A button to disable the mouse pad and mouse buttons

All this alongside the usual netbook fare:

• 1.2 GHz Via C7-M CPU
• 1GB RAM
• Bluetooth 2.0
• Wireless b/g
• 5400 RPM 120 GB HD
• 0.3 MP webcam
• Available with SUSE Linux Enterprise Desktop 10.1 (which is pretty dated now), Windows Vista Home or Business

The Dell Mini 9 comes with 0.3 or 1.3 MP webcam, I chose 1.3 on mine (bigger is better right?), but as I’d read elsewhere that it would, the machine struggled to keep up with the webcam and the screen representation was blurry. I don’t know if this is a Linux driver issue or a CPU issue. The mouse buttons on the Mininote are on either side of the mouse pad, like the Acer Aspire One. I thought this might be horrible but it’s actually quite comfortable.

It turns out they didn’t have any more in stock in the store I was in, so I drove over to the one in the next town to get one and came home with my new toy. I bought the SLED version. First thing I noted was that the battery is completely discharged. I had to put it on the charger before it would do anything which put paid to playing with it in the car while I waited for Jenny to increase her collection of denims, or shoes or whatever it was this week. On boot up I went through a pretty detailed OEM setup, which asked some questions I couldn’t answer without a network connection, something about registering for updates.

On completion, I rebooted and got a SLED GDM login screen, logged in and got the Gnome desktop, with the SLED slab menu and single desktop panel. While it was attactive, being an Ubuntu user it was completely alien to me, so I completely re-laid out my desktop, adding an extra panel, moving the applets around and added the Gnome default menu. While doing so, my first thoughts formed:

• The machine was pretty sluggish.
• SLED’s version of the default Gnome menu is a complete mess full of pointless sub-menus and duplicate entries.
• YaST is shit and it’s icon tool-tips don’t adequately explain what each tool does.
• There seems to be another ‘Control Panel’ for no apparent reason. This seems to be a castrated version of Gnome’s Control Centre.
• There didn’t seem to be anywhere to configure the fonts or desktop appearance.
• It took me ages to work out how to do this registration thing so I could get updates. I didn’t know whether that meant software updates or product announcements by email.

My primary objectives with any new install is to set up my desktop environment how I like it, install security updates and then install additional software. To get security updates I needed to find this registration thing, it took ages but I found it in YaST. I’d already started Firefox to see what my webmail looked like on the screen and the default home page was the page to create a Novell login, so I’d already done that by the time I found the registration app. When I completed jumping through the registration hoops, an update manager applet whirred away for around 20 minutes making the machine barely usable before telling me I had 3 updates. It went away for another 20 minutes when I told it to install them. I rebooted and the update manager made my system slow for another 20 minutes before telling me I had another update. I installed, rebooted, waited for my machine to stop being slow again before being offered a few hundred updates, which again took 20 minutes. I rebooted again and got a usable desktop again as all updates were applied.

There are several software management tools, I tried a few of them but nothing allowed me to install extra software. I tried to install gnome-games but I kept getting asked for an installation DVD which didn’t come with the machine. I decided to add another package repo but after Googling I came to a Novell page which offered repos for the latest version of Banshee, OpenOffice.org and Firefox, repos for the OpenSUSE build service and links to the OpenSUSE repos accompanied by the warning that mixing SLED 10 and OpenSUSE packages should work but may lead to dependency hell. At this point, I began to regret buying the machine.

I decided to fuck everything, I had been willing to try SLED 10, even though it’s really old as I didn’t want to try something else, find nothing would work and then be left with no OS as the machine didn’t come with a restore disk. I’d already read the Ubuntu Laptop Testing Team page on the 2133 and it sounded troublesome but I tried 8.10 anyway. The screen corrupted and X locked up when displaying GDM, a known bug. I’d already had a recommendation that Mandriva 2009 worked, but I’d try that if I couldn’t get Ubuntu to work at all, so I tried the latest 9.04 alpha build. It installed fine and all of the hardware worked, I got none of the awkward bugs or workarounds described in the the testing team 2133 wiki page. More relieving than that was the the machine wasn’t slow any more, it wasn’t sprightly but it didn’t feel slow to use. It didn’t feel any slower than the Mini 9. I installed all of the updates available and the machine didn’t churn like it had under SLED. Quite interesting was the fact that for an alpha release I found it completely usable and largely un-broken. I think the only bug I came across so far was that Flashblock, the Firefox extension for blocking Flash media, kept forgetting it’s whitelist, but that was fixed after an update.

My HP Mininote 2133 Desktop under Ubuntu 9.04 alpha 5

The only issues of note with the Mininote 2133 that I have found so far are:

• You have to add acpi_osi="!Windows 2006" to Grub’s menu.lst and reboot to make CPU frequency scaling work. I did and it works. Saves on battery. The CPU will scale between 1.2 GHz at full speed and 800 MHz as shown above.
• The wireless works with Free drivers out of the box, but a proprietary driver is available and you need it if you use networks with a hidden SSID. I’ll stay with the Free drivers.
• The graphics performance is not great and the drivers aren’t very featureful.
• Battery life isn’t great. The SLED version comes with only a 3 cell battery, which should give you about 2 to 2 and a half hours battery life, which doesn’t seem to be much worse than the Mini 9 in my experience. I seem to get 90 minutes to 1 hour 45. You can get a 6 cell battery which protrudes downwards and props the laptop up a bit which some people seem to prefer.
• The machine runs hot as a result of the Via C7-M processor, not uncomfortably so, but it does make you wonder about the lifespan of the other components in that heat.

The first two points are informational only, they work as they are but you have to make some slight mods if you want absolute functionality. The last two I was already aware of. Ultimately, battery life will go through the roof, along with performance as netbook hardware develops, we’re just at the beginning of the upward curve at the moment.

The main point though I think is the graphics performance. The machine uses a Via Chrome9 HC graphics chip which pulls in 256MB of your system RAM, though I think 786 MB RAM is enough for most netbook use cases. However, the graphics drivers are an issue. You essentially have 3 choices. By default you get the openchrome driver from openchrome.org which is perfectly adequate but lacks features such as 3D acceleration, dual-head support and MPEG2 and MPEG4 acceleration. I don’t know whether this is a driver or a chipset limitation but playing Youtube videos is ok though not great, make them full-screen and they become pretty choppy. A quick, unscientific test by playing the same Youtube video on the Mininote and the  Mini 9 at the same time showed that the Mini 9 can play the video in full-screen with roughly the same performance as the Mininote can when playing the small embedded movie within the page. The Mini 9 only started to get noticeably choppy in full-screen, while the Mininote is a bit choppy playing the small embedded video. I recorded no stats, it was just naked eye observation. When your desktop background draws on the Mininote after logging in, you can see the background change colour in sequential re-draws, like a slow-ish VNC or RDP session, it’s not bad but just enough to be noticeable. That said, I’m not knocking the guys who work on openchrome, as it may be the chip itself, but in any case they’re doing a good job without too many hands on deck. If you use Via graphics chips and can code in C, then maybe you could help. Via has always been unhelpful towards the Linux community and despite setting up various Linux driver initiatives and making big announcements, they themselves still don’t seem to have come up with a release quality driver, so I doubt the openchrome guys are getting much assistance from Via. Writing graphics drivers with no help from the vendor has always proven to be a thankless task.

Via drivers are your other choice, they come in a variety of flavours, 3D or 2D and proprietary or open source. Currently they are all either beta or alpha quality and are built around Ubuntu 8.10, 8.04 or other select Linux variants, based on specific kernel versions. According to the openchrome wiki, the proprietary drivers do MPEG2, MPEG4 and 3D acceleration but the applications requiring MPEG acceleration must run as root, which is insecure and pretty crazy. The open source drivers from Via are the same with some stuff taken out including the MPEG acceleration.

I haven’t tried any of Via’s drivers, I’m not sure I will until there are 9.04 packages. At the moment, the openchrome drivers do the basics and that’s all I need. If I need to do multi-head then I guess I’ll have to try the Via drivers, I don’t expect to need 3D acceleration (if I’m honest, I use a few things like the Terminal Server Client Applet and VNC client password boxes which don’t like it), but better video playback and screen re-drawing would be nice.

What I haven’t really talked about yet though is what I think of this machine in use. You can probably guess though. It’s in the post’s title. I love it. It feels great to use. The chassis is solid, inflexible and hard, in fact it feels nice to run your fingernails against while you’re thinking (weird huh?). The keyboard is nice to use and feels great on your finger tips, the screen resolution makes the machine comfortable to use compared to any other netbooks I’ve played with. It’s not sluggish to use and you can do real work on it, unlike most netbooks. The ever militant Peter Cannon, bless him, pointed out that he’s seeing netbooks appear in the second hand market as many people bought them thinking they’d be a full featured laptop, just smaller and cheaper, then found that they were just a bit too under-powered to do anything other than browse the net (even though the clue is in the name). The HP Mininote is a step up terms of usability, it’s not a fast laptop but it is usable as a result of the higher res screen and the bigger keyboard. My next laptop might be an HP if the build quality and feel is this good. I remember the last time I was looking for a laptop, I showed Ade the one I eventually bought and he pointed out to me that I didn’t need anything so big and heavy as it would be awful to carry anywhere, I just needed a little one, like his tiny Samsung (I think). Almost immediately after purchasing the one I showed him, I agreed.

While Via isn’t the currect choice for netbook hardware, I can’t complain about the performance (though in SLED it was horrible, I can’t imagine Vista was great either). It won’t feel like this for more than a year or three though, I expect it to get bogged down sooner rather than later, but still it will be the same with all current netbooks. In any case, it’s easier to maintain Linux and keep it sprightly, with Windows you have to reinstall when it starts to feel sluggish.

It will be interesting to see what the Via Nano does to the Atom netbook market, but already the reason for the £160 price drop on the Mininote 2133 is that HP has replaced it with the Atom based Mininote 2140. It looks the same and provides the same functionality as the 2133 while addressing most of the complaints about the 2133, namely increased battery life and the machine runs cooler. The 2140 also offers a larger hard disk or an SSD and 2 different resolutions, either 1024×576 or 1366×768 with the latter yet to be released. On the other hand though, it will probably price itself out of the comfortable netbook price range again and people will buy the larger netbooks from the likes of Asus, Dell, MSI and Acer. (Side point, everyone I know who bought an Acer Aspire One loves it too).

For now though, I luuuurve my 2133. You should get one too while they’re cheap. Probably some photos to follow in an update.

Wikipedia articles:

HP Mininote 2133 and 2140

Dell Inspiron Mini Range

Acer Aspire One

Asus Eee PC

MSI Wind (aka Medion Akoya or Advent 4211)

UPDATE 30/04/2009:

• I hear that Vista is dreadful on the Mininote 2133, if you’re buying one I recommend using Ubuntu 9.04 (which is current at the moment).
• The Ubuntu Netbook Remix interface runs badly on the 2133 due to the openchrome graphics drivers being unable to do 2D acceleration. There are a few other Netbook Remix bugs too.
• Still no Ubuntu 9.04 drivers from Via. Their last release was 2nd December for 8.10 which just about 5 weeks after the Ubuntu release on October 30, so maybe they will release some 9.04 drivers in the next month. It would be nice to release them in time for the Ubuntu releases.
• The Via processor includes what is called Via Padlock for hardware encryption which supports AES encryption of data up 25 GB/s, SHA hashing of data up to 20GB/s and random number generation of up to 20 million random bits per second. This is supported by the Linux kernel and by OpenSSL but doesn’t seem to work under Ubuntu 9.04 (in the beta at least) (old Launchpad bug #119295). The padlock-aes and via-rng modules load fine but aren’t loaded by default. The padlock-sha kernel module crashes if you load it and configuring it to load at boot time results in the machine hanging during boot up (Launchpad bug #355384). With the working modules loaded, OpenSSL recognises that it is padlock ready but the CPU is not. Ubuntu forum discussion on Via Padlock.
• HP’s guide price for the 2140 starts at $449, which is pretty pricy for an Atom machine with a lower vertical resolution than pretty much every comparable machine out there at the moment. Cheapest I can find online is around £360 ex VAT as predicted.
• I still like my 2133, which is pretty good considering the honeymoon period is over.

I bought an HP Proliant ML115 G5 server recently, it was a bargain for a good amount of processing power, albeit in an entry level tower server. It will live at my house and I’ve already supplemented it with 4 GB RAM and will dropping in a pair of 1 TB disks on a 3Ware RAID controller, so I’m not troubled by the form-factor and otherwise low specs.

At the time of purchase though, I didn’t realise you could buy HP’s Lights Out remote management card and have HP refund you the cost. They won’t do this if you retrospectively buy the card though, they have to be on the same invoice, so I will have to make do with the onboard IPMI controller, which would have been fine as I’m pretty familiar with IPMI, if only I could get it to work on this machine.

As far as I’m aware, the HP LO card is similar in principle to IPMI, but a bit more intelligent. On every other IPMI controller I’ve used, there are a number of ‘channels’ with which you can communicate, one of which is a LAN channel to which you can assign an IP address. That way you can send IPMI commands over the network and remotely power on, power off, reboot and get hardware information whether the operating system is running or not. With some versions of IPMI, you can configure the BIOS, the bootloader and the Linux kernel to give you a serial console over the network so you can see remotely what you would see if you were standing in front of the machine in all cases.

However, with this IPMI controller there doesn’t seem to be a LAN channel which means I can’t do any of those things, at least in the range of channels I tried which was between 0 and 10, only channels 1 and 2 existed. Normally, channel 1 would have been the LAN channel.

It has to be said that HP don’t list this system as supported by Debian or Ubuntu, however it works fine under Debian Etch and Ubuntu 8.10 in every other way and I’ve yet to come across a hardware vendor which actually says it supports Linux across its hardware range, even when it works fine. They normally support a subset of hardware, which they have certified, created a knowledge base for and have provided support training for. My Dell XPS 1710 laptop for example works perfectly, but Dell don’t support Linux on it.

In fact, despite saying they do not support Debian on the ML115 G5, this page appears to show they do support Red Hat and SUSE. If they support Red Hat and SUSE, I  hope this may change once Debian Lenny is released and has been through their QA process. However the Debian Proliant Wiki is confident that the Debian will install successfully on this machine, as I can of course confirm, though no mention is made of the IPMI controller, as you would expect for a wiki about installer compatibility. I may try CentOS to see if it can see a LAN channel on the IPMI controller, just to set the address and then replace it with Debian afterwards. I’m not a fan of Red Hat/CentOS servers, I prefer that it’s reasonably easy to upgrade between Debian release. I don’t see that it’s that easy between Red Hat and CentOS releases. (UPDATE: CentOS can’t see a LAN channel on the IPMI controller either.)

HP do supply a bunch of Debian packages for Proliant hardware management, such as the HP Proliant Value Add Software which contains an HP version of ipmitool, the tool used to manage an IPMI controller from inside the OS. On Dell hardware there is a BIOS level tool to set the IP address on an IPMI controller, on Supermicro servers there was a bootable FreeDOS CD for uploading the firmware and then setting the IP address. In either case, you can also set the IP address of the LAN channel using ipmitool. Sadly, as I said the stock version if ipmitool in Debian Etch and Ubuntu 8.10 doesn’t seem to be able to see a LAN channel. The HP version of ipmitool shipped in the HP Proliant Value Add Software has to be compiled at installation time by debconf and it bails out with a bunch of compiler errors about missing files even though I have the kernel sources and headers installed for my kernel version.

I called HP’s Unix/Linux Proliant support line and explained the problem to the guy, asking if he either knows what the LAN channel is supposed to be, whether the IPMI controller some how relies on the LO card for remote access or whether there are known issues. Unfortunately, he didn’t really seem to know what I was on about and after putting me on hold for several minutes, offered me a Windows Server 2003 null management controller driver. When I reminded him that I had called the Unix/Linux Proliant support line because I use Linux, not Windows, he told me that Linux isn’t supported on this server even though Red Hat and SUSE are as noted above. At this point I explained that the controller is independant of the operating system, it is used for out of band management, ie whether the system is powered on or not, you communicate with the IPMI controller over the network. I forger what my man said to that but it implied that he couldn’t help me and feeling my irritation rise I decided to tell him not to worry about it and ended the call.

It strikes me sometimes that vendor support use their list of supported hardware/operating system/web browser/whatever as a get out clause when they don’t understand your problem. It’s an easy cut off when they encounter something they don’t know how to answer, even though the problem is not related to their hardware/operating system/web browser/whatever support list. That said, I appreciate that this was a quite a specific technical issue and the problem is necessarily to do with the support guy I called, but in his training and the resources available to him. If he could search for the specs of the IPMI controller in my server or cross-reference my server model, operating system and the IPMI controller, I’m sure he would have been able to be more helpful. I feel bad for call centre support people, they get a shit deal from management and customers alike.

Anyway, if you couldn’t tell, this post is me purely taking the opportunity to complain bitterly about unhelpful support and lack of vendor documentation, to create a central list of all the links I came across navigating the HP’s seemingly spaghetti linked website and to ask you if you have any ideas. Do you have any ideas where I’m going wrong? Will the IPMI controller ever work? Do you know how I can set an IP address on it under Linux?

Other Links:

HP for Proliant

HP Proliant Debian home page

Debian on HP Proliant PDF

Debian Linux on HP website and forum

I use ClamAV on my own mail servers, I’ve also used it at work alongside several commercial AV engines and every now and again there will be a viral attachment that none of the AV engines catch, especially when a new threat is released. As a Linux user, most virus and malware threats mean little to me, however if you are responsible for Windows users then you need to be on top of the game.

Even though viral email attachments aren’t the major attack vector for Windows PCs that they were a few years ago, a few times recently I’ve found the need to block viral emails which the major AV engines weren’t catching or they were sufficiently behind the curve that I’ve had to create my own signatures to block viral attachments while I waited for the AV vendors to catch up.

Enter ClamAV. ClamAV is an anti-virus toolkit for Unix and Windows. Aside from being an on-demand virus scanner, ClamAV comes with a suite of tools for creating your own anti-virus signatures which can then be used as part of the regular AV definitions when running a scan.

The first thing you need is something which you want to detect. It might be a virus, some other piece of malware or maybe just a nuisance application installer. It helps if you’re not running Windows so you don’t infect yourself with whatever it is you are trying to detect and running the following commands will be easy for you. If you have an email with your attachment or file in, you need to save the attachment to your PC. If it’s still on the mail server, either download the mail and save the file or if you have shell access to the server, copy the entire mail file itself to your PC which is easy if you’re using maildirs. If you use mboxes you need to take a copy of the mail somehow so it’s in a file of it’s own (look at csplit for example).

If you have a file containing the email rather than having saved the attachment from within your mail client, you need to split the text and attachment parts out from each other. The following script does this for you. You need Perl and the MIME::Parser module from CPAN (sudo cpan install MIME::Parser for Ubuntu users).

#!/usr/bin/perl
use MIME::Parser;
$file = $ARGV[0];
my $parser = new MIME::Parser;
mkdir(”/tmp/$$”);
$parser->output_under(”/tmp/$$/”);
$parser->output_prefix(”msg”);
$entity = $parser->parse_open(”$file”);
$entity->dump_skeleton;

Save it as strip-attach.pl or something and make it executable. Then run it with an argument of the file to strip such as:

strip-attach.pl <mail file>

The output will give you the paths to the text portion and the attachment portion of the email. If you saved the email attachment to your PC from your mail client, you can start to pay attention now.

What you now have is the file you want to block. If it’s zipped, compressed or in any other kind of container then unzip it or extract it as ClamAV can see inside these archives if you configured it to do so and you have the right tools installed (like unzip under Linux for example).

Next create a signature of the file using ClamAV’s sigtool:

cat testfile | sigtool –hex-dump | head -c 2048 > customsig.ndb

In this case, testfile is your undesirable file and we have taken a signature of the first 2KB, otherwise the signature would be huge and therefore scanning would be inefficient. We have saved the generated signature in customsig.ndb. In theory, you need to take a signature of a unique portion of the file. You can also take a signature from an off-set within the file, it doesn’t have to be from the start of the file. See the ClamAV signature docs for more detail on how to create signatures.

You should edit customsig.ndb and prefix the content with the appropriate Name, Type and Offset in the following format:

Name:Type:Offset:malware hex output

Such as:

Trojan.Win32.Emold.A:1:*:4d5a80000100000004001000ffff000040010000000000004000000000000000000000000000000000000000

Name is the virus name. Type is one of the following:

• 0 = any file
• 1 = Portable Executable (ie Windows exe)
• 2 = OLE2 component (e.g. a VBA script)
• 3 = HTML (normalised)
• 4 = Mail file
• 5 = Graphics
• 6 = ELF
• 7 = ASCII text file (normalised)

Offset is either * or an offset in bytes from the beginning of the file to where the hex string occurs. This is best left as * unless you know your where in the file your hex string occurs. Read the Clamav documentation if this is the case.

For most purposes, a type of 0 (or 1 for a Windows exe), and an offset of * will suffice.

Either name the virus yourself if it’s just a file you don’t want on your network or it’s a new virus, or take a look at what other AV engines call a virus by submitting your suspicious file to somewhere like http://www.virustotal.com/. ClamAV has it’s own virus naming conventions as detailed in the docs.

My good friend and malware expert Barbie of Message Labs and Birmingham Perl Mongers gave a talk at LugRadio Live UK 2008 where he explained that the people that are first to identify a new virus are the people who name it, though different AV vendors often use the different names and the name which is popularised in the press is the one that sticks. If you detect a virus before anybody else, then name it as you like and then find a way of making sure everybody uses your chosen name. Fun and profit awaits you

Now, test the signature against your suspect file:

clamscan -d customsig.ndb testfile

It’s pretty inefficient to store one virus signature per file, so if you’re going to be doing this frequently or you want your signature to used as part of regular operations, you may as well start keeping your own virus db file as part of ClamAV itself. Simply copy your customsig.ndb to the directory used by ClamAV’s own signatures. On most Linux boxes that’s /var/lib/clamav/, though it might be something like /usr/local/share/clamav/ on FreeBSD or if you compiled ClamAV yourself. So restart ClamAV and run a regular scan without having to specify your custom sig:

clamscan testfile

And that’s it. Add each new signature line into the customsig.ndb file you put in ClamAV’s signatures directory but be sure to test it first from a standalone sig file so you know it works as expected without affecting the operation of the main ClamAV installation.

Having created sigs for files which the commercial AV engines weren’t catching, I submitted the suspicious file I was working on to the ClamAV team for detection within ClamAV. Now I guess you have to be a bit closer to the project and certainly more experienced than the novice I am to generate sigs and have them included in ClamAV, but there’s nothing stopping you submitting the suspicious files to the project by uploading them at http://www.clamav.org/sendvirus/.

I did exactly that and was quite pleased to get an email a few weeks later which said a signature for the file I submitted had been included in a ClamAV update, although the same file had been submitted by several other people.

Most people suggest advocacy or documentation as ways non-programmers can help a project, it just goes to show that there are many more ways to help a Free Software project than you might think if you’re not a programmer.

So, why would you want to use ClamAV? If you run mail servers then you should be using it already, regardless of whether you run a proprietary AV engine. ClamAV is free and plugs easily into most Unix style mail servers, either directly or though something like Amavis. ClamAV is pretty good at catching phishing emails too, which is something I’ve not seen much of from the major AV vendors. Details on dealing with phishing sigs are here.

A few years ago I worked at a college where Windows permissions were sufficiently lax that the students were able to install MSN Messenger (now known as Windows Live Messenger) on the PCs which were supposed to be for educational purposes only, as certain applications they needed to run required access to write to parts of the registry so they couldn’t be locked down any further without serious effort. We had a terrible time trying to keep up with removing it and stopping them downloading it. Had we known at the time, (ignoring the concept of actually trying to lock the machines down properly), we could have run ClamAV on a filtering proxy and created a signature which detected MSN Messenger or other unwanted installers, blocked them at the gate and run a scan across the user directories for saved copies brought in on memory sticks. While it’s fighting fires instead of solving the bigger problem, you could apply a simple fix to the major threats and it would buy you enough breathing space to solve the real problems.

Note that ClamAV is not an in memory, on-access, real-time background virus scanner, it won’t detect viruses in files as you open or execute them. You need to manually scan files to detect viruses, it’s not intended as a replacement for a desktop AV, it’s intended for gateway services like web and mail filtering or scheduled scanning.

Do I need to tell you any more? Go geddit tiger.

So, the financial world is collapsing around us. After house prices in UK have sky-rocketed for years, pricing core workers (doctors, nurses, ambulance crews, police and firefighters) and everyone beneath high earners out of the property market, we ‘re now in a situation where house prices are falling through the floor but interest rates are so high people can’t afford mortgages, houses are being re-possessed, the unemployment figures are at their highest in 10 years, the biggest financial institutions in the world are going bankrupt and everyone is feeling the pinch. The capitalist world is facing global recession, aka financial armageddon. The UK media are calling it the Credit Crunch. I don’t know what it’s being referred to elsewhere or how it’s effects are being felt outside of the UK and USA. Thankfully, it doesn’t appear to have affected the IT market too much yet, but it will. How much, I don’t know, the world relies on IT these days but it will pinch and some of us will be made redundant.

So where does this leave our beloved Linux, Open Source and Free Software communities? The major IT vendors and commercial software houses are sure to cut jobs. According to Greg Kroah-Hartman,  72.6% of kernel contributions are sponsored by major IT vendors (Intel, Red Hat, IBM, Novell etc). 17% are from amateurs and 10.2 are either unknown or independent consultants. There must be 0.2% somewhere else for those of you who are counting. I would imagine the contributions for something like GNOME would be a lot heavier in favour of amateurs and independent contributors.

I suspect, and I appreciate I am economically naive, that while the big vendors might have to cut jobs and some of them might well be technical jobs focused on the smaller markets (ie Linux), I would expect that a good proportion might be in rank and file clerical, sales, support, marketing and middle-management, not so much in technical engineering.

So, we might lose some Linux developers in the major companies, but note this: many people, when they use or work on anything other than the market-share leading operating system do so because they want to. Would leaving a job mean that somebody stops doing something they wanted to do in the first place? I don’t think so, but then it is possible that if you lose a job, you’re going to have to replace it as quickly as possible and that might be with something which doesn’t allow you the time or opportunity to contribute.

While companies all around the world are planning to shed jobs and cut costs, contributing to Linux, Open Source and Free Software only cost one thing: time. Human endeavour costs nothing and it’s that which means that Linux won’t go away in a bad financial climate or when when the biggest software vendor in the world tries to scare people away by claiming that it’s competitor violates it’s patents but won’t say what those patents are. If, hypothetically, the financial world came to a standstill tomorrow, Linux would keep going. Microsoft wouldn’t be able to pay their developers and neither would Red Hat, but you can’t develop Windows unless you work for Microsoft. You can develop on Linux whether you get paid or not because the code is free and Free. Both gratis and libre.

If you run a company or organisation and you need to reduce costs, Linux and all of it’s software costs nothing. Windows costs money, even when it comes on the computer and Microsoft Office costs hundreds. If your PCs are ageing and you need to replace them, Linux doesn’t require anywhere near the resources Windows does, the comparison between Linux and Windows Vista’s hardware requirements are almost laughable and Linux is still faster, which means that you don’t need to buy a new PC and your old PC will be faster under Linux. Linux doesn’t have a virus problem, or a malware problem so you don’t need to buy anti-virus. Linux doesn’t have to defragment it’s disks so you don’t have to do it. In Linux, all of the available software is installable from inside the one program, you don’t have to download all of your applications from a hundred different places and install each one independently. Linux will update all of your software in one go every time there is a newer version so you don’t have to go to Windows Update and then update Adobe Acrobat and Real Player and Nero and Winzip and Quicktime and iTunes and Flash and everything else, Linux will update them all at the same time if there is an update. Linux software doesn’t nag you to buy it. Linux software doesn’t have advertisements. Linux software doesn’t install an icon in your taskbar that sits there using up your RAM. Linux doesn’t have problems with porn pop-ups. Linux web browsers don’t have the security problems that Internet Explorer has…

Oh, I’m sorry, I digress. In these harsh financial times, which are about to get a lot harsher and stay that way for another 2 years or so, Linux will save you money and won’t stop getting better when money gets tight.

Credit crunch? What credit crunch? A healthy dose of idealism is all you need.