re: FreshClam Errors - Deprecated version No. I'm not in Tanzania. I'm in the U.S.
When I run that command I get this return: database.clamav.net is an alias for db.local.clamav.net. db.local.clamav.net is an alias for db.us.rr.clamav.net. followed by a series of IP Addresses. Are you thinking that I'm getting redirected somewhere? TAG On Tue, Oct 25, 2016 at 9:00 AM, <clamav-users-requ...@lists.clamav.net> wrote: > Send clamav-users mailing list submissions to > clamav-users@lists.clamav.net > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users > or, via email, send a message with subject or body 'help' to > clamav-users-requ...@lists.clamav.net > > You can reach the person managing the list at > clamav-users-ow...@lists.clamav.net > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of clamav-users digest..." > > > Today's Topics: > > 1. Re: Last Seven daily Updates have been almost empty > (Joel Esler (jesler)) > 2. WSF viruses, and other issues (John T. Bryan) > 3. Re: WSF viruses, and other issues (Kris Deugau) > 4. Re: WSF viruses, and other issues (Steve basford) > 5. Freshclam Errors - Deprecated version? (TAGSIT QAF) > 6. Re: Freshclam Errors - Deprecated version? (Al Varnell) > 7. Install from source on Ubuntu 8.04 Hardy (Chris Nelson) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 24 Oct 2016 16:24:52 +0000 > From: "Joel Esler (jesler)" <jes...@cisco.com> > To: ClamAV users ML <clamav-users@lists.clamav.net> > Subject: Re: [clamav-users] Last Seven daily Updates have been almost > empty > Message-ID: <d9211426-f4a9-408a-92ff-d0a73c39b...@cisco.com> > Content-Type: text/plain; charset="utf-8" > > We?re building a new daily now that should fix the issue. > > -- > Joel Esler | Talos: Manager| jes...@cisco.com<mailto:jes...@cisco.com> > > > > > > On Oct 24, 2016, at 2:56 AM, Al Varnell <alvarn...@mac.com<mailto:alva > rn...@mac.com>> wrote: > > Never quite sure when I should bring this up, but daily 22415 through > 22421 have included exactly one new signature and one dropped signature > (both in 22418). > > -Al- > -- > Al Varnell > Mountain View, CA > > > > > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml > > > ------------------------------ > > Message: 2 > Date: Mon, 24 Oct 2016 12:57:07 -0400 > From: "John T. Bryan" <j...@johnbryan.us> > To: <clamav-users@lists.clamav.net> > Subject: [clamav-users] WSF viruses, and other issues > Message-ID: <015601d22e17$a798f330$f6cad990$@johnbryan.us> > Content-Type: text/plain; charset="iso-8859-1" > > I?ve been running ClamAV now for some years as the virus-checking plug-in > on > my main multi-client mail server.? For a long time, I was very pleased with > it and how easily I was able to integrate it into the custom software back > when I first switched to it. > > Lately, however, ClamAV never seems to catch any of the viruses that are > coming at my server.? My custom-built spam-checking software is > inadvertently catching the majority of them after ClamAV has passed them.? > I > have noticed two primary patterns to the viruses that are coming through > these days: > > * ZIP files containing a WSF (Windows Script File) and possibly some small > distractor files > > * ZIP files containing a JavaScript file and possibly some small distractor > files > > As for the WSF files, my primary issue there is that ClamAV seems to refuse > to check them at all; I have added literally hundreds of signatures for > these to my local signatures file but ClamAV still does not identify them > as > viruses afterwards. > > As for the JavaScript files, these are being obfuscated in various ways, > mostly just by altering the names of variables in the script and similar > obvious non-semantic alterations.? The obfuscation is almost certainly > being > done by automated processes of some sort.? As a result, even multiple > copies > of the same script produce different signatures due to the non-semantic > changes in the script.? I have added literally thousands of these to my > signature files but, of course, I rarely see the same obfuscated version > again and virtually none of them are getting caught. > > The only malware that is being consistently caught these days is stuff > identified by the heuristics as OLE documents containing macros and spoofed > domains; I have had about a dozen of those in the last 30 days.? Alas, the > spoofed domains checking produces almost as many false positives as real > ones. > > I dutifully send a copy of each new false negative that shows up on my > server off to your evaluation team.? I have no idea if you?re even looking > at them but I do send them.? Hopefully that?s helping. > > As a programmer myself, I understand the difficulty in identifying an > obfuscated script, but is anything being done to address this?? And what > can > be done about the WSF files that aren?t being checked at all?? Not that I > expect it will matter much; the ones I have examined by hand appear to be > obfuscated in ways similar to the JavaScript files. > > Thanks! > > > > > ------------------------------ > > Message: 3 > Date: Mon, 24 Oct 2016 14:30:15 -0400 > From: Kris Deugau <kdeu...@vianet.ca> > To: ClamAV users ML <clamav-users@lists.clamav.net> > Subject: Re: [clamav-users] WSF viruses, and other issues > Message-ID: <580e5337.6030...@vianet.ca> > Content-Type: text/plain; charset=windows-1252 > > John T. Bryan wrote: > > I?ve been running ClamAV now for some years as the virus-checking > plug-in on > > my main multi-client mail server. For a long time, I was very pleased > with > > it and how easily I was able to integrate it into the custom software > back > > when I first switched to it. > > > > Lately, however, ClamAV never seems to catch any of the viruses that are > > coming at my server. My custom-built spam-checking software is > > inadvertently catching the majority of them after ClamAV has passed > them. I > > have noticed two primary patterns to the viruses that are coming through > > these days: > > > > * ZIP files containing a WSF (Windows Script File) and possibly some > small > > distractor files > > > > * ZIP files containing a JavaScript file and possibly some small > distractor > > files > > > > As for the WSF files, my primary issue there is that ClamAV seems to > refuse > > to check them at all; I have added literally hundreds of signatures for > > these to my local signatures file but ClamAV still does not identify > them as > > viruses afterwards. > > .wsf files are not pattern-matched as-is, they're decoded and normalized > first. Run clamscan --leave-temps foo.wsf, and inspect the files left > in /tmp/clamav* (or wherever ClamAV leaves its temporary working files) > for the actual content ClamAV does its matching against. > > Note that this actually strips off some of the obfuscation, making it a > little tricky if the pattern you're trying to match is, in and of > itself, the obfuscation. > > I'd guess you're just using hash signatures from sigtool --md5 (or > --sha1, or --sha256), since if you collect a number of examples from a > single run you *can* find similarities in the files to create > pattern-based sigs that match a range of files. > > I've posted one of the crude utilities I've been using under > http://www.deepnet.cx/~kdeugau/clamtools/. This takes several files, > grabs a more or less arbitrary block of 8K hex characters (based on the > $baseoffset and $fromstart variables - I keep the script open in a text > editor and change these as I go), and spits out a pattern, with ?? or > {nn} bits for variant character runs, formatted for a .ndb signature. I > tend to manually copy-paste an extract of that as a signature rather > than using the whole thing. You can use this on any set of files you > think are likely to be similar, and if they're not as similar as you > thought (or the segment you set it up to extract isn't) you'll get > either something like "{2345}abf3{3243}", or possibly a couple of blank > lines, as output. > > The other thing to try is an archive-contents filename signature. I > haven't had much luck with the newer "any archive type" version, but > I've had decent luck with the older-style .zip-only .zmd signature file. > I still see hits on some of those signatures I've added locally coming > up on several years after first adding them. > > -kgd > > > ------------------------------ > > Message: 4 > Date: Mon, 24 Oct 2016 19:49:36 +0100 > From: Steve basford <steveb_cla...@sanesecurity.com> > To: ClamAV users ML <clamav-users@lists.clamav.net> > Subject: Re: [clamav-users] WSF viruses, and other issues > Message-ID: > <157f806c600.27d5.3eaa884a23ece66aada06ae82ee56a > b...@sanesecurity.com> > Content-Type: text/plain; format=flowed; charset="UTF-8" > > Hi John, > > phish.ndb, rogue.ndb for most malware, > See foxhole sigs for other levels of detection. > > As well as .js, .wsf and .hta malware, now > seeing and detecting .lnk malware with an auto downloading PowerShell > command, which is nasty. > > Cheers, > > Steve > Twitter: @sanesecurity > > > > On 24 October 2016 17:57:52 "John T. Bryan" <j...@johnbryan.us> wrote: > > > Ive been running ClamAV now for some years as the virus-checking plug-in > on > > my main multi-client mail server.? For a long time, I was very pleased > with > > it and how easily I was able to integrate it into the custom software > back > > when I first switched to it. > > > > Lately, however, ClamAV never seems to catch any of the viruses that are > > coming at my server.? My custom-built spam-checking software is > > inadvertently catching the majority of them after ClamAV has passed > them.? I > > have noticed two primary patterns to the viruses that are coming through > > these days: > > > > * ZIP files containing a WSF (Windows Script File) and possibly some > small > > distractor files > > > > * ZIP files containing a JavaScript file and possibly some small > distractor > > files > > > > As for the WSF files, my primary issue there is that ClamAV seems to > refuse > > to check them at all; I have added literally hundreds of signatures for > > these to my local signatures file but ClamAV still does not identify > them as > > viruses afterwards. > > > > As for the JavaScript files, these are being obfuscated in various ways, > > mostly just by altering the names of variables in the script and similar > > obvious non-semantic alterations.? The obfuscation is almost certainly > being > > done by automated processes of some sort.? As a result, even multiple > copies > > of the same script produce different signatures due to the non-semantic > > changes in the script.? I have added literally thousands of these to my > > signature files but, of course, I rarely see the same obfuscated version > > again and virtually none of them are getting caught. > > > > The only malware that is being consistently caught these days is stuff > > identified by the heuristics as OLE documents containing macros and > spoofed > > domains; I have had about a dozen of those in the last 30 days.? Alas, > the > > spoofed domains checking produces almost as many false positives as real > > ones. > > > > I dutifully send a copy of each new false negative that shows up on my > > server off to your evaluation team.? I have no idea if youre even looking > > at them but I do send them.? Hopefully thats helping. > > > > As a programmer myself, I understand the difficulty in identifying an > > obfuscated script, but is anything being done to address this?? And what > can > > be done about the WSF files that arent being checked at all?? Not that I > > expect it will matter much; the ones I have examined by hand appear to be > > obfuscated in ways similar to the JavaScript files. > > > > Thanks! > > > > > > _______________________________________________ > > Help us build a comprehensive ClamAV guide: > > https://github.com/vrtadmin/clamav-faq > > > > http://www.clamav.net/contact.html#ml > > > > > ------------------------------ > > Message: 5 > Date: Mon, 24 Oct 2016 20:56:04 -0700 > From: TAGSIT QAF <tagsit...@gmail.com> > To: clamav-users@lists.clamav.net > Subject: [clamav-users] Freshclam Errors - Deprecated version? > Message-ID: > <CAJLh0txUTY2Uja9-VCJ1Os6rVuD=W+zWookuHgyEk3cFrDOW8A@mail. > gmail.com> > Content-Type: text/plain; charset=UTF-8 > > Relative newbie with brand new install. I manually downloaded the latest > version of ClamAV directly from the site so I'm reasonably sure it > shouldn't be deprecated, yet I'm getting these errors: > > > etc/cron.daily/freshclam: > > ERROR: Can't get information about db.# tz zone descriptions (deprecated > version). > > ERROR: getpatch: Can't download daily-22421.cdiff from db.# tz zone > descriptions (deprecated version). > > ERROR: Can't get information about db.# tz zone descriptions (deprecated > version).ERROR: Can't download daily.cvd from db.# tz zone descriptions > (deprecated version). > > Any help would be appreciated. TAG > > PS Tried to look through old threads and didn't see this anywhere but I > only went back a few months. If' it's already been discussed, can you > kindly just direct me to where. > > > ------------------------------ > > Message: 6 > Date: Mon, 24 Oct 2016 22:08:58 -0700 > From: Al Varnell <alvarn...@mac.com> > To: ClamAV users ML <clamav-users@lists.clamav.net> > Subject: Re: [clamav-users] Freshclam Errors - Deprecated version? > Message-ID: <5c7a693a-922f-4d79-86ea-f8fb7aba2...@mac.com> > Content-Type: text/plain; charset="us-ascii" > > That doesn't look like any mirror site I've ever seen listed, but then > they have not gotten around to giving us back the mirror status page. > > Are you located in or close to Tanzania? > > What do you get with the following Command? > > host database.clamav.net > > -Al- > > On Mon, Oct 24, 2016 at 08:56 PM, TAGSIT QAF wrote: > > > > Relative newbie with brand new install. I manually downloaded the latest > > version of ClamAV directly from the site so I'm reasonably sure it > > shouldn't be deprecated, yet I'm getting these errors: > > > > > > etc/cron.daily/freshclam: > > > > ERROR: Can't get information about db.# tz zone descriptions (deprecated > > version). > > > > ERROR: getpatch: Can't download daily-22421.cdiff from db.# tz zone > > descriptions (deprecated version). > > > > ERROR: Can't get information about db.# tz zone descriptions (deprecated > > version).ERROR: Can't download daily.cvd from db.# tz zone descriptions > > (deprecated version). > > > > Any help would be appreciated. TAG > > > > PS Tried to look through old threads and didn't see this anywhere but I > > only went back a few months. If' it's already been discussed, can you > > kindly just direct me to where. > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/pkcs7-signature > Size: 3573 bytes > Desc: not available > URL: <http://lists.clamav.net/pipermail/clamav-users/ > attachments/20161024/fc48448f/attachment-0001.bin> > > ------------------------------ > > Message: 7 > Date: Tue, 25 Oct 2016 10:41:51 -0500 > From: "Chris Nelson" <ch...@goapluscc.com> > To: <clamav-users@lists.clamav.net> > Subject: [clamav-users] Install from source on Ubuntu 8.04 Hardy > Message-ID: <B8324C012C98444BA472494D033181A5@apluschris01> > Content-Type: text/plain; charset="us-ascii" > > OS Ubuntu 8.04.3 Hardy - installed ClamAV 0.99.2 yesterday, and can't seem > to get the daemon / clamd to function. > Installed in /usr/local/sbin - previously had 0.97 and earlier but had the > mpool_malloc() loop issue so had to torch it. > > Here's what I get now when loading rc.local @boot: > -------clip > Mon Oct 24 19:52:54 2016 -> +++ Started at Mon Oct 24 19:52:54 2016 > Mon Oct 24 19:52:54 2016 -> Received 0 file descriptor(s) from systemd. > Mon Oct 24 19:52:54 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: > x86_64, CPU: x86_64) > Mon Oct 24 19:52:54 2016 -> Running as user clamav (UID 111, GID 121) > Mon Oct 24 19:52:54 2016 -> Log file size limited to 4294967295 bytes. > Mon Oct 24 19:52:54 2016 -> Reading databases from /var/lib/clamav > Mon Oct 24 19:52:54 2016 -> Not loading PUA signatures. > Mon Oct 24 19:52:54 2016 -> Bytecode: Security mode set to "TrustSigned". > Mon Oct 24 19:53:11 2016 -> Loaded 4990948 signatures. > > Mon Oct 24 19:53:14 2016 -> ERROR: LOCAL: Socket file > /var/run/clamav/clamd.ctl could not be bound: No such file or directory > -------end clip > > As I'm typically a apt-get package installer, I don't know where to start > looking to ident and resolve the problem for this? > I had previously been getting a simple segmentation fault error at the end > of load echoes from clamd when executing from command line, but fixed that, > I think. > > > If anyone knows a speedy way to inquire with ClamAV authors, please also > let > me know. I'll try the proper channels and see if I can get some insight > from them. > > > Thank you > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > clamav-users mailing list > clamav-users@lists.clamav.net > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml > > ------------------------------ > > End of clamav-users Digest, Vol 143, Issue 20 > ********************************************* > _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
