Also, we have shipped detection which detects the same things Fireeye was detecting and much more, also rewritten to be more efficient in the official ruleset.
Sent from my iPhone

> On Dec 14, 2020, at 18:54, G.W. Haywood via clamav-users <[email protected]> wrote:
>
> Hi there,
>
>> On Mon, 14 Dec 2020, Sandeep Talla wrote:
>>
>> ... *fireeye.ldb* file under the directory /var/lib/clamav/ ...
>> ... Clamscam is not picking up the *fireeye.ldb* file when
>
> Clamscam. I like that. :)
>
>> we verify the Freshclam.log and clamav.log files.
>
> Freshclam will not update the Fireeye data unless it is both available
> from a mirror which freshclam can recognize and the mirror location is
> given in freshclam.conf using the 'DatabaseCustomURL' option. See the
> man page for freshclam.conf for more information. Freshclam will not
> mention the file in its logs unless it updates it. But freshclam only
> updates the files; it does not affect whether or not clamd loads them,
> and it has no effect on clamscan at all.
>
> I do not know what the 'clamav.log' file contains; perhaps it is only
> found on Ubuntu systems.
>
> When clamd has reloaded its databases you will see that it writes in
> its log the number of signatures which it has loaded. It's quite a
> large number, of the order of ten million, but you should see that
> after you have the Fireeye data in the correct location and clamd has
> reloaded the data, there are 23 more signatures than the last time
> clamd loaded the data. Below is an extract from my clamd server log.
> I downloaded the file from the URL you gave, dropped it in the clamd
> database directory, and issued a RELOAD command using telnet. As you
> can see, there are 23 more signatures after the reload.
>
> pi4b530214:/var/log/clamav# grep -i reload clamd.2.log | tail -n 3
> Mon Dec 14 22:42:18 2020 -> Database correctly reloaded (11352914 signatures)
> Mon Dec 14 23:12:35 2020 -> got command RELOAD (7, 2), argument:
> Mon Dec 14 23:13:39 2020 -> Database correctly reloaded (11352937 signatures)
>
> What is the size of your fireeye.ldb file? Have you checked it with a
> pager to make sure that it looks OK? It should be 26 lines of text.
> Some of them are very long.
>
>> Are there any configuration settings that need to be added for *clamd.conf* or
>> *freshclam.conf* in order to pick up the fireeye.ldb file during clamscan?
>
> Freshclam.conf is irrelevant. Do you have in clamd.conf the option
>
> --official-db-only
>
> set to 'yes'? See the clamd man page for more information.
>
> If you run
>
> clamscan --debug some_test_file
>
> and pipe the output to a pager or through grep or something, you see
> listed in the (long) output all the databases which clamscan loads:
>
> ged@pi4b530214:~ $ clamscan --debug phish-test 2>&1 | grep loaded
> LibClamAV debug: unrar support loaded from libclamunrar_iface.so.9
> LibClamAV debug: daily.info loaded
> LibClamAV debug: daily.cfg loaded
> ...
> ...
> LibClamAV debug: /EXPORTS/clamav/databases/all-clam.ldb loaded
> ...
> ...
>
> HTH
>
> --
>
> 73,
> Ged.
>
> _______________________________________________
>
> clamav-users mailing list
> [email protected]
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
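The checks Ged walks through above (compare the signature count clamd logs before and after a RELOAD, sanity-check the .ldb file itself, and make sure clamd is not restricted to official databases) can be scripted. The following POSIX shell script is an added example and is not code from the thread or from the ClamAV project. It assumes the clamd log format quoted above, the `OfficialDatabaseOnly` option in clamd.conf (the clamd.conf spelling of the flag Ged mentions), and that a logical signature line has at least four `;`-separated fields (name, target description, logical expression, first subsignature). The sample log lines are the ones quoted in the thread; the sample .ldb lines are constructed dummies, not real FireEye signatures.

```shell
#!/bin/sh
# Added example: verify that a custom .ldb database actually made it into
# clamd, using only the clamd log, the .ldb file and clamd.conf.

# Print the signature count from every "Database correctly reloaded" line.
reload_counts() {
    # $1: path to the clamd log
    grep -i 'Database correctly reloaded' "$1" \
        | sed -n 's/.*reloaded (\([0-9][0-9]*\) signatures).*/\1/p'
}

# Difference between the last two reload counts; prints 0 and returns 1
# if the log does not yet contain two reloads.
reload_delta() {
    counts=$(reload_counts "$1" | tail -n 2)
    n=$(printf '%s\n' "$counts" | grep -c .) || true
    [ "$n" -eq 2 ] || { echo 0; return 1; }
    prev=$(printf '%s\n' "$counts" | head -n 1)
    last=$(printf '%s\n' "$counts" | tail -n 1)
    echo $((last - prev))
}

# Count signature lines in a .ldb (blank lines and '#' comments skipped) and
# fail if any line has fewer than the 4 fields name;target;logic;subsig.
# The printed count is what the reload delta should match.
ldb_sig_count() {
    awk -F';' '
        /^[[:space:]]*(#|$)/ { next }
        NF < 4 { bad++; next }
        { ok++ }
        END { print ok + 0; exit (bad > 0) }' "$1"
}

# Return 0 if clamd.conf restricts clamd to official databases, in which
# case a custom .ldb in the database directory is silently ignored.
official_only_enabled() {
    grep -Eiq '^[[:space:]]*OfficialDatabaseOnly[[:space:]]+(yes|true)' "$1"
}

# Constructed sample inputs: log lines as quoted in the thread, dummy .ldb.
write_sample_log() {
    cat > "$1" <<'EOF'
Mon Dec 14 22:42:18 2020 -> Database correctly reloaded (11352914 signatures)
Mon Dec 14 23:12:35 2020 -> got command RELOAD (7, 2), argument:
Mon Dec 14 23:13:39 2020 -> Database correctly reloaded (11352937 signatures)
EOF
}

write_sample_ldb() {
    cat > "$1" <<'EOF'
# constructed example database, not real signatures
Example.Sig.A;Engine:51-255,Target:0;0&1;4142;4344
Example.Sig.B;Target:0;0;45464748
EOF
}

# Run the checks against the constructed samples.
demo() {
    d=$(mktemp -d)
    write_sample_log "$d/clamd.log"
    write_sample_ldb "$d/fireeye.ldb"
    printf 'OfficialDatabaseOnly no\n' > "$d/clamd.conf"
    echo "signatures in .ldb:        $(ldb_sig_count "$d/fireeye.ldb")"
    echo "increase on last reload:   $(reload_delta "$d/clamd.log")"
    if official_only_enabled "$d/clamd.conf"; then
        echo "OfficialDatabaseOnly is set: custom databases will be ignored"
    else
        echo "OfficialDatabaseOnly not set: custom databases are loaded"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Against a live system, point `reload_delta` at the real clamd log after issuing RELOAD and compare the result with `ldb_sig_count` of the file you dropped in; a delta of 0 together with `official_only_enabled` succeeding is the usual explanation for a database that is present on disk but never counted.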
