Hi,

Please find the details requested.

> There are many different ways to solve your problem, but we need a lot
> more information from you. How do you receive these files?

Mainly, we get these viruses via e-mail. We have mail gateways which are used for filtering mail for your customer mail servers. So, daily we get viruses which are not detected by ClamAV running on our mail gateways.

> This is not unusual. Can you let us have your ClamAV configuration?

[root@mailin-04 ~]# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.scan"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
PidFile = "/var/run/clamd.scan/clamd.pid"
LocalSocket = "/var/run/clamd.scan/clamd.sock"
LocalSocketGroup = "mtagroup"
User = "clamscan"
OLE2BlockMacros = "yes"
*** AllowSupplementaryGroups is DEPRECATED ***

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.0
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
main.cld: version 59, sigs: 4564902, built on Mon Nov 25 19:26:15 2019
bytecode.cld: version 331, sigs: 94, built on Thu Sep 19 21:42:33 2019
daily.cld: version 26056, sigs: 4199611, built on Thu Jan 21 18:04:40 2021
bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 21:42:33 2019
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] porcupine.hsb: 121 sigs
[3rd Party] rfxn.ndb: 2039 sigs
[3rd Party] rfxn.hdb: 12927 sigs
[3rd Party] securiteinfoascii.hdb: 90606 sigs
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 19:26:15 2019
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] sigwhitelist.ign2: 10 sigs
[3rd Party] blurl.ndb: 1558 sigs
[3rd Party] junk.ndb: 60121 sigs
[3rd Party] jurlbl.ndb: 1540 sigs
[3rd Party] malwarehash.hsb: 771 sigs
[3rd Party] phish.ndb: 28027 sigs
[3rd Party] rogue.hdb: 372 sigs
[3rd Party] scam.ndb: 12742 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] spamimg.hdb: 200 sigs
[3rd Party] badmacro.ndb: 614 sigs
[3rd Party] jurlbla.ndb: 1561 sigs
[3rd Party] lott.ndb: 2335 sigs
[3rd Party] shelter.ldb: 49 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] spear.ndb: 1 sig
[3rd Party] spearl.ndb: 1 sig
[3rd Party] malware.expert.hdb: 1 sig
[3rd Party] malware.expert.fp: 1 sig
[3rd Party] malware.expert.ldb: 1 sig
[3rd Party] malware.expert.ndb: 1 sig
[3rd Party] foxhole_filename.cdb: 2613 sigs
[3rd Party] foxhole_generic.cdb: 212 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] winnow_phish_complete_url.ndb: 54 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
[3rd Party] urlhaus.ndb: 8201 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
[3rd Party] winnow_spam_complete.ndb: 26 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] scamnailer.ndb: 1 sig
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] phishtank.ndb: 9270 sigs
[3rd Party] porcupine.ndb: 6805 sigs
[3rd Party] securiteinfo.hdb: 127854 sigs
[3rd Party] securiteinfohtml.hdb: 52920 sigs
[3rd Party] securiteinfo.ign2: 142 sigs
[3rd Party] customsig.ndb: 3 sigs
[3rd Party] ebrandidc.ndb: 155 sigs
[3rd Party] ebrandidc.hdb: 12 sigs
Total number of signatures: 13758152

Platform information
--------------------
uname: Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a2179790800000002040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 121, dconf: 121
[root@mailin-04 ~]#

> but please tell us more about your ClamAV installation - for example
> what operating system you're using to run it. For more information
> about what information will be useful see some of my previous posts in
> the list archives, which can be found for example at

ClamAV is installed in our mail gateways as the virus scanner. ClamAV is integrated with MailScanner running on each mail gateway.

[root@mailin-04 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

> Perhaps you can put samples somewhere (safe) on the Web for us to see.

I can put the viruses on an FTP server and share them with you.

> You do not need to do that. You can submit the files to the ClamAV team,
> and for example to one of the third parties which provide signatures,
> e.g. Sanesecurity or Securiteinfo. If you submit samples, then in
> addition to solving your own problem you also provide a useful service
> to the community:

Usually, I forward the virus mails to Sanesecurity.

I hope that I have provided sufficient information for you.

Thanks for your support.

Regards
Chaminda Indrajith

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
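The clamconf -n listing in the mail above is exactly the kind of output a list reader would scan by eye for a stale daily database, a deprecated option, or a database present as both .cvd and .cld. The script below does those checks mechanically. It is an added example, not part of the mail and not ClamAV's own tooling; the sample text is a constructed excerpt of the listing quoted above (most of the [3rd Party] lines are left out), and the function names, the two-day threshold for daily and the explicit "now" argument are my own choices.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the `clamconf -n` output quoted in the mail above;
# only a handful of the many [3rd Party] lines are kept.
CLAMCONF_OUTPUT = """\
Checking configuration files in /etc
Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.scan"
OLE2BlockMacros = "yes"
*** AllowSupplementaryGroups is DEPRECATED ***
Software settings
-----------------
Version: 0.103.0
Database information
--------------------
Database directory: /var/lib/clamav
main.cld: version 59, sigs: 4564902, built on Mon Nov 25 19:26:15 2019
bytecode.cld: version 331, sigs: 94, built on Thu Sep 19 21:42:33 2019
daily.cld: version 26056, sigs: 4199611, built on Thu Jan 21 18:04:40 2021
bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 21:42:33 2019
[3rd Party] hackingteam.hsb: 435 sigs
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 19:26:15 2019
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] spear.ndb: 1 sig
Total number of signatures: 13758152
"""

# Line shapes as they appear in the listing; nothing else is parsed.
OFFICIAL_DB = re.compile(
    r"^(?P<name>\w+)\.(?P<ext>cvd|cld): version (?P<version>\d+), "
    r"sigs: (?P<sigs>\d+), built on (?P<built>.+)$")
THIRD_PARTY = re.compile(r"^\[3rd Party\] (?P<file>\S+): (?P<sigs>\d+) sigs?$")
DEPRECATED = re.compile(r"^\*\*\* (?P<option>\w+) is DEPRECATED \*\*\*$")
VERSION = re.compile(r"^Version: (?P<version>\S+)$")


def parse_timestamp(text):
    """clamconf prints asctime()-style build times, e.g. 'Thu Jan 21 18:04:40 2021'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def parse_clamconf(text):
    """Extract engine version, official and third-party databases and deprecated
    options from `clamconf -n` output."""
    report = {"version": None, "official": [], "third_party": [], "deprecated": []}
    for line in text.splitlines():
        if m := OFFICIAL_DB.match(line):
            report["official"].append({
                "name": m["name"], "ext": m["ext"],
                "version": int(m["version"]), "sigs": int(m["sigs"]),
                "built": parse_timestamp(m["built"]),
            })
        elif m := THIRD_PARTY.match(line):
            report["third_party"].append({"file": m["file"], "sigs": int(m["sigs"])})
        elif m := DEPRECATED.match(line):
            report["deprecated"].append(m["option"])
        elif m := VERSION.match(line):
            report["version"] = m["version"]
    return report


def audit(report, now, max_daily_age=timedelta(days=2)):
    """Return human-readable findings. `now` is passed in explicitly so the check
    is reproducible against an old listing such as the one in the mail."""
    findings = []
    exts_by_name = {}
    for db in report["official"]:
        exts_by_name.setdefault(db["name"], set()).add(db["ext"])
    for name in sorted(exts_by_name):
        # freshclam replaces a .cvd with an incrementally updated .cld; seeing both
        # usually means a leftover file, and the same signatures get loaded twice.
        if exts_by_name[name] == {"cvd", "cld"}:
            findings.append(f"{name}: both .cvd and .cld present, check for a leftover copy")
    for db in report["official"]:
        # daily is republished several times a day; main and bytecode change rarely,
        # so only daily is judged by age here.
        age = now - db["built"]
        if db["name"] == "daily" and age > max_daily_age:
            findings.append(f"daily.{db['ext']}: built {age.days} days before the check")
    for option in report["deprecated"]:
        findings.append(f"deprecated option still set: {option}")
    return findings


if __name__ == "__main__":
    rep = parse_clamconf(CLAMCONF_OUTPUT)
    print(f"ClamAV {rep['version']}, {len(rep['third_party'])} third-party files parsed")
    for finding in audit(rep, now=parse_timestamp("Fri Jan 22 12:00:00 2021")):
        print(finding)
```

Run against the excerpt with a check time of the day after the listing was taken, it reports the duplicated main and bytecode files and the deprecated option but not daily, which was current at the time; move the check time ten days later and the daily age finding appears as well. To use it on a live system, feed it the output of `clamconf -n` and pass `datetime.now()` as `now`.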
