Chances are you are using a version of ClamAV older than 0.100 and/or using
wget/curl to get the updates rather than using the approved methods
(freshclam / cvdupdate).
https://www.clamav.net/documents/end-of-life-policy-eol
https://www.clamav.net/documents/freshclam-faq
Additionally, there are m
While verbose (-v) is helpful in some cases, you probably want to use the debug
option to get the large volume of LibClamAV messages. I find debug is far more
useful than verbose most times.
Maarten
Sent from a tiny keyboard
> On Apr 5, 2021, at 04:17, Vivek Patil via clamav-users
> wrote:
>
In all likelihood, it means that a GET or POST payload contained the
signature. Whether or not the request containing the signature was
successful in injecting it into your site is a question that only you will
be able to answer.
You can use sigtool to find the signature and again to decode the si
Use homebrew unless you absolutely need the release candidate version.
I installed ClamAV 0.103.3 via homebrew on my M1 Mac and it runs pretty
well.
On Wed, Sep 1, 2021 at 3:33 PM Vaughn A. Hart wrote:
> Hi Folks,
>
> So I figured out the issue. It looks like during the install/upgrade that
> n
It depends on the OS, but if you have something like AppArmor or
GrSecurity, you may need to grant the appropriate permissions there to
allow access even for root.
--Maarten
On Thu, Sep 9, 2021 at 2:34 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi!
>
>
To further Ged's point, these signatures that are hitting are extended
logical signatures. Phishing signatures have a very specific format that
are either solely looking at hostnames, host prefixes, link destinations
and alternate text, and displayed hostnames (
https://docs.clamav.net/manual/Signa
Hi Jeff,
You would want to add those .snapshot paths to "ExcludePath" directives
in your clamd.conf file for clamd / clamdscan or use the "--exclude-dir"
option for clamscan.
You'll probably want to write a wrapper script for clamscan to build up
the list of .snapshot directories to ignore at t
All versions of ClamAV prior to 0.103 are essentially EOL at this point.
The only options for Solaris 10 are likely to build from source, along with
all the prerequisites.
--Maarten
On Sat, Nov 6, 2021 at 7:54 AM Sunhux G via clamav-users <
clamav-users@lists.clamav.net> wrote:
>
> We're still o
Cody, it looks like you’re running ClamAV 0.101.2. That version is too old. If
you upgrade to 0.103.4, you should be able to start downloading the db files
again.
What kind of system are you on? Is ClamAV prepackaged for you or did you build
from source?
-Maarten
Sent from a tiny keyboard
>
"If you provided a description that suggests otherwise..." is a past tense
conditional referring to the form submission. That phrase is the equivalent
to this longer "If you put information in the description that suggests the
sample is not clean..."
On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood v
On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
clamav-users@lists.clamav.net> wrote:
> * Arnaud Jacques via clamav-users :
> > Is it just me, or?
>
> Same here:
>
> # clamdscan -V
> ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021
>
> # sigtool -l|tail
> Doc.Malware.Valyria-6923
On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman <
maarten.broek...@gmail.com> wrote:
>
>
> On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> * Arnaud Jacques via clamav-users :
>> > Is it just me, or?
>>
>> Same here:
>>
>> # clamds
I've opened https://github.com/Cisco-Talos/clamav/issues/389 for this
issue. The issue *shouldn't* be causing problems with scanning (it wasn't
causing a problem for me), but if it is please add a comment to the issue
to that effect.
--Maarten
On Wed, Nov 24, 2021 at 11:19 AM Maarten Broekman <
m
Running freshclam after the package is installed should pull any/all of the
files that are missing. That is probably the best way to do it.
--Maarten
On Mon, Jan 17, 2022 at 8:32 AM Nick Howitt via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi,
> I am trying to package ClamAV 0.103.5
On Mon, Jan 17, 2022 at 9:53 AM Andrew C Aitchison via clamav-users <
clamav-users@lists.clamav.net> wrote:
> On Mon, 17 Jan 2022, Nick Howitt via clamav-users wrote:
>
> > - not
> > have to install some uncommon download package and then download them.
> That
> > is making people jump through unn
Looks like the signature was dropped already because sigtool doesn't find
it anymore after I updated the databases through freshclam.
--Maarten
On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Well yes, the fact that it was the only scanner wo
There's not a lot that you can do in Yara rules that you can't do in LDB
sigs... for what it's worth, here's a logical sig that detects the same
thing as the Yara rules...
mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb|
sigtool --decode-sigs
VIRUS NAME: MJB.JS.SendEmailFu
I would double-check to make sure python3 is using the correct CA bundle.
On recent python3 versions, that should be the certifi bundle.
$ which python3
/opt/homebrew/bin/python3
$ /opt/homebrew/bin/python3 --version
Python 3.9.10
$ python3 -m certifi
/opt/homebrew/lib/python3.9/site-packages/certi
What version of ClamAV are you using? July of last year sounds about when
EOL versions of ClamAV were blocked wholesale and the 'acceptable version'
was moved up and all prior versions were blocked. EOL has moved several
times since then as well. Currently, the current stable version is 0.104 and I
do
1. You’re excluding root in the config so you won’t be able to prevent root from
accessing malicious files.
1A. You shouldn’t run clamd as root. Run it as another user (like “clamav” or
“clamd”).
2. You are limiting it to only scan files in /home on-access
2A. You would likely want it to scan the enti
On Tue, Mar 15, 2022 at 1:53 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi there,
>
> On Tue, 15 Mar 2022, Laurent S. via clamav-users wrote:
> >> using Yara's engine in clamav directly is something that has been
> >> brought up time and again. It is possible. My un
That's indicating that there is a link in the email that's displaying
"www.americanexpress.com" but is actually going to "www.amazonbusiness.com".
It's hard to help without seeing the original email code.
On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users <
clamav-users@lists.clamav.net> wrot
The accepted way would be to supply a link to the VirusTotal scan that
didn't detect it.
--Maarten
On Mon, Mar 21, 2022 at 4:36 PM Jorge Bastos wrote:
> It's just the link :P
> How would you be able to test then? ;)
>
> ok won't send again.. but the default virus db doesn't seem to be
> enough
As Ged pointed out, the fact that /home is mounted as a separate
mount-point (even though it's the same device) leads the system to see
them as different filesystems (you can umount /home without umount'ing /).
As a result, your use of cross-fs=no tells clamscan to not cross filesystem
boundaries.
If df is showing them separately, they are considered "separate"
filesystems by the OS even if the device is the same. This is a
'btrfs'-ism. It's one partition with multiple sub-volumes that are treated
as separate.
https://unix.stackexchange.com/questions/621771/fedora-shows-mounted-at-the-same-
I'm not sure if this IS the answer, but my guess would be that ClamAV needs
to access files in /usr/lib64... And it has to scan (and come back with an
OK result) before access is allowed... resulting in scans being blocked
which, in turn, results in ALL processes being blocked while waiting on the
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
There are examples of the wdb format a bit lower on the page. Essentially,
you would create a file "good_urls.wdb" in the same directory as the
existing ClamAV database files and put in an appropriate line to handle the
domains t
What version of ClamAV are you using?
What do the logs show?
If you are before 0.103, then your version is too old.
https://docs.clamav.net/faq/faq-eol.html
Maarten
Sent from a tiny keyboard
> On Jun 22, 2022, at 05:08, Kachare, Ganesh, Vodafone (External) via
> clamav-users wrote:
>
>
>
This is a new signature that was added today. It's rather complicated and,
with the "Test" in the name, I'm not sure it's meant to be published. We'll
have to wait to hear from the ClamAV folks on that matter, but you can
submit it as a false positive (for those Wordpress zips) using the False
posi
It's 100% a bad signature and should get removed.
I just checked the current version of the akismet plugin (
https://wordpress.org/plugins/akismet/) from WordPress and it is detected
by this signature but by nothing else:
https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es
https://www.virusto
Downloading the entire databases unnecessarily (using web browsers, etc) is
banned because it results in higher volumes of data transfer which, in turn,
costs more money. As such, using things other than freshclam or cvdupdate were
explicitly banned.
There’s not much else to say.
Maarten
A "PUA" is a "potentially unwanted application", not necessarily malicious.
You can disable PUA checks by ensuring that your clamd configuration has
"DetectPUA" set to no.
For reference, the signature is looking for bitwise math on CharCodeAt()
operations in HTML files.
VIRUS NAME: PUA.Win.Trojan
is sender, while keeping PUA
> checks still enabled for other cases.
>
> In the past I've not had great success searching entirely on my own.
>
> joe a.
>
> On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
> > A "PUA" is a "potentially
That's the only thing I can think of. I had node 18.6.0 and I'm running
ClamAV 0.105.0. That detected the node binary as having the same virus.
However, when I upload and scan the binary with VirusTotal, their install
of ClamAV does not detect it.
Similarly, after I upgraded to node 18.7.0, my loc
> 6b8627f0b1327ffee606314125862e27 node-v18.7.0-darwin-arm64/bin/node
>
> so I wonder what's up there. As it isn't the same file that you have
> I didn't bother to scan it, but see below for 'strings' etc.
>
> On Tue, 2 Aug 2022, Maarten Broekm
> So how does Kaiji-10003917-0 to Kaiji-10003916-0? Does
> Kaiji-10003916-0 get thrown out, or does it get updated to
> Kaiji-10003917-0?
The way it was explained to me (years ago) is that they are separate
signatures, unrelated except in that they are related to Kaiji. If 10003916-0
was upd
Your best bet would be to have freshclam running on one machine and have the
rest use the Ansible playbook to pull from that “freshclam machine”.
Or, if you want to keep it all Ansible, have the playbook pull the definitions
via freshclam on one machine and then copy to all the others.
-Maart
I'm not sure if the safebrowsing.cld is included in the daily cdiff, but
the current safebrowsing.cld takes between 50 and 70 seconds to *load* into
clamscan, where a copy from February loads in <5 seconds.
safebrowsing data:
Old (fast): ClamAV-VDB:13 Feb 2019 13-16
-0500:48472:3041760:63:X:X:goo
te:
> Maarten,
>
> Thanks for reporting that. There is an ordering difference of the content
> in the latest GDB file which is affecting the load time, and we will be
> fixing that in the next safebrowsing CVD version.
>
> Dave R.
>
> On Wed, Mar 6, 2019 at 10:42 AM Maa
The new safebrowsing cvd (starting with version 48473) seems to be sorted
in a way that increases the load time of that file by several orders of
magnitude.
I have a previous version from February where the entries in the gdb
section are sorted like this:
S2:F:917787cff7b0993917209809ff3d94be
google
> MD5: 70c61f41e52b5a2134ff7e272f5a6df1
>
> SHA256 (safebrowsing.gdb) =
> 7f6645b8d865de3992be1ad5de215afd848acee4c021eed4818fdb760f76b57e
>
> Something must be different.
>
> Dave R.
>
> On Wed, Mar 6, 2019 at 5:39 PM Maarten Broekman via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> The
We've noticed a marked increase in scan times over the last couple of weeks
as well. From the look of it, there's something in the daily file that's
causing it. Whether this is similar to the safebrowsing issue (where the
ordering of entries in the file caused a 3000% increase in time) is unclear.
Given that the PhishTank signatures, specifically, have been causing the
performance issues, no. It's not unreasonable to want to pull them, and
only them, out. Having them in a separate db file would be highly
beneficial to those of us that don't want or need them at all. Barring
that, having a co
Having the Phishtank sigs as an additional optional database would be great
and, from my perspective, well worth the effort since we don't use them.
On Sun, Apr 7, 2019 at 9:44 AM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Tim,
>
>
>
> There are a couple of
Clearly the latest daily.cvd is performing better, but the remaining
"Phishtank" sigs are *not* a majority of the slowness.
I unpacked the current (?) cvd (ClamAV-VDB:09 Apr 2019 03-53
-0400:25414:1548262:63:X:X:raynman:1554796413) and then ran a test scan
with each part to see what the load times
et type 0,
> whereas we’d split the Phishtank.Phishing signatures up by target type to
> reduce scan times of files where the signatures won’t apply. It should
> also speed things up quite a bit for other file types to split those up by
> Target types.
>
>
>
> Further research
Are the "Phish" REPHISH signatures still in the daily or were they removed
as well? Those were causing part of the issue.
--Maarten
On Wed, Apr 17, 2019 at 5:24 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> An additional 3968 Phishtank.Phishing.PHISH_ID_??? signat
Gotcha. Those were slowing the scans down more than the 3000-someodd
PhishTank sigs the last time I tested (Apr 9th).
daily_Phish.ldb Time: 1.612 sec (0 m 1 s)
daily_Phishtank.ldb Time: 0.146 sec (0 m 0 s)
2515 daily_Phish.ldb
3516 daily_Phishtank.ldb
On Wed, Apr 17, 2019 at 7
One problem that we're running into is that we encounter web pages and cgi
scripts that are "inconsistently" normalized. I put "inconsistently" in
quotes because without fully knowing the way ClamAV normalizes files, it is
sometimes difficult to understand why two similar files might be normalized
I think the PUA versions are just potentially unwanted things that exhibit
trojan-like behavior but aren't confirmed trojans.
As for the original question, it looks like it's only using the first part
of that to determine the group of PUAs to ignore.
These are the 'PUA' families (and associated si
I'd have to agree. Bandwidth is the least of the concern. Control is
paramount.
On Tue, Jul 30, 2019 at 7:26 AM Henrik K wrote:
>
> Control. Is it really necessary to go over basic IT management practises
> here?
>
> On Tue, Jul 30, 2019 at 05:13:50PM +, Joel Esler (jesler) via
> clamav-user
That's a hash signature. My guess is that there's a 315 byte file inside the
jar that was marked. The 2.4 version of fop has a 315 byte class file
(PDFColorSpace.class) in it with a different MD5 hash. You might want to
unpack the fop.jar and see if any of the files there match. Chances are
some piec
For my install, I had multiple instances of clamd running (in order to have
different databases loaded for different purposes) and the systemd sockets
were throwing errors about other processes using them, which in turn caused
the additional instances of clamd service units to fail. However, the cl
This signature is hitting false positives. It seems to be a relatively old
signature, but the subsignatures seem to be rather generic so it's
difficult to know why this is supposed to be malicious.
VIRUS NAME: Doc.Downloader.Emotet-7196349-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&
> On Mar 5, 2020, at 05:09, Ashish Poddar via clamav-users
> wrote:
>
>
> Hi all,
>
> We have a situation where we run a clamav daemon to scan files on a system.
> However, in the process, we only use about 10% CPU in the system. We would
> naturally like to increase this number. We were
You can pipe that to sigtool --decode-sigs to see what it is.
What I usually use is:
$ sigtool --find-sigs BAD_RULE | awk '{ print $NF }' | sigtool --decode-sigs
On Thu, Sep 10, 2020 at 9:55 PM Olivier via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi,
>
> I have a virus signature th