Re: [Clamav-users] Outdated Engine warning suppress
Veselin@ wrote:
> Hello, could you please advise if there is a way to run clamscan, suppressing the engine outdated warning:
>
> LibClamAV Warning: ***
> LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
> LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
> LibClamAV Warning: ***
>
> I'm running Debian in a production environment, I cannot afford using the volatile repository, meaning that my engine will always be outdated.

I would say that if you are running in a production environment, you cannot afford to have your antivirus tools be outdated. Either install it from volatile, build it from source, or find a 3rd party package that you can install. An antivirus tool is one thing that you need to keep current.

--
Bowie

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] Rejecting Executables in ZIP Files?
> My question is what am I doing wrong or what do I need to do in order for Clamav to recognize that an archived attachment contains a banned file extension and to reject it immediately?

If you really want to block dangerous runnable attachments, create a .zmd file (and you'll need a .rmd file). For example:

Sanesecurity.Blocked.Zip.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:*

[blocks certain .xxx.exe types, i.e. uses a double extension to fool users, e.g. .doc.exe, .jpg.exe]

Here's a really quickly put together file (and I'm sure it can be greatly improved on), but if you really want to test it:

http://www.sanesecurity.co.uk/clamav/blocked.zmd

You'll need to create a .rmd version of this, to block items in .rar files.

Totally overkill maybe, but the ClamAV engine can do it :)

Cheers,
Steve
Sanesecurity
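As an added example (not code from the post, and not ClamAV's or Sanesecurity's own code), the following Python reproduces the effect of that .zmd line outside the engine: it parses the nine-field signature, then applies its filename regex and its "encrypted" flag to every member of a zip archive. The archive is constructed in memory for the demonstration. The regex is used exactly as written in the post, so the unescaped dot before `exe` matches any single character rather than only a literal dot, and matching is case-sensitive, so a `.JPG.EXE` member would need its own pattern. Later ClamAV releases replaced .zmd/.rmd with the container metadata (.cdb) format, so check the signature documentation for the engine you actually run.

```python
# Added example (not from the post, ClamAV or Sanesecurity): parse .zmd-style
# filename signatures and apply them to the members of a zip archive, the way
# ClamAV 0.9x matched the .zmd filename field against each zip entry name.
import io
import re
import zipfile

# Steve's line, in the nine-field .zmd layout used by ClamAV 0.9x:
# virname:encrypted:filename:normal size:csize:crc32:cmethod:fileno:max depth
# ("*" means "any value" for a field). Only name, encrypted and filename are used here.
ZMD_LINES = [
    r"Sanesecurity.Blocked.Zip.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:*",
]


def parse_zmd(line):
    """Split one .zmd line into its fields and compile the filename regex.
    The regex in the post contains no ':' so a plain split is enough."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    name, encrypted, filename = fields[0], fields[1], fields[2]
    return {
        "name": name,
        "encrypted": None if encrypted == "*" else int(encrypted),
        "filename_re": re.compile(filename),   # case-sensitive, as written
    }


def flag_zip_entries(zip_bytes, signatures):
    """Return [(entry_name, signature_name)] for every archive member whose
    name matches a signature's filename regex and, when the signature pins
    it, whose zip encryption flag (bit 0 of the general-purpose flags) agrees."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = info.flag_bits & 0x1
            for sig in signatures:
                if sig["encrypted"] is not None and sig["encrypted"] != encrypted:
                    continue
                if sig["filename_re"].search(info.filename):
                    hits.append((info.filename, sig["name"]))
    return hits


def build_sample_zip():
    """Constructed test archive: two double-extension executables, a plain
    document and a single-extension executable the signature does not target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ not a real executable")
        zf.writestr("holiday.jpg.exe", b"MZ not a real executable")
        zf.writestr("report.doc", b"plain document")
        zf.writestr("setup.exe", b"MZ not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    sigs = [parse_zmd(line) for line in ZMD_LINES]
    for entry, sig_name in flag_zip_entries(build_sample_zip(), sigs):
        print("%s: %s FOUND" % (entry, sig_name))
```

Run it as-is to see `invoice.pdf.exe` and `holiday.jpg.exe` flagged while `report.doc` and `setup.exe` pass; to try further patterns, append more lines to `ZMD_LINES` in the same nine-field layout.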
Re: [Clamav-users] Outdated Engine warning suppress
Veselin@ wrote:
> I'm running Debian in a production environment, I cannot afford using the volatile repository,

On Wed, 15 Oct 2008, Bowie Bailey wrote:
> Either install it from volatile, build it from source, or find a 3rd party package that you can install. An antivirus tool is one thing that you need to keep current.

If you are concerned about a new version of clamav 'failing', you may want to consider installing the volatile version separately, and keep the stable version as 'backup'. Then you could create a piece of code (in procmail, or wherever convenient) to check that the volatile ClamAV did not return an error. If it does, run the stable version, which you can store separately, but still use the same database.

Naturally, until you discover the problem with the latest version, you'll take a performance hit, but this provides maximal AV protection for the system. Better than continuing to run on an out-dated engine.

My 0.02 dollars.

- Charles
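The wrapper Charles describes, as an added example that is not code from the post: it runs the newer clamscan first and only falls back to the distribution's stable clamscan when the newer engine fails. clamscan's documented exit codes are 0 (no virus found), 1 (virus found) and 2 (an error occurred); 0 and 1 are trusted verdicts, anything else triggers the fallback. The two binary paths and the database directory are assumptions, not values from the thread, and `stub_engine` exists only so the wrapper can be exercised on a machine without clamscan installed.

```python
# Added example, not code from the post: run a newer clamscan build first and
# fall back to the distribution's stable clamscan only when the newer engine
# fails, as Charles suggests doing from procmail.
# clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = an error occurred.
import subprocess
import sys

PRIMARY_ENGINE = ["/usr/local/bin/clamscan"]   # assumed: volatile / self-built engine
FALLBACK_ENGINE = ["/usr/bin/clamscan"]        # assumed: Debian stable package
DATABASE_DIR = "/var/lib/clamav"               # assumed: one database dir shared by both

CLEAN, INFECTED, ERROR = 0, 1, 2


def run_engine(engine, path, database=DATABASE_DIR):
    """Run one clamscan command line on `path` and return its exit status.
    A missing or unexecutable binary is reported as ERROR, like an engine failure."""
    argv = list(engine) + ["--quiet", "--no-summary", "--database=" + database, path]
    try:
        return subprocess.run(argv, check=False).returncode
    except OSError:
        return ERROR


def scan_with_fallback(path, primary=PRIMARY_ENGINE, fallback=FALLBACK_ENGINE,
                       database=DATABASE_DIR):
    """Return (exit_status, engine_name).

    A verdict (CLEAN or INFECTED) from the primary engine is final. Any other
    status means the engine itself failed, so the same file is rescanned with
    the stable engine and that result is returned instead."""
    rc = run_engine(primary, path, database)
    if rc in (CLEAN, INFECTED):
        return rc, "primary"
    return run_engine(fallback, path, database), "fallback"


def stub_engine(exit_status):
    """Stand-in 'engine' that exits with a fixed status; it ignores the scan
    arguments, so the wrapper can be tried without clamscan installed."""
    return [sys.executable, "-c", "import sys; sys.exit(%d)" % exit_status]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: scan the given file and pass clamscan's status on to the caller.
        status, engine = scan_with_fallback(sys.argv[1])
        print("%s: status %d via %s engine" % (sys.argv[1], status, engine))
        sys.exit(status)
    # Dry run with stubs on a constructed file name: a broken primary engine is
    # bypassed, a verdict from it is not.
    print(scan_with_fallback("sample.eml", stub_engine(ERROR), stub_engine(CLEAN)))
    print(scan_with_fallback("sample.eml", stub_engine(INFECTED), stub_engine(CLEAN)))
```

From procmail, invoke the script with the message file as its argument and branch on the exit status exactly as you would on clamscan's own; both engines read the same database directory, which is the arrangement Charles describes.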
Re: [Clamav-users] Outdated Engine warning suppress
On Wed, 15 Oct 2008 13:00:07 +0100, clamav-users-bounces wrote
> I'm running Debian in a production environment, I cannot afford using the volatile repository, meaning that my engine will always be outdated.

I too run in a Production environment, and I cannot afford NOT to use the volatile repository. That's the nature of Spam/Viruses. It's a volatile world. Live with it.

--
Bill Maidment
Maidment Enterprises Pty Ltd
www.maidment.vu
One-armed Consultant to Elgas Ltd
Phone: 02 9904 3364
[Clamav-users] clamscan of hqx files and
We are using clamav .94 on solaris 10. We are having problems scanning large hqx files using clamscan. I define large as over 1 Gig. The error we are receiving is:

LibClamAV Error: cli_malloc(): Can't allocate memory (8 bytes).

The root cause is the server runs out of memory and then generates the error, but the process never ends and the server is starved for memory. The same thing happens when running clamdscan where we direct the file to clamd. This does not happen when scanning large tar.gz or simple tar files. This is only happening with large hqx files. Smaller hqx files work fine.

We are able to skip the files by limiting the size to scan using --max-filesize=, but then we will be skipping other large files that we would like to scan such as large zip files. We tried setting --max-scansize, but it does not seem to work in solaris 10. I tested the --max-scansize on a tar.gz file.

Here is the size of the compressed file:
242916 Oct 15 12:35 text.gz

Here is the size of the uncompressed file:
4436290 Oct 15 12:35 text.gz

/opt/clam/bin/clamscan -v /test/text.gz -i --tempdir=/tmp/clam/tmp --move=/tmp/clam/infected --max-files=1000 00 --max-filesize=99 --max-scansize=99 --max-recursion=25 --max-dir-recursion=50

/opt/clam/bin/clamscan -v /test/text.gz -i --tempdir=/tmp/clam/tmp --move=/tmp/clam/infected --max-files=1000 00 --max-filesize=4096m --max-scansize=4096m --max-recursion=25 --max-dir-recursion=50

Here is the summary I see, which indicates the entire file was scanned.

--- SCAN SUMMARY ---
Known viruses: 446121
Engine version: 0.94
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 4.46 MB
Time: 4.420 sec (0 m 4 s)

I also tried testing using the debug option. Not much additional information was provided. Most of the debug output involves reading the virus definitions. Once the scan of the file occurs, there is the line indicating a file is larger than 400kb. Not quite sure where the 400kB came from.

LibClamAV debug: Submodule ENGINE: On
LibClamAV debug: Submodule ENTCONV: On
Scanning /test/text.gz
LibClamAV debug: Recognized GZip file
LibClamAV debug: in cli_scangzip()
LibClamAV debug: in cli_scanscript()
LibClamAV debug: cli_scanscript: exiting (file larger than 400 kB)
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

--- SCAN SUMMARY ---
Known viruses: 446121
Engine version: 0.94
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 4.46 MB
Time: 4.330 sec (0 m 4 s)

Any recommendations on what to do next?

Brian
[Clamav-users] Outdated Engine warning suppress
Hello, could you please advise if there is a way to run clamscan, suppressing the engine outdated warning:

LibClamAV Warning: ***
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***

I'm running Debian in a production environment, I cannot afford using the volatile repository, meaning that my engine will always be outdated.

Thank you.
Veselin
Re: [Clamav-users] clamscan of hqx files and
On 2008-10-15 20:00, Sturgeon, Brian (CL Tech Sv) wrote:
> We are using clamav .94 on solaris 10. We are having problems scanning large hqx files using clamscan. I define large as over 1 Gig. The error we are receiving is LibClamAV Error: cli_malloc(): Can't allocate memory (8 bytes).

Hi,

I would need a way to reproduce the problem, but sending us that 1 Gig file is out of the question. Can you show me how to create such large hqx files out of files I already have? (I can find / create 1G+ files, no problem).

Please open a bugreport so that we can further track this issue. Some info to get started with:
- how much memory do you have?
- your 'ulimit -a' settings
- use truss to get a system call trace, and attach it to the bugreport
- if you know how to use gdb, put a breakpoint at cli_errmsg, and show us a stacktrace (see http://clamav.net/bugs)

Why do you need to scan such large files? Does it have some sort of an archive inside it?

> The root cause is the server runs out of memory and then generates the error, but the process never ends and the server is starved for memory. The same thing happens when running clamdscan where we direct the file to clamd. This does not happen when scanning large tar.gz or simple tar files. This is only happening with large hqx files. Smaller hqx files work fine.
>
> We are able to skip the files by limiting the size to scan using --max-filesize=, but then we will be skipping other large files that we would like to scan such as large zip files. We tried setting --max-scansize, but it does not seem to work in solaris 10. I tested the --max-scansize on a tar.gz file.
>
> Here is the size of the compressed file:
> 242916 Oct 15 12:35 text.gz
>
> Here is the size of the uncompressed file:
> 4436290 Oct 15 12:35 text.gz
>
> /opt/clam/bin/clamscan -v /test/text.gz -i --tempdir=/tmp/clam/tmp --move=/tmp/clam/infected --max-files=1000 00 --max-filesize=99 --max-scansize=99 --max-recursion=25 --max-dir-recursion=50
>
> /opt/clam/bin/clamscan -v /test/text.gz -i --tempdir=/tmp/clam/tmp --move=/tmp/clam/infected --max-files=1000 00 --max-filesize=4096m --max-scansize=4096m --max-recursion=25 --max-dir-recursion=50
>
> Here is the summary I see, which indicates the entire file was scanned.

The --max-scansize argument is in units of kilobytes, so --max-scansize=99 is equivalent to --max-scansize=976M, there is no bug here.

> I also tried testing using the debug option. Not much additional information was provided. Most of the debug output involves reading the virus definitions. Once the scan of the file occurs, there is the line indicating a file is larger than 400kb. Not quite sure where the 400kB came from.

The 400kb is the limit for the generic text scanner, and it doesn't limit scanning the file itself. The file was still scanned, but not with type-7 signatures.

Best regards,
--Edwin
[Clamav-users] False positive? PUA.Script.Packed-1
It seems that PUA.Script.Packed-1 matches some code in jQuery http://jquery.com/

This caused problems for one of my users who tried to email a copy of a web page as a .mht attachment, which happened to include a copy of jQuery.

http://www.independent.co.uk/news/obituaries/professor-brian-cox-english-scholar-poet-and-editor-of-critical-quarterly-whose-black-papers-sparked-debate-on-education-817250.html

I've advised the user to email links instead of whole pages, but I'm wondering why jQuery is classed as a PUA - is this deliberate or is it a false positive?

Tony.
--
f.anthony.n.finch [EMAIL PROTECTED] http://dotat.at/
DOVER WIGHT PORTLAND PLYMOUTH: SOUTH 4 AT FIRST IN DOVER AND WIGHT, OTHERWISE WEST 3 OR 4, INCREASING 5 AT TIMES. SLIGHT OR MODERATE. OCCASIONAL DRIZZLE. MODERATE OR GOOD, OCCASIONALLY POOR AT FIRST AND LATER.
[Clamav-users] Virus in main.ndb?
I am using clamav 0.94. I copied /usr/local/share/clamav to /usr/local/share/clamav15102008 because there were problems in getting the newest database today. Then I checked /usr/local/share/clamav15102008 with Avira Antivir VDF version: 7.0.7.45 and got:

...
/usr/local/share/clamav15102008/clamav-9b1f9101b552c3c73d3d329f9af51d34/main.ndb
Date: 04.09.2008 Time: 23:58:36 Size: 15130379
ALERT: [HTML/Crypted.Gen] /usr/local/share/clamav15102008/clamav-9b1f9101b552c3c73d3d329f9af51d34/main.ndb
Contains detection pattern of the HTML script virus HTML/Crypted.Gen
...

What does that mean?
Re: [Clamav-users] Virus in main.ndb?
It means avira found one of our definitions and thought it was a virus? This isn't uncommon...

On Wed, Oct 15, 2008 at 2:41 PM, Markus Egg [EMAIL PROTECTED] wrote:
> I am using clamav 0.94. I copied /usr/local/share/clamav to /usr/local/share/clamav15102008 because there were problems in getting the newest database today. Then I checked /usr/local/share/clamav15102008 with Avira Antivir VDF version: 7.0.7.45 and got:
>
> ...
> /usr/local/share/clamav15102008/clamav-9b1f9101b552c3c73d3d329f9af51d34/main.ndb
> Date: 04.09.2008 Time: 23:58:36 Size: 15130379
> ALERT: [HTML/Crypted.Gen] /usr/local/share/clamav15102008/clamav-9b1f9101b552c3c73d3d329f9af51d34/main.ndb
> Contains detection pattern of the HTML script virus HTML/Crypted.Gen
> ...
>
> What does that mean?

--
http://www.volatileminds.net
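As an added example (not from the thread and not ClamAV code), here is a small decoder for .ndb lines that shows what such a "definition" consists of: ClamAV's .ndb format is `MalwareName:TargetType:Offset:HexSignature[:MinFLevel[:MaxFLevel]]`, and the hex body is the byte sequence of the thing being detected, interrupted by wildcards such as `??` (any byte), `*` (any gap) and `{n-m}` (bounded gap). The decoder splits the body into its literal byte runs and does an ordered substring match with them. The signature line below is constructed for the demonstration and is not a real ClamAV entry; the target-type table covers the 0.9x-era values.

```python
# Added example (not from the thread or ClamAV): decode a .ndb line into the
# literal byte runs it detects, and match them in order against sample data.
# The .ndb line and the HTML samples are constructed for this demonstration.
import re

# Constructed line: target type 3 (HTML), any offset, "<script>" then a gap
# then "eval(unescape(" in hex. Not a real ClamAV signature.
SAMPLE_NDB_LINE = "Example.HTML.EvalUnescape:3:*:3c7363726970743e*6576616c28756e65736361706528"

# ClamAV 0.9x-era target types as listed in its signature documentation.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail",
                5: "Graphics", 6: "ELF", 7: "ASCII text"}

# One token of a hex signature: a ?? wildcard, a * gap, a {n-m} gap, or one hex byte.
_TOKEN = re.compile(r"\?\?|\*|\{\d*-?\d*\}|[0-9a-fA-F]{2}")


def parse_ndb(line):
    """Split a .ndb line into name, target type, offset and hex body."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a .ndb line: %r" % line)
    target = int(parts[1])
    return {
        "name": parts[0],
        "target": TARGET_TYPES.get(target, "type %d" % target),
        "offset": parts[2],
        "hexsig": parts[3],
    }


def literal_segments(hexsig):
    """Return the literal byte runs of a hex signature, in order, split at
    wildcards. Other syntax (alternations, nibble wildcards) is rejected."""
    segments, current, pos = [], bytearray(), 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d in %r" % (pos, hexsig))
        tok = m.group()
        if len(tok) == 2 and tok != "??":
            current.append(int(tok, 16))
        elif current:                 # ??, * or {n-m}: close the current run
            segments.append(bytes(current))
            current = bytearray()
        pos = m.end()
    if pos != len(hexsig):
        raise ValueError("unsupported syntax at offset %d in %r" % (pos, hexsig))
    if current:
        segments.append(bytes(current))
    return segments


def matches(segments, data):
    """Ordered substring search: each literal run must occur after the previous
    one. ClamAV's matcher additionally honours gap bounds and ?? positions;
    this simplification treats every wildcard as 'anything'."""
    pos = 0
    for seg in segments:
        idx = data.find(seg, pos)
        if idx < 0:
            return False
        pos = idx + len(seg)
    return True


if __name__ == "__main__":
    sig = parse_ndb(SAMPLE_NDB_LINE)
    runs = literal_segments(sig["hexsig"])
    print(sig["name"], "targets", sig["target"], "and looks for", runs)
    # Constructed samples: an obfuscated page and a harmless one.
    print(matches(runs, b"<html><script>document.write(eval(unescape('%3C%62')))</script>"))
    print(matches(runs, b"<script>alert(1)</script>"))
```

Decoding a line this way is also a quick sanity check when reviewing third-party or self-written .ndb signatures: a run like `<script>` followed by `eval(unescape(` is obviously the fragment of script the signature wants to catch, which is why a database file is, by its nature, full of such fragments.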