Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-10 Thread Sunny Marwah
Same question again: Chrome doesn't open malicious links because it labels
them dangerous as per "Safebrowsing". Then why is ClamAV not able to
identify such malicious links when the "Safebrowsing" option is already
enabled?

On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) 
wrote:

> Our replies may be getting filtered by your email provider because you
> included a malicious link in the email chain. :D  I removed the link from
> this reply.
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>
>
> Still no reply on this matter.
>
> On Fri, Dec 7, 2018 at 6:17 PM Sunny Marwah 
> wrote:
>
>> Hi Al Varnell,
>>
>> Below is the URL which was mentioned in HTML template :
>>
>>
>> Chrome doesn't open it because it labels it dangerous as per
>> "Safebrowsing". Then why is ClamAV not able to identify it when the "Safebrowsing"
>> option is already enabled?
>>
>> Looking to hear from you on this.
>>
>> Regards
>> Sunny
>>
>> On Fri, Dec 7, 2018 at 5:50 PM Al Varnell  wrote:
>>
>>> If you won't provide the URL to the rest of us users, then we can't help
>>> you. You'll have to wait to see if the development team gets back to you.
>>>
>>> -Al-
>>>
>>> On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
>>>
>>> Hi Al Varnell,
>>>
>>> I have already gone through
>>> https://www.clamav.net/documents/safebrowsing.
>>>
>>> I have already shared that URL with one of the ClamAV development team
>>> members.
>>>
>>> I did not understand your point when you said --- "You will probably
>>> need to obfuscate it in order to get it through the mail system, something
>>> like httx://".
>>>
>>> My purpose behind using ClamAV is to scan a Linux server plus the HTML
>>> templates which we regularly receive on the server.
>>>
>>> And the reason behind using the "Safebrowsing" option is to detect deceptive,
>>> phishing URLs in HTML templates in the same way Chrome warns us before
>>> opening such URLs. I want ClamAV to detect files which contain deceptive,
>>> phishing URLs as "Infected".
>>>
>>> Waiting for your quick and needful response.
>>>
>>> Regards
>>> Sunny
>>>
>>> On Fri, Dec 7, 2018 at 5:22 PM Al Varnell  wrote:
>>>
 Have you read the explanation at <
 https://www.clamav.net/documents/safebrowsing>?

 Please provide the phishing URL that is failing. You will probably need
 to obfuscate it in order to get it through the mail system, something like
 httx://

 -Al-

 On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:

 Hello Micah & Team,

 Have not received any response on my last email.

 Also, I have enabled the Safebrowsing option in freshclam.conf as suggested
 by you.

 Still I can see that ClamAV is not working properly. There is one file
 placed on the server and there is one phishing URL in that file. That
 URL is so deceptive that Chrome is not letting us open it, labeling it
 as a "Deceptive" URL.

 Why is ClamAV still not able to find that file as "Infected" when
 scanning, even after enabling the "Safebrowsing" option?

 Waiting for your quick and needful response.

 Regards
 Sunny

 On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah 
 wrote:

> Hi Micah,
>
> Thanks for letting me know about enabling SafeBrowsing CVD option in
> ClamAV.
>
> Google Safe Browsing puts a website into the 3 categories mentioned below:
> 1 Secure
> 2 Info or Not secure
> 3 Not secure or Dangerous
>
> Curious to know how ClamAV will categorize the HTML file. Let's say,
> if any "Not secure or Dangerous" URL is found, will ClamAV show it as an
> infected file in the scanning summary? If this is the case, I guess in case a
> "Secure" URL is found, it will show as OK. And what if a URL is found to be
> "Info or Not secure"?
>
> Regards
> Sunny
>
>
> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <
> micas...@cisco.com> wrote:
>
>> It may be worth mentioning that in addition to the [optional]
>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>> including PhishTank signatures late last month.
>>
>> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>>
>>
>> On Dec 6, 2018, at 3:27 AM, Al Varnell  wrote:
>>
>> Frankly, I'm surprised that ClamAV finds any such URLs. They are way
>> too dynamic (blacklisted one day and removed the next). ClamAV does malware
>> detection over the long haul and trying to keep up with fraudulent web
>> sites would be a full time job and better done by other means (e.g. Google
>> Safe Browsing).
>>
>> -Al-
>>
>> On Wed, Dec
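The detection being asked for in this thread, as an added example that is not part of the thread and is not ClamAV code: a small triage script that pulls every anchor out of an HTML template and reports the deception patterns ClamAV's own phishing module looks for (visible text naming one host while the href points at another, which ClamAV reports as Heuristics.Phishing.Email.SpoofedDomain; a user@host cloak; a raw IP or punycode host). Running it over a template first tells you whether the file contains a structurally deceptive link or merely a URL that happens to be on Google's list at the moment, which is Al's point above. The HTML sample is constructed and the reason labels are this script's own.

```python
"""Flag deceptive anchors in an HTML template.

Added example, not ClamAV code.  It reproduces the kind of checks ClamAV's
phishing module makes (display text naming one host while the href points
at another, a user@host cloak, a raw IP or punycode host) on a constructed
HTML sample, so a template can be triaged before blaming the scanner.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one honest link and three deceptive ones.
SAMPLE_HTML = """<html><body>
<p>Dear customer, please <a href="https://example.com/login">sign in</a>.</p>
<p>Or use <a href="http://login.example.net/verify">https://www.example.com/login</a></p>
<p>Update at <a href="http://example.com@198.51.100.7/acct">example.com</a></p>
<p><a href="http://xn--exmple-cua.com/">click here</a></p>
</body></html>"""

_URLISH = re.compile(r"(https?://|www\.)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Lower-cased host with any leading 'www.' removed; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    return bool(_URLISH.fullmatch(text.strip().lower()))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_reasons(href, text):
    """Return the list of deception indicators for one anchor (empty if none)."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    target = host_of(href)
    # The visible text names a host, but the link goes somewhere else.
    if looks_like_url(text) and host_of(text) != target:
        reasons.append("SpoofedDomain")
    # user@host cloak: everything before '@' is decoration, the real host follows.
    if parts.username is not None:
        reasons.append("Cloaked.Username")
    if is_ip_literal(target):
        reasons.append("NumericHost")
    if any(label.startswith("xn--") for label in target.split(".")):
        reasons.append("IDNHost")
    return reasons


def find_deceptive_links(html):
    findings = []
    for href, text in extract_links(html):
        reasons = link_reasons(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f["href"], "<-", repr(f["text"]), ",".join(f["reasons"]))
```

Two things to check before concluding that ClamAV has missed something: PhishingSignatures and PhishingScanURLs must be enabled in clamd.conf (they are by default), and a freshly downloaded safebrowsing.cvd is only consulted once the engine has reloaded its databases (clamscan loads them on every run, clamd on its SelfCheck or a RELOAD). ClamAV's own SpoofedDomain check is also limited to the domains listed in daily.pdb, so a spoof of a brand outside that list will not fire even though the script above would report it.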

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Dennis Peterson
You were using curl (I did remember that after I posted as I'd helped you sort 
out curl options to do what you wanted) to explore what was available on the 
servers compared to what was on the DNS TXT record, and that was outside 
process. It also ignored cdiff files that may have been available in a version 
that matched the TXT record. The purpose of the cdiff files is to cut down on 
bandwidth.


dp

On 12/10/18 6:34 PM, Paul Kosinski wrote:

We ARE using freshclam to perform the actual update. And always have
been!

We've only been using curl (not wget, if that matters) to pull the first
few bytes of the cvd to see if its version number matches what the DNS
TXT query said.

We do this because, after the conversion to Cloudflare, we were getting
lots of FAILURES where *freshclam* said things were out of sync (and
eventually disabled all the mirrors).

And we have recently seen that our Web server sometimes can get the new
updates (from IAD) *hours* before our main LAN does (from BOS).

P.S. It's been quite frustrating getting some replies seemingly based on
assumptions that we are doing things we shouldn't, when we aren't in
fact doing those things. (Like not using freshclam.)



On Mon, 10 Dec 2018 16:46:42 -0800
Dennis Peterson  wrote:


Exactly right. We can't be blaming the ClamAV process when we don't
use the ClamAV process. People that don't use freshclam should have
no expectation of high reliability. In fact any expectations are
baseless when the wrong tools are employed.

dp

On 12/9/18 5:44 AM, Joel Esler (jesler) wrote:

As it should be.  No one should be downloading the daily and main,
(although thousands are), cdiffs were created for a reason.

Sent from my  iPhone


On Dec 9, 2018, at 06:58, Eric Tykwinski 
wrote:

  From back in archives, I think he’s using wget to just pull the
files, but freshclam would just pull the cdiffs and keep you up to
date on the next check.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml





Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Eric Tykwinski
Paul,

Sorry some of this confusion is probably my fault trying to help without going 
back to the whole thread.

> On Dec 10, 2018, at 9:34 PM, Paul Kosinski  wrote:
> 
> We ARE using freshclam to perform the actual update. And always have
> been!
> 
> We've only been using curl (not wget, if that matters) to pull the first
> few bytes of the cvd to see if its version number matches what the DNS
> TXT query said.
> 
> We do this because, after the conversion to Cloudflare, we were getting
> lots of FAILURES where *freshclam* said things were out of sync (and
> eventually disabled all the mirrors).

Have you tried what I did below?  I.E. curl/wget/telnet whatever your flavor of 
the day, and pull the newest cdiff?
If you’re getting a 404, that’s definitely an issue.  

My guess is that it’s actually timing out though, and could be more of an issue 
troubleshooting.
Is it local, ie an IDP getting stuck scanning the files, or remotely freshclam 
itself is timing out on BOS pulling the update from ClamAV and caching it 
before you can download it.

> And we have recently seen that our Web server sometimes can get the new
> updates (from IAD) *hours* before our main LAN does (from BOS).

Those hours before are only checking the CVDs, which can be and probably are 
cached on CloudFlare, so not up to date.
My guess is that there are just more people in Boston using Clam, so the cache 
lasts the longest.

> P.S. It's been quite frustrating getting some replies seemingly based on
> assumptions that we are doing things we shouldn't, when we aren't in
> fact doing those things. (Like not using freshclam.)

I would agree, this has gone on a long time from my recollection, which is why 
I jumped in and started looking at it.
Definitely, I did hop on without all the facts and was just trying to figure 
out on the fly what’s going on, so my bad on that.

When in doubt, I usually pull a pcap on a server.  There’s a lot of factors 
that can come into play, but actually with clam only using http, this actually 
makes it a lot easier.

Sincerely,

Eric Tykwinski




Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Paul Kosinski
We ARE using freshclam to perform the actual update. And always have
been!

We've only been using curl (not wget, if that matters) to pull the first
few bytes of the cvd to see if its version number matches what the DNS
TXT query said.

We do this because, after the conversion to Cloudflare, we were getting
lots of FAILURES where *freshclam* said things were out of sync (and
eventually disabled all the mirrors).

And we have recently seen that our Web server sometimes can get the new
updates (from IAD) *hours* before our main LAN does (from BOS).

P.S. It's been quite frustrating getting some replies seemingly based on
assumptions that we are doing things we shouldn't, when we aren't in
fact doing those things. (Like not using freshclam.)



On Mon, 10 Dec 2018 16:46:42 -0800
Dennis Peterson  wrote:

> Exactly right. We can't be blaming the ClamAV process when we don't
> use the ClamAV process. People that don't use freshclam should have
> no expectation of high reliability. In fact any expectations are
> baseless when the wrong tools are employed.
> 
> dp
> 
> On 12/9/18 5:44 AM, Joel Esler (jesler) wrote:
> > As it should be.  No one should be downloading the daily and main,
> > (although thousands are), cdiffs were created for a reason.
> >
> > Sent from my  iPhone
> >
> >> On Dec 9, 2018, at 06:58, Eric Tykwinski 
> >> wrote:
> >>
> >>  From back in archives, I think he’s using wget to just pull the
> >> files, but freshclam would just pull the cdiffs and keep you up to
> >> date on the next check.



Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Eric Tykwinski
Dennis,

> On Dec 10, 2018, at 8:26 PM, Dennis Peterson  wrote:
> 
> Helps too to read the entire thread and the thread that preceded this one. 
> The OP has used combinations of dig and wget in diagnosing his problems.
> 
> dp

Seriously, then he should be just trying to pull the new cdiffs to see if they 
are propagated to the various Cloudflare hosts.

>> 
>> Sigh.
>> 
>> Does no one actually READ THE MESSAGES???
>> 
>> The OP's problem is:
>> 
>> FRESHCLAM FAILS, REPEATEDLY, UNTIL ALL MIRRORS ARE MARKED AS BAD
>> AND NO UPDATES CAN OCCUR.
>> 
>> Pissing up a rope about "you shouldn't do various work-arounds" is a waste 
>> of time and bandwidth.
>> 
>> The OP has shown that different Cloudflare nodes give (him) different 
>> results, someone should be asking CLoudflare about how this can be 
>> addressed, not dismissing the very valid and basic problem.
>> 
>> This sort of behaviour just proves that Dunning-Kruger is alive and involved 
>> in far too many OSS projects.
>> 
>> Cheers,
>> GaryB-)

Gary,

I haven’t really followed the whole thread, but I’ve been seeing it for months 
that I recall, definitely a waste of bandwidth, and probably should be solved 
to some extent.

Looking at his logs, the headers are only for a CVD, so he’s not trying updates.

Example of a cdiff pull from telnet:
telnet database.clamav.net 80
Trying 104.16.186.138...
Connected to database.clamav.net.cdn.cloudflare.net.
Escape character is '^]'.
GET /daily-25195.cdiff HTTP/1.1
host: database.clamav.net

[binary cdiff body follows; not reproduced]


You don’t get those nice header parts to the file, so you wouldn’t know the 
last update as it’s a part of the file itself.  Looking at manager.c in 
freshclam, he should have been posting something like: "^getfile: %s not found 
on %s (IP: %s)\n" which gets posted to the logs when the file doesn’t exist.

I’m not positive on this so Micah can chime in, but I do believe you get the 
cdiff files from the DNS TXT somehow.

If anything it’s a good lesson on how exactly freshclam works.

Sincerely,

Eric Tykwinski
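What Paul's version check and Eric's cdiff pull amount to, as an added example (not freshclam code; the TXT record and the 512-byte CVD header are constructed): parse the DNS TXT record freshclam consults, parse the header of the local daily.cvd, and list the cdiffs freshclam would request. The TXT field positions are assumed here as freshclam uses them, 0 = newest release, 1 = main, 2 = daily, 3 = publish time, 6 = safebrowsing, 7 = bytecode; the header layout is the documented "ClamAV-VDB:" header.

```python
"""Decide what freshclam would fetch, from the DNS TXT record and a CVD header.

Added example, not freshclam code.  The TXT record and the CVD header below
are constructed.  TXT field positions are assumed as freshclam uses them
(0 = newest ClamAV release, 1 = main.cvd, 2 = daily.cvd, 3 = publish time,
6 = safebrowsing.cvd, 7 = bytecode.cvd); the header is the documented
512-byte 'ClamAV-VDB:' header that opens every .cvd/.cld file.
"""

# Constructed, in the shape of the TXT record at current.cvd.clamav.net.
SAMPLE_TXT = "0.101.0:58:25195:1544483701:1:63:49026:324"

# Constructed 512-byte header of a daily.cvd one version behind the TXT record.
SAMPLE_CVD_HEADER = (
    "ClamAV-VDB:10 Dec 2018 14-03 -0500:25194:1822345:63:"
    "0123456789abcdef0123456789abcdef:SIGNATUREPLACEHOLDER:neo:1544468580"
).ljust(512).encode("ascii")


def parse_txt(record):
    fields = record.strip().split(":")
    if len(fields) < 8:
        raise ValueError("TXT record has %d fields, expected at least 8" % len(fields))
    return {
        "clamav": fields[0],
        "main": int(fields[1]),
        "daily": int(fields[2]),
        "published": int(fields[3]),
        "safebrowsing": int(fields[6]),
        "bytecode": int(fields[7]),
    }


def parse_cvd_header(data):
    """Parse the first 512 bytes of a .cvd/.cld file (what a ranged GET returns)."""
    header = data[:512]
    if len(header) != 512 or not header.startswith(b"ClamAV-VDB:"):
        raise ValueError("not a CVD header")
    fields = header.decode("ascii", "replace").rstrip(" \x00").split(":")
    if len(fields) < 9:
        raise ValueError("CVD header has %d fields, expected 9" % len(fields))
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "signatures": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "dsig": fields[6],
        "builder": fields[7],
        "build_stime": int(fields[8]),
    }


def cdiff_names(local_version, remote_version, db="daily"):
    """The incremental files freshclam would request, oldest first."""
    return ["%s-%d.cdiff" % (db, v) for v in range(local_version + 1, remote_version + 1)]


def plan_update(txt_record, local_cvd_header, db="daily"):
    remote = parse_txt(txt_record)[db]
    local = parse_cvd_header(local_cvd_header)["version"]
    if local == remote:
        return {"status": "up-to-date", "local": local, "remote": remote, "fetch": []}
    if local > remote:
        # Seen when one CDN edge answers with a stale TXT record: nothing to
        # fetch, but worth logging which resolver and edge gave the answer.
        return {"status": "local-newer", "local": local, "remote": remote, "fetch": []}
    return {"status": "cdiff", "local": local, "remote": remote,
            "fetch": cdiff_names(local, remote, db)}


if __name__ == "__main__":
    print(plan_update(SAMPLE_TXT, SAMPLE_CVD_HEADER))
```

The header is what `curl -r 0-511 http://database.clamav.net/daily.cvd` returns, and what `sigtool --info daily.cvd` prints for a local copy. Comparing the version field tells you whether an edge is stale; it says nothing about the file's integrity, which freshclam establishes by checking the header's digital signature against its built-in public key. A hand-fetched .cvd that only passed a version comparison should therefore still go through freshclam, or at least `sigtool --info`, before it lands in the database directory.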


Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Dennis Peterson
Helps too to read the entire thread and the thread that preceded this one. The 
OP has used combinations of dig and wget in diagnosing his problems.


dp

On 12/10/18 5:22 PM, Gary R. Schmidt wrote:

On 11/12/2018 11:46, Dennis Peterson wrote:
Exactly right. We can't be blaming the ClamAV process when we don't use the 
ClamAV process. People that don't use freshclam should have no expectation of 
high reliability. In fact any expectations are baseless when the wrong tools 
are employed.




Sigh.

Does no one actually READ THE MESSAGES???

The OP's problem is:

FRESHCLAM FAILS, REPEATEDLY, UNTIL ALL MIRRORS ARE MARKED AS BAD
AND NO UPDATES CAN OCCUR.

Pissing up a rope about "you shouldn't do various work-arounds" is a waste of 
time and bandwidth.


The OP has shown that different Cloudflare nodes give (him) different results, 
someone should be asking CLoudflare about how this can be addressed, not 
dismissing the very valid and basic problem.


This sort of behaviour just proves that Dunning-Kruger is alive and involved 
in far too many OSS projects.


Cheers,
    Gary    B-)





Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Gary R. Schmidt

On 11/12/2018 11:46, Dennis Peterson wrote:
Exactly right. We can't be blaming the ClamAV process when we don't use 
the ClamAV process. People that don't use freshclam should have no 
expectation of high reliability. In fact any expectations are baseless 
when the wrong tools are employed.




Sigh.

Does no one actually READ THE MESSAGES???

The OP's problem is:

FRESHCLAM FAILS, REPEATEDLY, UNTIL ALL MIRRORS ARE MARKED AS BAD
AND NO UPDATES CAN OCCUR.

Pissing up a rope about "you shouldn't do various work-arounds" is a 
waste of time and bandwidth.


The OP has shown that different Cloudflare nodes give (him) different 
results, someone should be asking CLoudflare about how this can be 
addressed, not dismissing the very valid and basic problem.


This sort of behaviour just proves that Dunning-Kruger is alive and 
involved in far too many OSS projects.


Cheers,
GaryB-)


Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Dennis Peterson
Exactly right. We can't be blaming the ClamAV process when we don't use the 
ClamAV process. People that don't use freshclam should have no expectation of 
high reliability. In fact any expectations are baseless when the wrong tools are 
employed.


dp

On 12/9/18 5:44 AM, Joel Esler (jesler) wrote:

As it should be.  No one should be downloading the daily and main, (although 
thousands are), cdiffs were created for a reason.

Sent from my  iPhone


On Dec 9, 2018, at 06:58, Eric Tykwinski  wrote:

 From back in archives, I think he’s using wget to just pull the files, but 
freshclam would just pull the cdiffs and keep you up to date on the next check.






Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford




On 10 December 2018 17:21:05 "G.W. Haywood"  wrote:


Hi there,

On Mon, 10 Dec 2018, Steve Basford wrote:


... MiscreantPunch099-Low.ldb for additional detection but can hit
scanning performance.


Can you give any estimate (however rough) of the performance hit?


Scanning a small file... With each database... Not hugely scientific... 
Just relative to each other...


badmacro.ndb: 937 ms

blurl.ndb: 1125 ms

bofhland_cracked_URL.ndb: 859 ms
bofhland_malware_attach.hdb: 859 ms
bofhland_malware_URL.ndb: 844 ms
bofhland_phishing_URL.ndb: 828 ms
crdfam.clamav.hdb: 844 ms
doppelstern.hdb: 844 ms
doppelstern.ndb: 844 ms
doppelstern-phishtank.ndb: 828 ms
foxhole_all.cdb: 844 ms
foxhole_all.ndb: 844 ms
foxhole_filename.cdb: 938 ms
foxhole_generic.cdb: 860 ms
foxhole_js.cdb: 828 ms
foxhole_js.ndb: 828 ms
foxhole_mail.cdb: 828 ms

junk.ndb: 1750 ms

jurlbl.ndb: 985 ms
jurlbla.ndb: 906 ms
lott.ndb: 859 ms
malware.expert.hdb: 828 ms
malware.expert.ldb: 860 ms
malware.expert.ndb: 859 ms
MiscreantPunch099-INFO-Low.ldb: 922 ms

MiscreantPunch099-Low.ldb: Possible Performance Issue: 10407 ms

phish.ndb: 4282 ms

phishtank.ndb: 1172 ms

porcupine.ndb: 922 ms
rogue.hdb: 859 ms

scam.ndb: 1156 ms

scamnailer.ndb: 3953 ms

shelter.ldb: 843 ms
spam.ldb: 844 ms
spamattach.hdb: 891 ms
spamimg.hdb: 844 ms

spear.ndb: 1532 ms

spearl.ndb: 828 ms
winnow.attachments.hdb: 829 ms
winnow.complex.patterns.ldb: 860 ms
winnow_bad_cw.hdb: 844 ms
winnow_extended_malware.hdb: 937 ms
winnow_extended_malware_links.ndb: 844 ms
winnow_malware.hdb: 828 ms
winnow_malware_links.ndb: 843 ms
winnow_phish_complete.ndb: 843 ms
winnow_phish_complete_url.ndb: 828 ms
winnow_spam_complete.ndb: 844 ms


Cheers,

Steve
Twitter: @sanesecurity
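The measurement above, repeated as an added example (not part of the thread and not ClamAV or Sanesecurity code): one clamscan run per database file, timed, and then a check for outliers. The SAMPLE_TIMINGS dict is a subset of the numbers Steve posted, embedded so that the outlier check runs without a scanner installed; the clamscan path and the database suffixes are assumptions.

```python
"""Time each third-party signature database on its own and flag the slow ones.

Added example, not part of the thread and not ClamAV code.  time_databases()
repeats the measurement described above (one 'clamscan -d <db>' run per file);
SAMPLE_TIMINGS is a subset of the numbers posted above so that flag_slow()
can be exercised without a scanner installed.
"""
import os
import statistics
import subprocess
import time

# Subset of the timings posted above (milliseconds, one small file, one database each).
SAMPLE_TIMINGS = {
    "badmacro.ndb": 937,
    "blurl.ndb": 1125,
    "bofhland_phishing_URL.ndb": 828,
    "crdfam.clamav.hdb": 844,
    "doppelstern.hdb": 844,
    "foxhole_all.cdb": 844,
    "junk.ndb": 1750,
    "MiscreantPunch099-INFO-Low.ldb": 922,
    "MiscreantPunch099-Low.ldb": 10407,
    "phish.ndb": 4282,
    "phishtank.ndb": 1172,
    "rogue.hdb": 859,
    "scamnailer.ndb": 3953,
    "shelter.ldb": 843,
    "spam.ldb": 844,
    "spear.ndb": 1532,
    "winnow_bad_cw.hdb": 844,
    "winnow_malware.hdb": 828,
}


def time_databases(db_dir, sample_file, clamscan="clamscan",
                   suffixes=(".ndb", ".ldb", ".hdb", ".cdb")):
    """Run clamscan once per database file; return {db_name: milliseconds}.

    Assumes a clamscan binary on PATH (or an explicit path) and a directory
    holding only the databases to compare.  Exit status is ignored on purpose:
    a hit (exit 1) on the sample file is not a failure of the measurement.
    """
    timings = {}
    for name in sorted(os.listdir(db_dir)):
        if not name.endswith(suffixes):
            continue
        cmd = [clamscan, "--no-summary", "-d", os.path.join(db_dir, name), sample_file]
        start = time.perf_counter()
        subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                       check=False)
        timings[name] = round((time.perf_counter() - start) * 1000)
    return timings


def flag_slow(timings, factor=3.0):
    """Databases whose run exceeds `factor` times the median run."""
    baseline = statistics.median(timings.values())
    return {name: ms for name, ms in timings.items() if ms > factor * baseline}


def load_overhead(timings):
    """Per-database cost above the cheapest run (engine start-up plus the sample)."""
    floor = min(timings.values())
    return {name: ms - floor for name, ms in timings.items()}


if __name__ == "__main__":
    for name, ms in sorted(flag_slow(SAMPLE_TIMINGS).items(), key=lambda kv: -kv[1]):
        print("%-32s %6d ms (+%d over floor)" % (name, ms, load_overhead(SAMPLE_TIMINGS)[name]))
```

With a single small sample file, the roughly 830 ms floor is engine start-up and database load, so load_overhead() is the number to compare between databases. clamd pays that load cost once and then keeps the databases in memory, so a heavy .ldb hurts clamd's start-up and reload time far more than its per-file scan time; to measure the latter, run the same loop with clamdscan against a running clamd instead of clamscan.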


Re: [clamav-users] Clamav download

2018-12-10 Thread Joel Esler (jesler)
Correct.

> On Dec 10, 2018, at 5:42 AM, Robert Chalmers  wrote:
> 
> http://www.clamav.net/downloads 
> 
> 
> 
> -
> Robert Chalmers
> https://robert-chalmers.uk 
> aut...@robert-chalmers.uk 
> @R_A_Chalmers
> 
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml





Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread G.W. Haywood

Hi there,

On Mon, 10 Dec 2018, Steve Basford wrote:


... MiscreantPunch099-Low.ldb for additional detection but can hit
scanning performance.


Can you give any estimate (however rough) of the performance hit?

--

73,
Ged.


Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Eric Tykwinski
Steve.

> Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
> cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
> but can hit scanning performance.
> 
> ClamAV settings in clamd.conf can also be tweaked to block documents with
> macro and or passwords.


Thanks, just added badmacro.ndb, so hopefully that will help.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford


On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote:
> Default clam sigs obviously are not catching these, but wondering if
> anyone has them included in a third party that's rather FP friendly.
>
> I also just tested a yara from here, and it seems to work, but not
> certain about FPs from it either.
>
Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
but can hit scanning performance.

ClamAV settings in clamd.conf can also be tweaked to block documents with
macro and or passwords.


-- 
Cheers,

Steve
Twitter: @sanesecurity

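The check Steve alludes to, worked as an added example (not ClamAV or Sanesecurity code): a script that reports whether an Office document carries VBA without needing a signature database. An OOXML file (.docm, .docx, .xlsm; really a zip) is flagged when it contains a vbaProject.bin part, and a legacy OLE2 file (.doc, .xls) when its bytes carry the UTF-16 storage names the VBA project lives under, which is the same idea as the YARA rule Eric linked. Both samples are constructed in memory; the OLE2 sample is only a byte pattern with the right magic, not a valid compound file.

```python
"""Spot Office documents that carry VBA macros without a signature database.

Added example, not ClamAV or Sanesecurity code.  OOXML containers are
inspected as zips (a vbaProject.bin part means macros); legacy OLE2 files
are checked for the UTF-16LE storage names a VBA project is stored under.
Samples are constructed; the OLE2 one is a byte pattern, not a real file.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Directory entry names are stored as UTF-16LE inside an OLE2 compound file.
OLE2_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def build_ooxml(with_macro):
    """Constructed minimal OOXML container; not a document Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\0" * 8)
    return buf.getvalue()


def build_ole2_pattern(with_macro):
    """Constructed bytes with the OLE2 magic and, optionally, VBA storage names."""
    body = bytearray(OLE2_MAGIC + b"\0" * 504)
    if with_macro:
        body += "Macros".encode("utf-16-le") + b"\0" * 20
        body += "_VBA_PROJECT".encode("utf-16-le")
    return bytes(body)


def ooxml_macro_parts(data):
    """Names of vbaProject.bin parts inside an OOXML zip (empty if none)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def ole2_has_vba(data):
    return data.startswith(OLE2_MAGIC) and any(m in data for m in OLE2_VBA_MARKERS)


def classify(data):
    """Return 'ooxml-macro', 'ole2-macro', 'ooxml', 'ole2' or 'other'."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-macro" if ooxml_macro_parts(data) else "ooxml"
    if data.startswith(OLE2_MAGIC):
        return "ole2-macro" if ole2_has_vba(data) else "ole2"
    return "other"


if __name__ == "__main__":
    for label, sample in (("docm", build_ooxml(True)), ("docx", build_ooxml(False)),
                          ("doc+vba", build_ole2_pattern(True)),
                          ("doc", build_ole2_pattern(False))):
        print("%-8s %s" % (label, classify(sample)))
```

The OLE2 check is a byte search, so a plain .doc whose body text mentions "Macros" can trip it; ClamAV's own OLE2 parser walks the directory instead, which is what `OLE2BlockMacros yes` in clamd.conf (renamed `AlertOLE2Macros` in 0.101, with `--alert-macros` as the clamscan equivalent) turns into a Heuristics.OLE2.ContainsMacros hit. The zip check has the opposite limit: it cannot see inside an encrypted container, which is what the clamd.conf option for encrypted documents that Steve mentions is for.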


[clamav-users] Detecting Word docs with macros

2018-12-10 Thread Eric Tykwinski
Default clam sigs obviously are not catching these, but wondering if anyone
has them included in a third party that's rather FP friendly.

I also just tested a yara from here, and it seems to work, but not certain
about FPs from it either.

https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-co
ntaining-macro/

 

Anyone have a suggestion?

 

Sincerely,

 

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300

 



[clamav-users] Clamav download

2018-12-10 Thread Robert Chalmers
http://www.clamav.net/downloads



-
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers



Re: [clamav-users] Installation problem.

2018-12-10 Thread Robert Chalmers

Ok, try
make clean

To cleanup the build first.

What sort of OS are you on? You may have said but I can’t remember.
So, delete the current directory you have it in and make sure you are 
downloading the correct sources.
https://github.com/Cisco-Talos/clamav-faq/blob/master/faq/Installing.md

Or
https://github.com/Cisco-Talos/clamav-faq/blob/master/manual/UserManual/Installation-Unix.md

Ensure your environment points to your compiler. and libraries etc.

Read the INSTALL.MD 

Other than that, not sure what could be wrong.

-
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers


> On 10 Dec 2018, at 9:01 am, nikos  wrote:
> 
> Robert,
> 
> Both ./configure tidy and ./configure clean give:
>  
> configure: WARNING: you should use --build, --host, --target
> checking for clean-g++... no
> checking for clean-c++... no
> checking for clean-gpp... no
> checking for clean-aCC... no
> checking for clean-CC... no
> checking for clean-cxx... no
> checking for clean-cc++... no
> checking for clean-cl.exe... no
> checking for clean-FCC... no
> checking for clean-KCC... no
> checking for clean-RCC... no
> checking for clean-xlC_r... no
> checking for clean-xlC... no
> checking for g++... no
> checking for c++... no
> checking for gpp... no
> checking for aCC... no
> checking for CC... no
> checking for cxx... no
> checking for cc++... no
> checking for cl.exe... no
> checking for FCC... no
> checking for KCC... no
> checking for RCC... no
> checking for xlC_r... no
> checking for xlC... no
> checking whether the C++ compiler works... no
> configure: error: in `/home/qbit/Downloads/clamav-0.101.0':
> configure: error: C++ compiler cannot create executables
> See `config.log' for more details
> 
> Thank you.
> 
> 
> Ok, try this first.
> ./configure tidy
> ./configure clean
> ./configure 
> 
> make
> 
> 
> 
> -
> Robert Chalmers
> https://robert-chalmers.uk
> author at robert-chalmers.uk
> @R_A_Chalmers
> 
> 
> > On 10 Dec 2018, at 7:36 am, nikos  wrote:
> > 
> > Hello list.
> > 
> > I tried, Robert, but nothing changed. 
> > 
> > I think it is something with the configure file. I copied the configure file from 
> > the previous version and it works with no problem. So there is no problem with the 
> > C++ compiler. Can I do the installation with the previous configure file?
> > 
> > I tried downloading it again but nothing changed, same problem.
> > 
> > Any suggestions?
> > 
> > Thank you.
> > 
> > 
> > 
> >> On 7/12/2018 7:00 μ.μ., clamav-users-request at lists.clamav.net wrote:
> >> My reasons for querying C++ is this in your log
> >> 
> >> 
> >>> checking for cc++... no
> >> 
> >>> checking whether the C++ compiler works... no
> >> 
> >> 
> >> 
> >> and as you are building 101, if you want to stop freshclam dumping an exit 
> >> error in your logs - it still works, just gives a false error. change this
> >> 
> >> freshclam/freshclamcodes.h from
> >> 
> >> typedef enum fc_error_tag {
> >> FC_SUCCESS  = 0,
> >> FC_UPTODATE = 1,
> >> 
> >> to
> >> 
> >> typedef enum fc_error_tag {
> >> FC_SUCCESS  = 0,
> >> FC_UPTODATE = 0,
> >> 
> >> The clamav code maintainers are aware of this…
> >> 
> >> robert
> >> 
> >>> On 7 Dec 2018, at 07:28, nikos  wrote:
> >>> 
> >>> Hello list.
> >>> 
> >>> I'm trying to install the new version of clam and there seem to be 
> >>> compilation problems.
> >>> 
> >>> I run ./configure --sysconfdir=/etc --enable-milter in the program's 
> >>> folder and I get the error:
> >>> 
> >>> checking for g++... no
> >>> checking for c++... no
> >>> checking for gpp... no
> >>> checking for aCC... no
> >>> checking for CC... no
> >>> checking for cxx... no
> >>> checking for cc++... no
> >>> checking for cl.exe... no
> >>> checking for FCC... no
> >>> checking for KCC... no
> >>> checking for RCC... no
> >>> checking for xlC_r... no
> >>> checking for xlC... no
> >>> checking whether the C++ compiler works... no
> >>> configure: error: in `/home/admin/clamav-0.101.0':
> >>> configure: error: C++ compiler cannot create executables
> >>> See `config.log' for more details
> >>> 
> >>> I always install clam from source, as with the previous versions. The funny 
> >>> thing is, if I extract and run configure in the previous version 
> >>> clamav-0.100.2 everything works fine!
> >>> 
> >>> I have a server with latest centos release, full updated.
> >>> 
> >>> Any suggestions?
> >>> 
> >>> Thank you in advance, Nikos.
> >>> 
> >>> 
> >> 
> >> Robert Chalmers
> >> https://robert-chalmers.uk
> >> author at robert-chalmers.uk
> >> @R_A_Chalmers

Re: [clamav-users] Installation problem.

2018-12-10 Thread nikos

  
  
Robert,

Both ./configure tidy and ./configure clean give:
 
configure: WARNING: you should use --build, --host, --target
checking for clean-g++... no
checking for clean-c++... no
checking for clean-gpp... no
checking for clean-aCC... no
checking for clean-CC... no
checking for clean-cxx... no
checking for clean-cc++... no
checking for clean-cl.exe... no
checking for clean-FCC... no
checking for clean-KCC... no
checking for clean-RCC... no
checking for clean-xlC_r... no
checking for clean-xlC... no
checking for g++... no
checking for c++... no
checking for gpp... no
checking for aCC... no
checking for CC... no
checking for cxx... no
checking for cc++... no
checking for cl.exe... no
checking for FCC... no
checking for KCC... no
checking for RCC... no
checking for xlC_r... no
checking for xlC... no
checking whether the C++ compiler works... no
configure: error: in `/home/qbit/Downloads/clamav-0.101.0':
configure: error: C++ compiler cannot create executables
See `config.log' for more details

Thank you.


Ok, try this first.
./configure tidy
./configure clean
./configure 

make



-
Robert Chalmers
https://robert-chalmers.uk
author at robert-chalmers.uk
@R_A_Chalmers


> On 10 Dec 2018, at 7:36 am, nikos  wrote:
> 
> Hello list.
> 
> I tried, Robert, but nothing changed. 
> 
> I think it is something with the configure file. I copied the configure file from the previous version and it works with no problem. So there is no problem with the C++ compiler. Can I do the installation with the previous configure file?
> 
> I tried downloading it again but nothing changed, same problem.
> 
> Any suggestions?
> 
> Thank you.
> 
> 
> 
>> On 7/12/2018 7:00 μ.μ., clamav-users-request at lists.clamav.net wrote:
>> My reasons for querying C++ is this in your log
>> 
>> 
>>> checking for cc++... no
>> 
>>> checking whether the C++ compiler works... no
>> 
>> 
>> 
>> and as you are building 101, if you want to stop freshclam dumping an exit error in your logs - it still works, just gives a false error. change this
>> 
>> freshclam/freshclamcodes.h from
>> 
>> typedef enum fc_error_tag {
>> FC_SUCCESS  = 0,
>> FC_UPTODATE = 1,
>> 
>> to
>> 
>> typedef enum fc_error_tag {
>> FC_SUCCESS  = 0,
>> FC_UPTODATE = 0,
>> 
>> The clamav code maintainers are aware of this…
>> 
>> robert
>> 
>>> On 7 Dec 2018, at 07:28, nikos  wrote:
>>> 
>>> Hello list.
>>> 
>>> I'm trying to install the new version of clam and there seem to be compilation problems.
>>> 
>>> I run ./configure --sysconfdir=/etc --enable-milter in the program's folder and I get the error:
>>> 
>>> checking for g++... no
>>> checking for c++... no
>>> checking for gpp... no
>>> checking for aCC... no
>>> checking for CC... no
>>> checking for cxx... no
>>> checking for cc++... no
>>> checking for cl.exe... no
>>> checking for FCC... no
>>> checking for KCC... no
>>> checking for RCC... no
>>> checking for xlC_r... no
>>> checking for xlC... no
>>> checking whether the C++ compiler works... no
>>> configure: error: in `/home/admin/clamav-0.101.0':
>>> configure: error: C++ compiler cannot create executables
>>> See `config.log' for more details
>>> 
>>> I always install clam from source, as with the previous versions. The funny thing is, if I extract and run configure in the previous version clamav-0.100.2 everything works fine!
>>> 
>>> I have a server with latest centos release, full updated.
>>> 
>>> Any suggestions?
>>> 
>>> Thank you in advance, Nikos.
>>> 
>>> 
>> 
>> Robert Chalmers
>> https://robert-chalmers.uk
>> author at robert-chalmers.uk
>> @R_A_Chalmers

  
