Re: [clamav-users] Clamav error using YARA

2019-11-11 Thread G.W. Haywood via clamav-users

Hello again,

On Mon, 11 Nov 2019, Philippe Lefèvre wrote:


> Thanks for your post, Ged.


You're very welcome. :)

> ... it seems that neither Clamav nor Maldet installed on my Debian box
> have the right rfxn.* files


> I'm not familiar with these programs but I would like to understand if
> clamav is delivered with an instance of rfxn files or if those files are
> installed with Maldet (part of Maldet package?) or something else.


There are Debian packages for ClamAV.  I don't think Debian has its
own package for the rfxn signatures but I haven't looked carefully.
If you are using a Debian system I would suggest that using the Debian
ClamAV packages would be the simplest way to install ClamAV.  Then you
can install extra signatures very simply, more or less by copying
files to the ClamAV database directory.  ClamAV does not supply the
Maldet files, they are what the supplier of ClamAV calls 'third-party'
or 'unofficial' signatures.  There are many such sets of signatures
which essentially add functionality to ClamAV, for example I use the
Sanesecurity signatures on mail servers to catch a lot of spam; I'm
less interested in malware as I rule my systems with a rod of iron. :)

> Maybe something is/was broken somewhere and it would save me time to
> reinstall maldet or clamav, or both, and copy the rfxn.* files?
>
> Please advise.


The people who produce the Maldet files should be able to help you
better than I can, I'm afraid I know nothing about the installation
process for Maldet.  If ClamAV is scanning files normally then I don't
think you need to reinstall it.  If ClamAV finds a set of signatures
in a suitable form in its database directory then it will try to load
and use them unless you tell it otherwise.  I looked briefly at the
documentation at https://www.rfxn.com/projects/linux-malware-detect/
and I'm afraid it left me asking more questions rather than fewer.

--

73,
Ged.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] clamd onaccess scanning NFS

2019-11-11 Thread Kris Deugau

Mark Parker via clamav-users wrote:

> Hi all,
> I'm investigating clamav as a solution for a couple hundred Linux
> boxes. We need onaccess scanning but I'm running into an issue. For
> clamd to do onaccess scanning it needs to be run as root to use the
> inotify components, but since we export our NFS volumes with
> root_squash, it doesn't have permissions to view a user's home directory
> contents.
>
> Am I missing something?


clamd needs to run as root to scan arbitrary files on the system.  Try 
scanning home directories on the NFS host instead, and exclude the home 
directory tree from scanning on the clients if you have reason to scan 
elsewhere on those systems.


-kgd



Re: [clamav-users] clamd onaccess scanning NFS

2019-11-11 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:

> On 11/11/2019 12:05 PM, G.W. Haywood via clamav-users wrote:
>> On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:
>>> ... need onaccess scanning but .. clamd .. doesn't have permissions
>>> to view a user's home directory contents.  Am I missing something?
>>
>> Group read?
>
> Well, I don't want to change permissions on 30 million files to make this
> work. Seems like the wrong thing to do.


It seems like you've made this harder than it needs to be.  Normally
I'd expect a private home directory to contain mostly files with 'ugo'
read, and the permissions on the home directory would be what controls
access to them.  Each user will be in a group of the same name (that's
usual in a lot of setups anyway) and all you need to do to permit the
clamav user to scan the files would be to put that user in every group.

Everyone here knows I'm not a great fan of using ClamAV in this way,
but of course in the '.edu' TLD you do have different issues from the
rest of us...

--

73,
Ged.



Re: [clamav-users] Clamav error using YARA

2019-11-11 Thread Philippe Lefèvre

Hi all,
Thanks for your post, Ged.

I have a maldet 6.1.4 installed under /usr/local:
#maldet -version
===
Linux Malware Detect v1.6.4
    (C) 2002-2019, R-fx Networks 
    (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2
===

but when I do
# grep -n is__elf /usr/local/maldetect/sigs/rfxn.yara
I get
===
9112:    is__elf and all of ($s*)
===

same when I do
# grep -n is__elf /var/lib/clamav/rfxn.yara
===
9112:    is__elf and all of ($s*)
===

I just downloaded maldet 1.6.4 and had a look into my downloads dir, I
can see

# grep -n is__elf ~/telechargements/maldetect-1.6.4/files/sigs/rfxn.yara
===
9068:private rule is__elf
9105:    is__elf and all of ($s*)
===

So it seems that neither Clamav nor Maldet installed on my Debian box
have the right rfxn.* files.


I'm not familiar with these programs but I would like to understand if
clamav is delivered with an instance of rfxn files or if those files are
installed with Maldet (part of Maldet package?) or something else.
Maybe something is/was broken somewhere and it would save me time to
reinstall maldet or clamav, or both, and copy the rfxn.* files?


Please advise.

Thanks



On 11/11/2019 at 14:41, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Mon, 11 Nov 2019, Philippe Lefèvre wrote:
>
>> # grep -n is__elf /var/lib/clamav/rfxn.yara
>> 9112:    is__elf and all of ($s*)
>
> Maybe this will help:
>
> https://www.rfxn.com/downloads/maldetect-current.tar.gz
>
> 8<--
> laptop3:~$ >>> grep -n is__elf ~/Downloads/maldetect-1.6.4/files/sigs/rfxn.yara
> 9068:private rule is__elf
> 9105:    is__elf and all of ($s*)
> laptop3:~$ >>>
> 8<--







Re: [clamav-users] clamd onaccess scanning NFS

2019-11-11 Thread Mark Parker via clamav-users
Well, I don't want to change permissions on 30 million files to make 
this work. Seems like the wrong thing to do.


On 11/11/2019 12:05 PM, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:
>
>> ... need onaccess scanning but .. clamd .. doesn't have permissions
>> to view a user's home directory contents.  Am I missing something?
>
> Group read?



--
Mark Parker - SGL Network Administrator
Applied Research Laboratories : The University of Texas at Austin
(512) 835-3768 / mpar...@arlut.utexas.edu







Re: [clamav-users] clamd onaccess scanning NFS

2019-11-11 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:


> ... need onaccess scanning but .. clamd .. doesn't have permissions
> to view a user's home directory contents.  Am I missing something?


Group read?

--

73,
Ged.



[clamav-users] clamd onaccess scanning NFS

2019-11-11 Thread Mark Parker via clamav-users

Hi all,

I'm investigating clamav as a solution for a couple hundred Linux
boxes. We need onaccess scanning but I'm running into an issue. For
clamd to do onaccess scanning it needs to be run as root to use the
inotify components, but since we export our NFS volumes with
root_squash, it doesn't have permissions to view a user's home directory
contents.

Am I missing something?

-Mark

--
Mark Parker - SGL Network Administrator
Applied Research Laboratories : The University of Texas at Austin
(512) 835-3768 / mpar...@arlut.utexas.edu







Re: [clamav-users] Clamav error using YARA

2019-11-11 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 11 Nov 2019, Philippe Lefèvre wrote:


> # grep -n is__elf /var/lib/clamav/rfxn.yara
> 9112:    is__elf and all of ($s*)


Maybe this will help:

https://www.rfxn.com/downloads/maldetect-current.tar.gz

8<--
laptop3:~$ >>> grep -n is__elf ~/Downloads/maldetect-1.6.4/files/sigs/rfxn.yara
9068:private rule is__elf
9105:    is__elf and all of ($s*)
laptop3:~$ >>> 
8<--


--

73,
Ged.



Re: [clamav-users] Clamav error using YARA

2019-11-11 Thread Franky Van Liedekerke via clamav-users
I'm not entirely familiar with yara, but based on
https://yara.readthedocs.io/en/latest/modules/elf.html , there is no
such function as "is__elf".
Based on a whole search in the yara doc, there's only is_dll, is_32bit
and is_64bit.
Further googling shows this:
https://github.com/Yara-Rules/rules/commit/8130cda6a3cd1b470b59e29a769162600bf1efab
It seems is__elf is a private function now, so you can't use it
directly anymore I guess.


Franky


On Monday, 11-11-2019 at 09:10, Philippe Lefèvre wrote:

> Hello,
>
> thanks for your reply :-)
>
> here is:
> =
> # grep -n is__elf /var/lib/clamav/rfxn.yara
> 9112:    is__elf and all of ($s*)
> =
>
> On 11/11/2019 at 01:02, G.W. Haywood via clamav-users wrote:
>> grep -n is__elf /var/lib/clamav/rfxn.yara


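The defect the thread narrows down to (a condition that references `is__elf` while the `private rule is__elf` definition is absent from the installed rfxn.yara) can be caught before ClamAV tries to load the signature file. The checker below is an added example, not code from ClamAV, Maldet or the rfxn project; it extracts every rule name a file defines, every bare identifier each condition uses, and reports the references nothing defines. The rule text it runs on is constructed for the illustration, not the real rfxn.yara.

```python
"""Report YARA rules whose conditions reference rules the file never defines.

Added example, not code from ClamAV, Maldet or the rfxn project.  It models the
failure in this thread: a condition uses `is__elf` while the `private rule
is__elf` definition is missing.  The rule text below is constructed, not rfxn.yara.
"""
import re

# Rule header at line start, with or without the private/global modifiers.
RULE_HEADER = re.compile(r"^[ \t]*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)
# Bare identifiers: skips $strings, #counts, @offsets, !lengths and module.member.
IDENT = re.compile(r"(?<![\w$#@!.])([A-Za-z_]\w*)(?!\w)(?!\s*\.)")
LOOP_VARS = re.compile(r"\bfor\s+\S+\s+([A-Za-z_]\w*(?:\s*,\s*[A-Za-z_]\w*)*)\s+(?:in|of)\b")
INT_FUNC = re.compile(r"^u?int(?:8|16|32)(?:be)?$")  # uint16(0) and friends
KEYWORDS = {"and", "or", "not", "all", "any", "none", "of", "them", "at", "in", "for",
            "filesize", "entrypoint", "true", "false", "contains", "icontains", "matches",
            "startswith", "istartswith", "endswith", "iendswith", "iequals", "defined"}

def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(^|\s)//[^\n]*", r"\1", text, flags=re.M)

def rule_conditions(text: str) -> dict[str, str]:
    """Map each defined rule name (private ones included) to its condition text."""
    text = strip_comments(text)
    heads = list(RULE_HEADER.finditer(text))
    conds = {}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        _, sep, cond = text[head.end():end].partition("condition:")
        conds[head.group(1)] = cond if sep else ""
    return conds

def undefined_references(text: str) -> dict[str, set[str]]:
    """Rule name -> identifiers its condition uses that no rule in the file defines."""
    conds = rule_conditions(text)
    missing = {}
    for name, cond in conds.items():
        bound = {v.strip() for m in LOOP_VARS.finditer(cond) for v in m.group(1).split(",")}
        refs = set(IDENT.findall(cond)) - KEYWORDS - bound - set(conds)
        refs = {r for r in refs if not INT_FUNC.match(r)}
        if refs:
            missing[name] = refs
    return missing

# Constructed sample: the dependent rule with and without its private helper rule.
ELF_HELPER = "private rule is__elf {\n  strings:\n    $magic = { 7f 45 4c 46 }\n  condition:\n    $magic at 0\n}\n"
DEPENDENT = "rule sample_elf_dropper {\n  strings:\n    $s1 = \"/bin/sh\"\n  condition:\n    is__elf and all of ($s*)\n}\n"
COMPLETE_FILE = ELF_HELPER + DEPENDENT  # like the tarball: both rules present
BROKEN_FILE = DEPENDENT                 # like the installed copy: helper missing
```

Running `undefined_references` over the installed file and over the freshly downloaded one shows which copy lost the helper rule, which is the comparison the grep lines in this thread perform by hand.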


Re: [clamav-users] Clamav error using YARA

2019-11-11 Thread Philippe Lefèvre

Hello,

thanks for your reply :-)

here is:
=
# grep -n is__elf /var/lib/clamav/rfxn.yara
9112:    is__elf and all of ($s*)
=


On 11/11/2019 at 01:02, G.W. Haywood via clamav-users wrote:
> grep -n is__elf /var/lib/clamav/rfxn.yara


