Re: [clamav-users] vistumbler as false positive

2021-04-08 Thread Eero Volotinen
got response:

“There are three downloads available for 10.7. The SHA256 of those files
should be

Vistumbler_v10-7.exe -
ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01
Vistumbler_v10-7.zip -
7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0
Vistumbler_v10-7_Portable.zip -
F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C

All 3 should contain the same files.

   - the non portable zip is just vistumbler with default settings (storing
   data in your profile temp directory and documents folder)
   - the exe file is just the zip file packed into an installer with NSIS (
   https://nsis.sourceforge.io/Main_Page )
   - the portable version has different settings which cause temp files and
   save files to be stored inside the same directory as the program (better
   for portable use) instead of inside your windows profile.

I went and reanalyzed the file you submitted to virus total and it looks
like bitdefender no longer considers them viruses, so it seems they
consider it a false positive. You can see if you go to the link you posted
above,
https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection
bitdefender has removed the detection.”


Eero

On Thu 8. Apr 2021 at 17.02, Andrew C Aitchison via clamav-users <
clamav-users@lists.clamav.net> wrote:

>
> On Thu, 8 Apr 2021, Eero Volotinen wrote:
>
> >
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
> >
> > Looks like this is (vistumbler) detected as false positive.
>
> and
>
> On Thu, 8 Apr 2021, Arnaud Jacques wrote:
> > At first look, ClamAV is not the only one that flags it as malware :
> >
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
>
> and https://vistumbler.en.lo4d.com/virus-malware-tests
> but that has a different sha256sum.
> Hmm.
>
> If I feed the github URL into virustotal it comes up clean
>
> https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection
>
> but if I download the file and give that to virustotal I get
>
> https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection
> (the bit between file/ and /detection matches the sha256sum of my file and
> that on https://vistumbler.en.lo4d.com/virus-malware-tests ).
>
> Initially that page reported
>   19 security vendors flagged this file as malicious
>   Size 6.92 MB
>   direct-cpu-clock-access invalid-signature
>   nsis overlay peexe runtime-modules signed
> but when I asked virustotal to rescan, "19 security vendors" changed to
> "16 security vendors".
>
> I have put my copy at:
>
> https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe
>
> I think this means that raw.github.com has given out at least three
> different versions of this file. Eero, could you pass this back to
> the Vistumbler developer "Andrew" (Calcutt?) please ?
>
> # file Vistumbler_v10-7.exe
> Vistumbler_v10-7.exe: PE32 executable (GUI) Intel 80386, for MS Windows,
> Nullsoft Installer self-extracting archive
>
> # host raw.github.com
> raw.github.com has address 185.199.108.133
> raw.github.com has address 185.199.109.133
> raw.github.com has address 185.199.110.133
> raw.github.com has address 185.199.111.133
>
> On Thu, 8 Apr 2021, Eero Volotinen wrote:
>
> > comment from developer
> >
> > "Unfortunately autoit, which vistumbler is written in, gets flagged
> > as a false positive a lot. Vistumbler has struggled with this since
> > the beginning.
> >
> > I recently submitted the 10.7 release files to microsoft for false
> > detection and they removed the false detection, so i think these
> > files are fine. However I have also just submitted a false positive
> > report to bitdefender, so we can see if they remove it too.
> >
> > If vistumbler gets flagged by your AV company, my suggestion is to
> > submit it as a false positive to them. I really don't have the time
> > to chase down all these AV companies.
> >
> > -Andrew"
>
> Not sure about this as it is open source, but if I were paying for
> the software I would expect them to liaise with the AV companies.
>
> --
> Andrew C. Aitchison Kendal, UK
>   and...@aitchison.me.uk
>
>
> ___
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


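A way to check a downloaded release against the hashes the developer published in the message above, as an added example that is not part of the thread or of the Vistumbler project: it hashes the file in chunks, compares the digest with the published value for that file name using a constant-time comparison, and builds the same VirusTotal lookup URL shape the thread uses. The three published hashes are copied from the message; the bytes hashed in the self-check are constructed.

```python
import hashlib
import hmac
from pathlib import Path

# SHA256 values exactly as the developer quoted them in the message above.
PUBLISHED_SHA256 = {
    "Vistumbler_v10-7.exe":
        "ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01",
    "Vistumbler_v10-7.zip":
        "7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0",
    "Vistumbler_v10-7_Portable.zip":
        "F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20) -> str:
    """Hex SHA256 of a file, read in chunks so large installers do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str, actual_hex: str, published=PUBLISHED_SHA256) -> str:
    """Compare a computed digest with the published one for that file name.

    Returns 'match', 'mismatch' (a different build or an altered copy was
    served, as the thread suspects for raw.github.com) or 'unpublished'
    (no reference hash is known for this file name)."""
    expected = published.get(name)
    if expected is None:
        return "unpublished"
    # Constant-time compare; both sides normalised to lower-case hex.
    if hmac.compare_digest(actual_hex.lower(), expected.lower()):
        return "match"
    return "mismatch"


def verify_bytes(name: str, data: bytes, published=PUBLISHED_SHA256) -> str:
    """Classify an in-memory blob as if it were the file called `name`."""
    return classify(name, sha256_hex(data), published)


def verify_file(path, published=PUBLISHED_SHA256):
    """Return (status, hex digest) for a file on disk."""
    p = Path(path)
    digest = sha256_of_file(p)
    return classify(p.name, digest, published), digest


def virustotal_url(sha256_hex_digest: str) -> str:
    """Same URL shape the thread uses to look a file up by its SHA256."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex_digest.lower()}/detection"


if __name__ == "__main__":
    import sys
    # Usage: python verify_release.py Vistumbler_v10-7.exe [more files...]
    for arg in sys.argv[1:]:
        status, digest = verify_file(arg)
        print(f"{arg}: {status} sha256={digest}")
        print("  lookup:", virustotal_url(digest))
```

Lookup is keyed on the bare file name, so a copy renamed with its hash (as in the aitchison.me.uk link above) would need to be renamed back before checking.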

Re: [clamav-users] ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Micah Snyder (micasnyd) via clamav-users
So it's actually kinda funny you should ask that.  In 0.103.2 we deprecated the 
SafeBrowsing option in freshclam.conf which means it will no longer add 
safebrowsing to the list of desired databases.  

FreshClam has two options "ExcludeDatabase" and "ExtraDatabase" for
adding/removing official CVDs to the list of databases to update. In version
0.102+, FreshClam detects if you have a CVD database in your database directory
that isn't in the list (e.g. because you excluded it, or no longer include an
"extra" database) and will remove it.

I didn't realize that deprecating the SafeBrowsing option would cause FreshClam 
to remove the old safebrowsing.cld file until I read your question and the 
thought struck me.  I just tested it now.  I found that in 0.103.2 if you used 
to have safebrowsing.cld (or safebrowsing.cvd), FreshClam will automatically 
remove it for you. 

-Micah

> -Original Message-
> From: clamav-users  On Behalf Of
> Matus UHLAR - fantomas
> Sent: Thursday, April 8, 2021 5:40 AM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] ClamAV® blog: Are you still attempting to
> download safebrowsing.cvd?
> 
> >On Wednesday 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via
> >clamav-users wrote:
> >> > Are you still attempting to download safebrowsing.cvd?
> >> >
> >> >  It has come to our attention that a few of you (about 515,000 of
> >> > you, to  be more accurate), are still attempting to download the
> >> > safebrowsing.cvd  file from the official ClamAV mirrors.  This
> >> > tells us that these  attempted downloads are an installation of
> >> > FreshClam (a non-updated  FreshClam.conf or other script) that have
> >> > not been updated to remove the  safebrowsing database.>
> 
> On 07.04.21 21:04, Vladislav Kurz via clamav-users wrote:
> >These could be Debian users. The debian package offers to enable
> >safebrowsing.cvd, and there is no indication that it is discontinued.
> >Perhaps, if you talk to Debian Clamav maintainers, they could release
> >an update that disables this option without asking ?
> 
> it's disabled by default, but yes, that disabling it unconditionally would be
> good
> 
> The question is, if the old safebrowsing.cld has to be removed if it exists.
> 
> >Anyway I was one of those, and now disabling it everywhere...
> 
> +1
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> 2B|!2B, that's a question!
> 


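To see what Micah's description implies for a given installation, here is an added example (not ClamAV's own code) that audits a freshclam.conf fragment together with a listing of the database directory: it flags the deprecated SafeBrowsing option, computes the set of official databases FreshClam will want (main, daily and bytecode by default, plus ExtraDatabase minus ExcludeDatabase; that default set is an assumption of this example) and lists the .cvd/.cld files outside that set, which FreshClam 0.102+ would remove on its next run. The configuration text and file names are constructed.

```python
import re
from pathlib import PurePosixPath

# Databases FreshClam fetches when no ExtraDatabase/ExcludeDatabase is set.
# Assumption for this example, not read from the ClamAV sources.
DEFAULT_DATABASES = {"main", "daily", "bytecode"}

# Options that 0.103.2 no longer honours, with the reason to report.
DEPRECATED_OPTIONS = {
    "SafeBrowsing": "deprecated in 0.103.2; safebrowsing is discontinued and "
                    "downloads of safebrowsing.cvd are answered with HTTP 403",
}

# Constructed freshclam.conf fragment and database directory listing.
SAMPLE_CONF = """\
# constructed sample, not a real installation
DatabaseMirror database.clamav.net
SafeBrowsing yes
ExcludeDatabase bytecode
"""
SAMPLE_DBDIR = ["main.cvd", "daily.cld", "bytecode.cvd", "safebrowsing.cld", "mirrors.dat"]

# One option per line: "Name value"; comments start with '#'.
OPTION_RE = re.compile(r"^\s*([A-Za-z]+)\s+(.*?)\s*$")


def parse_conf(text):
    """Map option name -> list of values (ExtraDatabase/ExcludeDatabase may repeat)."""
    options = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m:
            options.setdefault(m.group(1), []).append(m.group(2))
    return options


def desired_databases(options):
    """Defaults, plus ExtraDatabase entries, minus ExcludeDatabase entries.
    SafeBrowsing is ignored here, as 0.103.2 no longer adds it to the list."""
    wanted = set(DEFAULT_DATABASES)
    wanted.update(options.get("ExtraDatabase", []))
    wanted.difference_update(options.get("ExcludeDatabase", []))
    return wanted


def stale_databases(wanted, filenames):
    """CVD/CLD files in the database directory that are not in the wanted set;
    per Micah's message, FreshClam 0.102+ removes these on its next run."""
    stale = []
    for name in filenames:
        p = PurePosixPath(name)
        if p.suffix in (".cvd", ".cld") and p.stem not in wanted:
            stale.append(name)
    return sorted(stale)


def audit(conf_text, filenames):
    options = parse_conf(conf_text)
    findings = [f"{opt}: {why}" for opt, why in DEPRECATED_OPTIONS.items() if opt in options]
    wanted = desired_databases(options)
    return {"findings": findings, "desired": wanted, "stale": stale_databases(wanted, filenames)}


if __name__ == "__main__":
    result = audit(SAMPLE_CONF, SAMPLE_DBDIR)
    for finding in result["findings"]:
        print("finding:", finding)
    print("databases kept:", sorted(result["desired"]))
    print("files freshclam will remove:", result["stale"])
```

Running the audit before upgrading tells you in advance which files will disappear from the database directory, so a leftover safebrowsing.cld vanishing after the 0.103.2 upgrade is expected rather than a surprise.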

Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Joel Esler (jesler) via clamav-users
Feel free if you have the ability to do so.  We’re poking in all directions 
already.  

Sent from my  iPhone

> On Apr 8, 2021, at 17:34, Andrew C Aitchison  wrote:
> 
> 
>> On Thu, 8 Apr 2021, Joel Esler (jesler) via clamav-users wrote:
>> Still, 102.4 should work properly, shouldn't it?
>> 
>> It does.  But 103.2 handles the downloads and interactions SO MUCH
>> BETTER (I’ve been watching the updates for 103.2’s FreshClam all
>> morning, and it’s working so much better.
>> 
>> Please.  Please upgrade.
> 
> https://packages.ubuntu.com/search?suite=hirsute=clamav
> suggests that Ubuntu Hirsute, due out this month, will still have ClamAV 
> 0.103.0.
> 
> Is it worth giving them a prod ?
> 
> -- 
> Andrew C. Aitchison    Kendal, UK
>    and...@aitchison.me.uk



Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Andrew C Aitchison via clamav-users


On Thu, 8 Apr 2021, Joel Esler (jesler) via clamav-users wrote:

Still, 102.4 should work properly, shouldn't it?

It does.  But 103.2 handles the downloads and interactions SO MUCH
BETTER (I’ve been watching the updates for 103.2’s FreshClam all
morning, and it’s working so much better.

Please.  Please upgrade.


https://packages.ubuntu.com/search?suite=hirsute=clamav
suggests that Ubuntu Hirsute, due out this month, will still have ClamAV 
0.103.0.


Is it worth giving them a prod ?

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Joel Esler (jesler) via clamav-users


On Apr 8, 2021, at 2:26 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

On 08.04.21 16:23, Joel Esler (jesler) via clamav-users wrote:
Advice, for literally anyone:

Upgrade to 103.2.  The FreshClam there is much better and will resolve the 
issues.

I don't think this is easily doable for devuan ascii.
(not many people want to backport manually)

Still, 102.4 should work properly, shouldn't it?

It does.  But 103.2 handles the downloads and interactions SO MUCH BETTER (I’ve 
been watching the updates for 103.2’s FreshClam all morning, and it’s working 
so much better.

Please.  Please upgrade.



Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Matus UHLAR - fantomas

On 08.04.21 16:37, marko...@eunet.rs wrote:
I use ClamAV on a Devuan ASCII (based on Debian Stretch) machine and
when try to update databases I get error 429 from server (logged in
/var/log/clamav/freshclam.log):



Thu Apr  8 14:23:32 2021 -> WARNING: downloadFile: Unexpected response
(429) from https://database.clamav.net/daily.cvd



Is there a way to solve this?




On Thu, 8 Apr 2021 16:44:46 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
code 429 means you make a problem:

https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html

are you behind NAT? do you use clamav on multiple machines?



On Apr 8, 2021, at 11:52 AM, Marko Randjelovic <marko...@eunet.rs> wrote:
After a long time I tried to scan a file but saw databases are very old
and update was not working. Then I deleted databases
from /var/lib/clamav thinking this will resolve problem. But obviously
I was wrong. And yes, I have another machine with clamav which is
behind the same NAT as the problematic machine.


one time freshclam download should not cause a problem.

...unless others know more :)


Now I just copied files from another machine and freshclam says
databases are up to date. I'll see after update become available if
freshclam will be able to download it.


this _should_ work. but the real question is why the above didn't work.
If you cause problem, another update may be refused...

again, more info may be available from others

good luck and watch the logs.

On 08.04.21 16:23, Joel Esler (jesler) via clamav-users wrote:

Advice, for literally anyone:

Upgrade to 103.2.  The FreshClam there is much better and will resolve the 
issues.


I don't think this is easily doable for devuan ascii.
(not many people want to backport manually)

Still, 102.4 should work properly, shouldn't it?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".



Re: [clamav-users] vistumbler as false positive

2021-04-08 Thread Eero Volotinen
>
> Not sure about this as it is open source, but if I were paying for
> the software I would expect them to liaise with the AV companies.
>

Well, not sure if this software is malware or not. A bit worried about
that.

Eero



Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Joel Esler (jesler) via clamav-users


On Apr 8, 2021, at 11:52 AM, Marko Randjelovic <marko...@eunet.rs> wrote:

On Thu, 8 Apr 2021 16:44:46 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

On 08.04.21 16:37, marko...@eunet.rs wrote:
I use ClamAV on a Devuan ASCII (based on Debian Stretch) machine and
when try to update databases I get error 429 from server (logged in
/var/log/clamav/freshclam.log):

Thu Apr  8 14:23:32 2021 -> ClamAV update process started at Thu Apr
8 14:23:32 2021
Thu Apr  8 14:23:32 2021 -> WARNING: Your ClamAV installation is
OUTDATED!
Thu Apr  8 14:23:32 2021 -> WARNING: Local version: 0.102.4
Recommended version: 0.103.2
Thu Apr  8 14:23:32 2021 -> DON'T PANIC! Read
https://www.clamav.net/documents/upgrading-clamav
Thu Apr  8 14:23:32 2021 -> daily database available for download
(remote version: 26134)
Thu Apr  8 14:23:32 2021 -> WARNING: downloadFile: Unexpected response
(429) from https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> WARNING: getcvd: Can't download daily.cvd
from https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> Trying again in 5 secs...

Is there a way to solve this?

code 429 means you make a problem:

https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html

are you behind NAT? do you use clamav on multiple machines?



After a long time I tried to scan a file but saw databases are very old
and update was not working. Then I deleted databases
from /var/lib/clamav thinking this will resolve problem. But obviously
I was wrong. And yes, I have another machine with clamav which is
behind the same NAT as the problematic machine.

Now I just copied files from another machine and freshclam says
databases are up to date. I'll see after update become available if
freshclam will be able to download it.

Advice, for literally anyone:

Upgrade to 103.2.  The FreshClam there is much better and will resolve the 
issues.



Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Marko Randjelovic
On Thu, 8 Apr 2021 16:44:46 +0200
Matus UHLAR - fantomas  wrote:

> On 08.04.21 16:37, marko...@eunet.rs wrote:
> >I use ClamAV on a Devuan ASCII (based on Debian Stretch) machine and 
> >when try to update databases I get error 429 from server (logged in 
> >/var/log/clamav/freshclam.log):
> >
> >Thu Apr  8 14:23:32 2021 -> ClamAV update process started at Thu Apr  
> >8 14:23:32 2021
> >Thu Apr  8 14:23:32 2021 -> WARNING: Your ClamAV installation is 
> >OUTDATED!
> >Thu Apr  8 14:23:32 2021 -> WARNING: Local version: 0.102.4 
> >Recommended version: 0.103.2
> >Thu Apr  8 14:23:32 2021 -> DON'T PANIC! Read 
> >https://www.clamav.net/documents/upgrading-clamav
> >Thu Apr  8 14:23:32 2021 -> daily database available for download 
> >(remote version: 26134)
> >Thu Apr  8 14:23:32 2021 -> WARNING: downloadFile: Unexpected response 
> >(429) from https://database.clamav.net/daily.cvd
> >Thu Apr  8 14:23:32 2021 -> WARNING: getcvd: Can't download daily.cvd 
> >from https://database.clamav.net/daily.cvd
> >Thu Apr  8 14:23:32 2021 -> Trying again in 5 secs...
> >
> >Is there a way to solve this?  
> 
> code 429 means you make a problem:
> 
> https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html
> 
> are you behind NAT? do you use clamav on multiple machines?
> 
> 

After a long time I tried to scan a file but saw databases are very old
and update was not working. Then I deleted databases
from /var/lib/clamav thinking this will resolve problem. But obviously
I was wrong. And yes, I have another machine with clamav which is
behind the same NAT as the problematic machine.

Now I just copied files from another machine and freshclam says
databases are up to date. I'll see after update become available if
freshclam will be able to download it.

Thanks,
Marko



Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Joel Esler (jesler) via clamav-users


On Apr 8, 2021, at 10:48 AM, Vladislav Kurz via clamav-users <clamav-users@lists.clamav.net> wrote:

On Thursday 8 April 2021 16:17:24 CEST, Ralf Hildebrandt via clamav-users
wrote:
* Vladislav Kurz via clamav-users <clamav-users@lists.clamav.net>:
How about just making the file empty?

I think this causes an error in clamav/clamd

Then just make it as small as possible - e.g. leave only one signature in the
file, or something like that.

Yup, we’ve got it. :)

Thanks

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net



Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Vladislav Kurz via clamav-users
On Thursday 8 April 2021 16:17:24 CEST, Ralf Hildebrandt via clamav-users
wrote:
> * Vladislav Kurz via clamav-users :
> > How about just making the file empty?
> 
> I think this causes an error in clamav/clamd

Then just make it as small as possible - e.g. leave only one signature in the
file, or something like that.

-- 
Best regards
Vladislav Kurz






Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Joel Esler (jesler) via clamav-users
Dear Marko,

Thanks for your email. I believe you will find what you are looking for here: 
https://www.clamav.net/documents/freshclam-faq under “Error Codes"

-- Joel Esler Manager, Communities Division Cisco Talos Intelligence Group 
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net

On Apr 8, 2021, at 10:37 AM, marko...@eunet.rs wrote:

Hello,

I use ClamAV on a Devuan ASCII (based on Debian Stretch) machine and when try 
to update databases I get error 429 from server (logged in 
/var/log/clamav/freshclam.log):

Thu Apr  8 14:23:32 2021 -> ClamAV update process started at Thu Apr  8 
14:23:32 2021
Thu Apr  8 14:23:32 2021 -> WARNING: Your ClamAV installation is OUTDATED!
Thu Apr  8 14:23:32 2021 -> WARNING: Local version: 0.102.4 Recommended 
version: 0.103.2
Thu Apr  8 14:23:32 2021 -> DON'T PANIC! Read 
https://www.clamav.net/documents/upgrading-clamav
Thu Apr  8 14:23:32 2021 -> daily database available for download (remote 
version: 26134)
Thu Apr  8 14:23:32 2021 -> WARNING: downloadFile: Unexpected response (429) 
from https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> WARNING: getcvd: Can't download daily.cvd from 
https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> Trying again in 5 secs...

Is there a way to solve this?

Regards,
Marko





Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Matus UHLAR - fantomas

On 08.04.21 16:37, marko...@eunet.rs wrote:
I use ClamAV on a Devuan ASCII (based on Debian Stretch) machine and 
when try to update databases I get error 429 from server (logged in 
/var/log/clamav/freshclam.log):


Thu Apr  8 14:23:32 2021 -> ClamAV update process started at Thu Apr  
8 14:23:32 2021
Thu Apr  8 14:23:32 2021 -> WARNING: Your ClamAV installation is 
OUTDATED!
Thu Apr  8 14:23:32 2021 -> WARNING: Local version: 0.102.4 
Recommended version: 0.103.2
Thu Apr  8 14:23:32 2021 -> DON'T PANIC! Read 
https://www.clamav.net/documents/upgrading-clamav
Thu Apr  8 14:23:32 2021 -> daily database available for download 
(remote version: 26134)
Thu Apr  8 14:23:32 2021 -> WARNING: downloadFile: Unexpected response 
(429) from https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> WARNING: getcvd: Can't download daily.cvd 
from https://database.clamav.net/daily.cvd

Thu Apr  8 14:23:32 2021 -> Trying again in 5 secs...

Is there a way to solve this?


code 429 means you make a problem:

https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html

are you behind NAT? do you use clamav on multiple machines?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.



[clamav-users] Error 429 when updating database

2021-04-08 Thread markoran

Hello,

I use ClamAV on a Devuan ASCII (based on Debian Stretch) machine and 
when try to update databases I get error 429 from server (logged in 
/var/log/clamav/freshclam.log):


Thu Apr  8 14:23:32 2021 -> ClamAV update process started at Thu Apr  8 
14:23:32 2021
Thu Apr  8 14:23:32 2021 -> WARNING: Your ClamAV installation is 
OUTDATED!
Thu Apr  8 14:23:32 2021 -> WARNING: Local version: 0.102.4 Recommended 
version: 0.103.2
Thu Apr  8 14:23:32 2021 -> DON'T PANIC! Read 
https://www.clamav.net/documents/upgrading-clamav
Thu Apr  8 14:23:32 2021 -> daily database available for download 
(remote version: 26134)
Thu Apr  8 14:23:32 2021 -> WARNING: downloadFile: Unexpected response 
(429) from https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> WARNING: getcvd: Can't download daily.cvd 
from https://database.clamav.net/daily.cvd

Thu Apr  8 14:23:32 2021 -> Trying again in 5 secs...

Is there a way to solve this?

Regards,
Marko


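An added example (not ClamAV's own code) that runs the kind of triage Matus and Joel describe over freshclam.log: it pulls every "Unexpected response (NNN)" line, counts responses per status code, records the local/recommended version line, and maps 429 and 403 to the explanations given in this thread and in the 0.103.2 release-note excerpt quoted elsewhere on the page. The log lines below are a constructed sample modelled on Marko's, and the explanation strings are this example's summaries, not the mirror's actual policy text.

```python
import re

# Constructed sample modelled on the freshclam.log lines Marko posted (same format).
SAMPLE_LOG = """\
Thu Apr  8 14:23:32 2021 -> ClamAV update process started at Thu Apr  8 14:23:32 2021
Thu Apr  8 14:23:32 2021 -> WARNING: Your ClamAV installation is OUTDATED!
Thu Apr  8 14:23:32 2021 -> WARNING: Local version: 0.102.4 Recommended version: 0.103.2
Thu Apr  8 14:23:32 2021 -> daily database available for download (remote version: 26134)
Thu Apr  8 14:23:32 2021 -> WARNING: downloadFile: Unexpected response (429) from https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> WARNING: getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Thu Apr  8 14:23:32 2021 -> Trying again in 5 secs...
Thu Apr  8 14:23:37 2021 -> WARNING: downloadFile: Unexpected response (403) from https://database.clamav.net/safebrowsing.cvd
"""

RESPONSE_RE = re.compile(r"Unexpected response \((\d{3})\) from (\S+)")
VERSION_RE = re.compile(r"Local version: (\S+) Recommended version: (\S+)")


def explain(status, url):
    """Defender-side reading of a status code, summarised from the thread."""
    if status == 403 and url.endswith("safebrowsing.cvd"):
        return ("safebrowsing.cvd is discontinued and deliberately served as 403; "
                "remove the SafeBrowsing/safebrowsing setting from the FreshClam config")
    if status == 403:
        return ("blocked: retrying does not help, the address has to be unblocked "
                "(0.103.2 FreshClam exits in daemon mode on 403)")
    if status == 429:
        return ("rate limited: too many requests from this public IP, e.g. several "
                "hosts behind one NAT or FreshClam run too often; fetch once and "
                "copy the databases to the other hosts, or run a private mirror")
    return "unexpected status; see the FreshClam FAQ section on error codes"


def analyse(log_text):
    """Extract (status, url) pairs and the version warning from a log."""
    report = {"responses": [], "local_version": None, "recommended_version": None}
    for line in log_text.splitlines():
        m = RESPONSE_RE.search(line)
        if m:
            report["responses"].append((int(m.group(1)), m.group(2)))
            continue
        m = VERSION_RE.search(line)
        if m:
            report["local_version"] = m.group(1)
            report["recommended_version"] = m.group(2)
    return report


def status_counts(report):
    """How often each HTTP status was seen; useful to spot a retry storm."""
    counts = {}
    for status, _url in report["responses"]:
        counts[status] = counts.get(status, 0) + 1
    return counts


def advice(report):
    """One line per distinct (status, url), plus an outdated-engine note."""
    lines, seen = [], set()
    for status, url in report["responses"]:
        if (status, url) in seen:
            continue
        seen.add((status, url))
        lines.append(f"HTTP {status} for {url}: {explain(status, url)}")
    lv, rv = report["local_version"], report["recommended_version"]
    if lv and rv and lv != rv:
        lines.append(f"engine outdated: {lv} installed, {rv} recommended")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python freshclam_triage.py /var/log/clamav/freshclam.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep = analyse(text)
    print("status counts:", status_counts(rep))
    for line in advice(rep):
        print(line)
```

A high 429 count with only a few seconds between entries is the "retry storm" the 0.103.2 FreshClam avoids; on older releases it is a sign to lengthen the check interval or to serve the databases from one host on the LAN rather than having every machine fetch them through the same NAT address.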

Re: [clamav-users] ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Joel Esler (jesler) via clamav-users


On Apr 8, 2021, at 10:06 AM, Vladislav Kurz via clamav-users <clamav-users@lists.clamav.net> wrote:

On Wednesday 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via clamav-users
wrote:
https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html


Are you still attempting to download safebrowsing.cvd?

and continue to download the safebrowsing.cvd account for nearly 10TB of
traffic a month, just for that file.

As a result, we have put in a block to make any attempts to download the
safebrowsing.cvd result in a 403 error.

How about just making the file empty?
Also I wonder if freshclam does not check if the file has been modified, and
skip the download if not?

We’re actually working on this as we speak




Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Ralf Hildebrandt via clamav-users
* Vladislav Kurz via clamav-users :

> How about just making the file empty? 

I think this causes an error in clamav/clamd

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
IT Division | Network Department

Campus Benjamin Franklin (CBF)
Building I | 1st floor | Room 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de



Re: [clamav-users] ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Vladislav Kurz via clamav-users
On Wednesday 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via clamav-users
wrote:
> > https://blog.clamav.net/2021/04/are-you-still-attempting-to-download.html
> > 
> > Are you still attempting to download safebrowsing.cvd?
> > 
> > and continue to download the safebrowsing.cvd account for nearly 10TB of
> > traffic a month, just for that file.
> > 
> > As a result, we have put in a block to make any attempts to download the
> > safebrowsing.cvd result in a 403 error.

How about just making the file empty? 
Also I wonder if freshclam does not check if the file has been modified, and 
skip the download if not?

-- 
Best regards
Vladislav Kurz






Re: [clamav-users] vistumbler as false positive

2021-04-08 Thread Andrew C Aitchison via clamav-users



On Thu, 8 Apr 2021, Eero Volotinen wrote:


https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe

Looks like this is (vistumbler) detected as false positive.


and

On Thu, 8 Apr 2021, Arnaud Jacques wrote:

At first look, ClamAV is not the only one that flags it as malware :
https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection


and https://vistumbler.en.lo4d.com/virus-malware-tests
but that has a different sha256sum.
Hmm.

If I feed the github URL into virustotal it comes up clean
https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection

but if I download the file and give that to virustotal I get
https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection
(the bit between file/ and /detection matches the sha256sum of my file and that 
on https://vistumbler.en.lo4d.com/virus-malware-tests ).

Initially that page reported
 19 security vendors flagged this file as malicious
 Size 6.92 MB
  direct-cpu-clock-access invalid-signature
  nsis overlay peexe runtime-modules signed
but when I asked virustotal to rescan, "19 security vendors" changed to "16 security 
vendors".

I have put my copy at:
https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe

I think this means that raw.github.com has given out at least three
different versions of this file. Eero, could you pass this back to
the Vistumbler developer "Andrew" (Calcutt?) please ?

# file Vistumbler_v10-7.exe
Vistumbler_v10-7.exe: PE32 executable (GUI) Intel 80386, for MS Windows,
Nullsoft Installer self-extracting archive

# host raw.github.com
raw.github.com has address 185.199.108.133
raw.github.com has address 185.199.109.133
raw.github.com has address 185.199.110.133
raw.github.com has address 185.199.111.133

On Thu, 8 Apr 2021, Eero Volotinen wrote:


comment from developer

"Unfortunately autoit, which vistumbler is written in, gets flagged
as a false positive a lot. Vistumbler has struggled with this since
the beginning.

I recently submitted the 10.7 release files to microsoft for false
detection and they removed the false detection, so i think these
files are fine. However I have also just submitted a false positive
report to bitdefender, so we can see if they remove it too.

If vistumbler gets flagged by your AV company, my suggestion is to
submit it as a false positive to them. I really don't have the time
to chase down all these AV companies.

-Andrew"


Not sure about this as it is open source, but if I were paying for
the software I would expect them to liaise with the AV companies.

--
Andrew C. Aitchison Kendal, UK
 and...@aitchison.me.uk




Re: [clamav-users] ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Matus UHLAR - fantomas

On Wednesday 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via
clamav-users wrote:

> Are you still attempting to download safebrowsing.cvd?
>
>  It has come to our attention that a few of you (about 515,000 of you, to
>  be more accurate), are still attempting to download the safebrowsing.cvd
>  file from the official ClamAV mirrors.  This tells us that these
>  attempted downloads are an installation of FreshClam (a non-updated
>  FreshClam.conf or other script) that have not been updated to remove the
>  safebrowsing database.


On 07.04.21 21:04, Vladislav Kurz via clamav-users wrote:

These could be Debian users. The debian package offers to enable
safebrowsing.cvd, and there is no indication that it is discontinued. Perhaps,
if you talk to Debian Clamav maintainers, they could release an update that
disables this option without asking ?


it's disabled by default, but yes, disabling it unconditionally would
be good

The question is, if the old safebrowsing.cld has to be removed if it exists.


Anyway I was one of those, and now disabling it everywhere...


+1
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!

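Worked example, added here and not part of the thread, of ClamAV or of the Debian packaging: a small Python script that does on one host what the two replies above describe, namely comment out the SafeBrowsing option in freshclam.conf and delete a stale safebrowsing.cvd/.cld so nothing keeps fetching or loading it. The config and database paths are assumptions (they differ per distribution); demo() runs against a constructed sandbox, never a live install.

```python
"""Retire the discontinued safebrowsing database on one host: comment out the
SafeBrowsing option in freshclam.conf and delete any stale safebrowsing.cvd or
safebrowsing.cld from the database directory.

Added example; not from the thread, ClamAV or the Debian packaging. Paths are
assumptions that depend on the distribution; demo() runs against a constructed
sandbox, never a real install.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

SAFEBROWSING_DB = ("safebrowsing.cvd", "safebrowsing.cld")
# Active 'SafeBrowsing yes' lines; [ \t] rather than \s so a match never spans lines.
_SAFEBROWSING_ON = re.compile(r"^([ \t]*)SafeBrowsing[ \t]+(yes|true|on|1)[ \t]*$",
                              re.IGNORECASE | re.MULTILINE)


def disable_safebrowsing(conf_text: str) -> Tuple[str, int]:
    """Comment out every active SafeBrowsing line; return (new_text, lines_changed)."""
    return _SAFEBROWSING_ON.subn(r"\1#SafeBrowsing \2", conf_text)


def custom_url_mentions(conf_text: str) -> List[str]:
    """DatabaseCustomURL lines pointing at a safebrowsing file need a human decision."""
    return [ln for ln in conf_text.splitlines()
            if ln.lstrip().startswith("DatabaseCustomURL") and "safebrowsing" in ln.lower()]


def remove_stale_db(db_dir: Path) -> List[str]:
    removed = []
    for name in SAFEBROWSING_DB:
        p = db_dir / name
        if p.is_file():
            p.unlink()  # freshclam no longer refreshes it; clamd drops it on its next reload
            removed.append(name)
    return removed


def retire_safebrowsing(conf_path: Path, db_dir: Path) -> Dict[str, object]:
    text = conf_path.read_text()
    new_text, changed = disable_safebrowsing(text)
    if changed:
        conf_path.write_text(new_text)
    return {
        "config_lines_disabled": changed,
        "custom_url_to_review": custom_url_mentions(new_text),
        "databases_removed": remove_stale_db(db_dir),
    }


def demo() -> Dict[str, object]:
    """Constructed sandbox: a freshclam.conf with the option on and a stale .cld."""
    root = Path(tempfile.mkdtemp(prefix="clamav-sb-"))
    conf, db = root / "freshclam.conf", root / "db"
    db.mkdir()
    conf.write_text("DatabaseMirror database.clamav.net\nSafeBrowsing yes\nChecks 24\n")
    (db / "safebrowsing.cld").write_bytes(b"ClamAV-VDB:stale\n")  # constructed, not a real db
    (db / "daily.cld").write_bytes(b"ClamAV-VDB:keep\n")
    result = retire_safebrowsing(conf, db)
    result["conf"] = conf.read_text()
    result["remaining"] = sorted(p.name for p in db.iterdir())
    return result


if __name__ == "__main__":
    print(demo())
```

On a real host, reload clamd afterwards (for example `clamdscan --reload`) so the deleted database is no longer held in memory. DatabaseCustomURL lines that mention safebrowsing are only reported, not edited, because they may point at a third-party mirror that the admin set up deliberately.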


Re: [clamav-users] [Clamav-announce] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-08 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 7 Apr 2021, Joel Esler (jesler) wrote:


...
FreshClam will now exit with a failure in daemon mode if an HTTP
403 (Forbidden) was received, because retrying later won't help
any. The FreshClam user will have to take actions to get unblocked.
...


Won't some dumb system utility just restart it?

--

73,
Ged.



Re: [clamav-users] Scanning a large file through HTTP

2021-04-08 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 7 Apr 2021, Paul Kosinski via clamav-users wrote:


Seems to me that this behavior, advertising a 4GB limit while
silently imposing a 2GB limit and reporting "OK" for anything in
between, is a *major* security flaw: ClamAV *must* report that the
file was too big to deal with (however worded).


Don't get too excited about it.  When ClamAV says "OK" it really means
"I didn't find anything in there", which if you're unlucky it will say
for maybe two out of three infected files anyway.  Getting bent out of
shape about a couple of files which happen to give that result because
they're huge and the scanner gives up on them is simply not seeing the
Big Picture.

You will have problems if you believe everything ClamAV (or indeed any
other virus scanner) tells you.  No scanner will give you an accurate
result every time.  The best anyone can hope for, with ANY scanner and
ANY profile of data, is probably four out of five, so if you're seeing
thousands of malicious samples every day, and all you do is trust your
virus scanners to be right every time, you'll be accepting hundreds of
malicious samples daily at least.

My take on it is that the way to use ClamAV is to try to have it give
you an estimate of the credibility of the data sources rather than to try
to whack all the moles, which is usually a fruitless exercise and will
inevitably lead to failure.


Thus I've taken to using clamscan rather than clamdscan (slow though
that is), because at least it reports how many bytes were read, and
how many scanned, so I can see what's going on.


You can easily put something together which gives you that information
but still uses clamd.  If anyone wants to take a project and run with
it I'll be happy to post some Perl code which sends a stream to clamd.
It would take care of the ugly inter-process communications, leaving
our hero to make it somehow useful.  Perhaps on the development list,
or the ClamAV Bugzilla.


P.S. Recently I've downloaded some MP3s from Amazon and scanned them
(as I do everything I download -- except updates from my Linux
distros). But for a reason I saw on this list -- but can't remember
-- MP3s are fully read, but not scanned. Is this going to be
remedied?


See this thread:

https://marc.info/?l=clamav-users&m=150039601417286&w=2

See also the messages in 2014 from Steve Basford on Jul. 8 and Sep 17,
and Douglas Goddard on Sep 25:

https://marc.info/?l=clamav-users&w=2&r=1&s=MP3&q=b

See also

https://bugzilla.clamav.net/show_bug.cgi?id=11582

which tells me that there's plenty of work still to do but it isn't at
the top of anybody's priority list.  The bottom line seems to be that
MP3 viruses are, if not non-existent, relatively rare and there's more
to be achieved looking for things which masquerade as MP3 but aren't.

--

73,
Ged.



Re: [clamav-users] vistumbler as false positive

2021-04-08 Thread Eero Volotinen
comment from developer

” Unfortunately autoit, which vistumbler is written in, gets flagged as a
false positive a lot. Vistumbler has struggled with this since the
beginning.

I recently submitted the 10.7 release files to microsoft for false
detection and they removed the false detection, so i think these files are
fine. However I have also just submitted a false positive report to
bitdefender, so we can see if they remove it too.

If vistumbler gets flagged by your AV company, my suggestion is to submit
it as a false positive to them. I really don't have the time to chase down
all these AV companies.

-Andrew”

On Thu 8. Apr 2021 at 13.49, Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> That signature has been in the ClamAV daily.ldb database since Jan 15 and
> appears to be looking for some relatively unique strings:
>
> % sigtool -f Win.Malware.Generic-9819492-0 | sigtool --decode-sigs
> VIRUS NAME: Win.Malware.Generic-9819492-0
> TDB: Engine:81-255,Target:1
> LOGICAL EXPRESSION: 0&1&2&3&4
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: WIDE
>  +-> DECODED SUBSIGNATURE:
> *Unable to get a list of running processes.
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: WIDE
>  +-> DECODED SUBSIGNATURE:
> 0Expected a "=" operator in assignment statement.*Invalid keyword at the
> start of this line.
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: WIDE
>  +-> DECODED SUBSIGNATURE:
> api-ms-win-core-synch-l1-2-0.dll
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> internal error: invalid forward reference offset
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: WIDE
>  +-> DECODED SUBSIGNATURE:
> Error parsing function call.0Incorrect number of parameters in function
> call.'"ReDim" used without an array variable.>
>
> -Al-
>
> On Apr 8, 2021, at 03:24, Arnaud Jacques wrote:
>
>
> Hello,
>
> At first look, ClamAV is not the only one that flags it as malware :
>
>
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
>
>
> On 08/04/2021 at 11:41, Eero Volotinen wrote:
>
> Thanks. I submitted files via that url.
>  clamscan Vistumbler_v1*
> /root/Vistumbler_v10-7.exe: OK
> /root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
> /root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND
> So. looks like this is false positive on vistumbler..
> Eero
> On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>Without knowing the name of the infection I can't provide even a
>guess as to whether it is or not, but the exact answer to your
>question is for you to report it by filling out the form found
>@https://www.clamav.net/reports/fp
> including the file itself.
>Sent from my iPad
>-Al-
>On Apr 7, 2021, at 18:03, Eero Volotinen wrote:
>
>
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>
>Looks like this is (vistumbler) detected as false positive.
>
>How to fix this?
>
>Eero
>
>
>



Re: [clamav-users] vistumbler as false positive

2021-04-08 Thread Al Varnell via clamav-users
That signature has been in the ClamAV daily.ldb database since Jan 15 and 
appears to be looking for some relatively unique strings:

% sigtool -f Win.Malware.Generic-9819492-0 | sigtool --decode-sigs
VIRUS NAME: Win.Malware.Generic-9819492-0
TDB: Engine:81-255,Target:1
LOGICAL EXPRESSION: 0&1&2&3&4
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
*Unable to get a list of running processes.
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
0Expected a "=" operator in assignment statement.*Invalid keyword at the start 
of this line.
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
api-ms-win-core-synch-l1-2-0.dll
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
internal error: invalid forward reference offset
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: WIDE
 +-> DECODED SUBSIGNATURE:
Error parsing function call.0Incorrect number of parameters in function 
call.'"ReDim" used without an array variable.>

-Al-

On Apr 8, 2021, at 03:24, Arnaud Jacques  wrote:
> 
> Hello,
> 
> At first look, ClamAV is not the only one that flags it as malware :
> 
> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
>  
> 
> 
> 
> On 08/04/2021 at 11:41, Eero Volotinen wrote:
>> Thanks. I submitted files via that url.
>>  clamscan Vistumbler_v1*
>> /root/Vistumbler_v10-7.exe: OK
>> /root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
>> /root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND
>> So. looks like this is false positive on vistumbler..
>> Eero
>> On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users
>> <clamav-users@lists.clamav.net> wrote:
>>Without knowing the name of the infection I can't provide even a
>>guess as to whether it is or not, but the exact answer to your
>>question is for you to report it by filling out the form found
>>@https://www.clamav.net/reports/fp
>> including the file itself.
>>Sent from my iPad
>>-Al-
>>On Apr 7, 2021, at 18:03, Eero Volotinen wrote:
>>>
>>> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>>> 
>>>Looks like this is (vistumbler) detected as false positive.
>>> 
>>>How to fix this?
>>> 
>>>Eero



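To make it concrete why a signature built from those five strings fires on Vistumbler, here is an added Python example (mine, not ClamAV's engine and not from this thread) that evaluates the decoded logical signature against a byte buffer: each subsignature is searched in its WIDE (UTF-16LE) or raw form and the hits are combined with the 0&1&2&3&4 expression. The patterns are the readable fragments from the decode above; dropping the leading "*"/"0" characters, wildcards and offsets is an assumption about what the decoder printed. The two sample buffers are constructed, not real binaries.

```python
"""Evaluate a decoded ClamAV logical signature against a byte buffer.

Added example, not ClamAV code and not from this thread. It mirrors only what
`sigtool --decode-sigs` shows above: subsignatures with a modifier (WIDE = match
the UTF-16LE form, NONE = raw bytes) combined by a logical expression over their
IDs with &, | and parentheses; count operators ("0>3") and offsets are ignored.
Patterns are the readable fragments of the decode; the leading "*"/"0" chars are
assumed to be wildcards or non-printable bytes and are dropped (an assumption).
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class SubSig:
    sid: int
    pattern: str
    sigmod: str  # "WIDE" or "NONE", as printed by sigtool --decode-sigs

    def encoded(self) -> bytes:
        return self.pattern.encode("utf-16-le" if self.sigmod == "WIDE" else "ascii")

# Win.Malware.Generic-9819492-0 as decoded above (fragments, see docstring).
GENERIC_9819492 = [
    SubSig(0, "Unable to get a list of running processes.", "WIDE"),
    SubSig(1, 'Expected a "=" operator in assignment statement.', "WIDE"),
    SubSig(2, "api-ms-win-core-synch-l1-2-0.dll", "WIDE"),
    SubSig(3, "internal error: invalid forward reference offset", "NONE"),
    SubSig(4, "Error parsing function call.", "WIDE"),
]
GENERIC_9819492_EXPR = "0&1&2&3&4"

class _ExprParser:
    """Recursive descent over ClamAV logical expressions; & binds tighter than |."""
    def __init__(self, expr: str):
        self.s, self.i = expr.replace(" ", ""), 0

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def expression(self):
        node = self.term()
        while self.peek() == "|":
            self.i += 1
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "&":
            self.i += 1
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "(":
            self.i += 1
            node = self.expression()
            if self.peek() != ")":
                raise ValueError("unbalanced parentheses in %r" % self.s)
            self.i += 1
            return node
        start = self.i
        while self.peek().isdigit():
            self.i += 1
        if start == self.i:
            raise ValueError("subsignature id expected at %d in %r" % (self.i, self.s))
        return ("id", int(self.s[start:self.i]))

def parse_expr(expr: str):
    p = _ExprParser(expr)
    node = p.expression()
    if p.i != len(p.s):
        raise ValueError("trailing input in %r" % expr)
    return node

def _eval(node, hits: set) -> bool:
    if node[0] == "id":
        return node[1] in hits
    left, right = _eval(node[1], hits), _eval(node[2], hits)
    return (left and right) if node[0] == "and" else (left or right)

def match_subsigs(data: bytes, subsigs) -> set:
    """IDs of subsignatures whose encoded pattern occurs anywhere in data (OFFSET: ANY)."""
    return {s.sid for s in subsigs if s.encoded() in data}

def matches(data: bytes, subsigs, expr: str) -> bool:
    return _eval(parse_expr(expr), match_subsigs(data, subsigs))

# Constructed stand-ins, not real binaries. AUTOIT_LIKE carries the AutoIt
# interpreter's own parser error messages (present in every compiled AutoIt
# script whatever it does); ASCII_ONLY has the same text in ASCII, so the WIDE
# subsignatures miss and only subsig 3 hits.
AUTOIT_MESSAGES = [
    "Unable to get a list of running processes.",
    'Expected a "=" operator in assignment statement.',
    "Invalid keyword at the start of this line.",
    "Error parsing function call.",
    "api-ms-win-core-synch-l1-2-0.dll",
]

def build_blob(wide: bool) -> bytes:
    enc = "utf-16-le" if wide else "ascii"
    strings = b"\0\0".join(m.encode(enc) for m in AUTOIT_MESSAGES)
    return b"MZ" + b"\0" * 62 + strings + b"\0\0internal error: invalid forward reference offset\0"

AUTOIT_LIKE = build_blob(wide=True)
ASCII_ONLY = build_blob(wide=False)
```

Every one of the five strings is an AutoIt runtime/parser error message or a Windows API-set DLL name, so any program compiled with that AutoIt release carries all of them, which is exactly the pattern the developer describes. If you need to silence the detection locally while the report at https://www.clamav.net/reports/fp is processed, put the signature name Win.Malware.Generic-9819492-0 on a line of its own in a file with the .ign2 extension (for example local.ign2) in the database directory; that ignores this one signature everywhere, whereas a .fp file (MD5:size:name lines, as printed by `sigtool --md5 FILE`) whitelists only the specific file.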


Re: [clamav-users] vistumbler as false positive

2021-04-08 Thread Arnaud Jacques

Hello,

At first look, ClamAV is not the only one that flags it as malware :

https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection


On 08/04/2021 at 11:41, Eero Volotinen wrote:

Thanks. I submitted files via that url.

  clamscan Vistumbler_v1*
/root/Vistumbler_v10-7.exe: OK
/root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
/root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND

So. looks like this is false positive on vistumbler..

Eero

On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users
<clamav-users@lists.clamav.net> wrote:


Without knowing the name of the infection I can't provide even a
guess as to whether it is or not, but the exact answer to your
question is for you to report it by filling out the form found
@https://www.clamav.net/reports/fp including the file itself.

Sent from my iPad

-Al-

On Apr 7, 2021, at 18:03, Eero Volotinen <eero.voloti...@iki.fi> wrote:


https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe



Looks like this is (vistumbler) detected as false positive.

How to fix this?

Eero









--
Cordialement / Best regards,

Arnaud Jacques
Managing director of SecuriteInfo.com

Phone: +33-(0)3.60.47.09.81
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL



Re: [clamav-users] vistumbler as false positive

2021-04-08 Thread Eero Volotinen
Thanks. I submitted files via that url.

 clamscan Vistumbler_v1*
/root/Vistumbler_v10-7.exe: OK
/root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
/root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND

So. looks like this is false positive on vistumbler..

Eero

On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Without knowing the name of the infection I can't provide even a guess as
> to whether it is or not, but the exact answer to your question is for you
> to report it by filling out the form found @
> https://www.clamav.net/reports/fp including the file itself.
>
> Sent from my iPad
>
> -Al-
>
> On Apr 7, 2021, at 18:03, Eero Volotinen  wrote:
>
>
> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>
> Looks like this is (vistumbler) detected as false positive.
>
> How to fix this?
>
> Eero
>
>



Re: [clamav-users] Scanning a large file through HTTP

2021-04-08 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 7 Apr 2021, Micah Snyder (micasnyd) via clamav-users wrote:


There’s a lot of technical work to be done to safely raise that
limitation, as large files of various file types have never
been tested.


In my milter I've a pretty general-purpose Perl harness which can send
data to clamd in flexible ways.  It wouldn't take much effort to tweak
it to run tests on clamd - in fact I've used it for that kind of thing
in the past.  If you'd like me to do some testing with large files and
especially if you have some candidate large files which would be worth
trying, I'd be happy to set a job running on an otherwise idle machine
and cook rice puddings while waiting on the results.  I have machines
which I can cheerfully crash without worries.  They're Pi4Bs, which if
you leave them running for long enough will crash all by themselves.


A large TAR, for example, may well work fine when a large ZIP might
crash the program.  We really have no idea.


Do you have anything fuzzing the code, deliberately trying to break
it, any even semi-automatic analysis?  Seems like if you could break
things into manageable blocks the community could help quite a bit.

What would help most is a design document explaining the structure of
the code, how it all hangs together, and the intended function of the
various parts.  Then people who would otherwise be overwhelmed by it
all could get their teeth into it.  It could pay enormous dividends if
something like that were available to the community.  Help in testing
would be just the start.


A lot of folks seem to be unhappy with it saying “OK” when a file
hasn’t been scanned (myself included).  So we have been talking
about changing the output to something like the following messages
when files are not scanned or are only partially scanned:
 *   “SKIPPED (exceeded max file size)”
 *   “INCOMPLETE (exceeded max scan size)”
The exact wording is TBD.  If anyone has any specific requests, I’d
enjoy some help brainstorming.


Agreed it's perverse to report "OK" if a file was not properly scanned
but since it's been that way for decades I think you'll probably break
an awful lot of stuff Out There if you just go ahead and change that.
A compile-time option, initially defaulting to the current behaviour,
or a configuration option (the default behaviour as now) might prevent
a lot of angst.  No issues with the suggested wordings that I can see,
as long as they don't turn out to be a moving target.  There should be
another one, perhaps something like "DUNNO", for things nobody thought
of yet possibly including "SKIPPED (below minimum file size)".  Please
also something in the docs reserving the right to add new replies, so
that coders get the habit of coding for the future or so at the, er,
barest minimum your @r$e is covered.


... Some file formats, like PDF, DMG, and ZIP* store metadata at the
end of the file ... zips are actually pretty easy to parse in-order
...  Files like DMG, on the other hand, can’t even be identified as
DMG’s without reading the end of the file first ...


Is there somewhere a document listing the file types of which ClamAV
is aware, how it parses them, and any specific limitations/issues?
Whenever I've delved into the code it's been pretty daunting to try to
work out some of that stuff.


In short, don’t send chunks of files as separate files to be
scanned; It probably won’t catch any malware that way and may print
lots of warnings or errors if it gets confused about the type of the
file and starts processing it with the wrong parser.


I think the OP was confused by the use of 'chunks' in the clamd 'man'
page, which refers to the API for streaming data to clamd rather than
any suggestion that files can be broken into parts which will then be
scanned separately.  Clearly I can scan any known malicious file four
bytes at a time to guarantee a clean result.

--

73,
Ged.

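Ged mentions a Perl harness that streams data to clamd (in his earlier reply in this thread) and, above, the confusion about "chunks" in the clamd man page. Here is an added Python equivalent, mine rather than Ged's harness or ClamAV code, that speaks the INSTREAM protocol, counts how many bytes actually reached the daemon, and refuses to call a result clean unless clamd said OK for the whole file; replies it does not recognise are reported as unknown rather than OK. The socket path is an assumption; the only network call is in scan_bytes(), the framing and reply handling are pure functions.

```python
"""clamd INSTREAM client that reports how much data actually reached the daemon
and treats anything other than an explicit verdict as not-clean.

Added example; neither the Perl harness mentioned in the thread nor ClamAV
project code. Wire format per the clamd protocol: the command "zINSTREAM"
terminated by NUL, then chunks of 4-byte big-endian length + data, ended by a
zero-length chunk; clamd answers with one NUL-terminated line such as
"stream: OK", "stream: <name> FOUND" or "INSTREAM size limit exceeded. ERROR".
The socket path is an assumption.
"""
import socket
import struct
import sys
from dataclasses import dataclass
from typing import Iterator, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed; match LocalSocket in clamd.conf
CHUNK_SIZE = 64 * 1024


def frame_stream(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[Tuple[bytes, int]]:
    """Yield (wire_bytes, payload_len) for one INSTREAM session.

    The chunking is transport framing only: clamd reassembles the chunks and
    scans the whole stream, so splitting here does not split the scan."""
    yield b"zINSTREAM\0", 0
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk, len(chunk)
    yield struct.pack(">I", 0), 0


@dataclass
class Verdict:
    status: str      # "OK", "FOUND", "ERROR" or "UNKNOWN"
    detail: str      # signature name, error text or the raw reply
    bytes_sent: int  # payload bytes that reached clamd before it answered


def parse_reply(reply: bytes, bytes_sent: int) -> Verdict:
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return Verdict("OK", "", bytes_sent)
    if text.endswith(" FOUND"):
        body = text[len("stream: "):] if text.startswith("stream: ") else text
        return Verdict("FOUND", body[:-len(" FOUND")], bytes_sent)
    if text.endswith(" ERROR"):
        return Verdict("ERROR", text[:-len(" ERROR")], bytes_sent)
    # Anything we do not understand (e.g. a future "SKIPPED (...)") is unknown, never clean.
    return Verdict("UNKNOWN", text, bytes_sent)


def is_clean(v: Verdict, expected_size: int) -> bool:
    """Clean only if clamd said OK and every byte of the file reached it."""
    return v.status == "OK" and v.bytes_sent == expected_size


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> Verdict:
    sent, reply = 0, b""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        try:
            for wire, payload in frame_stream(data):
                s.sendall(wire)
                sent += payload
        except (BrokenPipeError, ConnectionResetError):
            pass  # clamd hangs up once StreamMaxLength is exceeded; read its reason below
        try:
            while not reply.endswith(b"\0"):
                part = s.recv(4096)
                if not part:
                    break
                reply += part
        except ConnectionResetError:
            pass
    return parse_reply(reply, sent)


if __name__ == "__main__":
    path = sys.argv[1]
    with open(path, "rb") as f:
        data = f.read()
    v = scan_bytes(data)
    print("%s: %s %s (%d of %d bytes sent)" % (path, v.status, v.detail, v.bytes_sent, len(data)))
    sys.exit(0 if is_clean(v, len(data)) else 1)
```

Run it as `python3 clamd_instream.py FILE`; exit status 0 means clamd returned OK after seeing every byte. The framing also answers the "four bytes at a time" remark: INSTREAM chunks are reassembled by clamd, so the chunk size changes only memory use and round trips, and the limit that matters is StreamMaxLength in clamd.conf, which produces the ERROR reply above rather than a silent OK.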