Re: [clamav-users] Blocking file types?

2021-04-26 Thread Alex via clamav-users
Hi,

> for examples of utilities which might be useful.  You're just going to
> create regular expressions of a kind, where (unlike the familiar kind)
> literal characters are given in hexadecimal instead of as themselves.
>
> The regex way: (A|B)C{1,3}\x01
> Signature way: (41|42)43{1-3}01
>
> There's also the Yara way, which can be more convenient.  A couple of
> custom Yara rules here deals with quite a few irritating spammers who
> might otherwise be tricky to catch reliably.
>
> You might find something to get you started in the existing signatures.

I managed to do it quite easily using a simple yara rule. Just create
it in a text editor and save it with a yara extension in the clamav
lib directory. I'm sure this is prone to false-positives, but it's
probably unique enough for this purpose.

rule javablock : javascript
{
    meta:
        description = "block javascript"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = "/JS"
        $b = "<>"

    condition:
        $a or $b
}


$ clamscan -v JavaScriptClock.pdf
Scanning /home/alex/JavaScriptClock.pdf
/home/alex/JavaScriptClock.pdf: YARA.javablock.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 8718308
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 5.31 MB
Data read: 4.98 MB (ratio 1.07:1)
Time: 14.863 sec (0 m 14 s)
Start Date: 2021:04:26 20:34:09
End Date:   2021:04:26 20:34:24
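An added check, not from Alex's post and not ClamAV or YARA code, that looks for the same /JS indicator the rule above keys on but first resolves PDF name escapes and inflates FlateDecode streams, two things a literal "/JS" byte match does not see; the sample PDF fragments are constructed inline.

```python
import re
import zlib

# Added example, not part of the mailing-list post or of ClamAV. It mirrors the intent of
# the "/JS" string in the YARA rule above but closes two gaps a literal byte match has:
#   1. PDF names may carry #xx hex escapes, so /J#53 is the same name as /JS (PDF 32000-1, 7.3.5);
#   2. the action dictionary is often inside a FlateDecode-compressed (object) stream, where
#      the name is only visible after inflation.
# The rule's second string, "<>", is an empty PDF dictionary and matches a large share of
# benign PDFs; it is deliberately not used here.

JS_NAMES = {b"/JS", b"/JavaScript"}

NAME_RE = re.compile(rb"/[^\s/<>\[\]()\{\}%]*")            # one PDF name token
ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")             # #xx escape inside a name
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so that /J#53 compares equal to /JS."""
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(data: bytes):
    """Yield the inflated body of every stream that is valid zlib data. decompressobj() is
    used so a body the regex cut one byte short still yields what it can."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not deflate data (raw image, uncompressed stream, other filter)


def javascript_names(data: bytes, depth: int = 0) -> set:
    """Return the JavaScript-related names found, looking inside inflated streams up to
    two levels deep (an object stream can itself hold compressed objects)."""
    found = {normalize_name(m.group(0)) for m in NAME_RE.finditer(data)} & JS_NAMES
    if depth < 2:
        for inner in inflate_streams(data):
            found |= javascript_names(inner, depth + 1)
    return found


def has_javascript(data: bytes) -> bool:
    return bool(javascript_names(data))


# Constructed sample PDF fragments (not real documents).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
PLAIN_PDF = b"%PDF-1.4\n5 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
# Same action with the names written using #xx escapes: a literal "/JS" match misses it.
ESCAPED_PDF = b"%PDF-1.4\n5 0 obj\n<< /S /J#61vaScript /J#53 (app.alert(1)) >>\nendobj\n"
# Same action inside a FlateDecode stream, the way an object stream carries it.
_body = zlib.compress(b"5 0 << /S /JavaScript /JS (app.alert(1)) >>")
COMPRESSED_PDF = (b"%PDF-1.5\n7 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
                  + str(len(_body)).encode() + b" >>\nstream\n" + _body + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, pdf in [("clean", CLEAN_PDF), ("plain", PLAIN_PDF),
                       ("escaped", ESCAPED_PDF), ("compressed", COMPRESSED_PDF)]:
        literal = str(b"/JS" in pdf)
        print(f"{label:10s} literal /JS present: {literal:5s} "
              f"normalised names: {sorted(javascript_names(pdf))}")
```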

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Problema antivirus su Nas QNAP

2021-04-26 Thread Joel Esler (jesler) via clamav-users
Hello Federico,

Thank you for your email.  As a result of events documented in places here and here, we've been forced to take emergency measures to protect the ClamAV environment.

Please read our FAQ page under "Error Codes".

Please immediately switch to using Freshclam, or if you are using a private mirror or want to download the updates separately from Freshclam, please use cvdupdate to update your AV definitions. If you are using QNAP (or another NAS) or ClamWin, it's likely that you are using a version of ClamAV that has been EOL'ed.

Sorry for the inconvenience.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net

On Apr 26, 2021, at 4:49 PM, Federico Dal Zotto via clamav-users <clamav-users@lists.clamav.net> wrote:

Good morning,

I own a QNAP TS-231 NAS
firmware 4.3.6.1620

and since I bought it 2 years ago
I have never managed to run the automatic update
of ClamAV Antivirus,

only manually, by importing the new file
with the definitions.

I contacted QNAP technical support,
who told me to contact ClamAV because
the NAS is fine, without problems.


Awaiting your information,

thanks, best regards


--
___
Federico Dal Zotto




[clamav-users] Problema antivirus su Nas QNAP

2021-04-26 Thread Federico Dal Zotto via clamav-users
Good morning,

I own a QNAP TS-231 NAS
firmware 4.3.6.1620

and since I bought it 2 years ago
I have never managed to run the automatic update
of ClamAV Antivirus,

only manually, by importing the new file
with the definitions.

I contacted QNAP technical support,
who told me to contact ClamAV because
the NAS is fine, without problems.


Awaiting your information,

thanks, best regards


-- 
___
Federico Dal Zotto



Re: [clamav-users] How to scan a single partition

2021-04-26 Thread Christian

Hi all and thanks so much for your replies,

@Sorin Petrut Niculae:

So basically I´d have to exclude my home-partition, the 3rd 
(data-)partition and the 3 sticks in the command.


Thanks for the advice.
Greetings.
Rosika


@G.W. Haywood:

Thanks for the suggestion.

Alas I couldn't get hold of a ClamAV manual.
I also looked around to find some info regarding the "cross filesystem" 
feature but curiously couldn´t find anything.


So I took a look at the man pages and found the following entry:

--cross-fs=[yes(*)/no]
    Scan files and directories on other filesystems.

As "df -h" says (shortened):

Filesystem  Size  Used Avail Use% Mounted on
/dev/sdc1    23G   13G  9,4G  58% /
/dev/sdc2    36G   22G   12G  65% /home
/dev/sdf1   7,5G  2,1G  5,4G  29% /media/rosika/A492-CD29
/dev/sdd1    30G   26G  4,1G  87% /media/rosika/28BC-DAFC
/dev/sdc3   193G   99G   84G  55% /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1
/dev/sdb     30G   26G  3,9G  87% /media/rosika/74C1-30C7/

"Filesystem" is denoted as /dev/sdc1.

I'm not sure about the *syntax* though. Should I use / or /dev/sdc1 as
a starting point:


clamscan --cross-fs=no --recursive --infected 
--exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M 
--max-scansize=4000M / -l ~/clamav-scan-results/log


OR:

clamscan 
--cross-fs=no --recursive --infected 
--exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M 
--max-scansize=4000M /dev/sdc1 -l ~/clamav-scan-results/log


Thanks in advance.
Greetings
Rosika




Re: [clamav-users] Odd behavior when scanning eicar test files

2021-04-26 Thread Haukur Valgeirsson via clamav-users

Uhm... now this is strange.

When I run the script I wrote, it behaves as one would expect (md5 sum 
must match the file, md5 from eicar.com covers eicar.com.txt too, but 
not the zips and the md5 from zips only covers the zip that it was 
generated from).


then I reran with the falsepos file only containing the md5 sum from 
eicarcom2.zip


# cat /var/lib/clamav/maldet_ignore_sigs.fp
e4968ef99266df7c9a1f0637d2389dab:308:eicarcom2.zip

then it seems to whitelist eicar.com as well as itself???

# clamscan .
When run /usr/local/maldetect/testfolder/clamcars.sh: OK
/usr/local/maldetect/testfolder/eicar.com.txt: 
{HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/usr/local/maldetect/testfolder/eicar_com.zip: 
{HEX}EICAR.TEST.3.UNOFFICIAL FOUND

/usr/local/maldetect/testfolder/eicarcom2.zip: OK
/usr/local/maldetect/testfolder/eicar.com: OK
/usr/local/maldetect/testfolder/result_eicar.com: OK
/usr/local/maldetect/testfolder/result_eicar.com.txt: OK
/usr/local/maldetect/testfolder/result_eicar_com.zip: OK
/usr/local/maldetect/testfolder/result_eicarcom2.zip: OK
/usr/local/maldetect/testfolder/.clamcars.sh.swp: OK

--- SCAN SUMMARY ---

Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 10
Infected files: 2
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 42.336 sec (0 m 42 s)
Start Date: 2021:04:26 10:14:50
End Date:   2021:04:26 10:15:33


and just to test again, I scan another folder, only containing the eicar 
files:


# ll /home/haukurv/www/testfiles
total 16
-rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com
-rw-r--r-- 1 haukurv haukurv 308 Apr 26 05:30 eicarcom2.zip
-rw-r--r-- 1 haukurv haukurv  68 Apr 26 05:30 eicar.com.txt
-rw-r--r-- 1 haukurv haukurv 184 Apr 26 05:30 eicar_com.zip


# clamscan /home/haukurv/www/testfiles
/home/haukurv/www/testfiles/eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
/home/haukurv/www/testfiles/eicarcom2.zip: OK
/home/haukurv/www/testfiles/eicar.com.txt: OK
/home/haukurv/www/testfiles/eicar_com.zip: OK

--- SCAN SUMMARY ---
Known viruses: 8539062
Engine version: 0.103.2
Scanned directories: 1
Scanned files: 4
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 32.812 sec (0 m 32 s)
Start Date: 2021:04:26 10:29:16

End Date:   2021:04:26 10:29:48


I am getting a little bit confused here :-s

reg. Haukur


On 26.4.2021 15:04, Haukur Valgeirsson via clamav-users wrote:

Sorry, adding more details for reproducibility.

My original idea was to use maldet, which uses clamscan so 
whitelisting and path exclusions need to happen in clamav, they don't 
seem to be passed on to clamscan.


Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) 
x86_64 GNU/Linux


The script clamcars.sh (attached) downloads, whitelists, scans and 
puts the results in "result_" for each of the eicar files. I 
can repeat with debug output redirected into the file if it helps.


I am using "clamscan" (used apt-get install clamav) not the daemon 
(clamdscan), so I do not seem to have clamconf:


# clamscan --version
ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021

Would it help you to look into this if I installed the daemon scanner 
and repeated the test?


The only config I was able to locate is below.

Thanks.

Haukur




# cat /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam 
package


DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net


On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:

Hi there,

On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:

I am setting up daily scanning and was figuring out how to whitelist 
based on file signatures, and decided to use the eicar test files to 
tune the settings. Used 'sigtool --md5 eicarcom2.zip > 
falsepossigs.fp' to create the sig to whitelist and proceeded to run 
test scans and the results were a little surprising:


Given your description of what you did I'd struggle to reproduce it.
Please give full details of how you are running the scans, the exact
unaltered output as you see it, and the output of 'clamconf -n'.






Re: [clamav-users] Odd behavior when scanning eicar test files

2021-04-26 Thread Haukur Valgeirsson via clamav-users

Sorry, adding more details for reproducibility.

My original idea was to use maldet, which uses clamscan so whitelisting 
and path exclusions need to happen in clamav, they don't seem to be 
passed on to clamscan.


Environment: 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) 
x86_64 GNU/Linux


The script clamcars.sh (attached) downloads, whitelists, scans and puts 
the results in "result_" for each of the eicar files. I can 
repeat with debug output redirected into the file if it helps.


I am using "clamscan" (used apt-get install clamav) not the daemon 
(clamdscan), so I do not seem to have clamconf:


# clamscan --version
ClamAV 0.103.2/26152/Mon Apr 26 06:04:28 2021

Would it help you to look into this if I installed the daemon scanner 
and repeated the test?


The only config I was able to locate is below.

Thanks.

Haukur




# cat /etc/clamav/freshclam.conf
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net


On 26.4.2021 13:42, G.W. Haywood via clamav-users wrote:

Hi there,

On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:

I am setting up daily scanning and was figuring out how to whitelist 
based on file signatures, and decided to use the eicar test files to 
tune the settings.  Used 'sigtool --md5 eicarcom2.zip > 
falsepossigs.fp' to create the sig to whitelist and proceeded to run 
test scans and the results were a little surprising:


Given your description of what you did I'd struggle to reproduce it.
Please give full details of how you are running the scans, the exact
unaltered output as you see it, and the output of 'clamconf -n'.





Attachment: clamcars.sh (application/shellscript)



Re: [clamav-users] Error 429 when updating database

2021-04-26 Thread Matus UHLAR - fantomas

On Apr 8, 2021, at 2:26 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
I don't think this is easily doable for devuan ascii.
(not much people want to backport manually)

Still, 102.4 should work properly, shouldn't it?


On 08.04.21 18:38, Joel Esler (jesler) via clamav-users wrote:

It does.  But 103.2 handles the downloads and interactions SO MUCH BETTER
(I've been watching the updates for 103.2's FreshClam all morning, and
it's working so much better.)


FYI, 0.103.2 has landed in debian 10 this weekend.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete



[clamav-users] How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0

2021-04-26 Thread Turritopsis Dohrnii Teo En Ming via clamav-users
Subject: How to Easily Set Up a Full-Featured Linux Mail Server on
Ubuntu 18.04.5 LTS with iRedMail 1.4.0

Good day from Singapore,

I followed linuxbabe.com's Xiao Guoan's guide and successfully set up a
full-featured Linux mail server on Ubuntu 18.04.5 LTS with iRedMail
1.4.0.

Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 25 April 2021 Sunday

Type of Publication: PDF Manual
Document Version: 20210425.01 (1st release)

***IMPORTANT NOTICE*** Please note that Turritopsis Dohrnii Teo En
Ming’s guide is based on Xiao Guoan’s guide at linuxbabe.com.

Reference Guide Used by Teo En Ming: How to Easily Set Up a
Full-Featured Mail Server on Ubuntu 18.04 with iRedMail
Link: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server
Original Author: Xiao Guoan

The following is a list of open-source software that will be
automatically installed and configured by iRedMail.

• Postfix SMTP server
• Dovecot IMAP server
• Nginx web server to serve the admin panel and webmail
• OpenLDAP, MySQL/MariaDB, or PostgreSQL for storing user information
• Amavisd-new for DKIM signing and verification
• SpamAssassin for anti-spam
• ClamAV for anti-virus
• Roundcube webmail
• SOGo groupware, providing webmail, calendar (CalDAV), contacts
(CardDAV), tasks and ActiveSync services.
• Fail2ban for protecting SSH
• mlmmj mailing list manager
• Netdata server monitoring
• iRedAPD Postfix policy server for greylisting

Redundant Download Links for Teo En Ming's PDF Manual:

[1] 
https://drive.google.com/file/d/1un8sLLmNSMIt7V6blWCvJEgwGvxMbd4B/view?usp=sharing

[2] 
https://drive.google.com/file/d/1i0vY7kfYkobu563qoI3_qCZg7G7BFoYR/view?usp=sharing

[3] 
https://drive.google.com/file/d/1U9MFN1EklLbA8TMweLV5ntiSJuBBVkpQ/view?usp=sharing

[4] https://www.docdroid.net/dW70KtS/iredmail-setup-1st-release-pdf

[5] 
https://www.mediafire.com/file/evar7j28knqyoj6/IRedMail+Setup+1st+Release.pdf/file

[6] https://www.scribd.com/document/504932780/IRedMail-Setup-1st-Release

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 26 April 2021,
is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant
with a System Integrator (SI)/computer firm in Singapore. He is an IT
enthusiast.
-BEGIN EMAIL SIGNATURE-

The Gospel for all Targeted Individuals (TIs):

[The New York Times] Microwave Weapons Are Prime Suspect in Ills of
U.S. Embassy Workers

Link:
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html



Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's
Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts
at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan
(5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):

[1] https://tdtemcerts.wordpress.com/

[2] https://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

-END EMAIL SIGNATURE-



Re: [clamav-users] Odd behavior when scanning eicar test files

2021-04-26 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 26 Apr 2021, Haukur Valgeirsson via clamav-users wrote:

I am setting up daily scanning and was figuring out how to whitelist based on 
file signatures, and decided to use the eicar test files to tune the 
settings.  Used 'sigtool --md5 eicarcom2.zip > falsepossigs.fp' to create the 
sig to whitelist and proceeded to run test scans and the results were a 
little surprising:


Given your description of what you did I'd struggle to reproduce it.
Please give full details of how you are running the scans, the exact
unaltered output as you see it, and the output of 'clamconf -n'.

--

73,
Ged.



Re: [clamav-users] How to scan a single partition

2021-04-26 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 26 Apr 2021, Christian wrote:


My system is Linux/Lubuntu 20.04.2 LTS, 64 bit.


Then you have 'man' pages. :)

I have *three* partitions: root-, home- and a third (data-)partition with 23 
GB, 36 GB and 193 GB respectively plus 3 usb-sticks:

...
What I want to do is: scan the _root-partition exclusively_, not the other 
ones and not the sticks.


What command would I need for this?

Looking around on the web I found this command 
(https://pikedom.com/clam-anti-virus-on-arch-linux/ ):


clamscan --recursive --infected 
--exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M 
--max-scansize=4000M / -l ~/clamav-scan-results/201803261436/

As the starting point is / this would scan everything, right? Which is not 
what I want to achieve.


No it won't scan everything because it has exclusions, but you're much
better off looking at the ClamAV manual than scouring the Internet for
random shell commands which may or may not have been written by people
who know what they are doing; may or may not do what you want; and may
or may not even be safe.

In this case you're looking for the "cross filesystems" features, but
unfortunately they're named differently for the different ClamAV tools.

As you're using clamscan, the command-line option '--cross-fs=no' will
limit recursive scanning to the filesystem containing the starting
point of the scan.

If you were to use clamd, the configuration option 'CrossFilesystems'
can be set to 'no' (the default is 'yes') for the same purpose.

You may want to look at the symlink options too.

--

73,
Ged.
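An added walk, not ClamAV's code, that models the two options from the command under discussion (--cross-fs=no and --exclude-dir=REGEX) on a constructed directory tree, so the effect of each can be seen without running clamscan; the tree, the fake device number given to the mnt directory and the helper names are assumptions made for the demonstration.

```python
import os
import re
import stat
import tempfile
import types

# Added example, not ClamAV code: a directory walk that reproduces what two options of the
# clamscan command in this thread do.
#   --cross-fs=no  : stop descending when a directory lives on a device (st_dev) other than
#                    the one the start point is on, which is how a mount point is recognised;
#   --exclude-dir= : a regular expression matched against each directory path (the thread's
#                    value is '^/sys|^/dev|^/proc|^/var/lib/clamav').
# Symlinks are never followed here (lstat); clamscan's own --follow-dir-symlinks and
# --follow-file-symlinks options are not modelled. The start point is a directory such as
# / or a mount point: a device node like /dev/sdc1 would be opened as a single file.

def walk_like_clamscan(start, exclude_dir=None, cross_fs=False, lstat=os.lstat):
    """Return (files_to_scan, skipped_dirs). `lstat` is injectable so the behaviour at a
    filesystem boundary can be shown on a single-filesystem test tree."""
    exclude = re.compile(exclude_dir) if exclude_dir else None
    root_dev = lstat(start).st_dev
    files, skipped = [], []
    stack = [start]
    while stack:
        directory = stack.pop()
        for entry in sorted(os.listdir(directory)):
            path = os.path.join(directory, entry)
            st = lstat(path)
            if stat.S_ISDIR(st.st_mode):
                if exclude and exclude.search(path):
                    skipped.append((path, "exclude-dir"))
                elif not cross_fs and st.st_dev != root_dev:
                    skipped.append((path, "other filesystem"))
                else:
                    stack.append(path)
            elif stat.S_ISREG(st.st_mode):
                files.append(path)
            # symlinks, device nodes, sockets: neither followed nor scanned
    return sorted(files), sorted(skipped)


def demo(cross_fs=False):
    """Build a constructed tree in a temp dir and pretend `mnt` is a separate filesystem;
    `proc` is excluded by regex, as in the thread's command."""
    root = tempfile.mkdtemp()
    for rel in ("etc/passwd.txt", "home/rosika/notes.txt", "mnt/usb/photo.jpg", "proc/x"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample\n")
    mnt = os.path.join(root, "mnt")

    def fake_lstat(path):            # report the mnt directory as living on another device
        st = os.lstat(path)
        if path == mnt:
            return types.SimpleNamespace(st_mode=st.st_mode, st_dev=st.st_dev + 1)
        return st

    exclude = "^" + re.escape(os.path.join(root, "proc"))
    files, skipped = walk_like_clamscan(root, exclude, cross_fs=cross_fs, lstat=fake_lstat)

    def rel(p):
        return os.path.relpath(p, root)

    return [rel(f) for f in files], [(rel(p), why) for p, why in skipped]


if __name__ == "__main__":
    print("--cross-fs=no :", demo(cross_fs=False))
    print("--cross-fs=yes:", demo(cross_fs=True))
```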



Re: [clamav-users] How to scan a single partition

2021-04-26 Thread Sorin Petrut Niculae via clamav-users
Hello,

You can use the --exclude-dir= option and indicate what you want to exclude 
from the scan process.

Regards.

Sorin Petrut Niculae
Please consider the environment before printing this e-mail.

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On behalf of Christian
Sent: Monday, 26 April 2021 15:15
To: clamav-users@lists.clamav.net
Subject: [clamav-users] How to scan a single partition

Hi altogether,

My system is Linux/Lubuntu 20.04.2 LTS, 64 bit.

I have three partitions: root-, home- and a third (data-)partition with 23 GB, 
36 GB and 193 GB respectively plus 3 usb-sticks:

df -h
Dateisystem    Größe Benutzt Verf. Verw% Eingehängt auf
udev            1,9G       0  1,9G    0% /dev
tmpfs           386M    1,8M  384M    1% /run
/dev/sdc1        23G     13G  9,4G   58% /                                                    # root partition
tmpfs           1,9G       0  1,9G    0% /dev/shm
tmpfs           5,0M    8,0K  5,0M    1% /run/lock
tmpfs           1,9G       0  1,9G    0% /sys/fs/cgroup
/dev/sdc2        36G     22G   12G   64% /home                                                # home partition
tmpfs           386M     12K  386M    1% /run/user/1000
/dev/sdf1       7,5G    2,1G  5,4G   29% /media/rosika/A492-CD29                              # usb-stick 1
/dev/sdd1        30G     26G  4,1G   87% /media/rosika/28BC-DAFC                              # usb-stick 2
/dev/sdc3       193G     99G   84G   55% /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1   # 3rd partition (data-partition)
/dev/sdb         30G     26G  3,9G   87% /media/rosika/74C1-30C7                              # usb-stick 3


What I want to do is: scan the root-partition exclusively, not the other ones 
and not the sticks.

What command would I need for this?

Looking around on the web I found this command 
(https://pikedom.com/clam-anti-virus-on-arch-linux/ ):

clamscan --recursive --infected 
--exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M 
--max-scansize=4000M / -l ~/clamav-scan-results/201803261436

As the starting point is / this would scan everything, right? Which is not what 
I want to achieve.

Thanks for your help in advance.

Many greetings.
Rosika




[clamav-users] How to scan a single partition

2021-04-26 Thread Christian

Hi altogether,

My system is Linux/Lubuntu 20.04.2 LTS, 64 bit.

I have *three* partitions: root-, home- and a third (data-)partition 
with 23 GB, 36 GB and 193 GB respectively plus 3 usb-sticks:


df -h
Dateisystem    Größe Benutzt Verf. Verw% Eingehängt auf
udev            1,9G       0  1,9G    0% /dev
tmpfs           386M    1,8M  384M    1% /run
/dev/sdc1        23G     13G  9,4G   58% /                                                    # root partition
tmpfs           1,9G       0  1,9G    0% /dev/shm
tmpfs           5,0M    8,0K  5,0M    1% /run/lock
tmpfs           1,9G       0  1,9G    0% /sys/fs/cgroup
/dev/sdc2        36G     22G   12G   64% /home                                                # home partition
tmpfs           386M     12K  386M    1% /run/user/1000
/dev/sdf1       7,5G    2,1G  5,4G   29% /media/rosika/A492-CD29                              # usb-stick 1
/dev/sdd1        30G     26G  4,1G   87% /media/rosika/28BC-DAFC                              # usb-stick 2
/dev/sdc3       193G     99G   84G   55% /media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1   # 3rd partition (data-partition)
/dev/sdb         30G     26G  3,9G   87% /media/rosika/74C1-30C7                              # usb-stick 3



What I want to do is: scan the _root-partition exclusively_, not the 
other ones and not the sticks.


What command would I need for this?

Looking around on the web I found this command 
(https://pikedom.com/clam-anti-virus-on-arch-linux/ ):


clamscan --recursive --infected 
--exclude-dir='^/sys|^/dev|^/proc|^/var/lib/clamav' --max-filesize=4000M 
--max-scansize=4000M / -l ~/clamav-scan-results/201803261436/


As the starting point is / this would scan everything, right? Which is 
not what I want to achieve.


Thanks for your help in advance.

Many greetings.
Rosika



[clamav-users] Odd behavior when scanning eicar test files

2021-04-26 Thread Haukur Valgeirsson via clamav-users

Hi.

I am setting up daily scanning and was figuring out how to whitelist 
based on file signatures, and decided to use the eicar test files to 
tune the settings.  Used 'sigtool --md5 eicarcom2.zip > falsepossigs.fp' 
to create the sig to whitelist and proceeded to run test scans and the 
results were a little surprising:


eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicarcom2.zip: OK * whitelisted
eicar.com.txt: OK * by association? but why not 'eicar.com' too then?
eicar_com.zip: OK * by association?

This got me scratching my head, whitelisting the double zipped 
'eicar.com' caused the zipped one and the 'eicar.com.txt' to be 
whitelisted by association somehow, but not the raw 'eicar.com' file 
(which is identical to 'eicar.com.txt' except for the name)??


I decided to test further and whitelisted the 'eicar.com' file itself 
and scanned again, now the results were predictable, the 'eicar.com.txt' 
also got whitelisted (as it has the same md5):


eicar.com: OK * whitelisted
eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicar.com.txt: OK * makes sense, same md5 sum
eicar_com.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND

To round this experiment off I then whitelisted the single zipped file 
and the results were:


eicar.com: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicarcom2.zip: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND
eicar.com.txt: OK * by association? but why not 'eicar.com' too then?
eicar_com.zip: OK * whitelisted

Is this supposed to behave like this? I find it a little strange to 
whitelist files based on checksums if a whitelisted archive contains 
that file, is there maybe some config setting or flag that controls this 
behavior that I missed?


Thanks beforehand

Haukur
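An added helper, not from this thread and not ClamAV's tooling, that writes .fp entries in the md5:size:name form 'sigtool --md5' prints (the form of the e4968ef9...:308:eicarcom2.zip line quoted earlier in the thread) and checks each object a scanner would see, the archive and every unpacked member, against them; the plain, zipped and double-zipped samples are constructed placeholder data, not the eicar files.

```python
import hashlib
import io
import zipfile

# Added example; not from the thread and not ClamAV code. A .fp (false positive) line has
# the form MD5:size:name, which is what 'sigtool --md5 FILE' prints. A hash whitelist entry
# matches one exact byte string of one exact size; a member unpacked from a zip is a
# different byte string from the archive, so an entry for the archive and an entry for the
# member are two different things. Every object is listed independently here; the real
# scanner's own short-circuiting after a match is not modelled.

def fp_line(name: str, data: bytes) -> str:
    """Produce the md5:size:name entry sigtool --md5 would print for these bytes."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp(text: str) -> set:
    """Parse .fp text into a set of (md5, size) keys; the name is informational only."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)
        keys.add((md5.lower(), int(size)))
    return keys


def is_whitelisted(data: bytes, keys: set) -> bool:
    return (hashlib.md5(data).hexdigest(), len(data)) in keys


def objects_in(name: str, data: bytes):
    """Yield (label, bytes) for the file itself and, if it is a zip, each member
    (recursively), the sequence of objects a scanner unpacks."""
    yield name, data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                yield from objects_in(f"{name}!{info.filename}", zf.read(info))


def report(name: str, data: bytes, fp_text: str) -> dict:
    """Map every object seen while scanning `name` to whether the .fp entries cover it."""
    keys = parse_fp(fp_text)
    return {label: is_whitelisted(blob, keys) for label, blob in objects_in(name, data)}


def make_zip(inner_name: str, inner_data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()


# Constructed stand-ins with the same layout as the thread's files (plain, zipped,
# double-zipped) but placeholder content.
SAMPLE = b"placeholder test content, not the eicar string\n"
SAMPLE_ZIP = make_zip("sample.com", SAMPLE)
SAMPLE_ZIP2 = make_zip("sample_com.zip", SAMPLE_ZIP)


def whitelist_outer_only() -> dict:
    """Whitelist only the double-zipped archive: the archive matches, its members do not."""
    return report("sample2.zip", SAMPLE_ZIP2, fp_line("sample2.zip", SAMPLE_ZIP2))


def whitelist_inner_file() -> dict:
    """Whitelist the plain file: the entry then matches that byte string wherever it turns
    up, inside the archives and as a renamed copy, but not the archives themselves."""
    fp = fp_line("sample.com", SAMPLE)
    return {**report("sample2.zip", SAMPLE_ZIP2, fp), **report("sample.com.txt", SAMPLE, fp)}


if __name__ == "__main__":
    for label, result in (("archive whitelisted", whitelist_outer_only()),
                          ("plain file whitelisted", whitelist_inner_file())):
        print(label)
        for obj, ok in result.items():
            print(f"  {obj}: {'OK (whitelisted)' if ok else 'scanned'}")
```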

