Re: [clamav-users] MS Windows Explorer Context Menu sendto (clamscan.exe) - how to keep cmd box open to view results?

2021-06-24 Thread RW Jones via clamav-users



Thanks very much for the input.

I did examine (for starters) the .ps1 clamscan script file but owing to my 
pretty much total ignorance of PowerShell syntax and time being 
exceptionally tight over the last couple of days I haven't yet got to 
grips with it because it seems I will have to research script privilege 
change and some other stuff; plus I couldn't see, absent comments to the 
code, what the operand file/s were. (That's probably just me being 
incoherent btw).


Anyway I now have what is for me a neat and workable solution based on 
simple use of the two programs' logs and avoiding batch files and cmd line 
typing (doubtless just one among many potentials I could explore, time 
permitting) - please see my reply to G.W. Haywood's response to my initial 
posting.


I will probably stick with ClamAV now, especially given the remarks re: 
versioning of ClamWin that were earlier referenced by you in your quoted 
post here:


https://marc.info/?l=clamav-users&m=162298199126248&w=2


Regards,




Robert Jones



On Sun, 20 Jun 2021, Micah Snyder (micasnyd) via clamav-users wrote:


Date: Sun, 20 Jun 2021 21:55:09 +
From: "Micah Snyder (micasnyd) via clamav-users"

To: ClamAV users ML 
Cc: "Micah Snyder (micasnyd)" 
Subject: Re: [clamav-users] MS Windows Explorer Context Menu sendto
(clamscan.exe) - how to keep cmd box open to view results?

Two more things...

In the scripts, "Pause" is supposed to be on a new line, not on the same 
line as "Start-Process".


Also I forgot to mention that there is a new version of ClamWin released 
June 7th that should work okay: https://clamwin.com/content/view/251/1/


Regards,
Micah



-Original Message-
From: clamav-users  On Behalf Of
Micah Snyder (micasnyd) via clamav-users
Sent: Sunday, June 20, 2021 12:29 PM
To: ClamAV users ML 
Cc: Micah Snyder (micasnyd) 
Subject: Re: [clamav-users] MS Windows Explorer Context Menu sendto
(clamscan.exe) - how to keep cmd box open to view results?

Hi Robert,

You're correct that there is no config file for clamscan.exe. There also isn't
any config option to have the command-line applications stay open if you're
double-clicking them.  ClamAV wasn't designed to be double-clicked.  The
problem you're facing is not really specific to ClamAV but really is for any
command line application.  But I think I can help...


[snip]

r...@sdf.org
SDF Public Access UNIX System - http://SDF.org

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] MS Windows Explorer Context Menu sendto (clamscan.exe) - how to keep cmd box open to view results?

2021-06-24 Thread RW Jones via clamav-users



Thanks for the input and in particular the heads-up on logfiles which imo 
is the key to a simple, elegant solution which avoids batch files and 
tiresome cmd box typing.  I did some more research after the replies to my 
post but it's been interrupted by other stuff; so as the following works 
for me, I'll go with the following as one possible solution.



(In neither case will the cmd box stay open by using the settings in (A) 
and (B) below but the ***objective of seeing program output*** is in each 
case secured by viewing the log file in the chosen location, while in the 
case of clamscan.exe also preserving the convenience of selecting 
multiple, even non-contiguous, operand files in Explorer and sending them 
to clamscan.exe via its Context Menu's sendto). I've assumed Administrator 
privileges are required to do all the following whether or not that is 
actually so.  Adjust filenames/locations to taste; also the following 
assumes a default ClamAV installation.



~~~

(A) freshclam.exe desktop icon settings:

Create a desktop icon for freshclam.exe using one or other of the various 
means available.

Right click the desktop icon and set Properties as:

"C:\Program Files\ClamAV\freshclam.exe" --log=c:\[some-folder]\freshclam.log

Start in: "C:\Program Files\ClamAV"

After running via clicking the desktop icon, freshclam's log of operations 
is found in your 'favourite' / convenient directory which you specified as 
per the above.  Likewise the results of scanning files by clamscan.exe are 
logged in the location chosen as per the below.



(B) clamscan.exe and Explorer/ Context Menu sendto settings:

Add clamscan.exe to the sendto list in Explorer's Context Menu using one 
or other of the various means available.


Navigate to view:

C:\Users\[admin]\AppData\Roaming\Microsoft\Windows\SendTo\clamscan.exe.lnk

Right click clamscan.exe.lnk and set Properties as:

"C:\Program Files\ClamAV\clamscan.exe" --log=c:\[some-folder]\clamscan.log

Start in:  "C:\Program Files\ClamAV\"

~~~

Freshclam alerted me to new ClamAV version 0.103.3 so I've also updated to 
that.


Interesting to read concerning ClamWin's creative versioning; I'd just 
decided to go with ClamAV's own MS Windows version as closer to source so 
to speak.


The Windows 7 machines were of course hardened using a couple of programs 
designed for the purpose as well as utilising modified HOSTS etc. etc.; 
the plan having been to upgrade to a dual-boot with the next Debian major 
release, stable/Xfce/nonfree when it emerges in July or August. (The i386 
/ w32 version of current runs pretty well on a travelling laptop with only 
a Celeron 1197.030 MHz processor and 2GB RAM). Maybe I'll consider Devuan 
but offhand I don't know what its release timing will be following on the 
new Debian major version.


ClamAV is also going on the Windows 10 laptop.


Regards,


Robert Jones



On Sun, 20 Jun 2021, G.W. Haywood via clamav-users wrote:


Date: Sun, 20 Jun 2021 16:29:41 +0100 (BST)
From: G.W. Haywood via clamav-users 
To: RW Jones via clamav-users 
Cc: G.W. Haywood 
Subject: Re: [clamav-users] MS Windows Explorer Context Menu sendto
(clamscan.exe) - how to keep cmd box open to view results?

Hi there,

Disclaimer: I don't generally use Windows, and my experience of it is
more or less limited to fixing problems that clients have had with it.
That said, they've had a lot of problems over the years, and I know a
lot more about it than most Windows users, but I don't by any means
consider myself a "Windows expert"...

On Sun, 20 Jun 2021, RW Jones via clamav-users wrote:


BACKGROUND:
MS Windows 7 SP1 x64 Pro and Home Premium.  Also intending MS Windows 10, 
Pro.

[snip]

r...@sdf.org
SDF Public Access UNIX System - http://SDF.org



Re: [clamav-users] Unable to start clamd daemon

2021-06-24 Thread vze1amckv--- via clamav-users
I apologize if the answer to my question is obvious from your original 
post.  Although I can see you're running it in the cloud, what 
distribution/flavor/version of operating system are you using?


Meanwhile, please feel free to post the output of the "clamconf" 
command.  Thank you.


On 6/24/21 8:04 PM, Lopez, Carmelo via clamav-users wrote:

Hello,

I am new to clamav and I’ve completed installing a private mirror 
server. Freshclam works fine but when I try to start the clamd daemon I 
get this error. Any help is appreciated.


systemctl status clamd@scan -l
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2021-06-24 23:21:13 UTC; 41min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 2030 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf (code=exited, status=1/FAILURE)

Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: clamd@scan.service: control process exited, code=exited status=1
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Failed to start clamd scanner (scan) daemon.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Unit clamd@scan.service entered failed state.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: clamd@scan.service failed.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: clamd@scan.service holdoff time over, scheduling restart.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Stopped clamd scanner (scan) daemon.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: start request repeated too quickly for clamd@scan.service
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Failed to start clamd scanner (scan) daemon.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Unit clamd@scan.service entered failed state.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: clamd@scan.service failed.


*Carmelo Lopez*

Access-CL-Concur US

*Concur St. Louis Park (MN), *1550 Utica Avenue South, St. Louis Park 
55416-5312, United States


T   +19529471714, M   +16512602626, carmelo.lope...@sap.com 








Re: [clamav-users] Broken media detection

2021-06-24 Thread Micah Snyder (micasnyd) via clamav-users
Ged is right to be wary about sharing files with the mailing list.  Next time 
please put it in an encrypted zip and give us the password so we can choose to 
extract it if desired – and preferably share it by some other means like a link 
to a file sharing service instead of attaching it to an email.

That said, I took a peek at the file.  When you say “spoiled by ransomware” I 
think you mean “encrypted by ransomware”.  Though the file retains its .jpg 
file name extension, the file contents appear encrypted. If you open it with a 
hex editor, the bytes look “random”.

The reason ClamAV’s --alert-broken-media option isn’t detecting anything is that 
ClamAV doesn’t use file extensions to determine file type; ClamAV tries to 
determine the type by evaluating the file contents.  In this case, since the 
file has been encrypted there is no way to know what type the file is.  In 
cases like this, ClamAV usually scans the file as raw binary, or in this case 
it thinks it is UTF16-BE.  In any case, because ClamAV has no idea it used to be a 
JPEG, the feature doesn’t cause an alert.

Regards,
Micah

From: clamav-users  On Behalf Of Zvi 
Kave via clamav-users
Sent: Thursday, June 24, 2021 1:37 AM
To: clamav-users@lists.clamav.net
Cc: Zvi Kave 
Subject: Re: [clamav-users] Broken media detection

Hi Arnaud,

When I try to open it, I get error message:
agam.jpg:
It looks like we don't support this file format.

File is attached here.

Thanks,

Zvi

On 6/24/2021 11:19 AM, Arnaud Jacques wrote:
Hello Zvi,

Le 24/06/2021 à 10:09, Zvi Kave via clamav-users a écrit :

Hi,


I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect

spoiled JPEG files by RYUK ransomware.

Seems that it was not detected - ag.jpg OK.

Perhaps I use it not correctly?

Perhaps JPG file format is strictly correct (even if the data of the image are 
corrupted).



Please advise .


You should send your sample to https://www.clamav.net/reports/malware




[clamav-users] Unable to start clamd daemon

2021-06-24 Thread Lopez, Carmelo via clamav-users
Hello,

I am new to clamav and I’ve completed installing a private mirror server. 
Freshclam works fine but when I try to start the clamd daemon I get this error. 
Any help is appreciated.


systemctl status clamd@scan -l
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor 
preset: disabled)
   Active: failed (Result: start-limit) since Thu 2021-06-24 23:21:13 UTC; 
41min ago
 Docs: man:clamd(8)
   man:clamd.conf(5)
   https://www.clamav.net/documents/
  Process: 2030 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/%i.conf (code=exited, 
status=1/FAILURE)

Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: 
clamd@scan.service: control process exited, code=exited status=1
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Failed 
to start clamd scanner (scan) daemon.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Unit 
clamd@scan.service entered failed state.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: 
clamd@scan.service failed.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: 
clamd@scan.service holdoff time over, scheduling restart.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Stopped 
clamd scanner (scan) daemon.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: start 
request repeated too quickly for clamd@scan.service
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Failed 
to start clamd scanner (scan) daemon.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: Unit 
clamd@scan.service entered failed state.
Jun 24 23:21:13 ip-10-64-205-168.us-west-2.compute.internal systemd[1]: 
clamd@scan.service failed.

Carmelo Lopez
Access-CL-Concur US
Concur St. Louis Park (MN), 1550 Utica Avenue South, St. Louis Park 55416-5312, 
United States

T   +19529471714, M   +16512602626, 
carmelo.lope...@sap.com





Re: [clamav-users] Broken media detection

2021-06-24 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 24 Jun 2021, Zvi Kave via clamav-users wrote:

On 6/24/2021 11:19 AM, Arnaud Jacques wrote:

Le 24/06/2021 à 10:09, Zvi Kave via clamav-users a écrit :


I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
spoiled JPEG files by RYUK ransomware.
...
Please advise .


You should send your sample to https://www.clamav.net/reports/malware

...
agam.jpg:
...

File is attached here.


You asked for advice.  The excellent advice given to you by M. Jacques
was to submit the potentially dangerous file to the ClamAV reporting site
- not to send it to thousands of people on this mailing list.

--

73,
Ged.



Re: [clamav-users] Broken media detection

2021-06-24 Thread Zvi Kave via clamav-users

Arnaud,


I understand now. Thank you.


Zvi



On 6/24/2021 11:55 AM, Arnaud Jacques wrote:

Zvi,

When I try to open it, I get error message:

agam.jpg:

It looks like we don't support this file format.

If you look at the content of the file with a hexadecimal editor,
you see garbage. It has no known file format.

The file format is defined with the content of a file, not with
the filename/extension.

For me, and for ClamAV, it is not an image. Verify with the "file"
command line tool:

#file agam.jpg
agam.jpg: data



Re: [clamav-users] Broken media detection

2021-06-24 Thread Arnaud Jacques

Zvi,



When I try to open it, I get error message:

agam.jpg:

It looks like we don't support this file format.


If you look at the content of the file with a hexadecimal editor, you 
see garbage. It has no known file format.


The file format is defined with the content of a file, not with the 
filename/extension.


For me, and for ClamAV, it is not an image. Verify with the "file" command 
line tool:


#file agam.jpg
agam.jpg: data


--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : a...@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL
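The point Arnaud makes here with `file`, and Micah makes earlier in the thread (type is decided from content, not extension, and ransomware output has no recognisable header), as an added Python example that is not ClamAV's or SecuriteInfo's code: it looks for the JPEG start-of-image marker and, failing that, uses byte entropy to tell encrypted residue from ordinary non-image data. The marker, the 7.5 bits/byte threshold and the sample files are this example's own assumptions.

```python
# Content-first check for files whose name claims they are JPEGs.
# Added example for this thread, not ClamAV or SecuriteInfo code. The SOI
# marker, the 7.5 bits/byte threshold and the sample files are assumptions.
import math
import random
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"   # every JPEG begins with the SOI marker FF D8 FF
ENCRYPTED_ENTROPY = 7.5      # assumed threshold; uniform random bytes sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Type from content only: 'jpeg', 'likely-encrypted' (no known header,
    near-uniform byte histogram, as ransomware output looks) or 'data'
    (no known header, low entropy, what `file` prints for agam.jpg)."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if shannon_entropy(data) >= ENCRYPTED_ENTROPY:
        return "likely-encrypted"
    return "data"


def suspicious_jpegs(files: dict) -> dict:
    """Map name -> verdict for each *.jpg/*.jpeg whose content is not JPEG.
    `files` is {filename: bytes}; a 'likely-encrypted' hit is the thread's
    case: the extension survived the ransomware, the image did not."""
    hits = {}
    for name, data in files.items():
        if name.lower().endswith((".jpg", ".jpeg")):
            verdict = classify(data)
            if verdict != "jpeg":
                hits[name] = verdict
    return hits


# Constructed samples, not the real files from the thread.
GOOD_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 512
_rng = random.Random(20210624)   # seeded PRNG as a stand-in for ciphertext
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_TEXT = b"not an image at all\n" * 64
SAMPLE_FILES = {
    "holiday.jpg": GOOD_JPEG,
    "agam.jpg": ENCRYPTED_BLOB,     # the thread's case: .jpg name, random bytes
    "notes.jpeg": PLAIN_TEXT,
    "report.txt": ENCRYPTED_BLOB,   # makes no JPEG claim, so it is not reported
}

if __name__ == "__main__":
    for name, verdict in suspicious_jpegs(SAMPLE_FILES).items():
        entropy = shannon_entropy(SAMPLE_FILES[name])
        print(f"{name}: {verdict} (entropy {entropy:.2f} bits/byte)")
```

Running it flags agam.jpg as likely-encrypted and notes.jpeg as plain data, while the valid JPEG and the non-JPEG-named blob are left alone.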



Re: [clamav-users] Broken media detection

2021-06-24 Thread Arnaud Jacques

Hello Zvi,

Le 24/06/2021 à 10:09, Zvi Kave via clamav-users a écrit :

Hi,


I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect

spoiled JPEG files by RYUK ransomware.

Seems that it was not detected - ag.jpg OK.

Perhaps I use it not correctly?


Perhaps JPG file format is strictly correct (even if the data of the 
image are corrupted).




Please advise .



You should send your sample to https://www.clamav.net/reports/malware


--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.60.47.09.81
E-mail : a...@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom
Signatures for ClamAV antivirus : http://ow.ly/LqfdL



[clamav-users] Broken media detection

2021-06-24 Thread Zvi Kave via clamav-users

Hi,

I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect
spoiled JPEG files by RYUK ransomware.
Seems that it was not detected - ag.jpg OK.

Perhaps I use it not correctly?
Please advise .
I use clamav 0.103.3 .



Thanks,



Zvi
