Re: [clamav-users] Max Open File Descriptors issue found this morning

2018-01-26 Thread Jason J. W. Williams
Hi Joel,

Appreciate you chiming in. For what it's worth, I can confirm David
Shrimpton's suggestion of adding Vbs.Downloader.Generic-6431223-0 to
local.ign2 stops the problem.

-J

On Fri, Jan 26, 2018 at 7:38 AM, Joel Esler (jesler) wrote:

> There are a bunch of threads going on, so I am going to try and address
> most of them with this email, sorry if I leave anything out.
>
> There are reports of exploits against 0.99.2 in the wild. Heise reports
> on that (in german, can't find an english source right now):
> https://heise.de/-3951801
>
> Not that I have seen.  Maybe I'm wrong and maybe one of my coworkers here
> at Cisco knows something that I don't, but all of the referenced CVEs in
> my blog post here:
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
> were disclosed to us responsibly by the folks from
> Offensive Research at Salesforce.com.  We
> appreciate their work, and it helps tremendously.
>
> Reading through the
> thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
> 24257), or am I wrong?
>
>
> We are currently reviewing the issue to see if we can isolate the cause
> and work out a fix.  This is an "All Hands on Deck" situation
> (https://en.oxforddictionaries.com/definition/all_hands_on_deck) here.  We apologize
> for any issues, and we'll do a post mortem analysis once we fix it to
> figure out what went wrong and what we can do to remedy this in the future.
>
> ClamAV QA team: In future, please run new signatures against a clamd
> process a few thousand times to check for possible resource leakage.
>
>
> Thank you for your suggestion.  We have had some transition in personnel
> in the last several months on the ClamAV team, as well as further
> augmenting our QA resources.  I'm not making excuses, I'm just trying to
> let you all know the reality we've faced.  We want to change the model of
> ClamAV to be even more open source and develop more in a "Bazaar" method.
> More on this over time.
>
> Re: Mail loops
>
> which f**g idiot is responsible for that?
>
> Unfortunately Reindl, from what you reported, and your eloquent
> description, I'm not sure what the issue is.  I'm not seeing that issue on
> my side.
>
> On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
> As previously mentioned, if you downloaded the beta version of ClamAV
> 0.99.3, you will need to completely uninstall it and do a fresh install
> with the production version of 0.99.3 as there are significant code
> differences
>
> When I read something like this in 2018 my brain ends with a bluescreen
>
> This is something we debated for a couple weeks here internally and we
> found this to be the best solution.  We were stuck between a rock and a
> hard place.  Trust me, this is not the user experience I want for our users
> either, but we were faced with a tough choice, and replacing the 0.99.3
> beta with a completely different codebase was the one we found to be the
> best path forward without upsetting even more people.
>
>
>
>
>
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
>
>
>
>
>
>
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread Jason J. W. Williams
Good find David. Thank you very much.

-J

On Fri, Jan 26, 2018 at 7:18 AM, David Shrimpton wrote:

> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
> restarting clamd fixed the problem.
>
> This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem
> began a few minutes later: clamd ran out of file descriptors.
>
> I also had to clean out TemporaryDirectory before restarting.
>
> Not sure what the exact reason for the problem is.
>
> There is an EOF-15 in a subsig.  Perhaps this causes a performance hit on
> large text files, as the end of file must be sought, and on a busy system
> this is sufficient to cause demand to exceed supply.
>
> sigtool --find Vbs.Downloader.Generic-6431223-0
> Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274
>
> sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
> VIRUS NAME: Vbs.Downloader.Generic-6431223-0
> TDB: Engine:51-255,Target:7
> LOGICAL EXPRESSION: (0|1)&2&3
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  public sub
>  * SUBSIG ID 1
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  sub
>  * SUBSIG ID 2
>  +-> OFFSET: EOF-15
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  = "re" end if
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> exe /c start
>
>
>
>
> David Shrimpton
>
> 
> From: clamav-users on behalf of Carlos García Gómez
> Sent: Saturday, January 27, 2018 12:03:32 AM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] Problem with Max Open desciptor Files limit
>
> Hi,
>
> We have a problem with ClamAV due to the Max Open File Descriptors limit.
> It seems like deleted temp files are not freed.
> When the soft limit is reached the clamav process responds with an ERROR.
>
> The problem began today with the 0.99.2 clamav version.
> We have updated to the latest release 0.99.3 but the problem is still here.
>
>
>
>   [root@mx2 tmp]# ps -ef |grep clamav
>   clamav   22927 1  0 13:50 ?00:00:00
> /home/vmail/antivirus/clamav/bin/freshclam -d
>   root 23128 21677  0 15:01 pts/100:00:00 grep clamav
>   clamav   23137 1  2 13:51 ?00:01:39
> /home/vmail/antivirus/clamav/sbin/clamd
>
>
>   [root@mx2 tmp]# lsof -p 23137
>   COMMAND   PID   USER   FD   TYPE DEVICE SIZE   NODE NAME
>   clamd   23137 clamav  cwdDIR8,1 4096  2 /
>   clamd   23137 clamav  rtdDIR8,1 4096  2 /
>   clamd   23137 clamav  txtREG8,2   3308231507346
> /home/vmail/antivirus/clamav-0.99.3/sbin/clamd
>   clamd   23137 clamav   11u   REG8,2   461540613
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 40e1c3eb5c91506cd8029a626d44e430.tmp (deleted)
>   clamd   23137 clamav   12u   REG8,2  1191540264
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 6191bbf55622fa150f6a562fedaa96bf.tmp (deleted)
>   clamd   23137 clamav   13u   REG8,2  1191540266
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> d23444b929c3e8f70b245d0f7df9c64e.tmp (deleted)
>   clamd   23137 clamav   14u   REG8,2   361540265
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 0323a84d6821a592bccefde5a36c0bb4.tmp (deleted)
>   clamd   23137 clamav   15u   REG8,2 47931540268
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> a08b30fcf5ca4cbc35089753a49b688f.tmp (deleted)
>   clamd   23137 clamav   16u   REG8,2 47931540267
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 8fa41cdf16f7e03e3fef00fa7faefe66.tmp (deleted)
>   clamd   23137 clamav   17u   REG8,2   581540270
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 8106966405936ecc207ceb37377b2be5.tmp (deleted)
>   clamd   23137 clamav   18u   REG8,2  1831540272
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 6f395db61ea80440bbcdcccf8c1fd87e.tmp (deleted)
>   clamd   23137 clamav   19u   REG8,2  2931540273
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 4d454dfbedfa70c192000a2cc021a0e9.tmp (deleted)
>   clamd   23137 clamav   20u   REG8,2  1831540271
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> d7b9350895ea3c7c16a95810da93cbcd.tmp (deleted)
>   clamd   23137 clamav   21u   REG8,2 31371540274
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> 61ead91328b1a1fb2eed66e0092fab37.tmp (deleted)
>   clamd   23137 clamav   22u   REG8,2 31371540276
> /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-
> ea8e77c7746f4e20efa08dd714e3bab1.tmp (deleted)
>   clamd   23137 clamav   23u   REG8,2   421540275
> 
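As an added illustration of the signature David decoded above (example code written for this page, not ClamAV's sigtool), here is a small parser for an .ldb logical-signature line: it splits out the target description block, the logical expression and each subsignature's offset, decodes the hex bodies, and flags subsignatures anchored to the end of file, which is the EOF-15 subsig David suspects is costly on large files. The only input is the signature line quoted from the thread; the offset grammar covers the common offset forms and is an assumption of this example.

```python
import re

# Signature line exactly as quoted from `sigtool --find` in this thread, with the
# mail client's line wrapping removed.
SAMPLE_LDB = (
    "Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;"
    "0:207075626c69632073756220;0:2073756220;"
    "EOF-15:203d202272652220656e6420696620;657865202f63207374617274"
)

# Offset forms a subsignature may carry in front of its hex body: absolute (n or *),
# end-of-file relative (EOF-n), entry-point relative (EP+n / EP-n), section relative
# (Sn+n, SL+n, SEn) and VI, each optionally followed by ",maxshift". Assumed subset.
OFFSET_RE = re.compile(r"^(\*|\d+|EOF-\d+|EP[+-]\d+|S\d+[+-]\d+|SL[+-]\d+|SE\d+|VI)(,\d+)?$")

# Tokens of a hex body: {n-m} gaps, * gaps, alternation delimiters ( | ) and
# two-character byte tokens that may contain ? nibble wildcards.
TOKEN_RE = re.compile(r"\{[^}]*\}|\*|[()|]|[0-9a-fA-F?]{2}")


def decode_hex_body(body):
    """Render a hex subsignature as text; wildcards and alternation syntax pass through."""
    tokens = TOKEN_RE.findall(body)
    if "".join(tokens) != body:
        raise ValueError("unsupported or malformed hex body: %r" % body)
    out = []
    for tok in tokens:
        if re.fullmatch(r"[0-9a-fA-F]{2}", tok):
            byte = int(tok, 16)
            out.append(chr(byte) if 0x20 <= byte < 0x7F else "\\x%02x" % byte)
        else:
            out.append(tok)          # ??, *, {n-m}, (, |, )
    return "".join(out)


def parse_ldb_line(line):
    """Split Name;TDB;LogicalExpression;Subsig0;Subsig1;... into a dict."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("an .ldb line needs name, TDB, expression and at least one subsig")
    name, tdb, expr, bodies = fields[0], fields[1], fields[2], fields[3:]
    tdb_attrs = dict(kv.split(":", 1) for kv in tdb.split(","))
    subsigs = []
    for idx, raw in enumerate(bodies):
        offset, body = "ANY", raw
        head, sep, tail = raw.partition(":")
        if sep and OFFSET_RE.match(head):      # explicit "offset:" prefix present
            offset, body = head, tail
        subsigs.append({"id": idx, "offset": offset, "hex": body,
                        "decoded": decode_hex_body(body)})
    return {"name": name, "tdb": tdb_attrs, "expression": expr, "subsigs": subsigs}


def eof_relative_subsigs(sig):
    """IDs of subsignatures anchored to the end of file (the EOF-n offsets)."""
    return [s["id"] for s in sig["subsigs"] if s["offset"].startswith("EOF-")]


def describe(sig):
    """Text report in the spirit of `sigtool --decode-sigs`."""
    lines = ["VIRUS NAME: " + sig["name"],
             "TDB: " + ",".join("%s:%s" % kv for kv in sig["tdb"].items()),
             "LOGICAL EXPRESSION: " + sig["expression"]]
    for s in sig["subsigs"]:
        lines += [" * SUBSIG ID %d" % s["id"],
                  " +-> OFFSET: " + s["offset"],
                  " +-> DECODED SUBSIGNATURE: " + s["decoded"]]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_ldb_line(SAMPLE_LDB)
    print(describe(parsed))
    print("EOF-relative subsigs:", eof_relative_subsigs(parsed))
```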

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Jason J. W. Williams
Hi Joel & Micah,

Is anyone from Cisco going to be commenting on the signatures issue
everyone is seeing with daily.cld 24256+?

-J

On Fri, Jan 26, 2018 at 7:13 AM, Micah Snyder (micasnyd)  wrote:

> Tobi,
>
> Yup this is correct.  We are planning to get an 0.100.0 beta out next week
> to replace the old 0.99.3-beta2.
>
> Going forwards, the last number in our version string will be reserved for
> urgent fixes so we don’t find ourselves in this position again. The 2nd
> number will be used when there are improvements and new features.
>
> Again, sorry for the confusion in this update.
>
>
> Micah Snyder
> Software Engineer
> Talos
> Cisco Systems, Inc.
>
>
>
> On Jan 26, 2018, at 10:06 AM, Tobi > wrote:
>
> As far as I understand the release notes of 99.3 its a security fix which
> has nothing to do with former 99.3 beta.
> The former beta now is 0.100 (http://blog.clamav.net/2018/
> 01/clamav-version-number-adjustment.html).
> So at least for me it makes sense that you have to remove the beta first
> to apply fixed 99.3 version
>
> On 26 January 2018 15:49:14 CET, Reindl Harald <h.rei...@thelounge.net> wrote:
>


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
HI Marcus,

Any chance you'd be willing to share your copy of 24255?

-J

On Fri, Jan 26, 2018 at 7:07 AM, Marcus Schopen <li...@localguru.de> wrote:

> On Friday, 26.01.2018 at 07:02 -0800, Jason J. W. Williams wrote:
> > How does one manually download an old daily.cld?
>
> Good question. Workaround: got the old version from my backup.
>
> Ciao!
>
>


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
How does one manually download an old daily.cld?

-J

On Fri, Jan 26, 2018 at 7:00 AM, Paul wrote:

> On 26/01/2018 14:56, Marcus Schopen wrote:
>
> On Friday, 26.01.2018 at 07:48 -0700, Rafael Ferreira wrote:
>>
>>> Nope, latest is still
>>>
>>> File: daily.cvd
>>> Build time: 26 Jan 2018 04:24 -0500
>>> Version: 24257
>>> Signatures: 1835982
>>> Functionality level: 63
>>> Builder: neo
>>> MD5: 3b3092994fdf9aa39aae480c38fb31ab
>>> Digital signature:
>>> D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
>>> cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
>>> 7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg
>>>
> >>> which appears to have the issue, we, scanii.com,
> >>> are having quite a bit of run today because of it.
>>>
>> What about replacing the current daily.cld with an older one, e.g. with
>> 24255? Disable freshclam, stop clamd, replace daily.cld by old one
>> (24255) and start clamd again. Wouldn't that work until a fixed
>> daily.cld is provided?
>>
>> Ciao!
>>
>>
>> This has worked for me all day
>
>
>


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
24257), or am I wrong?

-J

On Fri, Jan 26, 2018 at 6:24 AM, Dianne Skoll wrote:

> On Fri, 26 Jan 2018 13:50:27 +0100
> Ralf Hildebrandt wrote:
>
> > If I had to guess: they used the beta for testing, but the release
> > versions (both 0.99.2 and 0.99.3!) fail to operate properly...
>
> No, I bet that's not what happened.  A file descriptor leak doesn't show
> up right away.  They probably tested the signatures on a lightly-loaded
> server and didn't notice any problems.
>
> ClamAV QA team: In future, please run new signatures against a clamd
> process a few thousand times to check for possible resource leakage.
>
> Regards,
>
> Dianne.
>
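Dianne's suggestion above is to exercise clamd repeatedly and watch for resource leakage. The following is an added example, not ClamAV's own code: it parses the same kind of `lsof -p` listing Carlos posted (or reads /proc/<pid>/fd directly on Linux), counts descriptors still pointing at unlinked clamav-*.tmp files, compares the open count with the soft "Max open files" limit from /proc/<pid>/limits, and checks whether fd counts sampled between batches of scans only ever grow. The sample listing, its paths and numbers are constructed.

```python
import os
import re
import sys

# Temp files clamd creates while scanning: clamav-<32 hex chars>.tmp in its TemporaryDirectory.
CLAMAV_TMP_RE = re.compile(r"/clamav-[0-9a-f]{32}\.tmp$")

# `lsof -p` columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (NAME may hold spaces).
LSOF_RE = re.compile(r"^\S+\s+(\d+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(.*)$")

# Constructed sample in the shape of the listing posted in the thread; paths, inodes and
# temp-file names are illustrative, not copied from any real host.
SAMPLE_LSOF = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
clamd   23137 clamav  cwd    DIR    8,1     4096       2 /
clamd   23137 clamav  txt    REG    8,2   330823 1507346 /opt/clamav/sbin/clamd
clamd   23137 clamav    3u  unix 0x0000      0t0   12345 socket
clamd   23137 clamav   11u   REG    8,2     4615   40613 /opt/clamav/var/tmp/clamav-deadbeefdeadbeefdeadbeefdeadbee1.tmp (deleted)
clamd   23137 clamav   12u   REG    8,2    11915   40264 /opt/clamav/var/tmp/clamav-deadbeefdeadbeefdeadbeefdeadbee2.tmp (deleted)
clamd   23137 clamav   13u   REG    8,2      293   40273 /opt/clamav/var/tmp/clamav-deadbeefdeadbeefdeadbeefdeadbee3.tmp
"""


def _entry(fd, ftype, name):
    """One fd record; cwd/rtd/txt/mem rows from lsof are not real descriptors."""
    deleted = name.endswith(" (deleted)")
    path = name[: -len(" (deleted)")] if deleted else name
    return {"fd": fd, "type": ftype, "path": path, "deleted": deleted,
            "is_descriptor": fd.rstrip("rwu").isdigit()}


def parse_lsof_lines(text):
    """Turn `lsof -p <pid>` output into fd records (header and unparsable lines skipped)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        m = LSOF_RE.match(line)
        if m:
            _pid, fd, ftype, name = m.groups()
            entries.append(_entry(fd, ftype, name))
    return entries


def scan_proc_fds(pid):
    """Same records straight from /proc/<pid>/fd on Linux (needs rights on that process)."""
    fd_dir = "/proc/%d/fd" % pid
    entries = []
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue                      # fd closed between listdir and readlink
        entries.append(_entry(fd, "?", target))
    return entries


def read_soft_nofile_limit(limits_text):
    """Soft value of the 'Max open files' row of /proc/<pid>/limits; None if absent/unlimited."""
    m = re.search(r"^Max open files\s+(\d+|unlimited)\s+", limits_text, re.M)
    if not m or m.group(1) == "unlimited":
        return None
    return int(m.group(1))


def summarize(entries, soft_limit=None):
    """Count open descriptors and how many still point at unlinked clamav temp files."""
    fds = [e for e in entries if e["is_descriptor"]]
    tmp = [e for e in fds if CLAMAV_TMP_RE.search(e["path"])]
    deleted_tmp = [e for e in tmp if e["deleted"]]
    report = {"open_fds": len(fds), "open_tmp": len(tmp), "deleted_tmp": len(deleted_tmp),
              "deleted_paths": [e["path"] for e in deleted_tmp]}
    if soft_limit:
        report["percent_of_limit"] = round(100.0 * len(fds) / soft_limit, 1)
    return report


def leak_detected(fd_counts, min_growth=50):
    """True when fd counts sampled between scan batches never drop and grow by >= min_growth."""
    if len(fd_counts) < 2:
        return False
    never_drops = all(b >= a for a, b in zip(fd_counts, fd_counts[1:]))
    return never_drops and fd_counts[-1] - fd_counts[0] >= min_growth


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # live check: python3 fdcheck.py <clamd pid>
        pid = int(sys.argv[1])
        with open("/proc/%d/limits" % pid) as fh:
            limit = read_soft_nofile_limit(fh.read())
        print(summarize(scan_proc_fds(pid), limit))
    else:                                 # offline demo on the constructed listing
        print(summarize(parse_lsof_lines(SAMPLE_LSOF), soft_limit=1024))
```

Sampling `summarize(...)["open_fds"]` after every batch of scans of the same file and feeding the series to `leak_detected` is the "run the new signatures a few thousand times" check in practice.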


[clamav-users] daily-23474 & daily-23475 updates are failing to load

2017-06-15 Thread Jason J. W. Williams
Hi Guys,

Earlier this evening all of our healthchecks for the freshness of our
ClamAV servers' databases started to go off indicating all of them were 2
versions behind. Investigating the freshclam logs, all of the servers are
reporting the same error loading the daily cdiffs:

freshclam daemon 0.98.7 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
ClamAV update process started at Thu Jun 15 06:30:48 2017
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.7 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/support/faq
Downloading main-58.cdiff [100%]
main.cld updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-23474.cdiff [100%]
Downloading daily-23475.cdiff [100%]
WARNING: [LibClamAV] cli_ac_addsig: Signature for Win.Worm.Fadok-6328944-0 is too short
WARNING: [LibClamAV] cli_parse_add(): Problem adding signature (3).
WARNING: [LibClamAV] Problem parsing database at line 2793
WARNING: [LibClamAV] Can't load daily.ldb: Malformed database
WARNING: [LibClamAV] cli_tgzload: Can't load daily.ldb
WARNING: [LibClamAV] Can't load /var/lib/clamav/clamav-67926f9ec604f961a16747a484057689.tmp/clamav-250dc2257e1473258a61b534dbdef759.cld: Malformed database
ERROR: Failed to load new database: Malformed database
WARNING: Database load exited with status 55
ERROR: Failed to load new database

Is this a known issue, or is there something else we should be doing to
clear the problem? Thank you in advance for your help.

-J


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-06-03 Thread Jason J. W. Williams
That's unfortunate. Given the magnitude of the change I would've expected
them to be very attentive to the list, post deployment.

-J

On Thu, Mar 17, 2016 at 1:23 PM, Al Varnell <alvarn...@mac.com> wrote:

> No. I'm sure they are trying to recover from this week's activities and
> rarely have time to follow this list anyway. It would likely be Alain
> Zidouemba the sig team lead.
>
> To get feedback on FP's you would need to subscribe to the clamav-virusdb
> list and it often takes weeks under normal circumstances.
>
> The main contributor here is Joel Esler, Manager, Talos Group.
>
> Sent from Janet's iPad
>
> -Al-
>
> On Mar 17, 2016, at 1:09 PM, "Jason J. W. Williams" <jasonjwwilli...@gmail.com> wrote:
> > Does anyone that's chimed in work on the signatures team?
> >
> > -J
> >
> > On Thu, Mar 17, 2016 at 10:31 AM, Al Varnell <alvarn...@mac.com> wrote:
> >
> >> There have not been any additional updates released yet, so nothing
> >> could have changed.
> >>
> >> -Al-
> >>
> >> On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote:
> >>>
> >>> Is anyone still seeing this or have they fixed it?
> >>>
> >>> -J
> >>>
> >>> Sent via iPhone
> >>>
> >>>> On Mar 17, 2016, at 02:44, Mark Allan <markjal...@gmail.com> wrote:
> >>>>
> >>>> Just to confirm, I'm also seeing everything being flagged as
> >> Win.Trojan.Trojan-476 with the new main/daily.cvd files.
> >>>>
> >>>> Mark
> >>>>
> >>>>> On 17 Mar 2016, at 6:49 am, Al Varnell <alvarn...@mac.com> wrote:
> >>>>>
> >>>>> I just ran a scan against the ClamAV test files contained in the
> >>>>> 0.99.1 source file and I'm getting all Win.Trojan.Trojan-476:
> >>>>>
> >>>>> File Name    Infection Name    Status
> >>>>>
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail    Win.Trojan.Trojan-476
> >>>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt    Win.Trojan.Trojan-476
> >>>>> /

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
Hi Dave,

Thanks. I don't see any issues with it loading the daily.cld. I'm going to
wipe it out and let Freshclam reload it and the ign.

-J

On Tue, May 17, 2016 at 2:02 PM, David Raynor <dray...@sourcefire.com>
wrote:

> If you run clamscan with "--debug" it will tell you which files it is
> loading, even the files inside a cvd or cld file. It will also remark about
> which signatures it skips when loading.
>
> You should see these lines within your debug output:
>
> ...
> LibClamAV debug: daily.ign2 loaded
> ...
> LibClamAV debug: /var/lib/clamav/daily.cld loaded
> ...
> LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
> ...
> LibClamAV debug: main.ndb loaded
> ...
>
> Which of these rows you see is going to be affected by the contents of your
> database, but this is what I see with an up-to-date daily and main.cvd. The
> signature is in the latest main. The ignore is set in the latest daily
> (21562) and has been for weeks. Once you get to a fresh enough daily it
> will have the ignore set. If there is something else going on that is
> preventing clamscan from loading that daily.cld (e.g. file permissions,
> path difference) that would be the culprit.
>
> Hope this helps,
>
> Dave R.
>
>
> On Tue, May 17, 2016 at 4:33 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
>
> > Yessir:
> >
> > # sigtool -u /var/lib/clamav/daily.cld
> >
> > # grep -i 'Win.Trojan.Trojan-605' daily.ign
> > main:42:Win.Trojan.Trojan-605
> >
> > On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> >
> > > $ sigtool -u /usr/local/share/clamav/daily.cld
> > >
> > > $ grep -i 'Win.Trojan.Trojan-605' daily.ign
> > > main:42:Win.Trojan.Trojan-605
> > >
> > >
> > > Same on your end?
> > >
> > > - Alain
> > >
> > > On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
> > >
> > > > We do.
> > > >
> > > > -J
> > > >
> > > > On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> > > >
> > > > > Jason:
> > > > >
> > > > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > > > > dropped several weeks ago, but would only be reflected in your
> > > > > installation if you have both main.cvd and daily.cvd. Please confirm.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > - Alain
> > > > >
> > > > >
> > > > >
> > > > > On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
> > > > >
> > > > > > No ClamAV 0.98.7.
> > > > > >
> > > > > > -J
> > > > > >
> > > > > > On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > > > >
> > > > > > > I’m unable to replicate your findings:
> > > > > > >
> > > > > > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > > > > > >
> > > > > > > Taking a look at the current daily.cld I see entries in both
> > ignore
> > > > > > > sections:
> > > > > > >
> > > > > > > daily.ign
> > > > > > >  1374
> > > > > > > 002516
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > fake:1:Dont_remove_this_line
> > > > > > > ...
> > > > > > > main:42:Win.Trojan.Trojan-605
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >           daily.ign2
> > > > > > >
> > > > > > >   1072002573
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >   fake_dont_remove_this_line
> > > > > > > ...
> > > 

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
Yessir:

# sigtool -u /var/lib/clamav/daily.cld

# grep -i 'Win.Trojan.Trojan-605' daily.ign
main:42:Win.Trojan.Trojan-605

On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:

> $ sigtool -u /usr/local/share/clamav/daily.cld
>
> $ grep -i 'Win.Trojan.Trojan-605' daily.ign
> main:42:Win.Trojan.Trojan-605
>
>
> Same on your end?
>
> - Alain
>
> On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
>
> > We do.
> >
> > -J
> >
> > On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> >
> > > Jason:
> > >
> > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > > dropped several weeks ago, but would only be reflected in your
> > > installation if you have both main.cvd and daily.cvd. Please confirm.
> > >
> > > Thanks,
> > >
> > > - Alain
> > >
> > >
> > >
> > > On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
> > >
> > > > No ClamAV 0.98.7.
> > > >
> > > > -J
> > > >
> > > > On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > >
> > > > > I’m unable to replicate your findings:
> > > > >
> > > > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > > > >
> > > > > Taking a look at the current daily.cld I see entries in both ignore
> > > > > sections:
> > > > >
> > > > > daily.ign
> > > > >  1374
> > > > > 002516
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > fake:1:Dont_remove_this_line
> > > > > ...
> > > > > main:42:Win.Trojan.Trojan-605
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >   daily.ign2
> > > > >
> > > > >   1072002573
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >   fake_dont_remove_this_line
> > > > > ...
> > > > > Win.Trojan.Trojan-605
> > > > >
> > > > > I wonder if it’s engine specific?  Are you using 0.99.x
> > > > >
> > > > > -Al-
> > > > >
> > > > > On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> > > > > >
> > > > > > Looks like EICAR is getting classified as Win.Trojan.Trojan-605
> > again
> > > > > > (daily 21557).
> > > > > >
> > > > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > > > >
> > > > > > -J
> > > > > >
> > > > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > > > >
> > > > > >> The new database was just made available, so I recommend you hold off
> > > > > >> until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
> > > > > >> excited about this.
> > > > > >>
> > > > > >> -Al-
> > > > > >>
> > > > > >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > > > >>>
> > > > > >>> As of the latest daily update, running ClamAV against the EICAR test
> > > > > >>> string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> > > > > >>>
> > > > > >>> -J
> > > > >

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
We do.

-J

On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:

> Jason:
>
> Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> dropped several weeks ago, but would only be reflected in your installation
> if you have both main.cvd and daily.cvd. Please confirm.
>
> Thanks,
>
> - Alain
>
>
>
> On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
>
> > No ClamAV 0.98.7.
> >
> > -J
> >
> > On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarn...@mac.com> wrote:
> >
> > > I’m unable to replicate your findings:
> > >
> > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > >
> > > Taking a look at the current daily.cld I see entries in both ignore
> > > sections:
> > >
> > > daily.ign
> > >  1374
> > > 002516
> > >
> > >
> > >
> > >
> > > fake:1:Dont_remove_this_line
> > > ...
> > > main:42:Win.Trojan.Trojan-605
> > >
> > >
> > >
> > >
> > >   daily.ign2
> > >
> > >   1072002573
> > >
> > >
> > >
> > >
> > >   fake_dont_remove_this_line
> > > ...
> > > Win.Trojan.Trojan-605
> > >
> > > I wonder if it’s engine specific?  Are you using 0.99.x
> > >
> > > -Al-
> > >
> > > On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> > > >
> > > > Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
> > > > (daily 21557).
> > > >
> > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > >
> > > > -J
> > > >
> > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > >
> > > >> The new database was just made available, so I recommend you hold off
> > > >> until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
> > > >> excited about this.
> > > >>
> > > >> -Al-
> > > >>
> > > >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > >>>
> > > >>> As of the latest daily update, running ClamAV against the EICAR test
> > > >>> string reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> > > >>>
> > > >>> -J
> > >

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-17 Thread Jason J. W. Williams
No ClamAV 0.98.7.

-J

On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarn...@mac.com> wrote:

> I’m unable to replicate your findings:
>
> ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
>
> Taking a look at the current daily.cld I see entries in both ignore
> sections:
>
> daily.ign
>  1374
> 002516
>
>
>
>
> fake:1:Dont_remove_this_line
> ...
> main:42:Win.Trojan.Trojan-605
>
>
>
>
>   daily.ign2
>
>   1072002573
>
>
>
>
>   fake_dont_remove_this_line
> ...
> Win.Trojan.Trojan-605
>
> I wonder if it’s engine specific?  Are you using 0.99.x
>
> -Al-
>
> On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> >
> > Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
> > (daily 21557).
> >
> > https://gist.github.com/williamsjj/b8104402e80f44475df5
> >
> > -J
> >
> > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> >
> >> The new database was just made available, so I recommend you hold off
> >> until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
> >> excited about this.
> >>
> >> -Al-
> >>
> >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>
> >>> As of the latest daily update, running ClamAV against the EICAR test
> >>> string
> >>> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>
> >>> -J

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-16 Thread Jason J. W. Williams
Looks like EICAR is getting classified as Win.Trojan.Trojan-605 again
(daily 21557).

https://gist.github.com/williamsjj/b8104402e80f44475df5

-J

On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:

> The new database was just made available, so I recommend you hold off
> until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
> excited about this.
>
> -Al-
>
> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >
> > As of the latest daily update, running ClamAV against the EICAR test
> string
> > reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >
> > -J

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
ojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam.isoaa  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_ext.exeaa  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clamjol.isoaa  Win.Trojan.Trojan-476
> >>>
> >>> -Al-
> >>>
> >>>> On Wed, Mar 16, 2016 at 10:46 PM, Jason Williams wrote:
> >>>>
> >>>> Hey Al,
> >>>>
> >>>> I submitted a FP report with one attached. Just put the EICAR string
> into a txt file and that'll trigger it.
> >>>>
> >>>> -J
> >>>>
> >>>> Sent via iPhone
> >>>>
> >>>>> On Mar 16, 2016, at 22:16, Al Varnell <alvarn...@mac.com> wrote:
> >>>>>
> >>>>> I don’t know why sanesecurity-porcupine.ndb is causing this, but I
> can now see that the signatures for Win.Test.EICAR_LDB-1 and
> Win.Trojan.Trojan-605 are identical, so this is an FP situation which would
> be reported.
> >>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Test.EICAR_LDB-1=contains=No=daily=main=database=virus=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
> >>>>>
> >>>>> However, I’m not sure where to find a copy of a Win.Test.EICAR_LDB-1
> file to submit.
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>>
> >>>>>> On Wed, Mar 16, 2016 at 09:44 PM, Jason J. W. Williams wrote:
> >>>>>>
> >>>>>> Culprit seems to be sanesecurity-porcupine.ndb (
> >>>>>> http://sanesecurity.com/usage/signatures/). Moving it out causes
> >>>>>> Win.Test.EICAR_NDB-1
> >>>>>> FOUND to be found, moving it back in triggers the
> Win.Trojan.Trojan-605 FP.
> >>>>>> Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why
> that is.
> >>>>>>
> >>>>>> -J
> >>>>>>
> >>>>>>> On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarn...@mac.com>
> wrote:
> >>>>>>>
> >>>>>>> Disregard, I found it here after they got the new main.cvd:
> >>>>>>> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605=contains=No=daily=main=database=virus=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
> >>>>>>>
> >>>>>>> I’ll see what I get once my main.cvd finishes.
> >>>>>>>
> >>>>>>> -Al-
> >&g

[clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
As of the latest daily update, running ClamAV against the EICAR test string
reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.

-J

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out
of freshclam:

WARNING: getfile: Error while reading database from db.local.clamav.net
(IP: 200.236.31.1): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.local.clamav.net
(IP: 194.186.47.19): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
Empty script daily-21465.cdiff, need to download entire database

On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:

> The new database was just made available, so I recommend you hold off
> until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
> excited about this.
>
> -Al-
>
> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >
> > As of the latest daily update, running ClamAV against the EICAR test
> string
> > reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >
> > -J

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Pulled down 21466 (and force restarted clamd) but it's still classifying
EICAR as Win.Trojan.Trojan:

https://gist.github.com/williamsjj/b8104402e80f44475df5

Databases are up to date now:
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
Empty script daily-21465.cdiff, need to download entire database
Downloading daily.cvd [100%]
daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder:
amishhammer)
Empty script bytecode-275.cdiff, need to download entire database
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder:
amishhammer)
Database updated (4302724 signatures) from db.local.clamav.net (IP:
193.1.193.64)



On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarn...@mac.com> wrote:

> Those are normal messages for an update of this kind.  The 21465.cdiff was
> purposely blank in order to force you to download the entire daily.cvd.
> Give it plenty of time as the main.cvd is 109MB.
>
> Technical details: <
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
> >
>
> -Al-
>
> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
> >
> > Thanks. Hopefully it'll sync up soon. I'm getting weird download errors
> out
> > of freshclam:
> >
> > WARNING: getfile: Error while reading database from db.local.clamav.net
> > (IP: 200.236.31.1): Operation now in progress
> > WARNING: getpatch: Can't download daily-21465.cdiff from
> db.local.clamav.net
> > nonblock_recv: recv timing out (30 secs)
> > WARNING: getfile: Error while reading database from db.local.clamav.net
> > (IP: 194.186.47.19): Operation now in progress
> > WARNING: getpatch: Can't download daily-21465.cdiff from
> db.local.clamav.net
> > Empty script daily-21465.cdiff, need to download entire database
> >
> > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> >
> >> The new database was just made available, so I recommend you hold off
> >> until you have the new mail.cvd v57 and daily.cvd v21466 before getting
> too
> >> excited about this.
> >>
> >> -Al-
> >>
> >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>
> >>> As of the latest daily update, running ClamAV against the EICAR test
> >> string
> >>> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>
> >>> -J

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Culprit seems to be sanesecurity-porcupine.ndb
(http://sanesecurity.com/usage/signatures/). Moving it out causes
Win.Test.EICAR_NDB-1 FOUND to be found, moving it back in triggers the
Win.Trojan.Trojan-605 FP. Since the Win.Trojan.Trojan sig isn't in the DB
I'm not sure why that is.

-J

On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell <alvarn...@mac.com> wrote:

> Disregard, I found it here after they got the new main.cvd:
> <http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605=contains=No=daily=main=database=virus=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display>
>
> I’ll see what I get once my main.cvd finishes.
>
> -Al-
>
> On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
> >
> > I’m still looking, but so far I can’t find any Win.Trojan.Trojan
> signatures in the ClamAV Official database or listed in clamav-virusdb
> e-mail list.
> >
> > Nor can I confirm your results using my own EICAR.
> >
> > Are you using any Unofficial signatures from a different source?
> >
> > -Al-
> >
> > On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
> >>
> >> Pulled down 21466 (and force restarted clamd) but it's still classifying
> >> EICAR as Win.Trojan.Trojan:
> >>
> >> https://gist.github.com/williamsjj/b8104402e80f44475df5
> >>
> >> Databases are up to date now:
> >> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60,
> builder:
> >> amishhammer)
> >> Empty script daily-21465.cdiff, need to download entire database
> >> Downloading daily.cvd [100%]
> >> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder:
> >> amishhammer)
> >> Empty script bytecode-275.cdiff, need to download entire database
> >> Downloading bytecode.cvd [100%]
> >> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder:
> >> amishhammer)
> >> Database updated (4302724 signatures) from db.local.clamav.net (IP:
> >> 193.1.193.64)
> >>
> >>
> >>
> >> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarn...@mac.com> wrote:
> >>
> >>> Those are normal messages for an update of this kind.  The 21465.cdiff
> was
> >>> purposely blank in order to force you to download the entire daily.cvd.
> >>> Give it plenty of time as the main.cvd is 109MB.
> >>>
> >>> Technical details: <
> >>>
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
> >>>>
> >>>
> >>> -Al-
> >>>
> >>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
> >>>>
> >>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download
> errors
> >>> out
> >>>> of freshclam:
> >>>>
> >>>> WARNING: getfile: Error while reading database from
> db.local.clamav.net
> >>>> (IP: 200.236.31.1): Operation now in progress
> >>>> WARNING: getpatch: Can't download daily-21465.cdiff from
> >>> db.local.clamav.net
> >>>> nonblock_recv: recv timing out (30 secs)
> >>>> WARNING: getfile: Error while reading database from
> db.local.clamav.net
> >>>> (IP: 194.186.47.19): Operation now in progress
> >>>> WARNING: getpatch: Can't download daily-21465.cdiff from
> >>> db.local.clamav.net
> >>>> Empty script daily-21465.cdiff, need to download entire database
> >>>>
> >>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com>
> wrote:
> >>>>
> >>>>> The new database was just made available, so I recommend you hold off
> >>>>> until you have the new mail.cvd v57 and daily.cvd v21466 before
> getting
> >>> too
> >>>>> excited about this.
> >>>>>
> >>>>> -Al-
> >>>>>
> >>>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>>>>
> >>>>>> As of the latest daily update, running ClamAV against the EICAR test
> >>>>> string
> >>>>>> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>>>>
> >>>>>> -J
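
The situation Jason narrows down above (pulling one unofficial .ndb in and out changes the name reported for the same EICAR file) and the identical-body observation Al makes in the longer thread come down to one check: do two signature names share the same body, and in which database file does each name live. The same files also show the whitelist formats Al lists from daily.ign (db:line:name) and daily.ign2 (one name per line). The following Python is an added example, not ClamAV or Sanesecurity code: it parses .ndb records, reports bodies that appear under more than one name across a set of database files, says which file defines a given name, and writes local.ign2 lines for the third-party names that duplicate an official one. The database file names, the "official" set and every signature line are constructed for illustration; the only real-world facts used are the .ndb record layout and the .ign2 layout.

```python
"""Spot duplicate ClamAV .ndb signature bodies across database files and
build local.ign2 entries for the third-party names that collide with an
official one.  Added example for this thread, not ClamAV or Sanesecurity
code; the database file names and signature lines below are constructed."""
import re
from collections import defaultdict

# .ndb record: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
# The hex body may carry ClamAV wildcards (??, *, {n-m}, (aa|bb), [n-m], !).
NDB_RE = re.compile(
    r"^([^:]+):(\d+):([^:]+):([0-9A-Fa-f?*{}\-()|\[\]!]+)(?::\d+)?(?::\d+)?\s*$"
)


def parse_ndb(text):
    """Return [(name, target, offset, hex_body)] for every record in an
    .ndb file.  Blank lines and '#' comments are skipped; anything else that
    does not match the record layout raises, so a garbled file is noticed."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = NDB_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an .ndb record: {raw!r}")
        name, target, offset, body = m.groups()
        records.append((name, int(target), offset, body.lower()))
    return records


def index_bodies(dbs):
    """Map (target, offset, hex_body) -> [(db_file, name), ...]."""
    index = defaultdict(list)
    for db_file, text in dbs.items():
        for name, target, offset, body in parse_ndb(text):
            index[(target, offset, body)].append((db_file, name))
    return index


def find_collisions(dbs):
    """Bodies that exist under more than one signature name.  Two identical
    bodies with different names is the situation in this thread: the name
    reported depends on which copy the engine matches first."""
    return [(key, hits) for key, hits in index_bodies(dbs).items()
            if len({name for _, name in hits}) > 1]


def find_signature(name, dbs):
    """Database files that define the signature name exactly."""
    return sorted(db for db, text in dbs.items()
                  if any(rec[0] == name for rec in parse_ndb(text)))


def ign2_candidates(dbs, official):
    """Names from non-official files whose body duplicates an official
    signature: whitelisting them in local.ign2 lets the official name win."""
    names = set()
    for _, hits in find_collisions(dbs):
        if any(db in official for db, _ in hits):
            names.update(name for db, name in hits if db not in official)
    return names


def ign2_text(names):
    """local.ign2 layout: one signature name per line, nothing else."""
    return "".join(f"{n}\n" for n in sorted(set(names)))


# Constructed sample databases (assumption: file names, names and bodies are
# illustrative; ClamAV's real EICAR signatures are not reproduced here).
EICAR_HEX = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE".hex()
SAMPLE_DBS = {
    "daily.ndb": (
        f"Win.Test.EICAR_NDB-1:0:*:{EICAR_HEX}\n"
        "Win.Trojan.Example-1:1:0:4d5a90000300000004000000ffff\n"
    ),
    "third-party.ndb": (
        "# constructed unofficial feed\n"
        f"Third.Party.EICAR.Copy-1:0:*:{EICAR_HEX}\n"
        "Third.Party.Example-2:0:*:48656c6c6f{4-8}776f726c64\n"
    ),
}
OFFICIAL = {"daily.ndb"}


def main():
    for (target, offset, body), hits in find_collisions(SAMPLE_DBS):
        print(f"collision target={target} offset={offset} body={body[:16]}...")
        for db, name in hits:
            print(f"    {name}  ({db})")
    print("local.ign2 would contain:")
    print(ign2_text(ign2_candidates(SAMPLE_DBS, OFFICIAL)), end="")


if __name__ == "__main__":
    main()
```

On a live system the equivalent of Jason's narrowing is to scan the test file against one database at a time and compare the reported names, for instance `clamscan -d /var/lib/clamav/daily.cvd eicar.txt` against `clamscan -d /var/lib/clamav/sanesecurity-porcupine.ndb eicar.txt` (the database directory is an assumption; use whatever DatabaseDirectory points at). `sigtool --find-sigs=Win.Trojan.Trojan-605` searches the installed official databases for a name, and `sigtool --unpack=main.cvd` yields the .ndb and .ldb files this script can read. Only .ndb records are parsed here; the same body can also live inside an .ldb logical signature, which this example does not cover. A local.ign2 written from the output belongs in the database directory next to daily.ign2 and is honoured after clamd reloads.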

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-18 Thread Jason J. W. Williams
Yeah, the sanesecurity sigs. Moving them out causes Win.Test.EICAR_NDB-1
FOUND to be found, which I assume is the new name.

Not sure why the update is suddenly causing the SaneSecurity sigs to get
checked first. I'll track it down.

-J

On Wed, Mar 16, 2016 at 9:32 PM, Al Varnell <alvarn...@mac.com> wrote:

> I’m still looking, but so far I can’t find any Win.Trojan.Trojan
> signatures in the ClamAV Official database or listed in clamav-virusdb
> e-mail list.
>
> Nor can I confirm your results using my own EICAR.
>
> Are you using any Unofficial signatures from a different source?
>
> -Al-
>
> On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
> >
> > Pulled down 21466 (and force restarted clamd) but it's still classifying
> > EICAR as Win.Trojan.Trojan:
> >
> > https://gist.github.com/williamsjj/b8104402e80f44475df5
> >
> > Databases are up to date now:
> > main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
> > amishhammer)
> > Empty script daily-21465.cdiff, need to download entire database
> > Downloading daily.cvd [100%]
> > daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder:
> > amishhammer)
> > Empty script bytecode-275.cdiff, need to download entire database
> > Downloading bytecode.cvd [100%]
> > bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder:
> > amishhammer)
> > Database updated (4302724 signatures) from db.local.clamav.net (IP:
> > 193.1.193.64)
> >
> >
> >
> > On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell <alvarn...@mac.com> wrote:
> >
> >> Those are normal messages for an update of this kind.  The 21465.cdiff
> was
> >> purposely blank in order to force you to download the entire daily.cvd.
> >> Give it plenty of time as the main.cvd is 109MB.
> >>
> >> Technical details: <
> >>
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
> >>>
> >>
> >> -Al-
> >>
> >> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
> >>>
> >>> Thanks. Hopefully it'll sync up soon. I'm getting weird download errors
> >> out
> >>> of freshclam:
> >>>
> >>> WARNING: getfile: Error while reading database from
> db.local.clamav.net
> >>> (IP: 200.236.31.1): Operation now in progress
> >>> WARNING: getpatch: Can't download daily-21465.cdiff from
> >> db.local.clamav.net
> >>> nonblock_recv: recv timing out (30 secs)
> >>> WARNING: getfile: Error while reading database from
> db.local.clamav.net
> >>> (IP: 194.186.47.19): Operation now in progress
> >>> WARNING: getpatch: Can't download daily-21465.cdiff from
> >> db.local.clamav.net
> >>> Empty script daily-21465.cdiff, need to download entire database
> >>>
> >>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> >>>
> >>>> The new database was just made available, so I recommend you hold off
> >>>> until you have the new mail.cvd v57 and daily.cvd v21466 before
> getting
> >> too
> >>>> excited about this.
> >>>>
> >>>> -Al-
> >>>>
> >>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>>>
> >>>>> As of the latest daily update, running ClamAV against the EICAR test
> >>>> string
> >>>>> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>>>
> >>>>> -J
>
> -Al-
> --
> Al Varnell
> Mountain View, CA