Re: [clamav-users] Disable official database

2019-08-24 Thread Kees Theunissen
On Sat, 24 Aug 2019, azu...@pobox.sk wrote:

> Hi,
>
> is it possible to disable official virus database? I would like to use only
> custom database. Thanks for info.

Before I retired nearly a year ago I ran for several years an instance
of clamd on the incoming mail servers at work that should only detect
macros in office files. These macros are detected by built-in
heuristics in clamd so I didn't need virus databases at all for these
clamd instances but I didn't want to run clamd in the ultimate edge
case using no databases. (I didn't even test if I could start clamd
without databases.)

I created a database directory containing only a custom database with a
single definition to detect the "eicar-virus". I created a customized
clamd config file pointing to this nearly empty database directory.
And I started these instances of clamd with the commandline option to
use this customized config file. The overhead involved with using
a single -actually not needed- eicar definition was acceptable to me.

So yes, at that time, it was possible to run at least clamd without
the official virus database. I only used this with clamd, not with
clamscan. And I didn't test this with the current clamav version.


Regards,

Kees.

-- 
Kees Theunissen
Email: kees.theunis...@xs4all.nl

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-10 Thread Kees Theunissen
On Tue, 10 Jul 2018, Robert Kudyba wrote:

>Hello hive,
>
>Running:
>clamav-0.100.0-2.fc28.x86_64
>
>clamd, freshclam and clamav-milter all up and running:
>ps -auwx | grep clam
>clamupd+ 20336  0.0  0.0  50672  4016 ?Ss   Jun29   1:15
>/usr/bin/freshclam -d -c 4
>clamav   23713  0.0  0.0 176780  1160 ?Ssl  13:23   0:00
>/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
>clamscan 25458  0.0  4.6 1405848 1142996 ? Ssl  13:27   0:00
>/usr/sbin/clamd -c /etc/clamd.d/scan.conf
>root 25593  0.0  0.0   9156  1084 pts/1S+   17:02   0:00 grep
>--color=auto clam
>
>However it fails with sendmail with these errors:
>Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273:
>milter_sys_read(clamav): cmd read returned 11, expecting 1431194445
>Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav): to
>error state
>Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav):
>init failed to open
>Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav): to
>error state
>Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter:
>initialization failed, temp failing commands
>
>Here's the relevant line in sendmail.mc:
>INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamd.scan/clamd.sock,
>F=T,T=S:4m;R:4m;E:10m')dnl


Your INPUT_MAIL_FILTER should be clamav-milter listening on socket
/var/run/clamav-milter/clamav-milter.socket (as defined below)
and not the clamd daemon which is listening on socket
/var/run/clamd.scan/clamd.sock


>
>Lines in /etc/mail/clamav-milter.conf
>MilterSocket /var/run/clamav-milter/clamav-milter.socket
>MilterSocket inet:7357
>ClamdSocket tcp:localhost:3310
>ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>
>Lines in /etc/clamd.d/scan.conf
>
>TCPSocket 3310
>TCPAddr 127.0.0.1
>
>Everything I've read says that as long as ClamdSocket in the
>clamav-milter.conf and INPUT_MAIL_FILTER in sendmail.mc match it should
>work.
>
>Is my syntax wrong some where?
>



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
email address:    c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] Sig missing

2018-03-26 Thread Kees Theunissen
On Sun, 25 Mar 2018, Al Varnell wrote:

>Have you tried disabling your unofficial signature to see if the official one 
>detects it yet?

Just try clamscan or clamdscan with the -z  or --allmatch option.

  -z, --allmatch
 After a match, continue scanning within the file for
 additional matches.



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] ClamAVR blog: ClamAV 0.99.4 has been released!

2018-03-09 Thread Kees Theunissen
On Thu, 8 Mar 2018, Andy Schmidt wrote:

>Nah, Brian, in this case it's actually a bug, albeit a "cosmetic" one. I
>have been getting the same misleading error message on every system ever
>since I upgraded to 0.99.4 - so I suspect many, if not all others, have too:
>
>   Thu Mar 08 11:46:31 2018 -> WARNING: Local version: clamav-0.99.4
>Recommended version: 0.99.4

I only saw messages like
  Mar  7 16:41:18 pcict9 freshclam[1311]: Local version: 0.99.3
  Recommended version: 0.99.4
until I upgraded to a locally compiled 0.99.4 package. After that I
didn't see such warnings anymore -- as expected.

>
>So, thanks Brian, for being the one reporting it. I had "let it slide"
>though, given that they had just hoped to have fixed that same error last
>weekend, when FreshClam thought that even 0.99.3 was recommended instead of
>an already installed 0.99.4.
>
>Clearly there is some imperfect comparison being performed prior to issuing
>this message, when even identical "local" vs. "recommended" versions are
>evaluated as "not equal".

The version strings "clamav-0.99.4" and "0.99.4" are not identical.
The package that you installed seems to have been built with a wrong
version string (including the phrase "clamav-").
How is your version shown by commands like "freshclam --version"
or "clamscan --version"?

~$ freshclam --version
ClamAV 0.99.4/24377/Fri Mar  9 10:13:20 2018
~$ clamscan --version
ClamAV 0.99.4/24377/Fri Mar  9 10:13:20 2018

In your case I would expect something like:
ClamAV clamav-0.99.4/24377/Fri Mar  9 10:13:20 2018


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] ClamAV 0.99.3 and GCC Patch

2018-02-21 Thread Kees Theunissen
On Wed, 21 Feb 2018, Bill S wrote:

>On Wed, Feb 21, 2018 at 9:47 AM, Reindl Harald  wrote:
>
>> point was that there are binary packages which working fine all over
>> distributions 
>
>I have not had much luck finding a binary package that is not part of
>a non Slackware install.  If anyone finds such a package in their
>travels I would be very grateful for a link.

Have a look at https://slackbuilds.org/ for build scripts that produce
binary Slackware packages which integrate nicely with the Slackware
package management tools.

The build script for Clamav 0.99.3 on Slackware 14.2 doesn't require
any patches. Are you running "Slackware Current" perhaps?


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] submitting phish samples - stripped

2018-02-12 Thread Kees Theunissen
On Mon, 12 Feb 2018, Joel Esler (jesler) wrote:

>Generally speaking, it's better for us to have as much detail as possible.
>Samples that you submit through the website (either one) are not shared
>with partners (unless you check the "share with partners" checkbox)

Hi Joel,

In a previous message in this thread you wrote:

>Phish can also be sent in to
>phishtank.com<http://phishtank.com> (also a project ran by my team) which
>allows community voting on phish to product a blacklist for users to use.

Can you explain how you organized this "community voting" without
sharing the submitted phish samples with the/some "community"?


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
email address:    c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Kees Theunissen
On Fri, 26 Jan 2018, Matus UHLAR - fantomas wrote:

> On 26.01.18 13:09, Kees Theunissen wrote:
>> On Fri, 26 Jan 2018, Al Varnell wrote:
>>
>>> If you can't revert to daily 24255 then disable daily.cld until you know 
>>> it's
>>> fixed.
>>>
>>> Has anybody updated to daily 24257 to see if that helps? I doubt that it 
>>> does
>>> as no sigs are shown as dropped.
>>
>> I'm running ClamAv 0.99.2 on two mail servers (debian 9, with
>> sendmail / MimeDefang / SpamAssassin /ClamAv) and a
>> workstation (slackware 14.2) without any problem.
>>
>> I'm currently running daily 24257. But 24256 ran without
>> problems too.
>
> I've had to start clamd on 3 of servers I looked at, some other were OK.

I didn't see any problems on my two (very lightly-loaded, about
2.5 messages per minute on average) servers.

But I could reproduce the stale fd's in /prod//fd
on my workstation by increasing the load on clamd. Just scanning
inbound mail on the workstation didn't trigger the error.
But scanning a few hundred (clean, text-only) email messages from
this mailing list did.
   cat ~/mail/clamav | formail -s clamdscan -

I didn't try to trigger the error on the two production servers.



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
email address:    c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Kees Theunissen
On Fri, 26 Jan 2018, Al Varnell wrote:

>If you can't revert to daily 24255 then disable daily.cld until you know it's 
>fixed.
>
>Has anybody updated to daily 24257 to see if that helps? I doubt that it does 
>as no sigs are shown as dropped.

I'm running ClamAv 0.99.2 on two mail servers (debian 9, with
sendmail / MimeDefang / SpamAssassin /ClamAv) and a
workstation (slackware 14.2) without any problem.

I'm currently running daily 24257. But 24256 ran without
problems too.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] Using a file to list exclusions for on-demand search?

2018-01-04 Thread Kees Theunissen
On Thu, 4 Jan 2018, Paul B. wrote:

>Hi,
>I just installed ClamAv on a desktop Linux machine. I would like to
>set it up using aliases in the bashrc file, so I can do various kinds
>of file and directory scans from the command line. Rather than an
>unwieldy string of exclusions in the alias' command line, I would like
>to have a file that lists exclusions, which Clam would reference. I've
>seen mention of this ability, but not enough info to get me started. I
>do not have the daemon installed, just ClamAv, and FreshClam for
>updates.

Hi Paul,

This can be done with a little bit of shell scripting.

Create an exclusion file like this:

#
#
# file: /home/kees/scan_excludes
#
# Parsing rules:
# -- leading and trailing white space will be removed
# -- empty lines -after space removal- will be ignored
# -- lines starting with a '#' -after space removal- will be ignored
# -- lines starting with 'file:' define file exclusions
# -- lines starting with 'dir:' define directory exclusions
# -- lines must contain exactly one exclusion expression

# Exclude some files
file:expression_to_exclude_some_files
file:exclude_more_files

# Exclude a directory
dir:some_directory

#


And define aliases like below:

alias parse_exclude_file="sed -r \
   -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' -e '/^(#|$)/d' \
   -e 's/^file:/--exclude=/' -e 's/^dir:/--exclude-dir=/'"

alias scan_home_dirs="clamscan -r --suppress-ok-results --bell \
   \$( parse_exclude_file /home/kees/scan_excludes ) \
   /home"


For testing/debugging first run 'set -x' and then 'scan_home_dirs'.
With the x flag set the shell will show all commands with options
and parameters that are executed during the alias expansion.
'+' signs at the start of a line indicate the nesting depth of
the shown command. Run 'set +x' to reset the flag.

Let's try:

kees@ithmar:~$ set -x
kees@ithmar:~$ scan_home_dirs
++ sed -r -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' -e '/^(#|$)/d' -e 's/^file:/--exclude=/' -e 's/^dir:/--exclude-dir=/' /home/kees/scan_excludes
+ clamscan -r --suppress-ok-results --bell --exclude=expression_to_exclude_some_files --exclude=exclude_more_files --exclude-dir=some_directory /home
^C (scan aborted, it takes way too much time)
kees@ithmar:~$ set +x
+ set +x



Regards,


Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
email address:    c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
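
As an added example (not code from the original post), the same exclusion-file rules as a POSIX shell function instead of an alias: a line that starts with neither 'file:' nor 'dir:' is reported and stops the scan instead of being passed to clamscan unchanged, and the options are re-split on newlines only, so an expression containing spaces reaches clamscan as one argument. It assumes the file format described in the post and clamscan on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: shell-function version of the
# sed-based exclusion parser. Assumes the exclusion-file format described in
# the post (file:/dir: prefixes, '#' comments, one expression per line).

# Convert one line of the exclusion file to a clamscan option.
# Prints nothing for blank lines and comments; returns 1 for an unknown prefix.
exclusion_to_option() {
    # leading and trailing white space is removed first, as in the alias
    line=$(printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    case "$line" in
        ''|'#'*) return 0 ;;
        file:*)  printf '%s%s\n' '--exclude=' "${line#file:}" ;;
        dir:*)   printf '%s%s\n' '--exclude-dir=' "${line#dir:}" ;;
        *)       printf 'exclusion_to_option: unrecognised line: %s\n' "$line" >&2
                 return 1 ;;
    esac
}

# Print one clamscan option per line for the whole exclusion file $1.
# Returns 1 if any line was rejected, so a typo cannot silently drop an exclusion.
parse_exclude_file() {
    status=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        exclusion_to_option "$raw" || status=1
    done < "$1"
    return "$status"
}

# Scan $2 recursively with the exclusions from file $1.
scan_with_exclusions() {
    excl_file=$1
    target=$2
    opts=$(parse_exclude_file "$excl_file") || return 1
    # Split the option list on newlines only, with globbing off, so that
    # spaces and '*' inside an expression are not interpreted by the shell.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $opts
    set +f
    IFS=$old_ifs
    clamscan -r --suppress-ok-results --bell "$@" "$target"
}

# Constructed sample exclusion file, in the layout the post describes.
write_sample_exclusions() {
    cat > "$1" <<'EOF'
#
# file: scan_excludes (constructed sample)
#
  file:expression_to_exclude_some_files
file:Program Files.*
dir:some_directory

# nothing else excluded
EOF
}
```

Call it as `scan_with_exclusions /home/kees/scan_excludes /home`; with `set -x` the trace shows each exclusion as a single argument.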


Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Kees Theunissen
On Wed, 15 Nov 2017, Mark Foley wrote:

>On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell  wrote:
>
>>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
>>> I found this older message in the archives. I'm receiving a lot of fake
>>> "Invoice" messages with attached encrypted .doc files that run VB scripts 
>>> and
>>> execute .exe files.
>>>
>>> I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
>>> says, ".docx files *are* zip files", but lately I've been getting .doc files
>>> which are really .docx file.  KDE Dolphin isn't deceived and opens the
>>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
>>> document.  If I rename the document to .docx, then Dolphin opens it in
>>> LibreOffice.
>>>
>>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
>>> enough to look beyond the extension?
>>
>> In general, yes, clamAV doesn't pay attention to extensions and looks for
>> document signatures that are usually at the top of a file to determine
>> file type. That being said, I can't confirm exactly how it handles .doc and 
>> .docx files.
>>
>
>Thanks Al. I'll turn this on and experiment. I'll post back my findings.
>
>Does anyone have exerience with this?

I did a few tests some time ago. The encryption/protection
is implemented by Microsoft as an internal format somewhere in
the office document structure, _not_ as an encrypted zip file.

So ArchiveblockEncrypted won't block encrypted Word documents.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] How to find string for a signature?

2017-10-21 Thread Kees Theunissen
On Sat, 21 Oct 2017, Eric Tykwinski wrote:

>clamscan TA17-293A_\ Advanced\ Persistent\ Threat\ Activity\ Targeting\ 
>Energy\ and\ Other\ Critical\ Infrastructure\ Sectors.eml
>TA17-293A_ Advanced Persistent Threat Activity Targeting Energy and Other 
>Critical Infrastructure Sectors.eml: OK
>
>--- SCAN SUMMARY ---
>Known viruses: 6320077
>Engine version: 0.99.2
>Scanned directories: 0
>Scanned files: 1
>Infected files: 0
>Data scanned: 0.30 MB
>Data read: 0.10 MB (ratio 3.08:1)
>Time: 11.661 sec (0 m 11 s)
>
>I definitely have that signature in ClamAV as well: 
>PUA.Win.Trojan.Xored-1:3:*:63686172636f6465617428{-5}295e
>
>Perhaps amavisd is different in the way it scans?

The detection of PUAs is configurable.
Look for "PUA" in the clamscan and clamd.conf manpages.

$ clamscan us-cert-message
us-cert-message: OK

--- SCAN SUMMARY ---
Known viruses: 6519776
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.30 MB
Data read: 0.10 MB (ratio 3.08:1)
Time: 8.104 sec (0 m 8 s)


$ clamscan --detect-pua us-cert-message
us-cert-message: PUA.Win.Trojan.Xored-1 FOUND

--- SCAN SUMMARY ---
Known viruses: 6525318
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.16 MB
Data read: 0.10 MB (ratio 1.68:1)
Time: 7.986 sec (0 m 7 s)



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] CVE-2017-11241 - Synology DIskStation AV Essentials

2017-09-13 Thread Kees Theunissen
On Wed, 13 Sep 2017, Kees Theunissen wrote:

>On Wed, 13 Sep 2017, lukn wrote:
>
>>Hello List
>>
>>Same here, I do see FPs with
>>BC.Win.Exploit.CVE_2017_11244-6335828-0
>>hitting legitimate corporate files (so no submission possible from me
>>either).
>
>We saw BC.Win.Exploit.CVE_2017_11244-6335828-0 hitting a *.docx
>attachment in an outbound e-mail from one of our users.
>That was probably a FP too.
>I didn't see the attachment myself so I'm not sure that it was
>a FP. I asked the user if the file was confidential and if I could
>get a copy of the file for inspection and submission of a FP-report.
>He didn't answer yet.

Update: he answered while I wrote the above message.
Unfortunately the file is a confidential research proposal so
I can't include it in a FP-report.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] CVE-2017-11241 - Synology DIskStation AV Essentials

2017-09-13 Thread Kees Theunissen
On Wed, 13 Sep 2017, lukn wrote:

>Hello List
>
>Same here, I do see FPs with
>BC.Win.Exploit.CVE_2017_11244-6335828-0
>hitting legitimate corporate files (so no submission possible from me
>either).

We saw BC.Win.Exploit.CVE_2017_11244-6335828-0 hitting a *.docx
attachment in an outbound e-mail from one of our users.
That was probably a FP too.
I didn't see the attachment myself so I'm not sure that it was
a FP. I asked the user if the file was confidential and if I could
get a copy of the file for inspection and submission of a FP-report.
He didn't answer yet.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] ubuntu xenial non-free?

2017-08-04 Thread Kees Theunissen
On Fri, 4 Aug 2017, Jan-Peter Rühmann wrote:

>But there is no such Package as libclamunrar6.

On debian 8 or 9 (with clamav 0.99.2) the package is called:
libclamunrar7.

I guess that name is also used on Ubuntu.



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] how to find Html.Phishing.Auction-214

2017-03-22 Thread Kees Theunissen
On Wed, 22 Mar 2017, Hajo Locke wrote:

> thank you steve. i could find the lines and removed them. How could you decode
> this signature?


~$ sigtool --find-sigs Html.Phishing.Auction-214 | sigtool --decode-sigs
VIRUS NAME: Html.Phishing.Auction-214
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
sein, weil sie [... snipped ...] aktualisiert wurde

> especially interesting is that virus was found in complete sql-file but not in
> splitted subfiles. May be target type is ignored at filesize x?
> complete sql file is 4.6mb

I guess that the string that was looked for spanned a subfile boundary
and was split over two subfiles.


Regards,

Kees.

-- 
Kees Theunissen, System and network manager,   Tel: 040-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven
visitors address: De Zaale 20, 5612 AJ, Eindhoven


Re: [clamav-users] SpoofedDomain FOUND

2017-02-15 Thread Kees Theunissen
On Wed, 15 Feb 2017, ellanios82 wrote:

> Hello List ,
>
>
> scanning my Thunderbird directory , am getting :
>
> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus:
> Heuristics.Phishing.Email.SpoofedDomain FOUND
> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus: copied to
> '/var/log/clams.infected/bus'
>
>
> How please do i locate the offending message to delete, as i do not want to
> delete the entire directory ?


It's likely a message from this mailinglist:

My spam/virus fileter rejected a messeage from this list:

Timestamp:Feb 15 17:50:33  (UTC +1)
Size: 1365308
Subject:  Re: [clamav-users] clamdscan mail file
Message-ID:   43291D57DEB83042A250562D597FDBDA477C0EED@PC1WEPSIEXDAG02
Status:   Rejecting because of virus
  Heuristics.Phishing.Email.SpoofedDomain

The timestamp is not the "Date:" header from the message but the
time of the delivery attempt at my mail server.

Looks like this was the message that Reindl Harald replied to
with his last message in the thread: "clamdscan mail file".


This should be sufficient information to locate the message.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] Cannot skip OLE2 checking

2016-12-21 Thread Kees Theunissen
On Wed, 21 Dec 2016, Mark Foley wrote:

>On Wed, 21 Dec 2016 17:34:05 Reindl Harald wrote:
>>
>> Am 21.12.2016 um 17:25 schrieb Mark Foley:
>> > I'm running clamdscan on Maildir folders as:
>> >
>> > clamdscan --config-file=/usr/local/etc/clamdscan.conf --multiscan \
>> >   --fdpass --allmatch --stdout /home/HPRS/user/Maildir/
>> >
>> > I want to skip checking for OLE2 macros. The /usr/local/etc/clamdscan.conf 
>> > has:
>> >
>> > ScanOLE2 no
>> > OLE2BlockMacros no

Also specify different values for "LocalSocket", "PidFile" and "LogFile"
and start a second instance of the clamd daemon using this config file.

< ... >

>Thinking about what the "d" means doesn't help me solve my problem. clamdscan
>has an option --config-file. I would assume clamdscan would spawn another clamd
>with the new option file. Is this not the case? Will the currently running 
>clamd
>be used regardless of the --config-file parameter?

Clamdscan will connect to the socket specified in the config file and
hence to the right daemon process. The socket specification is probably the
only parameter from the config that is used by clamdscan.



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] ERROR: Malformed database

2016-07-13 Thread Kees Theunissen
On Wed, 13 Jul 2016, Rejaine Monteiro wrote:

> yes, I deleted all databases .. I think the problem is the version of this
> particular  server, which is very old (V.96). in other servers with version
> v.098 is functioning normally.

See: http://www.clamav.net/documents/end-of-life-policy-eol

Quote from that page: "Before releasing a CVD update, we verify that it
can be correctly loaded by the latest two major releases of ClamAV and
all the minor versions released after each of them"



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] Clamav fails to detect exe within rar

2015-11-20 Thread Kees Theunissen
On Fri, 20 Nov 2015, Steve basford wrote:

> Hi Alex... do you have libunrar


On Debian linux systems (and probably on most/all linux distributions
based on Debian) you need to install the "libclamunrar6" package from
the non-free/libs section.

This is _not_ mentioned in the main clamav package as a dependency,
recommendation or even a suggestion. The strict debian policy rules
seem to dictate that the whole clamav package would otherwise classify
as non-free.

I guess that -as a result of this strict policy- quite a lot of
sysadmins are unaware of the fact that their virus scanner is
running without unrar support.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands


Re: [clamav-users] Permission problem while creating tmp file

2015-05-02 Thread Kees Theunissen
On Fri, 1 May 2015, Alex Regan wrote:

> Hi,
>
> I have a fedora20 system with amavisd-2.9.1, clamav-0.98.6, postfix, and
> spamassassin, and it's been running fine forever. I'm now having an issue with
> clamav creating temporary files for amavis. clamd is running as user amavis,
> yet it prints the following:
>
> May  1 17:02:06 mail02 clamd[25732]:
> /var/spool/amavisd/tmp/amavis-20150501T165504-27729-5xw6dnm4/parts/p001: Can't
> create temporary directory ERROR
>
> # ps axwwwu|grep clam
> amavis   25732  2.8  1.5 823212 523148 ?   Ssl  16:47   0:21 clamd.amavisd
> -c /etc/clamd.d/amavisd.conf --pid /var/run/clamd.amavisd/clamd.pid
>
> If I change to the amavis user, I can create files in the tmp directory:
>
> # ls -ld /var/spool/amavisd/tmp
> drwxr-x---. 9 amavis amavis 12288 May  1 17:03 /var/spool/amavisd/tmp
>
> Does anyone have any ideas how to troubleshoot this? Maybe there's some tracing
> I can enable to troubleshoot this?

If the process had permissions to create files/directories then you
most likely were running out of free disk space or free inodes.

Is amavis' scratch area located on a ram disk (tmpfs filesystem) with
limited size?

The error might have been caused by the concurrent handling of several
large messages or compressed attachments that expand to many and/or
large files. Do your logs show such events?


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
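An added check (not part of the list post) for the two exhaustible resources the reply points at: free space and free inodes on the scanner's scratch directory, plus whether that directory sits on a size-limited tmpfs. The mount table below is a constructed sample; `scratch_headroom` reads the real filesystem.

```python
"""Added example, not from the list post: diagnose a failed mkdir in a
scanner scratch area when permissions look correct."""
import os

# Constructed /proc/mounts sample: the amavis scratch area on a 256 MB tmpfs.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /var/spool/amavisd/tmp tmpfs rw,size=256m 0 0
"""


def scratch_headroom(path: str) -> dict:
    """Free bytes and inodes as seen by a non-root process such as clamd."""
    st = os.statvfs(path)
    return {
        "free_bytes": st.f_bavail * st.f_frsize,
        "free_inodes": st.f_favail,
        "total_inodes": st.f_files,
    }


def mount_fstype(path: str, mounts_text: str) -> str:
    """Filesystem type of the longest mount point that contains path.
    mounts_text is the content of /proc/mounts (or a constructed sample)."""
    path = os.path.normpath(path)
    best_mnt, best_type = "", ""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mnt, fstype = parts[1], parts[2]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best_mnt):
            best_mnt, best_type = mnt, fstype
    return best_type


def assess(free_bytes: int, free_inodes: int, fstype: str,
           min_bytes: int = 512 * 1024 * 1024, min_inodes: int = 10000) -> list:
    """Return the conditions that would explain 'Can't create temporary directory'."""
    problems = []
    if free_bytes < min_bytes:
        problems.append("low free space")
    if free_inodes < min_inodes:
        problems.append("low free inodes")
    if fstype == "tmpfs":
        problems.append("scratch area is a size-limited tmpfs")
    return problems


if __name__ == "__main__":
    scratch = "/var/spool/amavisd/tmp"
    fstype = mount_fstype(scratch, open("/proc/mounts").read())
    hr = scratch_headroom(scratch)
    print(assess(hr["free_bytes"], hr["free_inodes"], fstype))
```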



Re: [clamav-users] Scan of RAR problem

2015-04-29 Thread Kees Theunissen
On Wed, 29 Apr 2015, jose-marcio martins da cruz wrote:

> On 04/29/2015 06:20 PM, René Bellora wrote:
>> On 29/04/15 at 13:04, jose-marcio martins da cruz wrote:
>>>
>>> Hello,
>>>
>>> I'm getting different results when scanning an infected email message.
>>>
>>> On a Sparc Solaris 10 (32-bit compiled), clamdscan tells me that the
>>> message is infected : "Heuristics.Encrypted.RAR FOUND"
>>>
>>> Testing it on two 64-bit linux boxes (fedora and ubuntu), both tell
>>> me that the message is clean.
>>
>>
>>
>> linux 32-bit also reports the message clean (with "ArchiveBlockEncrypted
>> yes" in clamd.conf)
>
> Hmmm...
>
> On the Solaris boxes, there are libclamunrar* libraries, while there aren't any on
> the Linux boxes...
>
> Clamav on the Solaris boxes was compiled and installed from sources, while on the
> Linux boxes it comes from the distros...
>
> If I remember, there is a kind of licence problem with rar libraries...


Debian has put the rar support in the "libclamunrar6" package in the
"non-free" section of the repository. The clamav package doesn't even
mention libclamunrar6 as a dependency or a recommended package.
I guess that a formal dependency on the non-free "libclamunrar6"
package would have made clamav "non-free" too.

I didn't check ubuntu but most likely ubuntu has a "libclamunrar6"
package too as ubuntu is derived from debian.
And I don't know anything about clamav in fedora.



Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL


Re: [clamav-users] Trouble whitelisting URLs

2013-06-11 Thread Kees Theunissen
On Tue, 11 Jun 2013, Kris Deugau wrote:

>Greg Folkert wrote:
>> On Tue, 2013-06-11 at 14:38 -0400, Kris Deugau wrote:
>>> (Resend;  list seems to have gone black-hole for a few days)
>>
>> FYI, I saw your last e-mail on Wednesday of last week on this very
>> subject. I didn't have any answers so I didn't respond.
>
>Curious.  I didn't get a copy back as usual, and I didn't get a copy of
>today's message either.  Time to check my subscription settings...

Or just check your virus-filter logs.

Both your messages were rejected by my filter. The log shows:
"Messsage rejected because of virus Heuristics.Phishing.Email.SpoofedDomain."
It triggered most likely on the URLs in your messages.

That probably also happened with your copies.

Time to whitelist the list server I guess.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] TTL on the current.cvd.clamav.net TXT resource record.

2013-02-15 Thread Kees Theunissen
On Fri, 15 Feb 2013, Shawn Webb wrote:

>We temporarily bumped the TTL up to three hours yesterday to ease the
>burden on the mirrors while we pushed out a change that would cause a lot
>of bandwidth. The TTL will be set back to its previous value soon.

Thanks.
That explains why I didn't see this before. I noticed this yesterday
when I had update problems.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL



[clamav-users] TTL on the current.cvd.clamav.net TXT resource record.

2013-02-15 Thread Kees Theunissen
The "ClamAV Virus Databases" FAQ
(http://www.clamav.net/lang/en/faq/faq-cvd/) says:

   You can check for database update as often as 4 times per hour
   provided that you have the following options in freshclam.conf:
   DNSDatabaseInfo current.cvd.clamav.net
   DatabaseMirror db.XY.clamav.net
   DatabaseMirror database.clamav.net
   Replace XY with your country code. If you don't have that option,
   then you must stick with 1 check per hour.

But the TTL (Time To Live) on the current.cvd.clamav.net TXT
Resource Record is 10800 seconds (3 hours).

~$ dig @ns3.clamav.net txt current.cvd.clamav.net
[...]
;; ANSWER SECTION:
current.cvd.clamav.net. 10800   IN  TXT 
"0.97.6:54:16685:1360928385:0:63:40236:214"
[...]


This will cause the record to be kept in DNS caches for 3 hours
and it will reduce the effective update frequency to once in
3 hours (unless you can flush your resolver caches).
Shouldn't the TTL be reduced to something like 900 seconds?


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
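An added example (not from the list post) that turns the argument above into a check: parse the TXT answer exactly as `dig` printed it in the post, read the TTL, and compare it with the check rate configured in freshclam.conf. Only the first four colon-separated fields of the record are interpreted (ClamAV version, main, daily, timestamp); the rest are kept raw.

```python
"""Added example, not from the list post: does the TTL on the
current.cvd.clamav.net TXT record allow the configured freshclam check rate?"""
import re

# dig answer section as quoted in the post; the record string is split
# across two lines exactly as dig printed it.
DIG_OUTPUT = """\
;; ANSWER SECTION:
current.cvd.clamav.net. 10800   IN  TXT 
"0.97.6:54:16685:1360928385:0:63:40236:214"
"""

# name, TTL, IN, TXT, then the quoted string (whitespace may include a newline)
TXT_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+TXT\s+"([^"]*)"', re.M)


def parse_txt_record(dig_output: str) -> dict:
    """Extract TTL and the version fields from a dig TXT answer."""
    m = TXT_RE.search(dig_output)
    if not m:
        raise ValueError("no TXT answer found in dig output")
    fields = m.group(3).split(":")
    if len(fields) < 4:
        raise ValueError("unexpected TXT record layout")
    return {
        "name": m.group(1).rstrip("."),
        "ttl": int(m.group(2)),
        "clamav_version": fields[0],   # first four fields as freshclam uses them
        "main": int(fields[1]),
        "daily": int(fields[2]),
        "timestamp": int(fields[3]),
        "raw": m.group(3),
    }


def effective_checks_per_day(ttl_seconds: int, configured_checks: int) -> int:
    """Checks per day that actually see fresh data through a caching resolver."""
    return min(configured_checks, 86400 // ttl_seconds)


def max_ttl_for_checks(configured_checks: int) -> int:
    """Largest TTL compatible with 'Checks <configured_checks>' in freshclam.conf."""
    return 86400 // configured_checks


if __name__ == "__main__":
    rec = parse_txt_record(DIG_OUTPUT)
    print(rec["ttl"], effective_checks_per_day(rec["ttl"], 96), max_ttl_for_checks(96))
```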
