Re: [clamav-users] ClamWin finds malware, ClamAV doesn't.

2016-07-26 Thread Kevin Lin
The filesize limit can be dynamically set for clamscan with the
"--max-filesize=xxM" option. clamd.conf can be used to change the clamd
filesize limit with "MaxFileSize".

Excerpt from clamscan help:

--max-filesize=#n    Files larger than this will be skipped and assumed clean
--max-scansize=#n    The maximum amount of data to scan for each container file (**)
--max-files=#n       The maximum number of files to scan for each container file (**)


Excerpt from clamd.conf manpage:

   MaxScanSize SIZE
      Sets the maximum amount of data to be scanned for each input file.
      Archives and other containers are recursively extracted and scanned
      up to this value. The size of an archive plus the sum of the sizes of
      all files within the archive count toward the scan size. For example,
      a 1M uncompressed archive containing a single 1M inner file counts as
      2M toward the max scan size. Warning: disabling this limit or setting
      it too high may result in severe damage to the system.
      Default: 100M

   MaxFileSize SIZE
      Files larger than this limit won't be scanned. Affects the input file
      itself as well as files contained inside it (when the input file is an
      archive, a document or some other kind of container). Warning:
      disabling this limit or setting it too high may result in severe
      damage to the system.
      Default: 25M

   ...

   MaxFiles NUMBER
      Number of files to be scanned within an archive, a document, or any
      other kind of container. Warning: disabling this limit or setting it
      too high may result in severe damage to the system.
      Default: 1


As said earlier, be careful with expanding the engine limits as scanning
oversized files can be dangerous.

-Kevin

On Tue, Jul 26, 2016 at 2:10 AM, Al Varnell  wrote:

> You might be able to re-compile the ClamAV source and configure it with
> --maxfilesize=xxM, but the limit is there to prevent severe system damage
> that can result from attempting to scan over-sized files.  I know in the
> case of OS X there is no known malware that exceeds the established limits.
>
> -Al-
>
> > Thanks for your questions and suggestions.
> >
> > I had a look via the --debug method, and found the following in the
> clamAV call:-
> >
> > LibClamAV debug: cli_updatelimits: filesize exceeded (allowed: 26214400,
> needed: 104096320)
> 
> > Is there somewhere in the clamAV config I can set the cli_updatelimits:
> filesize to be larger?
> >
> > In the install dir I only see clamd.conf and freshclam.conf:
> >
> > TCPSocket 3310
> > MaxThreads 2
> > LogFile C:\working\clam_av_logs\clamd.txt
> > DatabaseDirectory C:\Program Files\clamav-amd64-0.99.2\db
>
> ___
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
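The limits discussed in this thread can be checked ahead of a scan. The following is an added example, not code from the thread or from ClamAV itself: it parses clamd.conf SIZE values as the manpage describes them (a bare byte count or a K/M suffix), falls back to the documented defaults when an option is absent, and reports whether a file of a given size would be skipped and assumed clean, reproducing the numbers in the debug line quoted above (allowed: 26214400, needed: 104096320). It also totals a container's scan size the way the MaxScanSize text describes. The sample clamd.conf is constructed, and the convention that a value of 0 disables a limit is clamd.conf's, assumed here.

```python
import re

# Defaults quoted from the clamd.conf manpage excerpt in the thread.
DEFAULT_LIMITS = {"MaxFileSize": "25M", "MaxScanSize": "100M"}

_SIZE_RE = re.compile(r"^(\d+)\s*([KkMm]?)$")
_UNITS = {"": 1, "K": 1024, "M": 1024 * 1024}


def parse_size(value):
    """Turn a clamd.conf SIZE ("25M", "512K", "26214400") into bytes.

    A bare number is bytes, so "26214400" == "25M" (the form the
    PCREMaxFileSize workaround further down this page relies on).
    """
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a clamd.conf SIZE value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def parse_clamd_conf(text):
    """Minimal clamd.conf reader: 'Option value' per line, '#' comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def effective_limits(options):
    """Resolve MaxFileSize/MaxScanSize to bytes, applying the defaults.

    Assumption (clamd.conf convention): 0 disables the limit, which is the
    dangerous setting the manpage warns about; represented here as None.
    """
    limits = {}
    for key, default in DEFAULT_LIMITS.items():
        size = parse_size(options.get(key, default))
        limits[key] = None if size == 0 else size
    return limits


def check_file(size, limits):
    """Mimic cli_updatelimits: an oversized input is skipped, not scanned."""
    allowed = limits["MaxFileSize"]
    if allowed is not None and size > allowed:
        return (f"skipped, assumed clean: filesize exceeded "
                f"(allowed: {allowed}, needed: {size})")
    return "scanned"


def container_scan_size(archive_size, inner_sizes):
    """Manpage accounting: the archive plus every extracted member counts
    toward MaxScanSize (a 1M archive with one 1M member counts as 2M)."""
    return archive_size + sum(inner_sizes)


def check_container(archive_size, inner_sizes, limits):
    """Which members exceed MaxFileSize, and is MaxScanSize exhausted?"""
    needed = container_scan_size(archive_size, inner_sizes)
    max_scan, max_file = limits["MaxScanSize"], limits["MaxFileSize"]
    return {
        "scan_size_needed": needed,
        "over_max_scan_size": max_scan is not None and needed > max_scan,
        "members_skipped": [s for s in inner_sizes
                            if max_file is not None and s > max_file],
    }


# Constructed clamd.conf shaped like the one quoted in the thread: it sets
# no limits, so the defaults apply.
SAMPLE_CONF = """\
TCPSocket 3310
MaxThreads 2
LogFile C:\\working\\clam_av_logs\\clamd.txt
DatabaseDirectory C:\\Program Files\\clamav-amd64-0.99.2\\db
"""

if __name__ == "__main__":
    limits = effective_limits(parse_clamd_conf(SAMPLE_CONF))
    print(limits)
    print(check_file(104096320, limits))  # the ~99 MB WARC from the thread
    raised = effective_limits(parse_clamd_conf(SAMPLE_CONF + "MaxFileSize 200M\n"))
    print(check_file(104096320, raised))
```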


Re: [clamav-users] ClamWin finds malware, ClamAV doesn't.

2016-07-21 Thread Kevin Lin
clamd.conf does not affect the behavior of clamscan, which is why you needed
to run freshclam first to pull the database to the default database location.
Thus, there is a possibility that the databases may be mismatched, though
it's unlikely as the signature is still part of the current set. In order
to change the clamscan directory from the default, you need to use the '-d'
option.

clamscan -d [database directory] [sample]

Secondly, the versions of ClamAV differ between the two test cases (ClamWin
uses 0.99.1 and clamscan uses 0.99.2). However, there doesn't seem to be
any engine changes that would affect the signature in question.

Thirdly, it appears that ClamWin reports that it scans 85.88 MB while
clamscan reports it scans 0 MB (both read 99.27 MB). It is possible that
the engine is not scanning the file though the reason is uncertain. The
reason could be deduced from comparing the debug logs. It might also be
worth it to provide the logs here as well. Unfortunately, I'm not familiar with
generating debug logs with ClamWin. clamscan will generate the debug log if
you specify "--debug" to it on the command line.

clamscan --debug [sample]

For additional information on clamscan options, refer to the clamscan
manpage or use the "--help" option.

clamscan --help

Finally, if you suspect that this may be a bug, please report the issue to
https://bugzilla.clamav.net and supply the appropriate samples.

-Kevin


On Wed, Jul 20, 2016 at 3:03 PM, Jay Gattuso 
wrote:

> I’m trying to get clamd running as a service so I can fire files/streams
> at it via pyclam.
>
> I’m working on win7.
>
> I have a test file that shows a Win.Trojan.URLspoof-2 warning.
>
> ClamWin:
>
> --- SCAN SUMMARY ---
> Known viruses: 4660817
> Engine version: 0.99.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
>
> Data scanned: 85.88 MB
> Data read: 99.27 MB (ratio 0.87:1)
> Time: 10.720 sec (0 m 10 s)
>
> --
> Completed
> --
>
> ClamAV:
>
> C:\Program Files\clamav-amd64-0.99.2>freshclam
> ClamAV update process started at Thu Jul 21 06:51:27 2016
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
> amishhammer)
> daily.cvd is up to date (version: 21938, sigs: 447370, f-level: 63,
> builder: neo)
> bytecode.cvd is up to date (version: 283, sigs: 53, f-level: 63, builder:
> neo)
>
> C:\Program Files\clamav-amd64-0.99.2>clamscan C:\Users\_\Desktop\NLNZ-TI95846839-20160630231930-8-kaiwae-z4.warc
>
>
> --- SCAN SUMMARY ---
> Known viruses: 4660817
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 99.27 MB (ratio 0.00:1)
> Time: 7.847 sec (0 m 7 s)
>
> clamscan wouldn’t work until I fired freshclam.
> Clamd.conf points towards the clamwin db files.
> The pyclam endgame also doesn't find anything. I assume it's working from
> the clamav clamd service.
>
>
> What am I missing? / What else do you need to know to help me trouble
> shoot?
>
>
> Jay Gattuso | Digital Preservation Analyst | Preservation, Research and
> Consultancy
> National Library of New Zealand | Te Puna Mātauranga o Aotearoa
> PO Box 1467 Wellington 6140 New Zealand | +64 (0)4 474 3064
> jay.gatt...@dia.govt.nz
>

Re: [clamav-users] LibClamAV warning, cli_pdf unimplemented filter DCTDECODE

2016-05-19 Thread Kevin Lin
This warning occurs in the new experimental pdf filter rework that is not
part of any existing ClamAV release (as of 0.99.2). Thus, as a disclaimer,
it must be stated that the version of ClamAV being used may be unstable or
incomplete, especially in the experimental section that this warning is
related to.

A little background on PDFs:
PDF documents are made up of entities called objects which store the
various bits of content that make up the document. Taken from the PDF spec:
"A filter is an optional part of the specification of a stream,
indicating how the data in the stream must be decoded before it is used". As
a result, in order to properly scan the objects of a PDF document, the
objects need to be decoded according to their list of filters.
DCTDecode is one of a number of PDF filters that can be applied to PDF
objects; in particular, to "grayscale or color image data that has been
encoded in the JPEG baseline format" (PDF Spec). If you are interested in
more about filters or PDFs, the PDF specification is freely available online
and explains things in greater detail.

On LibClamAV and cli_pdf:
LibClamAV's internal function to handle PDF documents is cli_pdf.

In a nutshell, this warning occurs because ClamAV encountered a DCTDecode
filter but does not have an implementation to decode that filter yet. It is
possible but unlikely that the associated document is malicious.

-Kevin

On Thu, May 19, 2016 at 12:43 AM, Rick Valenzuela  wrote:

> Hi,
>
> Where can I find info on this warning when running clamscan?:
>
> LibClamAV Warning: cli_pdf: unimplemented filter type [10] => DCTDECODE
>
> I've been searching, but I can't find much on LibClamAV and filters,
> much less cli_pdf or DCTDECODE.
>
> Best regards,
> Rick
>
> --
> Rick Valenzuela
> Videojournalist
> Shanghai, China


Re: [clamav-users] yara #match does not work with regex

2016-04-14 Thread Kevin Lin
In order to minimize the amount of regex execution in ClamAV, regex
signatures are usually run until the first match is detected. This means
that counting regex matches does not work in the general case.

The ClamAV ldb signatures have a custom flag 'g' which specifies to the
engine to find all matches of the affected regex signature; yara signatures
unfortunately do not have such an option at this time.

-Kevin

On Wed, Apr 13, 2016 at 7:27 PM, David Shrimpton 
wrote:

> Using #match as a condition in a yara rule to
> count the occurrences of $match doesn't appear to
> work where $match is a regex.
> #match only appears to work if $match is a string literal,
> e.g. "abc123"
>
> Is #match intended to work with a regex?
>
> --
> David Shrimpton


Re: [clamav-users] Strange problem with custom Yara rule

2016-04-13 Thread Kevin Lin
Please refer to the bug report at:
https://bugzilla.clamav.net/show_bug.cgi?id=11552
for the patch to resolve the issue.

On Wed, Apr 13, 2016 at 1:32 PM, Kevin Lin <k...@sourcefire.com> wrote:

> ClamAV, in order to optimize the AC algorithm execution, runs the filetype 
> signatures alongside the malware detection signatures. ClamAV is set to 
> immediately return after AC execution if a filetype signature detection 
> occurs. This unfortunately causes the engine to skip PCRE signature execution.
>
>
> On Wed, Apr 13, 2016 at 1:00 PM, Steven Morgan <smor...@sourcefire.com>
> wrote:
>
>> Hi,
>>
>> Thanks for the example. I've opened bug
>> https://bugzilla.clamav.net/show_bug.cgi?id=11552 to track.
>>
>> Thanks again,
>> Steve


Re: [clamav-users] Strange problem with custom Yara rule

2016-04-13 Thread Kevin Lin
ClamAV, in order to optimize the AC algorithm execution, runs the
filetype signatures alongside the malware detection signatures. ClamAV
is set to immediately return after AC execution if a filetype
signature detection occurs. This unfortunately causes the engine to
skip PCRE signature execution.


On Wed, Apr 13, 2016 at 1:00 PM, Steven Morgan 
wrote:

> Hi,
>
> Thanks for the example. I've opened bug
> https://bugzilla.clamav.net/show_bug.cgi?id=11552 to track.
>
> Thanks again,
> Steve


Re: [clamav-users] Unscannable MS Office files?

2016-04-02 Thread Kevin Lin
It seems as if the XML parser ClamAV uses has some parsing errors in regard
to this document variant. You could submit a bug report at
bugzilla.clamav.net; attaching a sample would also help.

-Kevin

On Fri, Apr 1, 2016 at 6:30 PM, David Shaw  wrote:

> Hello,
>
> I am using ClamAV 0.99 on CentOS 7 (so clamav-0.99-2.el7.x86_64.rpm).  I
> occasionally see MS Office files (in the new, XML format) that cannot be
> scanned, with this error:
>
> clamd[7726]: msxml.xml:1: parser error : Document labelled UTF-16 but has
> UTF-8 content
> clamd[7726]:  progid="Excel.Sheet"?><
> clamd[7726]: ^
> clamd[7726]: fd[14]: Can't parse data ERROR
>
> Any suggestions where to go from here?  The error itself seems fairly
> straightforward, but these are standard MS Office files, generated by MS
> Office, so it's not clear what, if anything, I can change on that side.
>
> David
>


Re: [clamav-users] some clamd.conf issues

2016-01-11 Thread Kevin Lin
It appears that the "PCREMaxFileSize" option is currently set to accept
raw numbers and not sizes as indicated by the documentation. This is a
minor bug in the current release of ClamAV 0.99.

The workaround would be to use "26214400" instead of "25M".

-Kevin

On Mon, Jan 11, 2016 at 7:19 AM, Benny Pedersen  wrote:

> Michael K. skrev den 2016-01-11 13:14:
>
> the file "clamd.conf" is owned by "root" - this is not correct?
>>
>
> maybe you have an old clamav installed with a new systemrc ?
>
> anyway, try
>
> clamconf
>
> which lists all valid config entries
>


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain FP

2015-08-25 Thread Kevin Lin
As a heuristic, the generation of this detection is a result of behavioral
detection by the ClamAV engine and not by any particular database
signature. Unfortunately, this effectively means that sigtool is unable to
decode the signature as there is no signature associated with this
detection.

Luckily, it appears you can see the domain that causes the heuristic
detection by running clamscan on the email with the --debug flag. The
debug flag causes clamscan to log the domain checks to stderr and most
likely terminates the scan once it detects the heuristic if
--heuristic-scan-precedence=yes is set as well.

Additionally, you can provide the false positive to
http://www.clamav.net/report/report-fp.html.

-Kevin

On Tue, Aug 25, 2015 at 6:36 AM, Alex mysqlstud...@gmail.com wrote:

 Hi,

 I have an email with an apparent false-positive spoofed domain. How
 can I determine what domain it is that clamscan thinks is spoofed and
 correct it?

 I'm sorry if this is a FAQ. I'm familiar with how to use sigtool to
 decode a false-positive, but no signature or other details are given.

 Thanks,
 Alex


Re: [clamav-users] [SUSPECTED SPAM] Re: Calamav cannot scan tar file and gzip files?

2015-02-17 Thread Kevin Lin
There are a number of reasons for the differences in the detection cases.

The first of which is how ClamAV identifies the file type of file being
scanned. ClamAV determines the file type of a scanned file using the 'ftm'
signature files. The important signatures follow:

magictype:offset:magic:name:rtype:type

0:0:504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP
0:0:504b3030504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP
1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX

0:0:1f8b:GZip:CL_TYPE_ANY:CL_TYPE_GZ

There are ZIP archive file type signatures, two of which look for a specific
magic at offset 0. However, the last signature uses a '*' offset which
indicates the magic can be located anywhere within the file. Do note that
the signature is meant to detect the specific variant of ZIPSFX.

The GZ file, on the other hand, only has one magic that only triggers if
found at offset 0.

While an argument could be made to extend the GZ file type signature to
search the entire file, there are a number of important counter arguments:

   1. The GZ file magic is only 2 bytes long; this means that extending the
   search over the whole file would result in a large number of false
   positives.
   2. In theory, by modifying the original GZ file, the file may no longer
   be a valid GZ file. Thus it's likely that ClamAV would not be able to
   correctly parse the file.

Argument 2 may also result in the lack of detection as the file may not be
possible to parse with modifications.


As for the reason for the curl POST issue in case #6, can I ask what
response you get back from clamd when you upload the file using curl
POST?

clamd is designed to handle a specific set of commands that are described in
the clamdoc.pdf that comes with the ClamAV source distribution. From what I
can see, clamd does not natively support parsing HTTP messages. When I send
a file to scan to clamd using curl, clamd fails to understand the message
and sends back the message:

UNKNOWN COMMAND

-Kevin

On Tue, Feb 17, 2015 at 1:23 PM, Noel Jones njo...@megan.vbhcs.org wrote:

 On 2/17/2015 12:11 AM, Manoj Ramakrishnan wrote:
  Hi Al,
 
  Thanks for replying.
  It is exactly what I thought. But why is it different from ZIP file?
  I added extra characters in the beginning of the ZIP file but no issues
 in
  scanning that and finding eicar signature.

 zip and gzip are very different formats.  I suppose you added your
 random character at a point where unzip ignored it.


 
  Also curious to see why is it not working in case #4 and #6?

 Either broke the eicar file with leading or trailing characters, or
 maybe the squid plugin didn't recognize the file as a gzip.  Use the
 clam debug tools to examine the files extracted and scanned.

 The eicar signature is *very* specific, anchored at both the
 beginning and end allowing only for a few extra spaces at the end of
 the payload, no other extra characters.
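The offset semantics behind Kevin's explanation can be modelled directly. The following is an added example, not code from the thread or from ClamAV: it parses the four ftm signatures quoted above into a small matcher where a numeric offset must match exactly and a '*' offset matches anywhere, then runs constructed ZIP and gzip headers through it with and without bytes prepended. It is a simplified model of ClamAV's type detection (no flevel fields, no recursion), and the header bytes are constructed, not taken from a real sample. A small helper also quantifies counter-argument 1, the false-positive cost of searching a 2-byte magic across a whole file.

```python
# Constructed excerpt in the ftm format quoted above
# (magictype:offset:magic:name:rtype:type). Type 0 is checked at a fixed
# offset; type 1 with a '*' offset is an anywhere-in-file pattern.
FTM_SIGS = """\
0:0:504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP
0:0:504b3030504b0304:ZIP:CL_TYPE_ANY:CL_TYPE_ZIP
1:*:504b0304:ZIP-SFX:CL_TYPE_ANY:CL_TYPE_ZIPSFX
0:0:1f8b:GZip:CL_TYPE_ANY:CL_TYPE_GZ
"""


def parse_ftm(text):
    """Parse ftm lines into dicts; offset None means 'anywhere' ('*')."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed ftm line: {line!r}")
        magictype, offset, magic, name, rtype, ftype = fields[:6]
        sigs.append({
            "name": name,
            "offset": None if offset == "*" else int(offset),
            "magic": bytes.fromhex(magic),
            "rtype": rtype,
            "type": ftype,
        })
    return sigs


def identify(data, sigs):
    """Return the CL_TYPE_* names whose magic matches, in signature order.

    Simplified model: a fixed-offset magic must sit exactly at its offset;
    a '*' magic may appear anywhere in the buffer.
    """
    hits = []
    for s in sigs:
        if s["offset"] is None:
            if s["magic"] in data:
                hits.append(s["type"])
        else:
            start = s["offset"]
            if data[start:start + len(s["magic"])] == s["magic"]:
                hits.append(s["type"])
    return hits


def expected_random_hits(magic_len, data_len):
    """Expected chance matches of a magic_len-byte pattern in data_len
    uniformly random bytes; a 2-byte GZip magic searched anywhere would
    hit about once per 64 KiB (counter-argument 1 above)."""
    positions = max(data_len - magic_len + 1, 0)
    return positions / 256 ** magic_len


# Constructed headers: a ZIP local file header and a gzip member header.
ZIP_HEADER = bytes.fromhex("504b0304") + b"\x14\x00\x00\x00\x08\x00"
GZ_HEADER = bytes.fromhex("1f8b") + b"\x08\x00"
JUNK = b"extra bytes prepended"


def demo():
    """Reproduce the thread's observation: junk before a ZIP still types as
    ZIP-SFX, junk before a gzip leaves it with no file type at all."""
    sigs = parse_ftm(FTM_SIGS)
    return {
        "zip": identify(ZIP_HEADER, sigs),
        "junk+zip": identify(JUNK + ZIP_HEADER, sigs),
        "gz": identify(GZ_HEADER, sigs),
        "junk+gz": identify(JUNK + GZ_HEADER, sigs),
    }


if __name__ == "__main__":
    for label, types in demo().items():
        print(f"{label:10s} -> {types or 'no file type match'}")
    print(f"2-byte magic over 1 MiB of random data: "
          f"~{expected_random_hits(2, 1 << 20):.1f} chance hits")
```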


Re: [clamav-users] Unclear how to proceed after Windows install

2015-02-13 Thread Kevin Lin
The clamav-0.98.6-win32.msi simply installs the bare-bones for ClamAV on
Windows, which comprises a number of command line programs. This means
that there are no GUIs and it's generally for technical specialists.

If you're interested in acquiring a ClamAV variant that includes a GUI,
some programs you could look into are ClamWin and Immunet. ClamWin is a
third-party derivative of ClamAV and Immunet is a first-party derivative,
but mileage may vary with either.

As for solving the "Please define server type (local and/or TCP)" error,
'clamd' is a daemon that listens on a socket for files to scan and can
be run in the background. In order for 'clamd' to function, the
specifications of the socket it uses must be defined.

   - If you are using TCP, you need to set the TCPSocket and TCPAddr
   options in clamd.conf. TCPSocket is required and TCPAddr may provide
   some degree of protection from the outside world.
   - Local sockets (UNIX sockets) are not supported for the Windows
   platform.

When using 'clamd', it is recommended you use 'clamdscan' alongside it.
'clamscan' is also a stand-alone scanner.

For additional information for program usage, you can read the program's
help message or query its manpage.

-Kevin

On Fri, Feb 13, 2015 at 1:13 PM, Jonathan Coles jcoles0...@rogers.com
wrote:

 I installed clamav-0.98.6-win32.msi on Windows. It added nothing to the
 Start menu. After searching the registry I found clamav executables in
 C:\Program Files\Sourcefire Inc\ClamAV, but they are all command-line
 programs.

 Your manual clamdoc.pdf is relevant only to Linux.

 I have used Clam-Tk on Linux and it works well -- easy to install, easy to
 use. I'm surprised at this baffling Windows version of the program.

 Even with access to the clamd.conf man page on Linux (not provided in
 Windows) I could not figure out how to fix the Please define server type
 (local and/or TCP) error. The conf file options require specialist
 knowledge that few Windows end users would have.

 Do I have the wrong package? Or, is the Windows version of ClamAV just a
 bare-bones toolkit for technical specialists?



Re: [clamav-users] Configure Options For Minimal Install

2015-01-21 Thread Kevin Lin
'clamscan' is an on-demand scanner. In regards to the blog post, have you
tried running 'autoreconf' after your changes? I'm assuming the 'SUBDIRS'
changes were to an autotools file.

-Kevin

On Wed, Jan 21, 2015 at 5:48 PM, Ed Christiansen MS edwa...@ll.mit.edu
wrote:

 I just compile it and then use clamscan when I want to.


 On 1/21/2015 5:47 PM, Joel Esler (jesler) wrote:

 I’ll let someone from the team chime in here, but it’s always better to
 come to the mailing lists than to go to Github.

 We’ll see it either way, but more people are here.

 --
 Joel Esler
 Open Source Manager
 Threat Intelligence Team Lead
 Talos


  On Jan 21, 2015, at 4:26 PM, E R ears@gmail.com wrote:

 Hi to all,

 I made this post over at Github, my assumption is that this is Clamav's
 Github?

 https://github.com/vrtadmin/clamav-devel/issues/14

 I'm trying to figure out how to compile clamav as only a stand alone
 scanner when needed...

 Any help would be appreciated.

 thank you
 Mii

Re: [clamav-users] Locked freshclam.log error msg

2014-09-23 Thread Kevin Lin
Have you tried to query what process is locking the log file?

It is possible that multiple freshclam instances are running at the same
time, especially if an instance of freshclam is running as a daemon.

On Linux, you can use a command such as lsof | grep freshclam.log to
identify what process is locking a freshclam.log.

-Kevin

On Mon, Sep 22, 2014 at 6:26 PM, David Cain sblkclamav-us...@jimmiedave.com
 wrote:

 ERROR: Problem with internal logger (UpdateLogFile =
 /var/log/clamav/freshclam.log).
 ERROR: /var/log/clamav/freshclam.log is locked by another process

 DC


Re: [clamav-users] invalid icon entries?

2014-08-12 Thread Kevin Lin
One of the scans that ClamAV does on PE files is icon scanning, which is
used as part of a heuristic to identify possible impersonation programs.
These warning messages mean that the PE file being scanned has declared
that it has icons in it but ClamAV cannot properly parse these icons
(either the icons are not there, the icons are misplaced, or the icon entry
is garbage). For example, the last message above states that of the 12 icons
that the PE file has declared it has, ClamAV could not properly parse 12 of
the icons. (Note that the multiple warning messages may be due to a PE file
having multiple icon groups.)

However, whether or not this file is malicious is debatable. The fact that
the icons are missing is suspicious but is not a complete means to convict
a file as malicious (hence a warning and not a detection or heuristic). The
reasons a PE file could be missing icons could be that it is truncated, it is
poorly made, it is potential AV evasion, or that ClamAV cannot parse it
(unidentified icon format). A more detailed assessment of the PE file would
be needed to make an accurate conclusion on the maliciousness of the file.
If you want, you can submit the sample to
http://www.clamav.net/lang/en/sendvirus/.

In regards to responding to the warning, it ultimately depends on how much
you trust the file. Just take note that there aren't any legitimate PE
files that are missing icons that they declared. Additionally, a PE file
without icons can still be properly run for the most part.

Regards,
Kevin


On Sat, Aug 9, 2014 at 2:45 PM, Tom t...@foscore.com wrote:

 When I run clamscan (clamav-0.98.4-1.el6.rf.x86_64), I get this output:

 LibClamAV Warning: cli_scanicon: found 3 invalid icon entries of 3 total
 LibClamAV Warning: cli_scanicon: found 3 invalid icon entries of 3 total
 LibClamAV Warning: cli_scanicon: found 12 invalid icon entries of 12 total

 Are these infected files? If so, how can I get rid of them? If not, how do
 I deal with these warnings? Thanks in advance...


Re: [clamav-users] clamscan : correct syntax : exclude Directory

2014-06-12 Thread Kevin Lin
The --exclude-dir option to clamscan takes a regex argument that tells
clamscan to exclude the directories that match the regex.

This means that specifying:

--exclude-dir=BTC

will exclude all directories whose absolute path matches BTC (e.g.
/some/directory/BTC, /BTC, /some/directory/helloBTC,
/some/directory/somethingBTCsomething, /BTC/some/other/directory)

--exclude-dir=/BTC

will exclude all directories that exclusively start with BTC as the regex
matches against the absolute directory address (e.g. /BTC,
/some/directory/BTC, something/BTCsomething/something)

If you want to exclude a very specific directory from the clamscan, you
would want to use the absolute path to the directory to minimize the number
of regex matches, marking the start and end of the regex accordingly.

So for the case of /BTC, which I am assuming is the absolute path to your
Bitcoin directory which you wish to exclude, I would use the command:

clamscan --recursive=yes --exclude-dir=^/BTC$

Note the usage of '^' and '$' to force the regex to only match the /BTC
directory.

For further information on clamscan options, you can refer to the clamscan
man page or run clamscan --help.

-Kevin


On Thu, Jun 12, 2014 at 2:39 PM, ellanios82 ellanio...@gmail.com wrote:

  Hello List


  my hope is to exclude from clamscan a Bitcoin Directory named /BTC

  - what please is the correct syntax :

  --exclude-directory=BTC

 or

 --exclude-directory=/BTC

   ??
 .
 thanks
Ellan


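The difference between the three patterns is easiest to see by running them over the same tree. The following is an added example, not code from the thread or from clamscan: it applies --exclude-dir's unanchored regex search to a constructed directory tree and simulates the recursive walk, where an excluded directory is not entered at all, so anything beneath it is never scanned. It assumes, as the thread does, that the walk produces absolute paths (scanning from an absolute root), since an anchored pattern like ^/BTC$ only matches the path string clamscan builds as it descends.

```python
import re

# Constructed directory tree standing in for the poster's filesystem.
# Each key is an absolute directory path; its value lists the subdirectories.
TREE = {
    "/": ["/BTC", "/home", "/opt"],
    "/BTC": ["/BTC/wallet"],
    "/BTC/wallet": [],
    "/home": ["/home/user"],
    "/home/user": ["/home/user/BTC", "/home/user/oldBTCbackup"],
    "/home/user/BTC": [],
    "/home/user/oldBTCbackup": [],
    "/opt": [],
}


def is_excluded(patterns, path):
    """--exclude-dir semantics: the directory is skipped if any pattern
    matches anywhere in its path (re.search, i.e. unanchored unless the
    pattern itself carries '^' or '$')."""
    return any(re.search(p, path) for p in patterns)


def walk(tree, root, patterns):
    """Simulate clamscan --recursive: an excluded directory is not entered,
    so nothing beneath it is scanned either. Returns (scanned, pruned)."""
    scanned, pruned = [], []
    queue = [root]
    while queue:
        d = queue.pop(0)
        if is_excluded(patterns, d):
            pruned.append(d)
            continue
        scanned.append(d)
        queue.extend(tree.get(d, []))
    return scanned, pruned


def compare(tree, root="/"):
    """Run the three patterns from the thread over the same tree and
    return what each one prunes."""
    return {p: walk(tree, root, [p])[1] for p in ("BTC", "/BTC", r"^/BTC$")}


if __name__ == "__main__":
    for pattern, pruned in compare(TREE).items():
        print(f"--exclude-dir={pattern!r:10} prunes {pruned}")
```

Only the anchored pattern leaves /home/user/BTC and /home/user/oldBTCbackup in the scan; the bare BTC pattern silently drops both.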


Re: [clamav-users] Tips for low memory systems

2014-05-27 Thread Kevin Lin
One way you can reduce the amount of memory that clamav uses is to specify
the --disable-llvm flag on the clamav configure line. This flag tells
clamav not to compile the packaged llvm project into the libclamav library
and will use up less space when libclamav is loaded into memory. Note that
this means bytecode signatures will be run on the internal interpreter
instead of compiled to JIT using llvm.

The downside is that bytecode signatures will run slightly slower on the
clamav interpreter than with llvm JIT. However, bytecodes make up a fairly
small amount of clamav's signatures and, if JIT is desired with a smaller
memory footprint in clamav, you can configure clamav with
--with-system-llvm to use the system's native llvm.

-Kevin


On Tue, May 27, 2014 at 10:29 AM, Michael Heuberger 
michael.heuber...@binarykitchen.com wrote:

 Hello everyone

 On my 2GB server clamav uses a lot of memory:

 ```
 3460 clamav 476528 kB /usr/sbin/clamd
 ```

 Are there tips how to tweak `/etc/clamav/clamd.conf` to reduce its
 memory usage?

 Cheers
 Michael

 --

 Binary Kitchen
 Michael Heuberger
 4c Dunbar Road
 Mt Eden
 Auckland 1024
 (New Zealand)

 Mobile (text only) ...  +64 21 261 89 81
 Email   mich...@binarykitchen.com
 Website ..  http://www.binarykitchen.com
