Re: [clamav-users] FP Heuristics.Phishing.Email.SpoofedDomain with amazon

2018-08-23 Thread Marcus Schopen
Hi,

On Tuesday, 14.11.2017, 11:20 +0100, Hajo Locke wrote:
> Hello,
> 
> based on my working whitelist regex I would say the 2nd part should
> not look only for amazon\.com
> 
> 
> If i understood it the correct way it should be something like:
> 
> X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.(com|de)([/?].*)?
> 
> Using this regex shows a clean mail. Maybe more extensions are needed
> on the right side, dependent on amazon changes/uses on different domains.

Anything new on this? Is the above rule still working? Some of my amazon
mails are blocked by "Phishing.Email.SpoofedDomain" too, e.g.:

http://www.adobe.com/de/products/acrobat/readstep2.html
-> https://sellercentral-europe.amazon.com/...

or

Amazon.de 
-> https://sellercentral-europe.amazon.com/...

Cheers
m
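To see why the two pairs in the mail above still trip the heuristic under Hajo's rule, here is an added check (my own script, not from the thread or from ClamAV) that applies each half of the rule to one URL of the pair with Python's re module. It assumes each half must match its whole URL, that lowercasing approximates ClamAV's URL normalisation, and that the halves apply in written order to a pair written as "first -> second"; the Seller Central path, the third pair and the RELAXED_HALVES variant are constructed for the example.

```python
import re

# Hajo's rule minus the leading "X:", split at the ':' between its halves.
# The thread does not say which half ClamAV applies to the href and which
# to the link text, so they are applied in written order to a (first,
# second) pair as in Marcus's "first -> second" notation.
RULE_HALVES = (
    r".+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?",
    r".+\.amazon\.(com|de)([/?].*)?",
)

# A bare "amazon.de" has no label in front of the dot, so ".+\.amazon"
# can never match it. This constructed variant makes the leading label
# optional; both sides must still be amazon domains, so a pair like
# adobe.com -> amazon.com stays outside the whitelist.
RELAXED_HALVES = (
    r"(.+\.)?amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?",
    r"(.+\.)?amazon\.(com|de)([/?].*)?",
)


def failing_half(pair, halves=RULE_HALVES):
    """Describe the first half that does not match, or return None when
    both match and the pair would be whitelisted. Assumptions: each half
    must match its whole URL, and lowercasing stands in for ClamAV's own
    URL normalisation."""
    for n, (rx, url) in enumerate(zip(halves, pair), start=1):
        if re.fullmatch(rx, url.lower()) is None:
            return f"half {n} does not match {url!r}"
    return None


# Marcus's two pairs (the path he elided after the Seller Central host is
# replaced by a constructed one) plus a constructed pair of the kind the
# original rule was written for.
SELLER = "https://sellercentral-europe.amazon.com/constructed/path"
PAIRS = [
    ("http://www.adobe.com/de/products/acrobat/readstep2.html", SELLER),
    ("Amazon.de", SELLER),
    ("https://www.amazon.de/constructed/path", SELLER),
]

if __name__ == "__main__":
    for first, second in PAIRS:
        print(f"{first} -> {second}")
        print("  original:", failing_half((first, second)) or "whitelisted")
        print("  relaxed: ", failing_half((first, second), RELAXED_HALVES) or "whitelisted")
```

The adobe.com pair fails both variants because the two sides are different domains, which is exactly the mismatch the heuristic exists to catch; only the bare "Amazon.de" case is a whitelist gap.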

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] CVE-2017-6419 patched in 0.99.3?

2018-01-28 Thread Marcus Schopen
Hi,

does anyone know why the CVE-2017-6419 patch is not part of 0.99.3?

Ciao!



Re: [clamav-users] 99.3 for Ubuntu

2018-01-28 Thread Marcus Schopen
Hi Chris,

On Sunday, 28.01.2018, 09:11 -0600, Chris wrote:
> On Sun, 2018-01-28 at 00:54 +0100, Marcus Schopen wrote:
> > On Saturday, 27.01.2018, 17:22 -0600, Chris wrote:
> > > 
> > > Thanks so much for this Marcus, seems a lot easier than going
> > > through using pbuilder.
> > 
> > Never used pbuilder. For sure there are easier ways to build
> > packages. It's just how I build backports or patch packages sometimes.
> > 
> 
> Good morning Marcus. I replied to the email you sent this morning
> however it bounced.

The SMTP server you used is blacklisted on http://dnsbl.inps.de/, a BL with a
high weight in my config. That's why your message was blocked. ;)


Jan 28 15:55:11 lillith sm-mta[26133]: w0SEt6l6026133: <-- MAIL FROM:
...
Jan 28 15:55:14 lillith sm-mta[26133]: w0SEt6l6026133: --- 551 5.7.1 Bad reputation - mail.onyx.syn-alias.com [206.152.134.66] listed on too many DNS blacklists: BL_INPS (blhit 4)


>  Please look at the pastebin for the reason:
> 
> https://pastebin.com/8Gm0Hp4Y

Did not run into these problems on 14.04 LTS. Try to remove the old
0.99.2 packages (aptitude remove) and then install your 0.99.3 packages
from clean. Do a backup of your clamav config before removing.

Ciao
Marcus



Re: [clamav-users] 99.3 for Ubuntu

2018-01-28 Thread Marcus Schopen
Chris,

good morning!

On Saturday, 27.01.2018, 20:26 -0600, Chris wrote:
> 
> Of course I run into problems :(, I always seem to. All the .deb
> packages were made

Perfect, well done! No need to quarrel with yourself. 

> The paste below is the output of sudo dpkg -i 
> 
> https://pastebin.com/xRXXMNrg
> 
> Should I have run dpkg-buildpackage -us -uc as sudo?

I did run the build as root, yes. But that shouldn't be the problem. I
never tested it as an unprivileged user. Will try it next time ;)

Start installing the packages one after another, so that you don't run
into dependency conflicts, e.g. the milter package depends on the base
package, so install the base package first. This is my install history:

 dpkg -i libclamav7_0.99.3-0ubuntu1~binux1_amd64.deb
 dpkg -i clamav-base_0.99.3-0ubuntu1~binux1_all.deb
 dpkg -i clamav-freshclam_0.99.3-0ubuntu1~binux1_amd64.deb
 dpkg -i clamav_0.99.3-0ubuntu1~binux1_amd64.deb
 dpkg -i clamav-daemon_0.99.3-0ubuntu1~binux1_amd64.deb

Good luck
Marcus



Re: [clamav-users] 99.3 for Ubuntu

2018-01-27 Thread Marcus Schopen
On Saturday, 27.01.2018, 17:22 -0600, Chris wrote:
> Thanks so much for this Marcus, seems a lot easier than going through
> using pbuilder.

Never used pbuilder. For sure there are easier ways to build packages.
It's just how I build backports or patch packages sometimes.

>  One question. I'm at step 7, what should go after
> --local? Not sure what you mean by ~yoursuffix.

It's your personal choice, e.g. dch --local ~chris+

The package name would be

  clamav_0.99.3-0ubuntu1~chris+1_amd64.deb

then. The tilde ~ makes the package inferior in version, which should
allow a proper package upgrade when you upgrade to the next Debian
release (e.g. your package will be replaced with the official Debian
package).

Ciao!
Marcus




Re: [clamav-users] 99.3 for Ubuntu

2018-01-27 Thread Marcus Schopen
On Friday, 26.01.2018, 16:25 +0100, Reindl Harald wrote:
> 
> if you use distribution packages you are supposed to wait for an
> update from the distribution or learn to package properly on your own
> 
> I heard that's not as easy as on Redhat systems because you don't
> have everything in a .src.rpm and just need to replace the tarball after
> unpacking the src.rpm and edit the version in the spec file but again:

That's not right. Building a 0.99.3 deb package based on the current
0.99.2 deb source package is just a few shell commands, e.g.:

0. set up a build environment, e.g. on a fresh box:

 aptitude install dpkg-dev devscripts equivs quilt

 export QUILT_PATCHES=debian/patches

1. get the current 0.99.2 clamav src package, e.g. for 14.04 LTS from

 https://packages.ubuntu.com/source/trusty/clamav

 wget http://archive.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.99.2+addedllvm-0ubuntu0.14.04.2.dsc
 wget http://archive.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.99.2+addedllvm.orig.tar.xz
 wget http://archive.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.99.2+addedllvm-0ubuntu0.14.04.2.debian.tar.gz

2. unpack the source package
 
 dpkg-source -x clamav_0.99.2+addedllvm-0ubuntu0.14.04.2.dsc

3. download the new original 0.99.3 clamav source

 http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz

4. upgrade the old 0.99.2 deb source package

 cd clamav-0.99.2+addedllvm
 uupdate -v 0.99.3 ../clamav-0.99.3.tar.gz

5. enter the new 0.99.3 deb source package dir

  cd ../clamav-0.99.3

6. remove old patches from the ./debian/patches dir which are no longer
needed.

 In this case (to my mind) on 14.04 LTS CVE-2017-6418 and CVE-2017-6420
are already patched in 0.99.3. Unsure about CVE-2017-6419 (didn't find
it in the README); I removed it, because the 0.99.3 original source
doesn't come with this patch. Maybe someone knows better.

 quilt pop -a
 quilt delete -r CVE-2017-6418
 quilt delete -r CVE-2017-6419
 quilt delete -r CVE-2017-6420
 quilt delete -r CVE-2017-6420-2

7. maintain debian/changelog and add your suffix, e.g.

 dch --local ~yoursuffix

8. finally build new deb package

 dpkg-buildpackage -us -uc

That's it. So basically it's replacing the orig tarball and updating the
changelog too.

Ciao
Marcus
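As an added illustration (my own code, not dpkg's) of the tilde rule behind step 7 and the ~suffix explanation in the earlier reply to Chris, here is a Python reimplementation of dpkg's version ordering: a "~" sorts before everything, even the end of the string, so the locally built 0.99.3-0ubuntu1~chris+1 upgrades the old 0.99.2 package but still yields to a later official 0.99.3-0ubuntu1. The OFFICIAL version string is constructed; the other two come from the thread.

```python
import re
from itertools import zip_longest


def _order(c):
    # dpkg's weight for one character: '~' < end of run < letters < anything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(x, y):
    for cx, cy in zip_longest(x, y, fillvalue=""):
        if _order(cx) != _order(cy):
            return _order(cx) - _order(cy)
    return 0


def _tokens(s):
    # Walk the string as dpkg does: alternating (non-digit run, digit run)
    # pairs, starting with a possibly empty non-digit run.
    parts = re.findall(r"\d+|\D+", s)
    if parts and parts[0].isdigit():
        parts.insert(0, "")
    if len(parts) % 2:
        parts.append("")
    return [(parts[i], int(parts[i + 1] or 0)) for i in range(0, len(parts), 2)]


def _verrevcmp(a, b):
    for (na, da), (nb, db) in zip_longest(_tokens(a), _tokens(b), fillvalue=("", 0)):
        r = _cmp_nondigit(na, nb) or (da > db) - (da < db)
        if r:
            return r
    return 0


def _split(version):
    # [epoch:]upstream_version[-debian_revision]
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1: the ordering dpkg --compare-versions would report for a vs b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Marcus's local build and the trusty source package it came from (both from
# the thread); OFFICIAL is constructed: a distro upload without a local suffix.
LOCAL = "0.99.3-0ubuntu1~chris+1"
OLD = "0.99.2+addedllvm-0ubuntu0.14.04.2"
OFFICIAL = "0.99.3-0ubuntu1"
```

compare_versions(LOCAL, OLD) is 1 and compare_versions(OFFICIAL, LOCAL) is 1, which is the "inferior in version" property that lets the official package replace the local one on the next upgrade.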




Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, 07:02 -0800, Jason J. W. Williams wrote:
> How does one manually download an old daily.cld?

Good question. Workaround: I got the old version from my backup.

Ciao!



Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, 07:48 -0700, Rafael Ferreira wrote:
> Nope, latest is still 
> 
> File: daily.cvd
> Build time: 26 Jan 2018 04:24 -0500
> Version: 24257
> Signatures: 1835982
> Functionality level: 63
> Builder: neo
> MD5: 3b3092994fdf9aa39aae480c38fb31ab
> Digital signature:
> D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
> cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
> 7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg
> 
> which appears to have the issue, we, scanii.com,
> are having quite a bit of run today because of it.

What about replacing the current daily.cld with an older one, e.g. with
24255? Disable freshclam, stop clamd, replace daily.cld with the old one
(24255) and start clamd again. Wouldn't that work until a fixed
daily.cld is provided?

Ciao!



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, 09:22 +0100, Reindl Harald wrote:
> 
> On 26.01.2018 at 09:19, Marco wrote:
> > On 26/01/2018 09:00, Reindl Harald wrote:
> > > freshclam and a custom script downloads anything to
> > > /var/lib/clamav-download and then for the two "/var/lib/clamav"
> > > and "/var/lib/clamav-sa" based on file-lists hardlinks are set -
> > > from the official only "safebrowsing" is active
> > 
> > We have the same problem: I confirm that without official
> > signatures Clamav works!
> 
> looks like "freshclam" needs something like a downgrade option when
> bad signatures can lead to such a massive fuckup

Is there a way to "downgrade" to 24255, as it seems it started with
24256? My first crash was at 7:47am GMT+1 and at this time I was on
24256.

Ciao!
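Before swapping an older daily.cld back in, as proposed in the reply to Rafael above and asked about again here, it is worth confirming which version the backup copy really is. The following is an added example, not part of the thread or of ClamAV: it parses the 512-byte colon-separated ClamAV-VDB header that opens a .cvd/.cld file (layout as I recall it from libclamav's cvd.c; treat it as an assumption) and picks the newest copy below the first bad version. All headers are constructed with make_header from the field values Rafael quoted, with placeholder checksums and counts for 24255 and 24256.

```python
HEADER_LEN = 512
FIELDS = ("magic", "build_time", "version", "sigs", "flevel",
          "md5", "dsig", "builder", "stime")


def parse_vdb_header(blob):
    """Parse the space-padded, colon-separated ClamAV-VDB header of a
    .cvd/.cld file; version, sigs and flevel are returned as ints."""
    text = blob[:HEADER_LEN].rstrip(b"\0 ").decode("ascii", errors="replace")
    parts = text.split(":")
    if len(parts) != len(FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header: %r" % text[:40])
    hdr = dict(zip(FIELDS, parts))
    for key in ("version", "sigs", "flevel"):
        hdr[key] = int(hdr[key])
    return hdr


def newest_safe(headers, first_bad):
    """The parsed header with the highest version below first_bad, or None:
    the copy to put back as daily.cld while the newer ones are broken."""
    ok = [h for h in headers if h["version"] < first_bad]
    return max(ok, key=lambda h: h["version"]) if ok else None


def make_header(version, sigs, flevel, md5, builder, build_time, stime=0):
    # Constructed test data only. The hour and minute of build_time are
    # hyphenated because ':' is the field separator; "X" is a placeholder
    # for the digital-signature field.
    text = ":".join(["ClamAV-VDB", build_time, str(version), str(sigs),
                     str(flevel), md5, "X", builder, str(stime)])
    return text.encode("ascii").ljust(HEADER_LEN, b" ")


# Field values Rafael quoted for daily.cvd 24257; the 24255 and 24256
# entries are constructed with placeholder checksums, counts and times.
SAMPLE_24257 = make_header(24257, 1835982, 63, "3b3092994fdf9aa39aae480c38fb31ab",
                           "neo", "26 Jan 2018 04-24 -0500")
CANDIDATES = [
    parse_vdb_header(make_header(24255, 0, 63, "0" * 32, "neo", "25 Jan 2018 00-00 -0500")),
    parse_vdb_header(make_header(24256, 0, 63, "0" * 32, "neo", "25 Jan 2018 12-00 -0500")),
    parse_vdb_header(SAMPLE_24257),
]

if __name__ == "__main__":
    best = newest_safe(CANDIDATES, first_bad=24256)
    print("roll back to version", best["version"] if best else None)
```

On a real system you would read the first 512 bytes of each saved daily.cld into parse_vdb_header instead of using make_header.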
