[clamav-users] Thank You
Hello all,

My name is Matthew Olney and I’m the manager of the VRT Research Development team. Among other things, my group is responsible for ClamAV engine development.

I just wanted to take a moment to express my appreciation for those in the community who have worked with us to ensure a quality release of ClamAV 0.98.4. In particular those of you who have submitted bugs and worked with us to test patches, and those of you who downloaded and tested 0.98.4RC1.

Due to the success of this release candidate, we would like to use the beta/RC model going forward. Development is what it is, so we may not always be able to do this, but my strong preference would be to use this model. Provided nothing serious comes up in the meantime, you should expect a beta for 0.98.5 in the near future.

Thank you all again, it’s a pleasure working with you,

Matthew Olney
Manager, VRT Research Development

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] SOLVED: freshclam checks database every time
To track this and your other feature request, please put a ticket in at https://bugzilla.clamav.net.

Matt

On Tue, Nov 5, 2013 at 8:29 AM, Andreas Schulze andreas.schu...@datev.de wrote:

On 21.06.2013 13:28, Andreas Schulze wrote:

On 10.04.2013 15:05, Andreas Schulze wrote:

symptom: freshclam needs 3..4 seconds to finish also in the case where *no* updates are available.

That's worse because freshclam still steals cputime here :-(

I finally found the relevant piece of code. Using the attached patch freshclam checks the db only if there was really an update available. Maybe it could be an option in freshclam.conf

Andreas

--
Andreas Schulze
Re: [clamav-users] Compilation failed for ClamAV 0.98 on AIX 6.1
Added information to bug https://bugzilla.clamav.net/show_bug.cgi?id=8993 in case the failures are related. We'll provide info here when we resolve the issues.

On Wed, Sep 25, 2013 at 8:34 AM, ANANT S ATHAVALE a...@isac.gov.in wrote:

Dear List,

Compilation of ClamAV 0.98 fails on AIX 6.1 with gcc 4.2.0.

make all-recursive
Making all in libltdl
cp ./argz_.h argz.h-t
mv argz.h-t argz.h
make all-am
CC dlopen.lo
CCLD dlopen.la
CC libltdlc_la-preopen.lo
CC libltdlc_la-lt__alloc.lo
CC libltdlc_la-lt_dlloader.lo
CC libltdlc_la-lt_error.lo
CC libltdlc_la-ltdl.lo
CC libltdlc_la-slist.lo
CC argz.lo
CC lt__strl.lo
CCLD libltdlc.la
Target all-am is up to date.
Making all in libclamav
make all-recursive
CC libclamav_la-matcher-ac.lo
CC libclamav_la-matcher-bm.lo
CC libclamav_la-matcher-hash.lo
CC libclamav_la-matcher.lo
CC libclamav_la-others.lo
In file included from others.c:60:
clamav.h:32:1: warning: STAT redefined
In file included from /usr/include/dirent.h:35,
                 from others.c:36:
/usr/include/sys/dir.h:270:1: warning: this is the location of the previous definition
CC libclamav_la-readdb.lo
In file included from readdb.c:42:
clamav.h:32:1: warning: STAT redefined
In file included from /usr/include/dirent.h:35,
                 from readdb.c:32:
/usr/include/sys/dir.h:270:1: warning: this is the location of the previous definition
CC libclamav_la-cvd.lo
CC libclamav_la-dsig.lo
CC libclamav_la-scanners.lo
In file included from scanners.c:51:
clamav.h:32:1: warning: STAT redefined
In file included from /usr/include/dirent.h:35,
                 from scanners.c:41:
/usr/include/sys/dir.h:270:1: warning: this is the location of the previous definition
CC libclamav_la-textdet.lo
CC libclamav_la-filetypes.lo
CC libclamav_la-rtf.lo
CC libclamav_la-blob.lo
CC libclamav_la-mbox.lo
mbox.c: In function 'rfc1341':
mbox.c:2816: error: called object '1' is not a function
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 2. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 2. Stop.

Any hints to resolve this issue. The same gcc was used to compile 0.97.8 and it had worked.

--
Regards
Anant
Re: [clamav-users] clamd taking too long to restart?
This is actually really good data. Thanks for taking the time out to evaluate these files.

First, have you modified bofhland_cracked_URL.ndb at all? I'm getting 20+ seconds to load that. On the flip side, I'm getting sub-second loading times for winnow_phish_complete.ndb, winnow_phish_complete_url.ndb and phish.ndb. I'm running this on a beefy macbook pro with 16Gb of RAM, so I'm not sure if that helps or not in this particular case. Scamnailer is a little longer at 1.5 seconds.

But, if I were guessing, the pattern for http://; for winnow_phish. for phish.ndb, it looks like a lot of sigs in the form PK{WILDCARD_ANY_STRING(LENGTH==28)} Which would demonstrate the same behavior.

We'll have to do more checking on scamnailer. There is a ton of alternating patterns, and really no repeating static contents that I can see in a cursory glance. We'll check it out and get more information.

Again, thanks for the data, we'll keep it in mind as we work on coming versions.

Matt

On Thu, Aug 15, 2013 at 7:45 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:

I've done some analysis of ClamAV with just this signature set, and the loading is simply slowing down as it runs through the list.

* Third Party dbs *

Hi,

While looking into the database loading time issue, thought it might be an idea to quickly scan the same small file with each database, just to see what scanning time each database took and the amount of memory the *single* database used.

When using multiple db's it's not the whole story... but just in case it's useful

bofhland_cracked_URL.ndb: Time: 6.593 sec bofhland_cracked_URL.ndb: Memory: 29.777 MB
bofhland_malware_attach.hdb: Time: 0.047 sec bofhland_malware_attach.hdb: Memory: 4.331 MB
bofhland_malware_URL.ndb: Time: 0.125 sec bofhland_malware_URL.ndb: Memory: 7.816 MB
bofhland_phishing_URL.ndb: Time: 0.047 sec bofhland_phishing_URL.ndb: Memory: 4.741 MB
crdfam.clamav.hdb: Time: 0.062 sec crdfam.clamav.hdb: Memory: 5.046 MB
foxhole_all.ccdb: Time: 0.046 sec foxhole_all.cdb: Memory: 4.308 MB
foxhole_filename.ccdb: Time: 0.047 sec foxhole_filename.cdb: Memory: 4.308 MB
foxhole_generic.ccdb: Time: 0.047 sec foxhole_generic.cdb: Memory: 4.312 MB
junk.ndb: Time: 0.860 sec junk.ndb: Memory: 18.866 MB
jurlbl.ndb: Time: 0.078 sec jurlbl.ndb: Memory: 5.281 MB
jurlbla.ndb: Time: 0.125 sec jurlbla.ndb: Memory: 6.386 MB
lott.ndb: Time: 0.078 sec lott.ndb: Memory: 5.206 MB
phish.ndb: Time: 2.390 sec phish.ndb: Memory: 14.546 MB
phishtank.ndb: Time: 0.157 sec phishtank.ndb: Memory: 5.699 MB
porcupine.ndb: Time: 0.078 sec porcupine.ndb: Memory: 5.898 MB
rogue.hdb: Time: 0.047 sec rogue.hdb: Memory: 4.652 MB
scam.ndb: Time: 0.407 sec scam.ndb: Memory: 11.585 MB
scamnailer.ndb: Time: 4.609 sec scamnailer.ndb: Memory: 22.085 MB
spam.lcdb: Time: 0.047 sec spam.ldb: Memory: 4.515 MB
spamattach.hdb: Time: 0.047 sec spamattach.hdb: Memory: 4.308 MB
spamimg.hdb: Time: 0.047 sec spamimg.hdb: Memory: 4.398 MB
spear.ndb: Time: 0.610 sec spear.ndb: Memory: 12.140 MB
spearl.ndb: Time: 0.063 sec spearl.ndb: Memory: 5.089 MB
winnow.attachments.hdb: Time: 0.047 sec winnow.attachments.hdb: Memory: 4.370 MB
winnow.complex.patterns.lcdb: Time: 0.047 sec winnow.complex.patterns.ldb: Memory: 4.320 MB
winnow_bad_cw.hdb: Time: 0.046 sec winnow_bad_cw.hdb: Memory: 4.308 MB
winnow_extended_malware.hdb: Time: 0.109 sec winnow_extended_malware.hdb: Memory: 7.413 MB
winnow_extended_malware_links.ndb: Time: 0.046 sec winnow_extended_malware_links.ndb: Memory: 4.308 MB
winnow_malware.hdb: Time: 0.110 sec winnow_malware.hdb: Memory: 7.777 MB
winnow_malware_links.ndb: Time: 0.125 sec winnow_malware_links.ndb: Memory: 7.128 MB
winnow_phish_complete.ndb: Time: 4.907 sec winnow_phish_complete.ndb: Memory: 7.577 MB
winnow_phish_complete_url.ndb: Time: 4.922 sec winnow_phish_complete_url.ndb: Memory: 7.577 MB
winnow_spam_complete.ndb: Time: 0.125 sec winnow_spam_complete.ndb: Memory: 7.097 MB

Cheers,
Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] clamd taking too long to restart?
OK, we've been able to reproduce the problem and it is, as you all suspected revolving around the www. matching. I've asked one of the developers to look at it, and we should be able to provide some best-practice guidelines on how to construct rules to avoid this situation.

We'll also review if code changes are appropriate, but given how the tree operates, I don't immediately expect that to be the case.

Matt
Re: [clamav-users] clamd taking too long to restart?
Nope. 0.98 is getting patches applied to it and will then move to QA regression and finally to release engineering. There is a lot going on in 0.98, and we'll have more information once we finalize a build.

Matt

On Wed, Aug 14, 2013 at 5:03 PM, A K Varnell alvarn...@mac.com wrote:

On Aug 14, 2013, at 1:54 PM, Joel Esler jes...@sourcefire.com wrote:

On Aug 14, 2013, at 2:34 PM, Steve Basford steveb_cla...@sanesecurity.com wrote:

We'll also review if code changes are appropriate, but given how the tree operates, I don't immediately expect that to be the case.

Out of interest are there any roadmaps/future improvements for ClamAV that are being discussed, as the last changelog update was May (before the takeover)?

Steve, Just to clarify, at this time we’ve just announced Cisco acquiring Sourcefire. It takes time for the deal to be approved and go through. I’ll let Matt speak to the specifics of the roadmap.

So I gather the 0.98 release that was announced back in February is in a holding pattern pending final approval once the Cisco acquisition has been approved and their processes put into place?

-Al-
--
Al Varnell
Mountain View, CA
Re: [clamav-users] clamd taking too long to restart?
So what qualifies as a kitchen sink-load?

Matt

On Tue, Aug 13, 2013 at 11:25 PM, Vincent Fox vb...@ucdavis.edu wrote:

Hi,

Previously I was using a short list of signatures and startup time of 30 seconds which was acceptable. Well it didn't get noticed much.

However recently I added a kitchen sink of extra databases like winnow etc. Now startup time is 2.5 minutes, which becomes noticeable.

Any way to ameliorate this?
Re: [clamav-users] clamd taking too long to restart?
OK...I'll do some testing tomorrow and see if we can't come up with some information for you.

Matt

On Wed, Aug 14, 2013 at 12:12 AM, Vincent Fox vb...@ucdavis.edu wrote:

On 8/13/2013 8:49 PM, Matt Olney wrote:

So what qualifies as a kitchen sink-load?

Most everything that SaneSecurity hosts that is low or medium risk:

ss_dbs=
   blurl.ndb
   bofhland_cracked_URL.ndb
   bofhland_malware_URL.ndb
   bofhland_phishing_URL.ndb
   bofhland_malware_attach.hdb
   crdfam.clamav.hdb
   junk.ndb
   jurlbl.ndb
   jurlbla.ndb
   lott.ndb
   phish.ndb
   phishtank.ndb
   porcupine.ndb
   rogue.hdb
   sanesecurity.ftm
   sigwhitelist.ign2
   scam.ndb
   scamnailer.ndb
   spam.ldb
   spamimg.hdb
   spamattach.hdb
   spear.ndb
   spearl.ndb
   winnow.attachments.hdb
   winnow_bad_cw.hdb
   winnow.complex.patterns.ldb
   winnow_extended_malware.hdb
   winnow_extended_malware_links.ndb
   winnow_malware.hdb
   winnow_malware_links.ndb
   winnow_phish_complete_url.ndb
   winnow_spam_complete.ndb

si_dbs=
   securiteinfoelf.hdb
   securiteinfosh.hdb
   securiteinfopdf.hdb
   securiteinfooffice.hdb
   securiteinfohtml.hdb
   securiteinfodos.hdb
   securiteinfobat.hdb
   securiteinfo.hdb

mbl_dbs=
   mbl.ndb

My mail routers are VM's and not the fastest things around but neither are they 486's pulled from a scrap heap:

[root@msa3 etc]# grep name /proc/cpuinfo
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
[root@msa3 etc]# grep MemTotal /proc/mem*
MemTotal:8057768 kB
Re: [clamav-users] news: Cisco Announces Agreement to Acquire Sourcefire
What exactly did you need to know re:: database types. The format for the signatures are detailed, per database type, in this document: http://www.clamav.net/doc/latest/signatures.pdf

Matt

On Thu, Jul 25, 2013 at 2:11 PM, Benny Pedersen m...@junc.eu wrote:

Greg Folkert wrote on 2013-07-25 16:45:

http://blog.clamav.net/2013/07/a-continued-commitment-to-open-source.html

Hopefully this will help out :) Time will tell.

paul

Wow, that was a *MUCH* better and much more simple response than I was going to do... and passed on making. Time will tell and one can hope.

me too :)

i can't find docs on database types or how to create pua category :(
Re: [clamav-users] freshclam can't download daily.cvd
Please review the information here and let us know if this addresses your problem: http://blog.clamav.net/2013/02/resolving-issues-with-freshclam.html

I'll get with the appropriate person and see if updating the mirror-problem page is appropriate.

Matt

On Fri, May 17, 2013 at 10:32 AM, Cedric Knight ced...@gn.apc.org wrote:

Hello

Running clamav 0.97.6 and then 0.97.8 on a Debian squeeze server, since 14 Feb this year freshclam has been consistently failing with

ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
...
Ignoring mirror 217.135.32.99 (has connected too many times with an outdated version)
ERROR: Can't download daily.cvd from database.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.

One solution (delete daily.cvd and run freshclam again) has been covered here on 15 Feb http://www.gossamer-threads.com/lists/clamav/users/57663#57663. However, that solution is not necessarily obvious, and there is other advice out there such as reducing number of Checks per day to less than 6 and waiting at least 24 hours http://forums.debian.net/viewtopic.php?f=5t=97058, which didn't work for me. (The upgrade to 0.97.8 also reduced Checks to 3.) Another solution that I found was setting a HTTPProxyServer and HTTPProxyPort in freshclam.conf.

So are the mirrors blocking the IPv4 address used by my freshclam? And if so, why, is there any way to remove the block, and why is the restriction only enforced when the old daily.cvd is present?

I'm wondering how many ClamAV installations there might be out there which are stuck on updates prior to daily.cvd version 16685 months later, without the owners even knowing. The updates usually work very nicely thank you, and the errors may not get noticed.

Could this be fixed by an update to the freshclam client, or perhaps to the mirrors? At least could http://www.clamav.net/support/mirror-problem be updated to reflect this?

Thanks

CK
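
The concern raised in the message above, installations silently stuck on an old daily.cvd, can be checked from the freshclam log. The following is an added example, not part of the original thread and not ClamAV project code: it parses the message shapes quoted in this thread and reports failed update runs and stale databases. The sample log, the 192.0.2.10 mirror address, the two-day threshold and the `audit` function name are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Line shapes are the freshclam messages quoted in this thread. The
# "<ctime> - " prefix is the timestamped log-file form; it is optional here.
TS_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) - (.*)$")
OK_RE = re.compile(r"^(\w+)\.c[vl]d is up to date \(version: (\d+),")
FAIL_RE = re.compile(r"^(?:ERROR: .*Can't download|Update failed\.)")
MIRROR_RE = re.compile(r"^Ignoring mirror (\S+) ")
RUN_START = "ClamAV update process started"

# Constructed sample log (not captured from a real host): one good run,
# then the failure pattern described in the message, repeated months later.
SAMPLE_LOG = """\
Thu Feb 14 09:00:01 2013 - ClamAV update process started at Thu Feb 14 09:00:01 2013
Thu Feb 14 09:00:01 2013 - main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Thu Feb 14 09:00:02 2013 - daily.cvd is up to date (version: 16681, sigs: 900000, f-level: 63, builder: neo)
Fri Feb 15 09:00:01 2013 - ClamAV update process started at Fri Feb 15 09:00:01 2013
Fri Feb 15 09:00:01 2013 - main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Fri Feb 15 09:00:05 2013 - ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Fri Feb 15 09:00:05 2013 - WARNING: Incremental update failed, trying to download daily.cvd
Fri Feb 15 09:00:09 2013 - Ignoring mirror 192.0.2.10 (has connected too many times with an outdated version)
Fri Feb 15 09:00:09 2013 - ERROR: Can't download daily.cvd from database.clamav.net
Fri Feb 15 09:00:09 2013 - Giving up on database.clamav.net...
Fri Feb 15 09:00:09 2013 - Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working.
Fri May 17 09:00:01 2013 - ClamAV update process started at Fri May 17 09:00:01 2013
Fri May 17 09:00:01 2013 - main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Fri May 17 09:00:05 2013 - ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
Fri May 17 09:00:09 2013 - ERROR: Can't download daily.cvd from database.clamav.net
Fri May 17 09:00:09 2013 - Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working.
"""


def audit(log_text, now, max_age=timedelta(days=2), expected=("main", "daily")):
    """Summarise a freshclam log: failed runs, ignored mirrors, stale databases."""
    runs = []      # one dict per update run: start time and failure flag
    last_ok = {}   # db name -> (version, time it was last confirmed current)
    ignored = set()
    ts = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamped = TS_RE.match(line)
        if stamped:
            ts = datetime.strptime(stamped.group(1), "%a %b %d %H:%M:%S %Y")
            line = stamped.group(2)
        if line.startswith(RUN_START):
            runs.append({"start": ts, "failed": False})
            continue
        if not runs:  # log begins in the middle of a run
            runs.append({"start": ts, "failed": False})
        ok = OK_RE.match(line)
        mirror = MIRROR_RE.match(line)
        if ok:
            last_ok[ok.group(1)] = (int(ok.group(2)), ts)
        elif FAIL_RE.match(line):
            runs[-1]["failed"] = True
        elif mirror:
            ignored.add(mirror.group(1))

    # A database is stale if it was never confirmed current, was confirmed
    # without a timestamp (freshness cannot be proven), or is too old.
    stale = {}
    for db in expected:
        version, seen = last_ok.get(db, (None, None))
        if seen is None or now - seen > max_age:
            stale[db] = {"version": version, "last_ok": seen}

    # Failures at the tail of the log are the ones still in effect.
    trailing = 0
    for run in reversed(runs):
        if not run["failed"]:
            break
        trailing += 1

    return {
        "failed_runs": [r["start"] for r in runs if r["failed"]],
        "consecutive_failures": trailing,
        "ignored_mirrors": sorted(ignored),
        "stale": stale,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, now=datetime(2013, 5, 17, 12, 0, 0))
    for db, info in report["stale"].items():
        print(f"STALE {db}: version {info['version']}, last confirmed {info['last_ok']}")
    print("consecutive failed runs:", report["consecutive_failures"])
    print("mirrors refusing this client:", report["ignored_mirrors"])
```

Run from cron against the real log, a non-empty `stale` result is the condition worth alerting on, since main.cvd can keep reporting "up to date" while daily.cvd has not advanced.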
Re: [clamav-users] looking for Bill Landry b...@inetmsg.com
Hey Paul,

You asked about the status of ClamAV supporting third party signatures. As far as I know there is no barrier to entry, other than an understanding of the signature format, to creating a third-party signature set. We always welcome people that enhance the value of the engine by contributing additional content.

Is there more to the question that I need to answer?

Matt

On Sun, Nov 25, 2012 at 10:19 PM, Paul Wise p...@debian.org wrote:

Hi all,

Bill Landry is the developer of clamav-unofficial-sigs and since I'm the Debian maintainer of that, I need to discuss some things with him but his domain inetmsg.com doesn't respond to HTTP or SMTP connections. Does anyone know what happened to him or if he moved to a different domain?

PS: what's the status of clamav support for third-party signatures?

--
bye,
pabs
http://wiki.debian.org/PaulWise
Re: [clamav-users] SubmitDetectionStats error message after update
Jerry, is this still an issue for you? Our systems team says there was an issue with the box but that has been resolved.

Please let us know,

Matt

On Sun, Mar 24, 2013 at 7:15 AM, Jerry je...@seibercom.net wrote:

Ever since I updated clamav the other day, the freshclam.log has been filling up with the following.

Sun Mar 24 06:43:43 2013 - Received signal: wake up
Sun Mar 24 06:43:43 2013 - ClamAV update process started at Sun Mar 24 06:43:43 2013
Sun Mar 24 06:43:43 2013 - main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Sun Mar 24 06:43:43 2013 - daily.cld is up to date (version: 16892, sigs: 981794, f-level: 63, builder: neo)
Sun Mar 24 06:43:43 2013 - bytecode.cld is up to date (version: 214, sigs: 41, f-level: 63, builder: neo)
Sun Mar 24 06:44:32 2013 - nonblock_recv: recv timing out (30 secs)
Sun Mar 24 06:44:32 2013 - ERROR: SubmitDetectionStats: Can't read from socket

The actual setting is:

SubmitDetectionStats /usr/local/etc/clamd.conf

Everything was working fine until the update. Nothing was modified and I have tried to do a hard reboot to see if it made any difference, but it didn't. I welcome any suggestions.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
Re: [clamav-users] Memory level
Not really sure what other people are thinking. ClamAV is built into Sourcefire's advanced malware protection product (FireAMP). So we use it, at least.

Matt

On Sun, Mar 24, 2013 at 10:19 AM, Benny Pedersen m...@junc.eu wrote:

Matt Olney wrote on 2013-03-22 18:49:

Yep, we've heard that a couple of times. We'll do our best to address it.

being on clouds with single user clamd is waste of ram :)

i find this very funny that a cloud service can't provide cloud service with clamd

are clamd not powerful enough yet ?
Re: [clamav-users] http://blog.clamav.net/2013/02/resolving-issues-with-freshclam.html
Benny,

I don't completely understand what you're saying. Do you have an issue and you tried the fix? I'm not sure which URL you're talking about that says 73, so I'm sort of at a loss as to how to help you.

Matt

On Sun, Mar 24, 2013 at 10:22 AM, Benny Pedersen m...@junc.eu wrote:

daily.cvd is still here on 63 after doing this fix

note that the url says 73, so is it fixed now ?
Re: [clamav-users] Memory level
All of that is being looked at in the freshclam rewrite portion of the next version of ClamAV.

On Tue, Mar 26, 2013 at 11:33 AM, Benny Pedersen m...@junc.eu wrote:

Matt Olney wrote on 2013-03-26 14:10:

Not really sure what other people are thinking. ClamAV is built into Sourcefire's advanced malware protection product (FireAMP). So we use it, at least.

will it be opensource, with license key ?, well for now i happy with clamav, its good to use for stopping phishing and paypal wannabees :)

what i have thinked about is that main and daily is being big files, is there planned to get them smaller ?, maybe with some kind of expire signatures ?, take in to account on 3rd party signatures that hit just once :(

i have yet to see freshclam report stats to webpage :(

if something changes i like to have main daily and one more for hits widely now on all freshclam reporters, that could reduce mem footprint, but still keep signatures for virus hitting in wild, and who wants it all can tell freshclam to get it all

will main eventually be optional, just like safebrowsing ?

one more: will clamav-milter have selective pua so it can use diff pua then clamd ?

this will hopefully make it more possible to make pua per recipient in clamav-milter
Re: [clamav-users] New Version of ClamAV
Spiro, a messenger has just arrived by horse. Apparently we have released ClamAV 0.97.7 :)

We'll do better next time :)

Matt

On Wed, Mar 20, 2013 at 8:45 PM, Spiro Harvey sp...@knossos.net.nz wrote:

We're currently scoping out the next version of ClamAV. We have a number of ideas in house, but I wanted to solicit some feedback from our users about what you might be interested in seeing.

Timely release announcement on the mailing list.

/ducks ;)
Re: [clamav-users] New Version of ClamAV
Ian, if you can put more detail about your zombie issue into a bug, it would be easier for us to deal with it.

Thanks,

Matt

On Thu, Mar 21, 2013 at 7:57 AM, Ian Eiloart i...@sussex.ac.uk wrote:

On 20 Mar 2013, at 14:35, Matt Olney mol...@sourcefire.com wrote:

Before you ask, we don't have a lot of information that we're ready to share on our end about what we're planning, so I don't want to promise anything yet. In general we're looking to expand the detection capability, the engine's stability and make the system a little more usable. As we firm things up, we'll let you guys know more about what we're working on.

….

Thanks in advance for your ideas! Please send your ideas to this list so we can track them.

Focus on stability and usability. I use Exim, Clam, and Spamassassin (in order of descending importance). I regard Exim as essential for continuity of service. Clam, when available, is trusted absolutely to reject emails that are a security threat to my network - so it's important to me that it's as available as possible. Unfortunately, it occasionally hangs leaving zombie processes that require a reboot to fix.

When it's available, I want it to block malware attachments, but I also want it to block emails with links to malware, and links to phishing sites. BTW, I use Clam to scan outbound email, as well as inbound, in order to improve herd immunity to infections.

One thing that I'd like to do with outbound email is to prevent people from emailing their own passwords. Something along these lines: https://grepular.com/Defending_Against_Spear_Phishing_with_Exim

That's a useful tool, but it's Exim specific, and it would be neat to have clam deal with this.

--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
Re: [clamav-users] Memory level
Hi Christian,

Yep, we've heard that a couple of times. We'll do our best to address it.

Matt

On Fri, Mar 22, 2013 at 12:40 PM, Christian Salway ccsal...@itmanx.com wrote:

In your new version, can you please consider how to run it on low memory systems (512MB) for spamassassin other than direct from the command line which takes time to load each time it's called.

Our basic internet servers we roll out to dedicated clients run on the Amazon EC2 micro servers and consist of mysql, postfix, dovecot, apache, spamassassin and clamd (disabled). Disabled because it consumes too much RAM and deemed the least required because antivirus is readily available on desktops, tablets and phones and most clients would prefer to deal with one or two virus' messages than 100's of spam messages.

At the moment, on the Amazon EC2 micro servers, there is 512Mb RAM available, of which, clamd consumes 30% if enabled, taking the RAM load from 165/512MB to 337/512MB, and that's before the server has started processing anything.

Kind regards,
Christian
[clamav-users] New Version of ClamAV
Hey all,

We're currently scoping out the next version of ClamAV. We have a number of ideas in house, but I wanted to solicit some feedback from our users about what you might be interested in seeing.

Before you ask, we don't have a lot of information that we're ready to share on our end about what we're planning, so I don't want to promise anything yet. In general we're looking to expand the detection capability, the engine's stability and make the system a little more usable. As we firm things up, we'll let you guys know more about what we're working on.

We will also be interested, as we get further down the road, in beta testers. I think you'll see a lot of new functionality in ClamAV and we'd appreciate as many eyes as possible on it once we're ready to show it off.

And no, we don't have an estimated release date :)

Thanks in advance for your ideas! Please send your ideas to this list so we can track them.

Matt
Re: [clamav-users] ClamAV 0.97.7 available?
Yeah, we could have done better on this. I'll review the release procedures and see if we can't improve them. More info tomorrow, this is just an informal note :)

Matt

On Thu, Mar 14, 2013 at 6:03 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

- Original Message -

On Mar 14, 2013, at 12:42 PM, Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:

This is annoying. There was no announcement on clamav-announce of 0.97.6

http://blog.clamav.net/2012/09/clamav-0976-has-been-released.html.

Sent from Janet's iPad

-Al-
--
Al Varnell

I didn't get that email.
Re: [clamav-users] SourceFire support - signature file updates
OK, there is a bit of a translation error here. We are no longer selling commercial support for deployments of ClamAV. We do of course continue to produce signatures that are available to all users of ClamAV.

Robin, can you email me privately the name of your sales manager so I can get in touch with him to clear this up?

Matt

On Tue, Nov 27, 2012 at 4:32 AM, robin.wakefi...@ubs.com wrote:

Hi,

Our regional SourceFire sales manager has made the following statement:

I can confirm as discussed that the product (ClamAV) is now officially no longer supported as a product and therefore you will no longer receive signatures.

Can anyone clarify what this means in terms of continuing to download new signature files via freshclam? Or are signature file updates to cease?

Regards,
Robin
Re: [clamav-users] SourceFire support - signature file updates
(Dennis Peterson)++

On Tue, Nov 27, 2012 at 8:29 PM, Dennis Peterson denni...@inetnw.com wrote:

On 11/27/12 2:19 PM, Nigel Houghton wrote:

On Nov 27, 2012, at 2:17 PM, Dennis Peterson denni...@inetnw.com wrote:

I was hoping to hear from someone higher up than a mentalist time lord.

Well, if Rassilon wasn't in a time lock he might reply, but since he is, I'm it.

It would have helped quite a lot if you had mentioned you are a demi-god.

dp
Re: [clamav-users] PHP.Exploit.CVE_2011_4153-3 false positive
Can you zip these up, password protect the zip and email them to v...@sourcefire.com?

Matt

On Tue, Nov 20, 2012 at 4:23 AM, Anssi Johansson cla...@miuku.net wrote:

Hi,

$ clamscan php*.bz2
php-5.4.0.tar.bz2: PHP.Exploit.CVE_2011_4153-3 FOUND
php-5.4.1.tar.bz2: PHP.Exploit.CVE_2011_4153-3 FOUND
php-5.4.3.tar.bz2: PHP.Exploit.CVE_2011_4153-3 FOUND

$ md5sum php*.bz2
04bb6f9d71ea86ba05685439d50db074 php-5.4.0.tar.bz2
5b9529ed89dbc48c498e9693d1af3caf php-5.4.1.tar.bz2
51f9488bf8682399b802c48656315cac php-5.4.3.tar.bz2

$ clamscan --version
ClamAV 0.97.6/15602/Mon Nov 19 23:29:58 2012

I tried submitting these as false positives through the FP reporting page some days ago, but the FP submit page said that This file is not detected by ClamAV.

The md5sums of those files match the md5sums published on http://php.net/releases/index.php
Re: [clamav-users] LibClamAV Warnings
We're looking into it, guys. Don't have an answer right now, but thanks for the info. By chance, do you have a sample that triggers this behavior?

Matt

On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman mbroek...@maileig.com wrote:
> -Original Message-
>> LibClamAV Warning: Bytecode run timed out in interpreter after 765000 opcodes
>> LibClamAV Warning: Bytcode 16 failed to run: Unknown error code
>> LibClamAV Warning: Bytecode runtime error at line 95, col 13
>> LibClamAV Error: Opcode 45 of type 0 is not implemented yet!
>> LibClamAV Warning: Bytcode 16 failed to run: Invalid argument passed to function
>> LibClamAV Warning: Bytecode run timed out in interpreter after 68 opcodes
>> LibClamAV Warning: Bytcode 20 failed to run: Unknown error code
>> LibClamAV Warning: Bytecode runtime error at line 95, col 13
>> LibClamAV Error: Opcode 45 of type 0 is not implemented yet!
>> LibClamAV Warning: Bytcode 20 failed to run: Invalid argument passed to function
>> LibClamAV Warning: Bytecode run timed out in interpreter after 19255000 opcodes
>> LibClamAV Warning: Bytcode 1 failed to run: Unknown error code
>> LibClamAV Warning: Bytecode run timed out in interpreter after 139 opcodes
>> LibClamAV Warning: Bytcode 39 failed to run: Unknown error code
>
> I have been seeing the same behavior on my systems, though with Bytecode 37 and 38.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 37 failed to run: Unknown error code
>
> I get the same error regardless of whether I have --bytecode-timeout=0 set or not.
>
> Anyone know what's going on?
>
> --Maarten
Re: [clamav-users] LibClamAV Warnings
Can you attach that sample to this bug: https://bugzilla.clamav.net/show_bug.cgi?id=6139

Or if you don't have and don't want a bugzilla account, you can zip it up, password protect it and then send it to me.

Matt

On Fri, Nov 16, 2012 at 11:30 AM, Maarten Broekman mbroek...@maileig.com wrote:
> Yep. I have a .js file that triggers the Bytecode 37 error. I've filed a bug against the CVD with it.
>
> Bug 6140 - Bytecode 37 failed to run: Unknown error code
>
> --Maarten
Re: [clamav-users] LibClamAV Warnings
Try now?

On Fri, Nov 16, 2012 at 11:41 AM, Maarten Broekman mbroek...@maileig.com wrote:
> I have a bugzilla account but I don't have the right permissions to see that bug.
>
> You are not authorized to access bug #6139.
>
> --Maarten
Re: [clamav-users] Problems with signature mirrors today?
Hey guys, thanks for the heads up. We're checking into it now.

Matt

On Fri, Nov 9, 2012 at 12:38 PM, José Celestino j...@co.sapo.pt wrote:
> On Sex, 2012-11-09 at 10:23 -0700, Chris Stone wrote:
>> Seeing a lot of:
>>
>> Current working dir is /usr/local/share/clamav
>> Max retries == 3
>> ClamAV update process started at Fri Nov 9 10:22:52 2012
>> Using IPv6 aware code
>> If-Modified-Since: Tue, 11 Oct 2011 14:34:20 GMT
>> Reading CVD header (main.cvd): Ignoring mirror 63.141.241.106 (due to previous errors)
>> Ignoring mirror 69.163.100.14 (due to previous errors)
>> ...
>>
>> Problems? Everyone else seeing this as well?
>
> Yes. daily-15558.cdiff is nowhere to be found.
Re: [clamav-users] Problems with signature mirrors today?
Folks,

We seem to have resolved the issue. Mirrors should be syncing now. Let us know if you see anything else.

Matt

On Fri, Nov 9, 2012 at 12:51 PM, Nigel Houghton nhough...@sourcefire.com wrote:
> On Nov 9, 2012, at 12:38 PM, José Celestino j...@co.sapo.pt wrote:
>> On Sex, 2012-11-09 at 10:23 -0700, Chris Stone wrote:
>>> Seeing a lot of:
>>>
>>> Current working dir is /usr/local/share/clamav
>>> Max retries == 3
>>> ClamAV update process started at Fri Nov 9 10:22:52 2012
>>> Using IPv6 aware code
>>> If-Modified-Since: Tue, 11 Oct 2011 14:34:20 GMT
>>> Reading CVD header (main.cvd): Ignoring mirror 63.141.241.106 (due to previous errors)
>>> Ignoring mirror 69.163.100.14 (due to previous errors)
>>> ...
>>>
>>> Problems? Everyone else seeing this as well?
>>
>> Yes. daily-15558.cdiff is nowhere to be found.
>
> We are working on the problem.
>
> -- Nigel Houghton
> Head Mentalist, Time Lord
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ http://labs.snort.org/
Re: [clamav-users] Deep scanning of image files
Maarten, can you help us track this by adding a bug at https://bugzilla.clamav.net/?

Thanks,
Matt

On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman mbroek...@maileig.com wrote:
> One thing I'm seeing more and more of is malware code (be it PHP or ASP) embedded after GIF headers. ClamAV sees the GIF header and treats it like an image (properly), but then ClamAV sees an HTML signature later in the file. However, it doesn't do any normalization on that HTML data. Would it be possible to add an option to clamscan that does normalize the HTML data and analyzes it as usual?
>
> Example:
> LibClamAV debug: Recognized GIF file
> LibClamAV debug: in cli_check_jpeg_exploit()
> LibClamAV debug: Matched signature for file type HTML data at 4197
>
> Problem: I have signatures that would match the normalized HTML data, but because the GIF header is there, clamscan doesn't normalize the HTML data. This means that I have to create unique signatures for each file with a GIF header that contains different non-normalized HTML data.
>
> Thanks,
> Maarten
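The pattern described in the message above, as a triage check that could run alongside signature scanning: it walks the GIF block structure, reports bytes left over after the trailer, and lists script markers. This is an added example, not ClamAV code and not from the thread; the marker list, the function names and the sample files are assumptions constructed for illustration.

```python
"""Added example: triage check for script content hidden behind a GIF header.

Not ClamAV code. MARKERS and all function names are assumptions for this sketch.
"""
from typing import Optional

GIF_MAGIC = (b"GIF87a", b"GIF89a")
# Byte sequences that suggest PHP, ASP or HTML/JavaScript content (assumed list).
MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def _color_table_len(packed: int) -> int:
    """Size in bytes of the color table described by a packed-flags byte."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def gif_stream_end(data: bytes) -> Optional[int]:
    """Walk the GIF block structure and return the offset just past the
    0x3B trailer, or None if the file is not a well-formed GIF stream."""
    if len(data) < 13 or data[:6] not in GIF_MAGIC:
        return None
    pos = 13 + _color_table_len(data[10])   # header + logical screen descriptor
    while pos < len(data):
        kind = data[pos]
        if kind == 0x3B:                    # trailer: end of the image stream
            return pos + 1
        if kind == 0x21:                    # extension: introducer + label
            pos += 2
        elif kind == 0x2C:                  # image descriptor (10 bytes)
            if pos + 10 > len(data):
                return None
            # descriptor, optional local color table, LZW minimum code size
            pos += 10 + _color_table_len(data[pos + 9]) + 1
        else:
            return None                     # not a valid GIF block type
        while True:                         # skip length-prefixed sub-blocks
            if pos >= len(data):
                return None
            size = data[pos]
            pos += 1 + size
            if size == 0:
                break
    return None


def inspect_gif(data: bytes) -> Optional[dict]:
    """Findings for a file that claims to be a GIF; None for any other file."""
    if data[:6] not in GIF_MAGIC:
        return None
    end = gif_stream_end(data)
    lowered = data.lower()
    hits = sorted((lowered.find(m), m.decode()) for m in MARKERS if m in lowered)
    trailing = None if end is None else len(data) - end
    return {
        "well_formed": end is not None,
        "trailing_bytes": trailing,
        "markers": hits,
        "suspicious": end is None or trailing > 0 or bool(hits),
    }


# Constructed samples (not taken from the thread).
CLEAN_GIF = bytes.fromhex(
    "474946383961"            # "GIF89a"
    "01000100800000"          # 1x1 logical screen, 2-entry global color table
    "ffffff000000"            # the color table itself
    "21f9040100000000"        # graphic control extension
    "2c000000000100010000"    # image descriptor
    "02024401003b"            # LZW code size, one data sub-block, trailer
)
APPENDED = CLEAN_GIF + b"\n<?php /* constructed marker, no payload */ ?>\n"
MAGIC_ONLY = b"GIF89a<html><script>/* constructed marker */</script></html>"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_GIF), ("appended", APPENDED),
                          ("magic-only", MAGIC_ONLY)):
        print(label, inspect_gif(sample))
```

A file flagged here can be handed to the scanner as text as well as an image, so that existing normalized-HTML signatures get a chance to match.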
Re: [clamav-users] Communigate Pro parser fails
Can you submit a bug through https://bugzilla.clamav.net/ please? Shawn will keep working with you, but this will allow us to track this issue.

Matt

On Thu, Sep 6, 2012 at 10:28 PM, Victor Sudakov v...@mpeks.tomsk.su wrote:
> Shawn Webb wrote:
>>> AFAIK clamd can parse Communigate Pro message spool format, where the message itself is preceded by several extra lines like
>>>
>>> P I 06-09-2012 08:53:14 suda...@sibptus.tomsk.ru O LH A sibptus.tomsk.ru [212.73.124.5] S SMTP [212.73.125.240] R W 06-09-2012 08:53:14 _FY_ suda...@sibptus.tomsk.ru
>>>
>>> However, I have found a condition when this parser fails on clamav-0.97.5 and clamd reports OK though there is a known virus in the message. I can provide samples and more details.
>>
>> Were you able to scan with versions of ClamAV prior to 0.97.5?
>
> clamav-0.97 has the same problem. Sorry, I don't have older ClamAV installations anywhere at the moment.
>
>> Can you send me some samples?
>
> Please take a sample at ftp://ftp.tomsk.ru/pub/m2.zip
>
> ClamAV says it's OK. But if you manually add some Content-Type: header to the message, it is reported as containing Trojan.Startpage-131 (which it does).
>
> If you remove the CommunigatePro extra lines without adding a Content-Type: header, it's again reported as containing Trojan.Startpage-131.
>
> I have come across this bug (?) when sending messages with the Unix mail program. It does not generate the Content-Type: header so any virus sent by the mail(1) program passes through ClamAV+Communigate.
>
> -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
Re: [clamav-users] Communigate Pro parser fails
I'll have someone contact you directly.

Matt

On Thu, Sep 6, 2012 at 6:15 AM, Victor Sudakov v...@mpeks.tomsk.su wrote:
> Colleagues,
>
> AFAIK clamd can parse Communigate Pro message spool format, where the message itself is preceded by several extra lines like
>
> P I 06-09-2012 08:53:14 suda...@sibptus.tomsk.ru O LH A sibptus.tomsk.ru [212.73.124.5] S SMTP [212.73.125.240] R W 06-09-2012 08:53:14 _FY_ suda...@sibptus.tomsk.ru
>
> However, I have found a condition when this parser fails on clamav-0.97.5 and clamd reports OK though there is a known virus in the message. I can provide samples and more details.
>
> Who do I contact about it?
>
> Thank you in advance.
>
> -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru
Re: [clamav-users] update clamav
Bruno,

Nigel Houghton replied on Jun 27th:

Here's the relevant information from the wiki:

Solution 1: Use an HTTP proxy

This solution is really easy to implement and is bandwidth efficient. Install a proxy server (i.e. squid) and then tell your freshclam clients to use it. This can be done by setting the HTTPProxyServer parameter in freshclam.conf (see man 5 freshclam.conf for the details).

Solution 2: Serve .cvd files from a local web server

This solution is really simple to implement but it's only effective if your clients are all on the same local network and bandwidth is not an issue for you. Configure a local webserver on one of your machines (say machine1.mylan) and let freshclam download the *.cvd files from http://database.clamav.net to the webserver’s DocumentRoot. Add this line to freshclam.conf on machine1.mylan:

ScriptedUpdates off

First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it. For this to work you have to change freshclam.conf on your clients so that it reads:

DatabaseMirror machine1.mylan
ScriptedUpdates off

Matt

On Mon, Jul 9, 2012 at 7:43 AM, Joel Esler jes...@sourcefire.com wrote:
> What issue?
>
> -- Joel Esler
>
> On Jul 9, 2012, at 5:08 AM, Bruno Barosa bruno.bar...@pessoaseprocessos.com wrote:
>> Hello again,
>>
>> Good morning and a good week for all
>>
>> anyone has got news on this issue?
>>
>> Regards
>> Bruno
>>
>> On 27-06-2012 19:29, Nigel Houghton wrote:
>>> On Jun 27, 2012, at 8:12 AM, Matthew Olney wrote:
>>>> Apparently, the answer to this is on the wiki, but it is having issues.
>>>>
>>>> Begin forwarded message:
>>>>> From: Ilyas Doskhozhayev idoskhozha...@gmail.com
>>>>> Date: June 27, 2012, 5:45:28 AM EDT
>>>>> To: jes...@sourcefire.com
>>>>> Subject: update clamav
>>>>>
>>>>> Hi thank all you team for this antivirus tool/
>>>>> My question is on debian i have servers that can not update virus database directly from internet, so they update from local repository on network
>>>>> So can i make clamav update from my local repository on server that has internet ?
>>>>> I use this source list to update from repository on server
>>>>> deb http://10.0.1.11/localrepository /
>>>>> Thanks in advance
>>>
>>> Here's the relevant information from the wiki:
>>>
>>> Solution 1: Use an HTTP proxy
>>>
>>> This solution is really easy to implement and is bandwidth efficient. Install a proxy server (i.e. squid) and then tell your freshclam clients to use it. This can be done by setting the HTTPProxyServer parameter in freshclam.conf (see man 5 freshclam.conf for the details).
>>>
>>> Solution 2: Serve .cvd files from a local web server
>>>
>>> This solution is really simple to implement but it's only effective if your clients are all on the same local network and bandwidth is not an issue for you. Configure a local webserver on one of your machines (say machine1.mylan) and let freshclam download the *.cvd files from http://database.clamav.net to the webserver's DocumentRoot. Add this line to freshclam.conf on machine1.mylan:
>>>
>>> ScriptedUpdates off
>>>
>>> First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it. For this to work you have to change freshclam.conf on your clients so that it reads:
>>>
>>> DatabaseMirror machine1.mylan
>>> ScriptedUpdates off
>>>
>>> -- Nigel Houghton
>>> Head Mentalist, Time Lord
>>> SF VRT Department of Intelligence Excellence
>>> http://vrt-blog.snort.org/ http://labs.snort.org/
Re: [clamav-users] Clam virus database for test purposes
You can create a file called test.ndb and add the following lines to it:

Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
Eicar-Test-Signature-1:0:*:574456504956416c51454651577a5263554670594e54516f554634704e304e444b5464394a45564a513046534c564e555155354551564a454c55464f56456c5753564a565579315552564e550a4c555a4a544555684a45677253436f3d0a

Then run clamscan against that database file:

kpyke@vrt-dev-01:~$ clamscan --database=./test.ndb eicar.com
eicar.com: Eicar-Test-Signature.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 2
Engine version: 0.97.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

Let me know if that doesn't answer your question.

Matt

On Mon, Jul 2, 2012 at 6:24 AM, Wojciech Michalak wojciech.micha...@nask.pl wrote:
> Hello,
>
> I was wondering if you could release (or point me to if one exists) a set of cvd files which would contain only the eicar test samples?
>
> When developing software I was hoping to refrain from having to commit/host the whole current virus database. Checkout/download becomes cumbersome when running software deployment tests. I tried searching both the web and the mailing list, but didn't find anything useful.
>
> I was hoping to have a set of files that I could place in /var/lib/clamav which would be sufficient for starting /etc/init.d/clamav-daemon and running tests with the eicar sample.
>
> Kind regards,
> Wojciech Michalak
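What the two test.ndb lines above will and will not match, shown with a simplified model of the extended signature fields (name, target type, offset, hex body). This is an added example, not libclamav code and not from the thread; it handles plain hex bodies and only the offset forms `*`, `n` and `EOF-n`, and the function names and sample buffers are assumptions constructed for illustration.

```python
"""Added example: simplified model of ClamAV extended (.ndb) signature matching.

Not libclamav code. Only plain hex bodies and the offsets '*', 'n' and 'EOF-n'
are modelled; wildcards and other offset forms are rejected.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# The two signature lines from the message above, verbatim.
TEST_NDB = """\
Eicar-Test-Signature:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
Eicar-Test-Signature-1:0:*:574456504956416c51454651577a5263554670594e54516f554634704e304e444b5464394a45564a513046534c564e555155354551564a454c55464f56456c5753564a565579315552564e550a4c555a4a544555684a45677253436f3d0a
"""

_OFFSET_RE = re.compile(r"^(\*|\d+|EOF-\d+)$")


@dataclass(frozen=True)
class NdbSignature:
    name: str
    target_type: int   # 0 means "any file type"
    offset: str        # '*', absolute 'n', or 'EOF-n'
    pattern: bytes


def parse_ndb_line(line: str) -> NdbSignature:
    """Parse one Name:TargetType:Offset:HexSignature line."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, hexsig = fields[:4]
    if not name or not target.isdigit():
        raise ValueError("bad name or target type")
    if not _OFFSET_RE.match(offset):
        raise ValueError(f"offset form not modelled here: {offset!r}")
    try:
        pattern = bytes.fromhex(hexsig)
    except ValueError:
        raise ValueError("only plain hex bodies are modelled here") from None
    if not pattern:
        raise ValueError("empty signature body")
    return NdbSignature(name, int(target), offset, pattern)


def parse_ndb(text: str) -> List[NdbSignature]:
    return [parse_ndb_line(l) for l in text.splitlines() if l.strip()]


def match_at(sig: NdbSignature, data: bytes) -> Optional[int]:
    """Offset in data where sig matches, or None."""
    if sig.offset == "*":                       # anywhere in the file
        pos = data.find(sig.pattern)
        return pos if pos >= 0 else None
    if sig.offset.startswith("EOF-"):           # counted back from end of file
        start = len(data) - int(sig.offset[4:])
    else:                                       # absolute offset from the start
        start = int(sig.offset)
    end = start + len(sig.pattern)
    if start < 0 or end > len(data):
        return None
    return start if data[start:end] == sig.pattern else None


def scan(data: bytes, sigs: List[NdbSignature]) -> List[str]:
    """Names of every matching signature, in clamscan's '.UNOFFICIAL' style."""
    return [f"{s.name}.UNOFFICIAL" for s in sigs if match_at(s, data) is not None]


def demo() -> dict:
    sigs = parse_ndb(TEST_NDB)
    raw = sigs[0].pattern                       # constructed: the test file itself
    shifted = b"\r\n" + raw                     # constructed: same bytes, moved off offset 0
    encoded = (b"Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.encodebytes(raw))       # constructed: base64 body, 76-char lines
    return {"raw": scan(raw, sigs),
            "shifted": scan(shifted, sigs),
            "encoded": scan(encoded, sigs)}


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names or 'OK'}")
```

The `shifted` case comes back clean: with only these two signatures loaded, a test file that has picked up leading bytes is not detected, which matters when this database is used for deployment tests.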
Re: [clamav-users] current version
Thanks Florian, I'll kick this over to the ops team to make sure it gets updated.

On Wed, Jun 20, 2012 at 1:02 AM, sys...@ra-schaal.de sys...@ra-schaal.de wrote:
> could you please update your dns?
> sometimes host -t txt current.cvd.clamav.net reports 0.97.4
>
> regards
> florian
Re: [clamav-users] Help to download ClamAV 0.97.5
We're having some trouble with our freshmeat account. You can download the latest here, until we get it fixed up:

https://sourceforge.net/projects/clamav/files/

On Thu, Jun 14, 2012 at 10:07 PM, Michael Wu chmichae...@gmail.com wrote:
> Hello,
>
> We try to download ClamAV 0.97.5 from http://www.clamav.net/lang/en/download/sources/ , but only get the download clamav-0.97.4.tar.gz. Please help to check if the file is not updated. Thank you.
>
> Regards,
> Michael
Re: [clamav-users] ClamAV 0.97.5 download
We're having some trouble with our freshmeat account. You can download the latest here, until we get it fixed up:

https://sourceforge.net/projects/clamav/files/

On Thu, Jun 14, 2012 at 4:04 PM, Bowie Bailey bowie_bai...@buc.com wrote:
> I see that the text on the download page of the website has changed to 0.97.5, but the link still goes to an 0.97.4 download file.
>
> -- Bowie
Re: [clamav-users] WARNING: Your ClamAV installation is OUTDATED!
Bill,

Can you submit a sample or two here: http://cgi.clamav.net/sendvirus.cgi

So we can look at it?

Thanks,
Matt

On Fri, Jun 15, 2012 at 1:40 AM, Bill Maidment b...@maidment.vu wrote:
> I've updated to clamav-0.97.5 and now I'm getting lots of rejections like
> Clamd returned error: CL_EFORMAT: Bad format or broken data
> I've had to revert to 0.97.4 for now.
> Did I miss some crucial upgrade info?
>
> Regards
> Bill Maidment
> Maidment Enterprises Pty Ltd
>
> -Original message-
> From: Bill Landry b...@inetmsg.com
> Sent: Thursday 14th June 2012 9:47
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] WARNING: Your ClamAV installation is OUTDATED!
>
>> I've been seeing these notifications for the past few hours:
>>
>> WARNING: Your ClamAV installation is OUTDATED!
>> WARNING: Local version: 0.97.4 Recommended version: 0.97.5
>>
>> but the download link at clamav.net still shows:
>>
>> Latest stable release: ClamAV 0.97.4 (signature – ChangeLog)
>>
>> When will the new release be available for download?
>>
>> Thanks,
>> Bill
Re: [clamav-users] Help to download ClamAV 0.97.5
On Fri, Jun 15, 2012 at 9:46 AM, Brian Morrison b...@fenrir.org.uk wrote:
> On Fri, 15 Jun 2012 09:13:30 -0400 Matt Olney mol...@sourcefire.com wrote:
>> We're having some trouble with our freshmeat account. You can download the latest here, until we get it fixed up:
>>
>> https://sourceforge.net/projects/clamav/files/
>
> The download is 14MB odd, previous versions have been 48MB and when I run my rpm build script it tells me that the main and daily cvd files are missing.
>
> -- Brian Morrison

Brian,

It looks like our new build system doesn't bundle the .cvds. More accurately it ships 0-length main and daily cvds. For now you can, of course, run freshclam to pick up the signature files. We'll revisit the desired behavior (with or without cvds) and adjust our build process accordingly. Since you brought it up, do you have a preference or use-case that supports one behavior or the other?

Matt
Re: [clamav-users] Latest Clam PGP key?
A,

On this release, one of the changes you will notice is that the signing key is now the Sourcefire VRT key which can be found here: http://labs.snort.org/contact.html

This key can also be imported via the M.I.T. key server using the key id 15497F03. The key fingerprint is 9851 AE1B 3C52 0073 86DC 9F25 681A 2A64 1549 7F03.

Matt

On Fri, Jun 15, 2012 at 12:04 PM, A J Thew aj.t...@gmail.com wrote:
> Hi, what key is the 0.97.5 package signed with? I had the previous key on my gpg keyring.
>
> Thanks
> A Thew
[clamav-users] Known issue -- LZX compression
All,

We wanted to bring to your attention an issue that we have been made aware of in ClamAV 0.97.5. As part of this release, we tightened the malformed compression checks in LZX compressed files. CAB, CHM and Install Shield file formats may use this compression. In previous versions of ClamAV, these files would be passed as OK when the decompression failed. ClamAV 0.97.5 will respond with a CL_EFORMAT error instead.

In some environments, this level of checking may be inappropriate. We are currently reviewing the situation and evaluating what, if any, changes are appropriate. A bug has been created so you can follow our work: https://bugzilla.clamav.net/show_bug.cgi?id=5252

If you have any questions, please let us know.

Matthew Olney
Sourcefire VRT / ClamAV Team
Re: [clamav-users] WARNING: Your ClamAV installation is OUTDATED!
0.97.5 is now available on Sourceforge. The outbound synchronization process for the new build is ongoing and should be complete today. Once it is complete the standard notifications will go out.

Sorry for any confusion.

Matthew Olney
Sourcefire VRT
ClamAV Team

On Wed, Jun 13, 2012 at 7:38 PM, Bill Landry b...@inetmsg.com wrote:
> I've been seeing these notifications for the past few hours:
>
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.97.4 Recommended version: 0.97.5
>
> but the download link at clamav.net still shows:
>
> Latest stable release: ClamAV 0.97.4 (signature – ChangeLog)
>
> When will the new release be available for download?
>
> Thanks,
> Bill
Re: [clamav-users] Deprecation of Basic signature format
Nathan,

There are no current plans to remove support for that signature format. However, you should investigate the alternate formats in case that changes in a future version of ClamAV. In particular look at the .hdb format that matches both size and MD5.

Matt

On Wed, Jun 13, 2012 at 12:29 PM, ng seclists ngsecli...@gmail.com wrote:
> Folks,
>
> I see that in the signatures documentation that Basic signature format is now deprecated. Using Clam 0.97.4, this .db format is still working. Will support for this format ever be dropped or can I continue to create signatures using this format indefinitely without consequence?
>
> Thanks!
> Nathan G.
Re: [clamav-users] Massive bugzilla notifications
Nope, no problem. We have some new developers on board and we're doing some administrative stuff on the back end.

Matt

On Wed, Jun 13, 2012 at 11:55 AM, Gianluigi Tiesi sher...@netfarm.it wrote:
> Hi,
> I'm receiving a lot of bugzilla emails from clamav bugzilla, bugs are rather old, there is some problem?
>
> Regards
>
> -- Gianluigi Tiesi sher...@netfarm.it
> EDP Project Leader
> Netfarm S.r.l. - http://www.netfarm.it/
> Free Software: http://oss.netfarm.it/
>
> Q: Because it reverses the logical flow of conversation.
> A: Why is putting a reply at the top of the message frowned upon?
Re: [clamav-users] Identifying all infections in a file...
Maarten,

There currently isn't a way to do this. We could look at doing that in a future release. Feel free to put a bug in https://bugzilla.clamav.net/ and we'll consider it.

Thanks,
Matthew Olney
Sourcefire VRT

On Thu, Jun 7, 2012 at 3:36 PM, Maarten Broekman mbroek...@maileig.com wrote:
> Is there any way to get a list of all the signatures that match a file with multiple infections?
>
> For example, I have a file that's been infected with both PHP and JavaScript code (or even multiple, different, PHP code blocks), how would I be able to get all the signatures that match?
>
> My primary interest in this is making sure I have signatures that cover all the infections since they can appear together as well as singularly.
>
> --Maarten