[clamav-users] ClamAV 1.4.0 release candidate now available!

2024-05-07 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at: 
https://blog.clamav.net/2024/05/clamav-140-release-candidate-now.html


The ClamAV 1.4.0 release candidate is now available.
You may find the source code and installers for this release on the clamav.net/downloads page or the ClamAV GitHub release page.
Tip: If you are downloading the source from the GitHub release page, the 
package labeled "clamav-1.4.0-rc.tar.gz" does not require an internet 
connection to build. All dependencies are included in this package.  But if you 
download the ZIP or TAR.GZ generated by GitHub, located at the very bottom, 
then an internet connection will be required during the build to download 
additional Rust dependencies.
For Docker users, there is no specific Docker tag for the release candidate, 
but you can use the clamav:unstable or clamav:unstable_base tags.
The release candidate phase is expected to last two to three weeks before we 
publish the stable release or a second release candidate. Please take this time 
to evaluate ClamAV 1.4.0.
Please help us validate this release by providing feedback via the ClamAV 
mailing list or on our 
Discord.
ClamAV 1.4.0 includes the following improvements and changes:
Major changes

  * Added support for extracting ALZ archives. The new ClamAV file type for ALZ 
    archives is CL_TYPE_ALZ. Added a DCONF option to enable or disable ALZ 
    archive support.
    Tip: DCONF (Dynamic CONFiguration) is a feature that allows for some 
    configuration changes to be made via ClamAV .cfg "signatures".
    GitHub pull request
  * Added support for extracting LHA/LZH archives. The new ClamAV file type for 
    LHA/LZH archives is CL_TYPE_LHA_LZH. Added a DCONF option to enable or 
    disable LHA/LZH archive support.
    GitHub pull request
  * Added the ability to disable image fuzzy hashing, if needed. For context, 
    image fuzzy hashing is a detection mechanism useful for identifying malware 
    by matching images included with the malware or phishing email/document.

    New ClamScan options:

      --scan-image[=yes(*)/no]
      --scan-image-fuzzy-hash[=yes(*)/no]

    New ClamD config options:

      ScanImage yes(*)/no
      ScanImageFuzzyHash yes(*)/no

    New libclamav scan options:

      options.parse &= ~CL_SCAN_PARSE_IMAGE;
      options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;

    Added a DCONF option to enable or disable image fuzzy hashing support.
    GitHub pull request

Other improvements

  * Added cross-compiling instructions for targeting ARM64/aarch64 processors 
    for Windows and Linux.
    GitHub pull request
  * Improved the Freshclam warning messages when being blocked or rate limited 
    so as to include the Cloudflare Ray ID, which helps with issue triage.
    GitHub pull request
  * Removed unnecessary memory allocation checks when the size to be allocated 
    is fixed or comes from a trusted source. We also renamed internal memory 
    allocation functions and macros, so it is more obvious what each function 
    does.
    GitHub pull request
  * Improved the Freshclam documentation to make it clear that the --datadir 
    option must be an absolute path to a directory that already exists, is 
    writable by Freshclam, and is readable by ClamScan and ClamD.
    GitHub pull request
  * Added an optimization to avoid calculating the file hash if the clean file 
    cache has been disabled. The file hash may still be calculated as needed to 
    perform hash-based signature matching if any hash-based signatures exist 
    that target a file of the same size, or if any hash-based signatures exist 
    that target "any" file size.
    GitHub pull request
  * Added an improvement to the SystemD service file for ClamOnAcc so that the 
    service will shut down faster on some systems.
    GitHub pull request

Bug fixes

  * Silenced a confusing warning message when scanning some HTML files.
    GitHub pull request
  * Fixed minor compiler warnings.
    GitHub pull request
  * Since the build system changed 
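Worked example for the "avoid calculating the file hash" item under "Other improvements" above. This is an added illustration, not ClamAV code: it indexes hash signatures by the file size they apply to and only computes the digest when a signature could match, which is the rule the release note describes. The three .hdb lines are constructed for this example (the EICAR line uses the published EICAR MD5 and its 68-byte length; the other two digests are made up), but the line layout, MD5:FileSize:MalwareName with '*' for any size, is ClamAV's .hdb format.

```python
"""Size-indexed hash signatures: when does a scanner need to hash the file?

Added example, not ClamAV code. Signature lines below are constructed.
"""
import hashlib
from collections import defaultdict

# The standard EICAR test string (68 bytes); its MD5 is the published value used below.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed database with only fixed-size entries.
SIZED_HDB = """\
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
0123456789abcdef0123456789abcdef:4096:Example.Sized.Sig
"""
# Constructed any-size entry; appending it forces hashing of every file.
WILDCARD_LINE = "fedcba9876543210fedcba9876543210:*:Example.AnySize.Sig\n"


class HashSignatureIndex:
    """Hash signatures bucketed by the file size they apply to."""

    def __init__(self, hdb_text):
        self.by_size = defaultdict(dict)  # file size -> {md5 hex: name}
        self.any_size = {}                # md5 hex -> name (size '*')
        for line in hdb_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, size, name = line.split(":")[:3]
            digest = digest.lower()
            if size == "*":
                self.any_size[digest] = name
            else:
                self.by_size[int(size)][digest] = name

    def hash_needed(self, file_size, clean_cache_enabled):
        """The 1.4.0 rule: with the clean-file cache on, the hash is always
        computed (it is the cache key); with it off, hash only if some
        signature could match a file of exactly this size, or any size."""
        if clean_cache_enabled:
            return True
        return bool(self.any_size) or file_size in self.by_size

    def scan(self, data, clean_cache_enabled=False):
        """Return (hash_was_computed, detection_name_or_None)."""
        size = len(data)
        if not self.hash_needed(size, clean_cache_enabled):
            return False, None
        digest = hashlib.md5(data).hexdigest()
        name = self.by_size.get(size, {}).get(digest) or self.any_size.get(digest)
        return True, name


if __name__ == "__main__":
    idx = HashSignatureIndex(SIZED_HDB)
    print(idx.scan(EICAR))        # (True, 'Eicar-Test-Signature')
    print(idx.scan(b"A" * 100))   # (False, None): no signature targets 100 bytes
    idx = HashSignatureIndex(SIZED_HDB + WILDCARD_LINE)
    print(idx.scan(b"A" * 100))   # (True, None): the '*' entry forces the hash
```

The practical consequence is the one the release note implies: a single any-size hash signature in the database cancels the optimization for every file, so the saving only materializes when the loaded hash signatures all carry explicit sizes.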

Re: [clamav-users] Are the Clam AV community signature sets still being actively maintained by Cisco?

2024-04-17 Thread Micah Snyder (micasnyd) via clamav-users
Hi Richard,

Sorry about the delay on the reply.  Retirement of Immunet had no impact on 
ClamAV CVD signatures.  We still create new detections and publish daily 
updates.

Immunet was a sort of testing ground for Cisco Secure Endpoint - specifically 
for Windows, but without the enterprise features or administrative dashboard. 
It suffered from lack of support for users. And without the dashboard it was 
not a good showcase for Secure Endpoint. It was for the best to discontinue 
Immunet.

Secure Endpoint is still an active Cisco product and it's really good.

Cheers,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Richard 
Savage via clamav-users 
Sent: Thursday, April 11, 2024 6:42 AM
To: clamav-users@lists.clamav.net 
Cc: Richard Savage 
Subject: [clamav-users] Are the Clam AV community signature sets still being 
actively maintained by Cisco?


Hello

Since the retirement of Immunet in early 2024, has maintenance of Clam AV CVD 
signature files by Cisco TALOS been impacted? Are the Clam AV community 
signature sets still being actively maintained by Cisco?

Thanks in advance


___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


[clamav-users] ClamAV 1.3.1, 1.2.3, 1.0.6 patch versions published

2024-04-17 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at: 
https://blog.clamav.net/2024/04/clamav-131-123-106-patch-versions.html




Today, we are publishing the 1.3.1, 1.2.3, and 1.0.6 security patch versions.

The release files for the patch versions are available for download on the 
ClamAV downloads page, on the GitHub Release 
page, and through Docker 
Hub.

The images on Docker Hub may not be immediately available on release day.

Continue reading to learn what changed in each version.

1.3.1

ClamAV 1.3.1 is a critical patch release with the following fixes:

  *   
CVE-2024-20380: 
Fixed a possible crash in the HTML file parser that could cause a 
denial-of-service (DoS) condition.

This issue affects version 1.3.0 only and does not affect prior versions.

Thank you to Błażej Pawłowski for identifying this issue.

 *   GitHub pull request
  *   Updated select Rust dependencies to the latest versions. This resolved 
Cargo audit complaints and included PNG parser bug fixes.

 *   GitHub pull request
  *   Fixed a bug causing some text to be truncated when converting from UTF-16.

 *   GitHub pull request
  *   Fixed assorted complaints identified by Coverity static analysis.

 *   GitHub pull request
  *   Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam 
config option to be pruned and then re-downloaded with every update.

 *   GitHub pull request
  *   Added the new 'valhalla' database name to the list of optional databases 
in preparation for future work.

 *   GitHub pull request
  *   Added symbols to the libclamav.map file to enable additional build 
configurations.

Patch courtesy of Neil Wilson.

 *   GitHub pull request

1.2.3

ClamAV 1.2.3 is a critical patch release with the following fixes:

  *   Updated select Rust dependencies to the latest versions. This resolved 
Cargo audit complaints and included PNG parser bug fixes.

 *   GitHub pull request
  *   Fixed a bug causing some text to be truncated when converting from UTF-16.

 *   GitHub pull request
  *   Fixed assorted complaints identified by Coverity static analysis.

 *   GitHub pull request
  *   Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam 
config option to be pruned and then re-downloaded with every update.

 *   GitHub pull request
  *   Added the new 'valhalla' database name to the list of optional databases 
in preparation for future work.

 *   GitHub pull request
  *   Silenced a warning "Unexpected early end-of-file" that occurred when 
scanning some PNG files.

 *   GitHub pull request

1.0.6

ClamAV 1.0.6 is a critical patch release with the following fixes:

  *   Updated select Rust dependencies to the latest versions. This resolved 
Cargo audit complaints and included PNG parser bug fixes.

 *   GitHub pull request
  *   Fixed a bug causing some text to be truncated when converting from UTF-16.

 *   GitHub pull request
  *   Fixed assorted complaints identified by Coverity static analysis.

 *   GitHub pull request
  *   Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam 
config option to be pruned and then re-downloaded with every update.

 *   GitHub pull request
  *   Added the new 'valhalla' database name to the list of optional databases 
in preparation for future work.

 *   GitHub pull request
  *   Silenced a warning "Unexpected early end-of-file" that occurred when 
scanning some PNG files.

 *   GitHub pull request





Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] Unable to download daily.cvd after upgrade to RHEL 8

2024-03-07 Thread Micah Snyder (micasnyd) via clamav-users
According to our Cloudflare log for CF-RAY: 860d52e20d2136c2-YYZ, you're using 
wget.  I completely missed that from your initial email that you were testing 
with wget after the download failure.  Sorry about that.

You must use freshclam from a supported version of ClamAV, or else use 
CVDUpdate.  We block all other software to prevent excessive downloads.  
freshclam comes with ClamAV, so that shouldn't be a difficult ask.  CVDUpdate 
is also easy to install and is primarily provided for folks who need to host a 
private database update server (mirror).  More details here: 
https://docs.clamav.net/faq/faq-freshclam.html#http-error-codes

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of John 
Paul Guay via clamav-users 
Sent: Thursday, March 7, 2024 3:38 PM
To: ClamAV users ML 
Cc: John Paul Guay 
Subject: Re: [clamav-users] Unable to download daily.cvd after upgrade to RHEL 8

Hi Micah,

Here’s the output you requested. Let me know if you require any more information.
___


Proxy request sent, awaiting response...
---response begin---
HTTP/1.1 403 Forbidden
Date: Thu, 07 Mar 2024 20:27:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Thu, 07 Mar 2024 20:27:15 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 860d52e20d2136c2-YYZ
Connection: keep-alive
Set-Cookie: __cf_bm=8o9Hb87idaC8xpij0R4xZRG9WqRYEBHVILTongzCv74-1709843220-1.0.1.1-Q0OQ6No68PXQfGlECq97wLXsjdx8pT2z5y63XiSVNKGwes07ndBgODPddF55.Q0rustRtsVRRRuXYaA4iGs4WQ; path=/; expires=Thu, 07-Mar-24 20:57:00 GMT; domain=.clamav.net; HttpOnly; SameSite=None
---response end---
403 Forbidden
cdm: 1

___

Thanks,
John

On Thu, Mar 7, 2024 at 3:20 PM Micah Snyder (micasnyd) via clamav-users 
<clamav-users@lists.clamav.net> wrote:
It feels like the proxy may not be forwarding freshclam's HTTP User-Agent 
header.  We use that header to block unsupported software (like curl, wget, 
firefox, chrome, etc) from downloading the database files.  I don't know why 
that would change with just an in-place upgrade of the system to RHEL 8, 
however.

John, if you can get the HTTP "cf-ray" header value from the HTTP 403 response 
to the proxy, our Cloudflare admin can look for the firewall event logs in 
Cloudflare to confirm the reason for the 403 response.

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Joel 
Esler via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, March 7, 2024 2:44 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Joel Esler <joel.es...@me.com>
Subject: Re: [clamav-users] Unable to download daily.cvd after upgrade to RHEL 8

Looks like you’re trying to connect through a proxy.  Not directly.
—
Sent from my iPhone

On Mar 7, 2024, at 13:34, John Paul Guay via clamav-users 
<clamav-users@lists.clamav.net> wrote:


Hello,

We have performed an In-Place upgrade to RHEL 8 on our system that ClamAV 
resides on and afterwards we are no longer able to download the daily.cvd.

Just a little history. The system is in a lab behind a corporate proxy and it 
requires proxy rules to be able to reach database.clamav.net and clamav.net. 
Prior to the upgrade there were no issues in downloading the signatures on an 
hourly basis. We have verified that the rules on the proxy are still valid and 
the system is able to reach the proxy but it seems like it’s being blocked at 
database.clamav.net.

I’ve included some output below:


Thu Mar  7 11:52:47 2024 -> WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Thu Mar  7 11:52:47 2024 -> Trying again in 5 secs...
Thu Mar  7 11:52:52 2024 -> daily database available for update (local version: 27075, remote version: 27207)
Thu Mar  7 11:52:52 2024 -> ERROR: Download failed (35)
Thu Mar  7 11:52:52 2024 -> ERROR:  Message: SSL connect error
Thu Mar  7 11:52:52 2024 -> ERROR: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Thu Mar  7 11:52:52 2024 -> Giving up on https://database.clamav.net...
Thu Mar  7 11:52:52 2024 -> ERROR: Update failed for database: daily
Thu Mar  7 11:52:52 2024 -> ERROR: Database update process failed: Connection failed
Thu Mar  7 11:52:52 2024 -> ERROR: Update failed.
Thu Mar  7 11:52:52 2024 -> --
Thu Mar  7 11:53:06 2024 -> Update process terminated

Thu Mar  7 11:53:08
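The thread above turns on two pieces of evidence: the CF-RAY id in the 403 response (which the ClamAV team uses to look up the Cloudflare firewall event) and the libcurl error number in the freshclam log. The following is an added triage helper, not ClamAV code: it parses a raw HTTP response such as the wget transcript John posted and pulls out the status and CF-RAY header, and it pairs each "Download failed (N)" line in a freshclam log with its "Message:" line, where N is the libcurl result code (35 is CURLE_SSL_CONNECT_ERROR, matching the "SSL connect error" text in the posted log). SAMPLE_RESPONSE is the posted response with the long __cf_bm cookie value shortened; SAMPLE_LOG is copied from the posted freshclam output. The "edge vs. proxy" hint is a heuristic on the Server header chosen for this example, not something ClamAV or Cloudflare document.

```python
"""Triage a freshclam download failure behind a proxy.

Added example, not ClamAV code. Sample data is taken from the thread
(cookie value shortened); the edge/proxy hint is a heuristic.
"""
import re

SAMPLE_RESPONSE = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Thu, 07 Mar 2024 20:27:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 860d52e20d2136c2-YYZ\r\n"
    "Set-Cookie: __cf_bm=SHORTENED; path=/; expires=Thu, 07-Mar-24 20:57:00 GMT;"
    " domain=.clamav.net; HttpOnly; SameSite=None\r\n"
    "\r\n"
    "<html>blocked</html>"
)

SAMPLE_LOG = [
    "Thu Mar  7 11:52:52 2024 -> ERROR: Download failed (35)",
    "Thu Mar  7 11:52:52 2024 -> ERROR:  Message: SSL connect error",
    "Thu Mar  7 11:52:52 2024 -> ERROR: Can't download daily.cvd from https://database.clamav.net/daily.cvd",
]

# A few libcurl result codes that commonly appear in freshclam logs.
CURL_CODES = {
    7: "CURLE_COULDNT_CONNECT",
    22: "CURLE_HTTP_RETURNED_ERROR",
    28: "CURLE_OPERATION_TIMEDOUT",
    35: "CURLE_SSL_CONNECT_ERROR",
    56: "CURLE_RECV_ERROR",
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into status, headers (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(status), "reason": reason, "headers": headers, "body": body}


def triage(raw):
    """Return the CF-RAY id and a hint about where a 403 was produced."""
    resp = parse_response(raw)
    cf_ray = resp["headers"].get("cf-ray")
    from_edge = resp["headers"].get("server", "").lower() == "cloudflare"
    if resp["status"] == 403 and from_edge and cf_ray:
        # The proxy reached Cloudflare and relayed its answer: the block is at the edge.
        hint = ("403 produced at the Cloudflare edge; check that the proxy forwards "
                "freshclam's User-Agent unchanged and quote CF-RAY " + cf_ray +
                " when asking the ClamAV team")
    elif resp["status"] == 403:
        hint = "403 without Cloudflare headers: produced by the proxy itself; check its ACL"
    else:
        hint = "no 403"
    return {"status": resp["status"], "cf_ray": cf_ray, "hint": hint}


FAILED_RE = re.compile(r"(?:ERROR|WARNING): Download failed \((\d+)\)")
MESSAGE_RE = re.compile(r"(?:ERROR|WARNING):\s+Message: (.+)$")


def classify_freshclam_lines(lines):
    """Return (curl_code, curl_name, message) for every failure in a freshclam log."""
    results, pending = [], None
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            pending = int(m.group(1))
            continue
        m = MESSAGE_RE.search(line)
        if m and pending is not None:
            results.append((pending, CURL_CODES.get(pending, "unknown"), m.group(1).strip()))
            pending = None
    return results


if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSE))
    print(classify_freshclam_lines(SAMPLE_LOG))
```

Note that the two symptoms in the thread are different: freshclam's "Download failed (35)" means the TLS handshake through the proxy never completed, while wget's 403 came back from Cloudflare with a CF-RAY header. The helper keeps them separate so that the proxy's TLS handling and the User-Agent forwarding can be checked independently.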

Re: [clamav-users] Unable to download daily.cvd after upgrade to RHEL 8

2024-03-07 Thread Micah Snyder (micasnyd) via clamav-users
It feels like the proxy may not be forwarding freshclam's HTTP User-Agent 
header.  We use that header to block unsupported software (like curl, wget, 
firefox, chrome, etc) from downloading the database files.  I don't know why 
that would change with just an in-place upgrade of the system to RHEL 8, 
however.

John, if you can get the HTTP "cf-ray" header value from the HTTP 403 response 
to the proxy, our Cloudflare admin can look for the firewall event logs in 
Cloudflare to confirm the reason for the 403 response.

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Joel 
Esler via clamav-users 
Sent: Thursday, March 7, 2024 2:44 PM
To: ClamAV users ML 
Cc: Joel Esler 
Subject: Re: [clamav-users] Unable to download daily.cvd after upgrade to RHEL 8

Looks like you’re trying to connect through a proxy.  Not directly.
—
Sent from my iPhone

On Mar 7, 2024, at 13:34, John Paul Guay via clamav-users 
 wrote:


Hello,

We have performed an In-Place upgrade to RHEL 8 on our system that ClamAV 
resides on and afterwards we are no longer able to download the daily.cvd.

Just a little history. The system is in a lab behind a corporate proxy and it 
requires proxy rules to be able to reach 
database.clamav.net and 
clamav.net. Prior to the upgrade there were no issues in 
downloading the signatures on an hourly basis. We have verified that the rules 
on the proxy are still valid and the system is able to reach the proxy but it 
seems like it’s being blocked at 
database.clamav.net.

I’ve included some output below:


Thu Mar  7 11:52:47 2024 -> WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Thu Mar  7 11:52:47 2024 -> Trying again in 5 secs...
Thu Mar  7 11:52:52 2024 -> daily database available for update (local version: 27075, remote version: 27207)
Thu Mar  7 11:52:52 2024 -> ERROR: Download failed (35)
Thu Mar  7 11:52:52 2024 -> ERROR:  Message: SSL connect error
Thu Mar  7 11:52:52 2024 -> ERROR: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Thu Mar  7 11:52:52 2024 -> Giving up on https://database.clamav.net...
Thu Mar  7 11:52:52 2024 -> ERROR: Update failed for database: daily
Thu Mar  7 11:52:52 2024 -> ERROR: Database update process failed: Connection failed
Thu Mar  7 11:52:52 2024 -> ERROR: Update failed.
Thu Mar  7 11:52:52 2024 -> --
Thu Mar  7 11:53:06 2024 -> Update process terminated
Thu Mar  7 11:53:08 2024 -> --
Thu Mar  7 11:53:08 2024 -> ClamAV update process started at Thu Mar  7 11:53:08 2024
Thu Mar  7 11:53:08 2024 -> daily database available for update (local version: 27075, remote version: 27207)
Thu Mar  7 11:53:08 2024 -> WARNING: Download failed (35)
Thu Mar  7 11:53:08 2024 -> WARNING:  Message: SSL connect error



[root@seti026 ~]# wget http://database.clamav.net/
URL transformed to HTTPS due to an HSTS policy
--2024-03-07 13:26:55--  https://database.clamav.net/
Resolving proxy.x.xxx-xxx.net (proxy.x.xxx-xxx.net)... 7.xx.xx.xx
Connecting to proxy.x.xxx-xxx.net (proxy.x.xxx-xxx.net)|7.xx.xx.xx|:8080... connected.
Proxy request sent, awaiting response... 403 Forbidden
2024-03-07 13:26:55 ERROR 403: Forbidden.

Let me know if you require anything else.

Thanks,
John



Re: [clamav-users] Software version from DNS: 0.103.11, but version is 1.3.0?

2024-03-07 Thread Micah Snyder (micasnyd) via clamav-users
The "Software version from DNS" is intended to display the most recent patch 
version.  If it is higher than your current version, you get a very loud 
warning recommending an upgrade.

Since we changed our end-of-life policy and introduced LTS versions, we've 
decided to have the version from DNS set to most recent security patch version 
for the oldest supported release. So right now, that's 0.103.11.

In the future, I would like to store the latest versions for every release in 
the DNS TXT record, and then have it show you the most recent patch version for 
your release.  Or if your release is no longer supported, I'd like to have it 
present you with a list of supported versions and recommend an upgrade.

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
energynorman--- via clamav-users 
Sent: Thursday, March 7, 2024 12:19 PM
To: Matus UHLAR - fantomas via clamav-users 
Cc: energynor...@gmail.com 
Subject: Re: [clamav-users] Software version from DNS: 0.103.11, but version is 
1.3.0?

Thanks for your answer. And, no we do not have any further version
installed. This happens on several systems.

Therefore our question.

Here is our research:


sudo dpkg -l | grep clam
ii  clamav 1.3.0-1 amd64 ClamAV open source email, web, and end-point anti-virus toolkit.

sudo which clamd
/usr/local/sbin/clamd

sudo /usr/local/sbin/clamd --version
ClamAV 1.3.0/27207/Thu Mar  7 10:27:12 2024

which freshclam
/usr/local/bin/freshclam

sudo /usr/local/bin/freshclam --version
ClamAV 1.3.0/27207/Thu Mar  7 10:27:12 2024

sudo systemctl status clamav-daemon.service
● clamav-daemon.service
     Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-03-07 18:15:04 CET; 1s ago
   Main PID: 151696 (clamd)
      Tasks: 1 (limit: 9304)
     Memory: 285.7M
        CPU: 1.435s
     CGroup: /system.slice/clamav-daemon.service
             └─151696 /usr/local/sbin/clamd --foreground=true -l /var/log/clamav/clamav.log

sudo systemctl status clam-freshclam
● clam-freshclam.service - freshclam scanner
     Loaded: loaded (/lib/systemd/system/clam-freshclam.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-03-07 05:32:57 CET; 12h ago
    Process: 1200 ExecStart=/usr/local/bin/freshclam -d -c 4 -l /var/log/clamav/freshclam.log (code=exited, status=0/SUCCESS)
   Main PID: 1364 (freshclam)
      Tasks: 1 (limit: 9304)
     Memory: 64.6M
        CPU: 8.192s
     CGroup: /system.slice/clam-freshclam.service
             └─1364 /usr/local/bin/freshclam -d -c 4 -l /var/log/clamav/freshclam.log


Your thinking was also our first thought, therefore we cleaned long time
before the systems with all old clamav progs.


Kind regards,


Norman



On 07.03.2024 at 15:48, Matus UHLAR - fantomas via clamav-users wrote:
> On 07.03.24 15:29, energynorman--- via clamav-users wrote:
>> hope all of you are well. I have a more cosmetic question. We used
>> the last clam versions all above 1.03, but in our eMail report we
>> still see:
>
>> Software version from DNS: 0.103.11
>
> 0.103.11 is the LTS version
>
>> Last ClamAV update process started at Wed Mar  6 23:48:42 2024
>> Last Status:
>>    Current working dir is /var/lib/clamav/
>>    Querying current.cvd.clamav.net
>>    TTL: 81
>>    fc_dns_query_update_info: Software version from DNS: 0.103.11
>>    Current working dir is /var/lib/clamav/
>>    check_for_new_database_version: Local copy of daily found: daily.cld.
>>    query_remote_database_version: daily.cvd version from DNS: 27206
>>    daily.cld database is up-to-date (version: 27206, sigs: 2054298, f-level: 90, builder: raynman)
>>    fc_update_database: daily.cld already up-to-date.
>>    Current working dir is /var/lib/clamav/
>>    check_for_new_database_version: Local copy of main found: main.cvd.
>>    query_remote_database_version: main.cvd version from DNS: 62
>>    main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
>>    fc_update_database: main.cvd already up-to-date.
>>    Current working dir is /var/lib/clamav/
>>    check_for_new_database_version: Local copy of bytecode found: bytecode.cld.
>>    query_remote_database_version: bytecode.cvd version from DNS: 335
>>    bytecode.cld database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
>>    fc_update_database: bytecode.cld already up-to-date.
>>
>>
>> we use 1.3.0:
>>
>> clamscan --version
>>
>> ClamAV 1.3.0/27207/Thu Mar  7 10:27:12 2024
>
> 1.3.0 is the newest version, not LTS.
>
>> Is there a reason for this?
>
> you may have multiple clamav versions installed on your system.
> Which you shouldn't have
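An added example for the "Software version from DNS" discussion above, and for the per-series patch releases announced earlier on this page (1.3.1, 1.2.3, 1.0.6). It is not freshclam's code. It reproduces the comparison Micah describes: the advertised version is the newest patch of the oldest supported series (0.103.11), so a 1.3.0 or 1.2.1 install never sees a warning, even when a newer patch exists for its own series; it then shows the per-series lookup Micah says he would like to have instead. SAMPLE_TXT is a constructed TXT record for current.cvd.clamav.net: a colon-separated list whose first field is the advertised software version and whose second and third fields are the main and daily database versions (the values match what the posted log printed); the remaining fields and the position of the bytecode version are assumptions made for this example. LATEST_BY_SERIES is likewise constructed from the patch versions named on this page.

```python
"""'Software version from DNS' as freshclam applies it today, and a per-series
variant. Added example, not freshclam's code; the record and table are
constructed (field positions after the third are assumptions).
"""

SAMPLE_TXT = "0.103.11:62:27206:1709812800:1:90:49192:335"

# Constructed: newest patch per supported release series, as of this page's announcements.
LATEST_BY_SERIES = {"0.103": "0.103.11", "1.0": "1.0.6", "1.2": "1.2.3", "1.3": "1.3.1"}


def parse_version(text):
    """'1.3.0' -> (1, 3, 0); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.strip().split("."))


def series_of(text):
    """Release series: '1.2.1' -> '1.2', '0.103.11' -> '0.103'."""
    return ".".join(text.split(".")[:2])


def parse_txt_record(txt):
    """Pick the fields used here out of the colon-separated TXT record."""
    fields = txt.split(":")
    return {
        "software": parse_version(fields[0]),
        "main": int(fields[1]),
        "daily": int(fields[2]),
        "bytecode": int(fields[7]),  # assumed position, see lead-in
    }


def dns_upgrade_warning(local_version, record):
    """Today's rule: warn only if the DNS-advertised version is newer than ours."""
    return parse_version(local_version) < record["software"]


def series_upgrade_check(local_version, latest_by_series):
    """Per-series rule: compare against the newest patch of our own series, or
    report the supported versions if our series is not listed."""
    latest = latest_by_series.get(series_of(local_version))
    if latest is None:
        return {
            "supported": False,
            "upgrade": True,
            "recommend": sorted(latest_by_series.values(), key=parse_version),
        }
    return {
        "supported": True,
        "upgrade": parse_version(local_version) < parse_version(latest),
        "recommend": latest,
    }


if __name__ == "__main__":
    rec = parse_txt_record(SAMPLE_TXT)
    for v in ("1.3.0", "1.2.1", "0.103.10", "0.105.2"):
        print(v, "dns warns:", dns_upgrade_warning(v, rec),
              "series check:", series_upgrade_check(v, LATEST_BY_SERIES))
```

The 1.2.1 case is the one worth noticing: under the current rule it gets no warning although 1.2.3 carries security fixes, which is exactly the gap the per-series lookup closes.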


Re: [clamav-users] Slow PDF Scanning pt 3.

2024-02-28 Thread Micah Snyder (micasnyd) via clamav-users
Hi Eric,

Thank you for the in-depth analysis of the PDF scanning speed issue.

We took a look at the bytecode (BC) signatures and considering the performance 
impact and value of the detections we decided to drop these signatures.  You 
should have seen them drop in yesterday's update to the bytecode.cvd database.  
I'm hopeful that this mostly resolves the concern regarding slow PDF scans.

With regards to your analysis of the PDF object dictionary parsing, I could use 
your help.  You mention that the state is not reset when looking for object 
dictionary keys which causes the ordering to matter.  You implied that this 
causes ClamAV's PDF parser to fail to extract (dump) some images.  We should 
fix it so that it will correctly extract every image, as image detection is 
very useful in identifying phishing documents and other malicious documents and 
emails.

If you have any specific recommendations for fixing this issue, we would 
appreciate it.

Also, if you have sample files that I could debug which illustrate the image 
extraction issue you described, I would appreciate a copy.

On a side note, we will be looking into using pdfium or another third-party 
PDF parser in the future in order to improve detection and performance.  It is 
possible that we will replace our own PDF parser partially or entirely 
depending on the results of this investigation.  I mention this so that you do 
not spend a tremendous effort on this issue.

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Eric 
Zhou via clamav-users 
Sent: Thursday, February 22, 2024 2:29 PM
To: clamav-users@lists.clamav.net 
Cc: Eric Zhou 
Subject: [clamav-users] Slow PDF Scanning pt 3.


Hi ClamAV team and users,

This is a follow-up to my previous posts, which can be found here & here. I 
wanted to give a summary and make sure the problem identified is clear.

My team and I have noticed that ClamAV can be very slow in scanning certain PDF 
files. When we investigated the matter, we discovered the potential root cause 
within ClamAV source code. In 
https://github.com/Cisco-Talos/clamav/blob/5f934c16b47591157a7082b71e751c45f095e2c8/libclamav/pdf.c#L1984,
ClamAV handles PDF document tags. This function comes with a state to properly 
handle tags that require parameters. However, this state is not reset after 
parameters are parsed, so parsing is sensitive to the order in which tags are 
listed in the dictionary.

For example, this collection of headers for a PDF will scan fast because image 
subtype is before all filters:

```
429 0 obj << /ColorSpace /DeviceRGB /Name /im56 /Height 2850 /Subtype /Image /Filter /FlateDecode /DecodeParms << /Columns 1776 /Colors 3 /Predictor 2 >> /Type /XObject /Width 1776 /Length 25686 /BitsPerComponent 8 /Interpolate true >> stream
```

However, this collection of headers for a PDF will scan slowly because image 
subtype comes after filter (image will be dumped, though it should not be):

```
454 0 obj<>/Width 1776/Height 2850/BitsPerComponent 8/ColorSpace/DeviceRGB/Interpolate true/Type/XObject/Name/im56/Subtype/Image>>stream
```

Finally, in this line: 
https://github.com/Cisco-Talos/clamav/blob/5f934c16b47591157a7082b71e751c45f095e2c8/libclamav/pdf.c#L1580,
we see references to parameters, but they are used after tags are parsed. And 
neither DP nor DecodeParms are in `pdfname_actions`, so they are not affecting 
state.

Slow PDF scanning has been a known problem for 3 years, and it would be nice to 
see it addressed in a new patch soon.

Again, I’m happy to provide more details if needed. Thank you for your time.

Best,

Eric







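An order-insensitive parser for PDF stream-object dictionaries, added here to illustrate Eric's analysis; it is not ClamAV's pdf.c. The structural point is that the whole `<< ... >>` dictionary, nested dictionaries and arrays included, is collected before anything is decided about the object, so `/Subtype` before `/Filter` and `/Filter` before `/Subtype` give the same answer. VERBOSE_OBJECT is the first object header from Eric's post; COMPACT_OBJECT is constructed for this example with the same keys in the opposite order (the compact header in the post was mangled by the archive, so it is not copied verbatim). The tokenizer handles names, numbers, booleans, null, arrays and dictionaries; strings and indirect references are not needed for these headers and are left out.

```python
"""Order-insensitive PDF dictionary parsing. Added example, not ClamAV code.
COMPACT_OBJECT is constructed; VERBOSE_OBJECT is the header from the post.
"""
import re

VERBOSE_OBJECT = (
    "429 0 obj << /ColorSpace /DeviceRGB /Name /im56 /Height 2850 /Subtype /Image "
    "/Filter /FlateDecode /DecodeParms << /Columns 1776 /Colors 3 /Predictor 2 >> "
    "/Type /XObject /Width 1776 /Length 25686 /BitsPerComponent 8 /Interpolate true "
    ">> stream"
)
COMPACT_OBJECT = (
    "454 0 obj<</Filter/FlateDecode/DecodeParms<</Columns 1776/Colors 3/Predictor 2>>"
    "/Width 1776/Height 2850/BitsPerComponent 8/ColorSpace/DeviceRGB/Interpolate true"
    "/Type/XObject/Name/im56/Subtype/Image/Length 25686>>stream"
)

TOKEN_RE = re.compile(
    r"<<|>>|\[|\]"                    # dictionary and array delimiters
    r"|/[^\s/\[\]<>()]*"              # names: /Subtype, /im56
    r"|[+-]?(?:\d+\.\d*|\.\d+|\d+)"   # numbers
    r"|true|false|null"
)


class Name(str):
    """A PDF name object (/Foo), kept distinct from ordinary strings."""


def _parse(tokens, i):
    """Parse one object starting at tokens[i]; return (value, next_index)."""
    tok = tokens[i]
    if tok == "<<":
        result, i = {}, i + 1
        while tokens[i] != ">>":
            key = tokens[i]
            if not key.startswith("/"):
                raise ValueError("dictionary key must be a name, got %r" % key)
            value, i = _parse(tokens, i + 1)
            result[key[1:]] = value
        return result, i + 1
    if tok == "[":
        items, i = [], i + 1
        while tokens[i] != "]":
            item, i = _parse(tokens, i)
            items.append(item)
        return items, i + 1
    if tok.startswith("/"):
        return Name(tok[1:]), i + 1
    if tok in ("true", "false"):
        return tok == "true", i + 1
    if tok == "null":
        return None, i + 1
    return (float(tok) if "." in tok else int(tok)), i + 1


def parse_dict(text):
    """Return the first << ... >> dictionary in text as a Python dict."""
    tokens = TOKEN_RE.findall(text)
    value, _ = _parse(tokens, tokens.index("<<"))
    return value


def describe_stream(d):
    """What a scanner needs to know to extract the stream, whatever the key order."""
    filters = d.get("Filter", [])
    if isinstance(filters, Name):      # a single filter may be given as a bare name
        filters = [filters]
    return {
        "is_image": d.get("Type") == "XObject" and d.get("Subtype") == "Image",
        "filters": [str(f) for f in filters],
        "decode_parms": d.get("DecodeParms", d.get("DP")),  # /DP is the abbreviation
        "size": (d.get("Width"), d.get("Height")),
    }


if __name__ == "__main__":
    for obj in (VERBOSE_OBJECT, COMPACT_OBJECT):
        print(describe_stream(parse_dict(obj)))
```

Both headers come back as the same image XObject with a single FlateDecode filter and a Predictor 2 DecodeParms dictionary, which is the property a per-key action table with carried-over state loses when the keys are reordered.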


Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-20 Thread Micah Snyder (micasnyd) via clamav-users
Hi Ralf,

There are 3 bytecode rules for detecting CVEs that seem to take a rather long 
time to run, particularly as the file grows in size.  I'm discussing with our 
threat research team whether we can remove them, as the CVEs are old enough that 
no one should reasonably still be affected by the vulnerabilities.

I am curious though - what are your MaxFileSize / MaxScanSize settings? I 
wonder if you're seeing timeouts with the default settings or if you increased 
them.

Regards,
Micah


Micah Snyder (they/them)
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Ralf 
Hildebrandt via clamav-users 
Sent: Tuesday, February 20, 2024 9:36 AM
To: clamav-users@lists.clamav.net 
Cc: Ralf Hildebrandt 
Subject: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

In yesterday's logs I found this:

Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run 
timed out in interpreter after 5000 opcodes
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 
'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded 
time limit

is this a bad Bytecode rule?

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de


Re: [clamav-users] Save a copy of the mail (quarantine=quarantined by clamav-milter)

2024-02-07 Thread Micah Snyder (micasnyd) via clamav-users
Hi Jobst,

I don't know the exact answer to your question.  I hardly have any 
experience with sendmail or even clamav-milter.  Perhaps someone else knows 
better and can help.

From the clamav-milter.conf.sample file, I see this comment, which may help:

# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold

Cheers,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
Postmaster via clamav-users 
Sent: Friday, February 2, 2024 9:09 PM
To: clamav-users@lists.clamav.net 
Cc: Postmaster 
Subject: [clamav-users] Save a copy of the mail (quarantine=quarantined by 
clamav-milter)


Hi

Setup
~
os: AlmaLinux release 8.9
sendmail: 8.15.2-34.el8
mimedefang: version 3.4.1
clamd: 1.0.1/27173

Problem:

I have a few problems with emails sent by a couple of legitimate senders: they 
are quarantined.
I would like to save copies of the emails sent, but I cannot find out how to do 
this.

I searched the config files for a setting, but can't find anything.

I know I can see the queue by doing a 'mailq -qQ' and I can see the mail in 
question.

How can I see the CONTENT of the email and/or find the REASON for the 
quarantine?


thanks
Jobst


Re: [clamav-users] ClamAV 1.3.0 feature release and 1.2.2, 1.0.5 security patch release!

2024-02-07 Thread Micah Snyder (micasnyd) via clamav-users
Correct.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Arjen 
de Korte via clamav-users 
Sent: Wednesday, February 7, 2024 12:12 PM
To: ClamAV users ML 
Cc: Arjen de Korte 
Subject: Re: [clamav-users] ClamAV 1.3.0 feature release and 1.2.2, 1.0.5 
security patch release!

Quoting "Micah Snyder (micasnyd) via clamav-users":

[...]

>  *   0.104 (all patch versions)
>  *   0.105 (all patch versions)
>  *   1.0.0 through 1.0.4 (LTS)
>  *   1.1 (all patch versions)
>  *   1.2.0 and 1.2.1

Do I understand correctly that 0.103 LTS is not affected by this?



[clamav-users] ClamAV 1.3.0 feature release and 1.2.2, 1.0.5 security patch release!

2024-02-07 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at: 
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html



The ClamAV 1.3.0 feature release is now stable!

Today, we are also publishing the 1.2.2 and 1.0.5 security patch versions.

ClamAV 1.1 is past EOL for security 
fixes and will not receive an update. Switch to the 1.0 LTS, 1.2, or 1.3 
versions for continued support.

The release files are available for download on the ClamAV downloads 
page, on the GitHub Release 
page, and through Docker Hub*:

  *   Alpine-based images
  *   Debian-based multi-arch 
images

*The Docker images are built on release day and may not be available until 
later in the day.


Continue reading to learn what changed in each version.


1.3.0

ClamAV 1.3.0 includes the following improvements and changes:

Major changes

  *   Added support for extracting and scanning attachments found in Microsoft 
OneNote section files. OneNote parsing will be enabled by default, but may be 
optionally disabled using one of the following options:
a. The clamscan command line option: --scan-onenote=no,
b. The clamd.conf config option: ScanOneNote no,
c. The libclamav scan option options.parse &= ~CL_SCAN_PARSE_ONENOTE;,
d. A signature change to the daily.cfg dynamic configuration (DCONF).
 *   GitHub pull request

Other improvements

  *   Fixed an issue when building ClamAV on the Haiku (BeOS-like) operating 
system. Patch courtesy of Luca D'Amico.

 *   GitHub pull request
  *   ClamD: When starting, ClamD will now check if the directory specified by 
TemporaryDirectory in clamd.conf exists. If it doesn't, ClamD will print an 
error message and will exit with exit code 1. Patch courtesy of Andrew Kiggins.

 *   GitHub pull request
  *   CMake: If configured to build static libraries, CMake will now also 
install the libclamav_rust, libclammspack, libclamunrar_iface, and libclamunrar 
static libraries required by libclamav.

Note: These libraries are all linked into the clamscan, clamd, sigtool, and 
freshclam programs, which is why they did not need to be installed to function. 
However, these libraries would be required if you wish to build some other 
program that uses the libclamav static library.

Patch courtesy of driverxdw.

 *   GitHub pull request
  *   Added file type recognition for compiled Python (`.pyc`) files.
      The file type appears as a string parameter for these callback functions:
      - `clcb_pre_cache`
      - `clcb_pre_scan`
      - `clcb_file_inspection`
      When scanning a `.pyc` file, the `type` parameter will now show
      "CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".

 *   GitHub pull request
  *   Improved support for decrypting PDFs with empty passwords.
 *   GitHub pull request
  *   Assorted minor improvements and typo fixes.

Bug fixes

  *   Fixed a warning when scanning some HTML files.

 *   GitHub pull request
  *   Fixed an issue decrypting some PDFs with an empty password.

 *   GitHub pull request
  *   ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

 *   GitHub pull request
  *   ClamOnAcc: Fixed an infinite loop when a file has been deleted before a 
scan.
Patch courtesy of gsuehiro.
 *   GitHub pull request
  *   Fixed a possible crash when processing VBA files on HP-UX/IA 64bit. Patch 
courtesy of Albert Chin-A-Young.

 *   GitHub pull request
  *   ClamConf: Fixed an issue printing `MaxScanSize` introduced with the 
change to allow a `MaxScanSize` greater than 4 GB.
Fix courtesy of teoberi.
 *   GitHub pull request
  *   Fixed an issue building a ClamAV RPM in some configurations.
The issue was caused by faulty CMake logic that intended to create an empty 
database directory during the installation.
 *   GitHub pull request

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

  *   Albert Chin-A-Young
  *   Andrew Kiggins
  *   driverxdw
  *   gsuehiro
  *   Luca D'Amico
  *   RainRat
  *   teoberi

1.2.2 and 1.0.5
ClamAV 1.2.2 and ClamAV 1.0.5 are critical patch versions with the following 
fixes:


  *   

Re: [clamav-users] Installation and Use

2024-01-31 Thread Micah Snyder (micasnyd) via clamav-users
Hi Gene,

Did you use this download URL?
https://www.clamav.net/downloads/production/clamav-1.2.1.win.win32.msi

I just tested it on a 32bit Windows 10 VM and did not run into any issues. The 
installation worked okay and running the EXE programs (in PowerShell) worked 
okay.

Please keep in mind that ClamAV is a command-line (terminal) application.  
Double-clicking the EXE's will not do anything useful.

You can find installation instructions here: 
https://docs.clamav.net/manual/Installing.html#windows

After installing, continue along to the Usage section.

-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Gene 
Long via clamav-users 
Sent: Wednesday, January 31, 2024 2:24 PM
To: 'clamav-users@lists.clamav.net' 
Cc: Gene Long 
Subject: [clamav-users] Installation and Use


I have downloaded the 32bit msi file and installed and rebooted the system.

Every .exe file I click on says it is not a valid win32 application.



How can I run the antivirus or configure it?



Gene Long | Network Administrator

P: 240-374-5420  | gl...@fco.com
Fair Collections & Outsourcing, Inc.
14400 Sweitzer Ln #235, Laurel, MD 20707

Please note we have moved from Beltsville to Laurel.
Please update your records to reflect our new address.


Re: [clamav-users] ClamAV 1.3.0 second release candidate published!

2024-01-29 Thread Micah Snyder (micasnyd) via clamav-users
Thanks Andreas,

I'm glad to hear it.

Cheers,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of A. 
Schulze via clamav-users 
Sent: Monday, January 29, 2024 2:59 PM
To: clamav-users@lists.clamav.net 
Cc: A. Schulze 
Subject: Re: [clamav-users] ClamAV 1.3.0 second release candidate published!



Am 24.01.24 um 23:09 schrieb Micah Snyder (micasnyd) via clamav-users:
> We are excited to announce the ClamAV 1.3.0 release candidate.

Hello,

At least I can confirm that the build issue [1] was fixed. Building with rust-1.75.0 
works fine on an isolated build host.
Unfortunately, I can't spend time on further functional tests.

Andreas

[1] https://lists.clamav.net/pipermail/clamav-users/2023-December/013699.html


Re: [clamav-users] [ext] ClamAV 1.3.0 second release candidate published!

2024-01-27 Thread Micah Snyder (micasnyd) via clamav-users
Apologies for the confusion.  The links got messed up and it wasn't caught in 
review.

They should have been:
https://www.clamav.net/downloads
and
https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.3.0-rc2

I've updated the blog post to read:
You can find the source code and installers for this release on the 
clamav.net/downloads page or the ClamAV GitHub release page.


Thanks for saying something, Ralf, so I could fix it.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Ralf 
Hildebrandt via clamav-users 
Sent: Thursday, January 25, 2024 3:55 AM
To: clamav-users@lists.clamav.net ; ClamAV 
Announcements ML ; ClamAV Development 

Cc: Ralf Hildebrandt 
Subject: Re: [clamav-users] [ext] ClamAV 1.3.0 second release candidate 
published!

> You can find the source code and installers for this release on 
> the 
> clamav.net/downloads page or the ClamAV GitHub 
> release 
> page.

https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc2
returns a 404.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
IT Division | Network Department | Network Administration
Invalidenstraße 120/121 | D-10115 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de


[clamav-users] ClamAV 1.3.0 second release candidate published!

2024-01-24 Thread Micah Snyder (micasnyd) via clamav-users
View this online at: 
https://blog.clamav.net/2024/01/clamav-130-second-release-candidate-now.html




We are excited to announce the ClamAV 1.3.0 release candidate.

You can find the source code and installers for this release on the 
clamav.net/downloads page or the ClamAV GitHub release page.

Tip: If you are downloading the source from the GitHub release page, the 
package labeled "clamav-1.3.0-rc2.tar.gz" does not require an internet 
connection to build. All dependencies are included in this package. But if you 
download the ZIP or TAR.GZ generated by GitHub, located at the very bottom, 
then an internet connection will be required during the build to download 
additional Rust dependencies.

For Docker users, there is no specific Docker tag for the release candidate, 
but you can use these tags:

  *   clamav/clamav:unstable
  *   clamav/clamav:unstable_base
  *   clamav/clamav-debian:unstable
  *   clamav/clamav-debian:unstable_base

This release candidate phase is expected to last two weeks before we publish 
the stable release. Please take this time to evaluate ClamAV 1.3.0.

Please help us validate this release by providing feedback via the ClamAV 
mailing list or our 
Discord.

Changes since the first release candidate include:

  *   Improved support for decrypting PDFs with empty passwords.
 *   GitHub pull request
  *   ClamOnAcc: Fixed an infinite loop when a file has been deleted before a 
scan.
Patch courtesy of gsuehiro.
 *   GitHub pull request
  *   ClamConf: Fixed an issue printing `MaxScanSize` introduced with the 
change to allow a `MaxScanSize` greater than 4 GB.
Fix courtesy of teoberi.
 *   GitHub pull request
  *   Fixed an issue building a ClamAV RPM in some configurations.
The issue was caused by faulty CMake logic that intended to create an empty 
database directory during the installation.
 *   GitHub pull request

You can find the full list of changes and improvements in the blog post for the 
first release 
candidate.

Posted by Micah Snyder at 3:31 PM




Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


[clamav-users] ClamAV Debian multi-Arch Docker images now available!

2024-01-22 Thread Micah Snyder (micasnyd) via clamav-users
Read this online, at: 
https://blog.clamav.net/2024/01/clamav-debian-multi-arch-docker-images.html




We now offer official ClamAV Docker images based on `debian:11-slim`.

In addition to offering an alternative to the original Alpine Linux 
images, the new images are 
multi-arch images supporting `linux/amd64`, `linux/arm64`, and `linux/ppc64le`.

ClamAV's Alpine-based and Debian-based Docker images are now built weekly to 
pick up security fixes in the base images.

Check it out here.

Posted by Micah Snyder at 1:01 PM




Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] ClamAV 1.3.0 release candidate published

2023-12-18 Thread Micah Snyder (micasnyd) via clamav-users
Thanks for the kind words, Steve.  I'm glad to hear we're making a difference.

Happy holidays!
-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Steve 
Basford via clamav-users 
Sent: Friday, December 15, 2023 2:25 PM
To: ClamAV users ML 
Cc: Steve Basford 
Subject: Re: [clamav-users] ClamAV 1.3.0 release candidate published


On 15 December 2023 16:49:49 "Micah Snyder (micasnyd) via clamav-users" wrote:

  *   Fixed an issue decrypting some PDF's with an empty password.

Hi Micah,

Just tested and it's decoding URLs now :)

I also wanted to say a huge Thank You for all the programming bug fixes/new 
features and support work you've done for ClamAV this year.

Have a Happy Holiday ClamAV team 

Cheers,

Steve
sanesecurity.com


Re: [clamav-users] ClamAV 1.3.0 release candidate published

2023-12-18 Thread Micah Snyder (micasnyd) via clamav-users
Thanks Andreas and Arjen.  I will investigate asap.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of A. 
Schulze via clamav-users 
Sent: Monday, December 18, 2023 9:57 AM
To: clamav-users@lists.clamav.net 
Cc: A. Schulze 
Subject: Re: [clamav-users] ClamAV 1.3.0 release candidate published



On 15.12.23 at 22:19, Arjen de Korte via clamav-users wrote:
> Unfortunately, the above doesn't seem to work, the package fails to build 
> without an internet connection:
> [   25s] Updating git repository 
> `https://github.com/Cisco-Talos/onenote.rs.git`

Hello,

Confirmed: building without internet access is impossible now.
I hope this will get fixed :-)

Andreas


[clamav-users] ClamAV 1.3.0 release candidate published

2023-12-15 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at: 
https://blog.clamav.net/2023/12/clamav-130-release-candidate-now.html


We are excited to announce the ClamAV 1.3.0 release candidate.

You may find the source code and installers for this release on the 
clamav.net/downloads page or the ClamAV GitHub release page.

Tip: If you are downloading the source from the GitHub release page, the 
package labeled "clamav-1.3.0-rc.tar.gz" does not require an internet 
connection to build. All dependencies are included in this package.  But if you 
download the ZIP or TAR.GZ generated by GitHub, located at the very bottom, 
then an internet connection will be required during the build to download 
additional Rust dependencies.

For Docker users, there is no specific Docker tag for the release candidate, 
but you can use the clamav:unstable or clamav:unstable_base tags.

The release candidate phase is expected to last two to three weeks before we 
publish the stable release or a second release candidate. Please take this time 
to evaluate ClamAV 1.3.0.

Please help us validate this release by providing feedback via the ClamAV 
mailing list or on our 
Discord.

ClamAV 1.3.0 includes the following improvements and changes:

Major changes

  *   Added support for extracting and scanning attachments found in Microsoft 
OneNote section files. OneNote parsing will be enabled by default, but may be 
optionally disabled using one of the following options:
a. The clamscan command line option: --scan-onenote=no,
b. The clamd.conf config option: ScanOneNote no,
c. The libclamav scan option options.parse &= ~CL_SCAN_PARSE_ONENOTE;,
d. A signature change to the daily.cfg dynamic configuration (DCONF).
 *   GitHub pull request

Other improvements

  *   Fixed an issue when building ClamAV on the Haiku (BeOS-like) operating 
system. Patch courtesy of Luca D'Amico.

 *   GitHub pull request
  *   ClamD: When starting, ClamD will now check if the directory specified by 
TemporaryDirectory in clamd.conf exists. If it doesn't, ClamD will print an 
error message and will exit with exit code 1. Patch courtesy of Andrew Kiggins.

 *   GitHub pull request
  *   CMake: If configured to build static libraries, CMake will now also 
install the libclamav_rust, libclammspack, libclamunrar_iface, and libclamunrar 
static libraries required by libclamav.

Note: These libraries are all linked into the clamscan, clamd, sigtool, and 
freshclam programs, which is why they did not need to be installed to function. 
However, these libraries would be required if you wish to build some other 
program that uses the libclamav static library.

Patch courtesy of driverxdw.

 *   GitHub pull request
  *   Added file type recognition for compiled Python (`.pyc`) files.
      The file type appears as a string parameter for these callback functions:
      - `clcb_pre_cache`
      - `clcb_pre_scan`
      - `clcb_file_inspection`
      When scanning a `.pyc` file, the `type` parameter will now show
      "CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".

 *   GitHub pull request
  *   Assorted minor improvements and typo fixes.

Bug fixes

  *   Fixed a warning when scanning some HTML files.

 *   GitHub pull request
  *   Fixed an issue decrypting some PDFs with an empty password.

 *   GitHub pull request
  *   ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

 *   GitHub pull request
  *   Fixed a possible crash when processing VBA files on HP-UX/IA 64bit. Patch 
courtesy of Albert Chin-A-Young.

 *   GitHub pull request

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

  *   Albert Chin-A-Young
  *   Andrew Kiggins
  *   driverxdw
  *   Luca D'Amico
  *   RainRat



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] How to respond to request?

2023-12-12 Thread Micah Snyder (micasnyd) via clamav-users
Hi Jay,

Essentially, the cli_malloc() function is a wrapper around the standard 
malloc() memory allocation function.  This wrapper has a limit on how much 
it's willing to allocate.  The purpose is to limit memory allocations when the 
size of the allocation required is based on untrusted file input.  So, like if 
the file has a field saying "the next bit is absurdly large" this function 
safeguards against allocating all the RAM on the system.  When that happens, 
this error message is spit out.

This error message isn't a great one. We have made some improvements to it in 
newer ClamAV versions to better explain the cause of the message and also to 
increase the limit some.  I think there are more improvements that could be 
made though.

Anyways, ... since you're scanning with the scan limits set really high, you're 
using a slightly older version of clamav, and you're scanning your whole system 
and don't have a specific file to pinpoint as the cause of the issue - don't 
worry about it.

Cheers,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of 
jay-1--- via clamav-users 
Sent: Monday, December 11, 2023 11:17 PM
To: clamav-users@lists.clamav.net 
Cc: ja...@jay-e.net ; ja...@jay-e.net 
Subject: [clamav-users] How to respond to request?

I was running clamav on Linux (Ubuntu) /home and a run-time message appeared in 
the shell script:
LibClamAV Error: cli_malloc(): Attempt to allocate 294892266 bytes. Please 
report to https://github.com/Cisco-Talos/clamav/issues
LibClamAV Warning: Couldn't grow the blob: we may be low on memory


So, I thought the best way to respond is to post this question in the mailing 
list.

Question: Any other action needed/desired?

Thanks in advance!
Jay

notes:
 a gkrellm resource monitor showed I was using less than 25% of memory

hardware and software notes (collected by a BOINC log):

Mon 11 Dec 2023 08:39:13 PM EST | | Processor: 4 GenuineIntel Intel(R) Core(TM) 
i7-8665U CPU @ 1.90GHz [Family 6 Model 142 Stepping 12]
Mon 11 Dec 2023 08:39:13 PM EST | | Processor features: fpu vme de pse tsc msr 
pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse 
sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon 
pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq 
dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 
sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm 
abm 3dnowprefetch cpuid_fault epb invpcid_single ssbd ibrs ibpb stibp 
ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust 
sgx bmi1 avx2 smep bmi2 erms invpcid mpx rdseed adx smap clflushopt intel_pt 
xsaveopt xsavec xgetbv1 xsaves dtherm arat pln pts hwp hwp_notify 
hwp_act_window hwp_epp md_clear flush_l1d arch_capabilities
Mon 11 Dec 2023 08:39:13 PM EST | | OS: Linux Ubuntu: Ubuntu 23.04 
[6.2.0-39-generic|libc 2.37]
Mon 11 Dec 2023 08:39:13 PM EST | | Memory: 30.99 GB physical, 9.77 GB virtual
Mon 11 Dec 2023 08:39:13 PM EST | | Disk: 119.60 GB total, 100.95 GB free
Mon 11 Dec 2023 08:39:13 PM EST | | Local time is UTC -5 hours



The clamscan command was
clamscan -r -z -o --max-filesize=4000M --bytecode-timeout=60 
--max-scansize=4000M --bell --detect-structured=no --alert-encrypted=yes 
--detect-pua=yes /home


other:

filesystem     1K-blocks     Used Available Use% Mounted on
/dev/nvme0n1p5 125404540 13137020 105851136  12% /
/dev/nvme0n1p6 151085680 36466792 106871356  26% /home

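Micah's description of cli_malloc() above (a cap on allocations whose size comes from the file being scanned), as an added Python example that is not ClamAV's code: a constructed chunk format declares its own uncompressed size, the parser caps that size before creating any buffer, and then checks the inflated data against the declaration. ALLOC_LIMIT, the chunk layout and the sample inputs are assumptions made for this example.

```python
"""Bounded allocation for sizes that come from untrusted file input.

Added example (not ClamAV code): it mirrors the idea behind the cli_malloc()
wrapper. A chunk format declares its own uncompressed size, which a parser must
allocate before inflating the payload; the declared size is capped before any
memory is touched, and the inflated data is checked against the declaration.
"""
import struct
import zlib
from typing import List, Optional

# Ceiling chosen for this example (16 MiB); ClamAV's own limit differs.
ALLOC_LIMIT = 16 * 1024 * 1024


class AllocationRefused(Exception):
    """A declared size exceeded what the parser is willing to allocate."""


def bounded_alloc(size: int, limit: int = ALLOC_LIMIT) -> bytearray:
    """Allocate `size` bytes only if 0 <= size <= limit, else refuse loudly."""
    if size < 0 or size > limit:
        raise AllocationRefused(
            f"Attempt to allocate {size} bytes (limit {limit})")
    return bytearray(size)


def make_chunk(plain: bytes, declared: Optional[int] = None) -> bytes:
    """Build one chunk: [u32 uncompressed size][u32 compressed size][zlib data].

    `declared` overrides the uncompressed-size field to construct hostile input.
    """
    comp = zlib.compress(plain)
    size = len(plain) if declared is None else declared
    return struct.pack(">II", size, len(comp)) + comp


def parse_chunks(data: bytes, limit: int = ALLOC_LIMIT) -> List[bytes]:
    """Inflate every chunk in `data`, refusing absurd or lying size fields.

    Raises AllocationRefused when the declared size is over `limit` and
    ValueError when the stream is truncated or the declaration is wrong.
    """
    chunks = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError(f"truncated chunk header at offset {pos}")
        declared, clen = struct.unpack_from(">II", data, pos)
        pos += 8
        if clen > len(data) - pos:
            raise ValueError(f"chunk at offset {pos - 8} is truncated")
        payload = data[pos:pos + clen]
        pos += clen
        # The output buffer is sized by the file's own claim, so cap it first:
        # an absurd claim costs one exception instead of the system's RAM.
        out = bounded_alloc(declared, limit)
        inflater = zlib.decompressobj()
        # Inflate at most declared+1 bytes so an under-declared stream is
        # caught without inflating an unbounded amount.
        plain = inflater.decompress(payload, declared + 1)
        if len(plain) != declared or not inflater.eof:
            raise ValueError(
                f"chunk at offset {pos - 8 - clen} declares {declared} bytes, "
                f"got {len(plain)}")
        out[:] = plain
        chunks.append(bytes(out))
    return chunks


def classify(data: bytes, limit: int = ALLOC_LIMIT) -> str:
    """Summarise how the parser treats `data`: 'ok', 'refused' or 'malformed'."""
    try:
        parse_chunks(data, limit)
    except AllocationRefused:
        return "refused"
    except ValueError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    # Constructed inputs: a sane stream, the 294892266-byte claim from the
    # thread, and a chunk whose size field lies.
    samples = {
        "sane": make_chunk(b"hello") + make_chunk(b"x" * 1000),
        "absurd": make_chunk(b"hello", declared=294892266),
        "lying": make_chunk(b"hello", declared=3),
    }
    for name, blob in samples.items():
        print(f"{name}: {classify(blob)}")
```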


Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-16 Thread Micah Snyder (micasnyd) via clamav-users
We are primarily creating the large archive scanning to support the use case of 
scanning bundled collections of software, VM images, etc.

Large MP4/MOV/AVI/etc media files are not traditional archives even if they do 
technically archive media streams. But media streams are not a significant 
threat concern. As you mentioned, the biggest concern is probably a malicious 
media file exploiting a vulnerable application to get code execution. Media 
streams would not otherwise be executable.

Someone may add support later to extract and scan media streams, but without 
signature content or special logic coded in a custom media-stream parser 
written to detect exploits, the scanning of such files is pointless. We have 
some of that kind of logic to inspect some picture formats (JPEG, PNG, etc) for 
correctness, but don't have any support for H265, AAC, or other video or audio 
file formats.

Respectfully,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Paul 
Kosinski via clamav-users 
Sent: Monday, November 13, 2023 7:28 PM
To: Micah Snyder (micasnyd) via clamav-users 
Cc: Paul Kosinski 
Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool

Large archive files may be the most obvious case, especially if things like 
disk images and installation images are included, but make sure that large 
multimedia files are also handled.

In today's Internet environment, there are probably far, far more large video 
files floating around than traditional archives. And in some sense multimedia 
"container" files (like MP4, MOV, AVI etc.) are archives of their media streams 
(like H.264/5, AAC, etc.) -- but these archives are, of course, interleaved for 
real-time playback.

I might add that there have been recent reports of malformed (perhaps 
malicious) multimedia files causing crashes or unwanted code execution in 
software such as FFMPEG.


On Mon, 13 Nov 2023 20:32:38 +0000
"Micah Snyder (micasnyd) via clamav-users" wrote:

> In case anyone else is looking into this, I wanted to share some news.
>
> We have been getting some help to create a tool to recursively unpack (or 
> mount) and scan large archives (greater than 2000MB).
>
> This effort has progressed to the point where we've started code review and 
> writing documentation. I'm not entirely sure how we will package it for 
> people to use.  I'll share more when we go to open source it. I wanted to 
> share the news now in case anyone else was going to work on it and so they're 
> not as frustrated when it turns out we've done the same.
>
> I don't have a specific release date in mind.  It likely won't be until early 
> next year.  While we've started code review and testing, the developer that 
> has built the tool for us is now working on adding the allmatch-mode feature 
> support.
>
> Best regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
> 
> From: Andrew C Aitchison 
> Sent: Thursday, June 8, 2023 6:25 PM
> To: Micah Snyder (micasnyd) 
> Cc: ClamAV users ML 
> Subject: Re: [clamav-users] Question About MaxFileSize
>
> On Thu, 8 Jun 2023, Micah Snyder (micasnyd) wrote:
>
> > I agree with you.  I suspect the majority of cases today is when
> > people have a large archive of files to scan.
> >
> > I think best case scenario for people with a need to scan files
> > larger than the present internal 2GB limit is that archives larger
> > than 2GB are decompressed and then the files inside are scanned, but
> > without actually scanning the very large outer archive.
> >
> > The way to do this as things work today is to script something
> > around clamscan or clamdscan that if the file is too large, handle
> > some assorted file types:
> >
> >  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
> >  2.  if file is a zip, un-zip it and then scan the files within.
> >  3.  etc.
> >
> > I think everyone would like if clamav could do this automatically
> > for select archive types. And I think the advantage would be that we
> > would perhaps keep the extracted files in memory, or else at least
> > delete the temp files as we go without extracting all of it to disk
> > before starting to scan.
> >
> > However, it would be far easier to make a shell script or a python
> > script that wraps clamscan/clamdscan and uses native tools like
> > "tar", "unzip", etc.
>
> Good idea.
>
> Simply untarring or unzipping into a pipe does not separate the packed files.
> However, at least tar does have an option which allows us to write a one-liner:

Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-16 Thread Micah Snyder (micasnyd) via clamav-users
Hi,

It's going to be a Python script that depends on having ClamAV installed and 
has a few other dependencies for working with ZIPs, TARs, ISOs, and a few 
other archive formats. At this time, I'm expecting that we will publish it in a 
separate git repo and not bundle it directly with ClamAV.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Vu, 
Hong-Duc V. via clamav-users 
Sent: Tuesday, November 14, 2023 10:49 AM
Cc: Vu, Hong-Duc V. ; ClamAV users ML 

Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool


Hi Micah,



Is it going to be part of clamav or a different application entirely?



Hong-Duc Vu





From: Micah Snyder (micasnyd) 
Sent: Monday, November 13, 2023 3:33 PM
To: Andrew C Aitchison 
Cc: ClamAV users ML 
Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool



In case anyone else is looking into this, I wanted to share some news.

We have been getting some help to create a tool to recursively unpack (or 
mount) and scan large archives (greater than 2000MB).

This effort has progressed to the point where we've started code review and 
writing documentation. I'm not entirely sure how we will package it for people 
to use.  I'll share more when we go to open source it. I wanted to share the 
news now in case anyone else was going to work on it and so they're not as 
frustrated when it turns out we've done the same.

I don't have a specific release date in mind.  It likely won't be until early 
next year.  While we've started code review and testing, the developer that has 
built the tool for us is now working on adding the allmatch-mode feature 
support.

Best regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-13 Thread Micah Snyder (micasnyd) via clamav-users
In case anyone else is looking into this, I wanted to share some news.

We have been getting some help to create a tool to recursively unpack (or 
mount) and scan large archives (greater than 2000MB).

This effort has progressed to the point where we've started code review and 
writing documentation. I'm not entirely sure how we will package it for people 
to use.  I'll share more when we go to open source it. I wanted to share the 
news now in case anyone else was going to work on it and so they're not as 
frustrated when it turns out we've done the same.

I don't have a specific release date in mind.  It likely won't be until early 
next year.  While we've started code review and testing, the developer that has 
built the tool for us is now working on adding the allmatch-mode feature 
support.

Best regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: Andrew C Aitchison 
Sent: Thursday, June 8, 2023 6:25 PM
To: Micah Snyder (micasnyd) 
Cc: ClamAV users ML 
Subject: Re: [clamav-users] Question About MaxFileSize

On Thu, 8 Jun 2023, Micah Snyder (micasnyd) wrote:

> I agree with you.  I suspect the majority of cases today is when
> people have a large archive of files to scan.
>
> I think best case scenario for people with a need to scan files
> larger than the present internal 2GB limit is that archives larger
> than 2GB are decompressed and then the files inside are scanned, but
> without actually scanning the very large outer archive.
>
> The way to do this as things work today is to script something
> around clamscan or clamdscan that if the file is too large, handle
> some assorted file types:
>
>  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
>  2.  if file is a zip, un-zip it and then scan the files within.
>  3.  etc.
>
> I think everyone would like if clamav could do this automatically
> for select archive types. And I think the advantage would be that we
> would perhaps keep the extracted files in memory, or else at least
> delete the temp files as we go without extracting all of it to disk
> before starting to scan.
>
> However, it would be far easier to make a shell script or a python
> script that wraps clamscan/clamdscan and uses native tools like
> "tar", "unzip", etc.

Good idea.

Simply untarring or unzipping into a pipe does not separate the packed files.
However at least tar does have an option which allow us to write a one-liner:
(tar xf ~/viruses.tar --to-command='clamdscan -v - || echo "  found in 
$TAR_REALNAME\n\n---"' ) |& egrep -i found
stream: Eicar-Signature FOUND
   found in viruses/EICAR.COM.TAR
stream: Eicar-Signature FOUND
   found in viruses/eicar.com.txt
stream: Eicar-Signature FOUND
   found in viruses/URLEICAR.COM.TAR
stream: Eicar-Signature FOUND
   found in viruses/4DOSBOX/EICAR.COM
stream: Eicar-Signature FOUND
   found in viruses/EICAR.COM

The echo is needed to show the name of the file inside the archive.

This appears not to write the unpacked files to disk.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk


[clamav-users] ClamAV 1.2.1, 1.1.3, 1.0.4, 0.103.11 patch versions published

2023-10-25 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at: 
https://blog.clamav.net/2023/10/clamav-121-113-104-010311-patch.html




Today, we are publishing the 1.2.1, 1.1.3, 1.0.4, and 0.103.11 security patch 
versions.

The release files for the patch versions are available for download on the 
ClamAV downloads page, on the GitHub Release 
page, and through Docker 
Hub.

Continue reading to learn what changed in each version.

1.2.1

ClamAV 1.2.1 is a patch release with the following fixes:

  *   Eliminate security warning about unused "atty" dependency.

 *   GitHub pull request.
  *   Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

 *   GitHub pull request.
  *   Build system: Fix link error with Clang/LLVM/LLD version 17. Patch 
courtesy of Yasuhiro Kimura.

 *   GitHub pull request.
  *   Fix alert-exceeds-max feature for files > 2GB and < max-filesize.

 *   GitHub pull request.

Special thanks to Yasuhiro Kimura for code contributions and bug reports.

1.1.3

ClamAV 1.1.3 is a patch release with the following fixes:

  *   Eliminate security warning about unused "atty" dependency.

 *   GitHub pull request.
  *   Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

 *   GitHub pull request.
  *   Windows: libjson-c 0.17 compatibility fix with ssize_t type definition.

 *   GitHub pull request.
  *   Build system: Fix link error with Clang/LLVM/LLD version 17. Patch 
courtesy of Yasuhiro Kimura.

 *   GitHub pull request.
  *   Fix alert-exceeds-max feature for files > 2GB and < max-filesize.

 *   GitHub pull request.

Special thanks to Yasuhiro Kimura for code contributions and bug reports.

1.0.4

ClamAV 1.0.4 is a patch release with the following fixes:

  *   Eliminate security warning about unused "atty" dependency.

 *   GitHub pull request.
  *   Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

 *   GitHub pull request.
  *   Windows: libjson-c 0.17 compatibility fix with ssize_t type definition.

 *   GitHub pull request.
  *   Freshclam: Removed a verbose warning printed for each Freshclam HTTP 
request.

 *   GitHub pull request.
  *   Build system: Fix link error with Clang/LLVM/LLD version 17. Patch 
courtesy of Yasuhiro Kimura.

 *   GitHub pull request.
  *   Fix alert-exceeds-max feature for files > 2GB and < max-filesize.

 *   GitHub pull request.

Special thanks to Yasuhiro Kimura for code contributions and bug reports.

0.103.11

ClamAV 0.103.11 is a patch release with the following fixes:

  *   Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

 *   GitHub pull request.
  *   Windows: libjson-c 0.17 compatibility fix with ssize_t type definition.

 *   GitHub pull request.
  *   Windows: Update build system to use OpenSSL 3 and PThreads-Win32 v3.

 *   GitHub pull request.

Posted by Micah Snyder at 1:36 PM

Re: [clamav-users] first questioon????

2023-10-25 Thread Micah Snyder (micasnyd) via clamav-users
Hi Rahim,

Sorry, this is not possible.

-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Rahim 
Fakir via clamav-users 
Sent: Sunday, October 22, 2023 5:18 PM
To: clamav-users@lists.clamav.net 
Cc: Rahim Fakir 
Subject: [clamav-users] first questioon

I would like to know if it is possible to have clamav on the desktop and 
remotely scan the phone.
for example: clamscan -r -i remove=yes ipaddress root.of.cellphone


I wanted to know if it is possible to have clamav on the desktop and remotely 
scan the mobile phone.
for example: clamscan -r -i remove=yes ipaddress root.of.cellphone

Rahim 00351 933 5959 74 is bugged


Re: [clamav-users] [ext] Compressing log files with clamav

2023-10-25 Thread Micah Snyder (micasnyd) via clamav-users
There are no plans to add compression for log files.  And I can't recall any 
prior feature request asking for this though I see the appeal.  Feel free to 
put in a feature request issue on GitHub.

I imagine it wouldn't be hard to add this feature.  If anyone wants to 
contribute this feature, you're welcome to.  My team is unfortunately down a 
developer, and already behind on other work. It is unlikely that we'll pick it 
up ourselves.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Andrew 
C Aitchison via clamav-users 
Sent: Tuesday, October 24, 2023 12:20 PM
To: Vu, Hong-Duc V. via clamav-users 
Cc: Andrew C Aitchison ; Vu, Hong-Duc V. 

Subject: Re: [clamav-users] [ext] Compressing log files with clamav

On Tue, 24 Oct 2023, Vu, Hong-Duc V. via clamav-users wrote:

>> Use logrotate:
> ==
>
>
> Thank you Ralf. I take that to mean there is no compression directive in the 
> configuration file by default.
>
> Are there plans to add this feature to a future release, Micah?

I guess this might be useful in docker or a similar container,
but it would be a lot of work to do it on every platform
and unless you include the right optional features, a lot
of people will use logrotate anyway.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk


Re: [clamav-users] Error installing from source

2023-10-16 Thread Micah Snyder (micasnyd) via clamav-users
Hi,

A newer version of GCC should solve the problem, but you may be able to resolve 
it with the old GCC as well.  Some other users have reported mixed results in 
this discussion: https://github.com/Cisco-Talos/clamav/issues/1017

The most recent comment states:

Personally it works for me when I run it like this:
./configure CXXFLAGS='-std=c++11'


If you're wondering what changed that is causing this issue, the reason is that 
we had to upgrade to a newer version of UnRAR for extracting RAR archives 
because of a CVE in the UnRAR library. And the newer version of UnRAR is now 
using some C++ 11 features that do not work with the default settings for older 
versions of GCC.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Andrew 
C Aitchison via clamav-users 
Sent: Friday, October 13, 2023 12:34 PM
To: ClamAV users ML 
Cc: Andrew C Aitchison ; ni...@qbit.gr 
Subject: Re: [clamav-users] Error installing from source

On Fri, 13 Oct 2023, Paul Netpresto wrote:

> HI
>
> You need to find a later version of GCC for your servers.
>
> I had a similar problem with some legacy Ubuntu machines. Fortunately an
> upgrade to GCC 7.5 was available in the Ubuntu release archive.

For CentOS 6 the devtoolset-7 suite will give you gcc-7.3.1

I never used CentOS 7, RHEL7 or other clones, but newer versions of gcc
are available for that too.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk


Re: [clamav-users] Freshclam version 1.0.2 warnings

2023-09-05 Thread Micah Snyder (micasnyd) via clamav-users
Sorry for the confusion, everyone. The warning message was accidentally 
introduced when adding it for debugging purposes.

We fixed it in 1.1 but missed backporting the fix to 1.0.  I will make it a 
priority to fix it in the next 1.0 patch version.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Jorge 
Bastos 
Sent: Sunday, September 3, 2023 9:23 AM
To: clamav-users@lists.clamav.net 
Cc: Matus UHLAR - fantomas 
Subject: Re: [clamav-users] Freshclam version 1.0.2 warnings


On 2023-09-03 15:36, Matus UHLAR - fantomas wrote:

On 02.09.23 22:32, Jorge Bastos wrote:
Since version 1.0.2 I'm getting this message on freshclam update; in 
the previous 1.0.0 it was not happening.
Any idea how to solve it, or is it something that has an ongoing fix?
Sat Sep  2 21:25:12 2023 -> Received signal: wake up
Sat Sep  2 21:25:13 2023 -> ClamAV update process started at Sat Sep  2 
21:25:13 2023
Sat Sep  2 21:25:13 2023 -> daily.cld database is up-to-date (version: 27019, 
sigs: 2040213, f-level: 90, builder: raynman)
Sat Sep  2 21:25:13 2023 -> main.cvd database is up-to-date (version: 62, sigs: 
6647427, f-level: 90, builder: sigmgr)
Sat Sep  2 21:25:13 2023 -> bytecode.cvd database is up-to-date (version: 334, 
sigs: 91, f-level: 90, builder: anvilleg)
Sat Sep  2 21:25:14 2023 -> WARNING:  *** RESULT 304, SIZE: 0 ***
Sat Sep  2 21:25:14 2023 -> malware.expert.ndb is up-to-date (version: custom 
database)

HTTP code 304 means "not modified" which means your files are accurate.

I have no idea why that produces warning, it should be treated as OK state, 
possibly INFO message...



Oh I see, it's the HTTP code, I didn't associate it with that.
Well, maybe someone left this warning in for debugging; I had no change in my 
configuration.


[clamav-users] ClamAV 1.2.0 feature version and 1.1.1, 1.0.2, 0.103.9 patch versions published

2023-08-28 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at 
https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html



The ClamAV 1.2.0 feature release is now stable and available for download on 
the ClamAV downloads page, on the Github 
Release page, and through 
Docker Hub.

Today, we are also publishing the 1.1.2, 1.0.3, and 0.103.10 security patch 
versions. You may be surprised about the impromptu patch release. Indeed, we 
just published patch versions earlier this 
month. Unfortunately, 
a recent CVE for the UnRAR* library has prompted us to prepare these additional 
updates.

We strongly encourage everyone to upgrade to one of these versions.

The release files for the patch versions are also available for download on the 
ClamAV downloads page, on the Github Release 
page, and through Docker 
Hub. Because ClamAV 1.2.0 is now the 
latest release, the release files for version 1.1.2 will be found under the 
"Previous Stable Releases" section of the ClamAV.net downloads page.

*UnRAR is an open-source library by the makers of WinRAR which we bundle with 
ClamAV under the name "libclamunrar". We are concerned that ClamAV may be 
affected by CVE-2023-40477. Special thanks to Jan Pokorny, at St. Anne's 
University Hospital, for identifying its potential impact on ClamAV and 
reporting it to us.

Continue reading to learn what changed in each version.
1.2.0

ClamAV 1.2.0 includes the following improvements and changes:

Major changes

  *   Added support for extracting Universal Disk Format (UDF) partitions.

Specifically, this version adds support for the Beginning Extended Area 
Descriptor (BEA01) type of UDF files.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/941
  *   Added an option to customize the size of ClamAV's clean file cache.

Increasing the size of the clean file cache may improve scan performance but 
will require more RAM. The cache size value should be a square number or will 
be rounded up to the nearest square number.

The cache size option for clamd and clamscan is --cache-size. Alternatively, 
you can customize the cache size for ClamD by setting CacheSize in clamd.conf.

Patch courtesy of Craig Andrews.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/882
  *   Introduced a SystemD timer for running Freshclam updates, without sending 
Freshclam into the background. This takes the "burden of timing the updates" 
from Freshclam and puts it onto SystemD. The timer can be activated, audited, 
and the logs inspected:

sudo systemctl enable --now clamav-freshclam-once.timer
sudo systemctl list-timers
sudo systemctl status clamav-freshclam-once.timer
sudo systemctl status clamav-freshclam-once.service
journalctl -u clamav-freshclam-once.service


If you want a different update interval you can edit the timer unit file:

sudo systemctl edit clamav-freshclam-once.timer


Patch courtesy of Nils Werner.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/962
  *   Raised the MaxScanSize limit so the total amount of data scanned when 
scanning a file or archive may exceed 4 gigabytes.

Introduced the ability to suffix the MaxScanSize and other config file size 
options with a "G" or "g" for the number of gigabytes. For example, for ClamD 
you may now specify MaxScanSize 10G in clamd.conf. And for ClamScan, you may 
now specify --max-scansize=10g.

The MaxFileSize is still limited internally in ClamAV to 2 gigabytes. Any file, 
or embedded file, larger than 2GB will be skipped. You may use clamscan 
--alert-exceeds-max, or the clamd.conf option AlertExceedsMax yes to tell if a 
scan is not completed because of the scan limits.

Patch courtesy of matthias-fratz-bsz.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/945
  *   Added ability for Freshclam to use a client certificate PEM file and a 
private key PEM file for authentication to a private mirror by setting the 
following environment variables:

 *   FRESHCLAM_CLIENT_CERT: May be set to the path of a file (PEM) 
containing the client certificate.
 *   FRESHCLAM_CLIENT_KEY: May be set to the path of a file (PEM) 
containing the client private key.
 *   FRESHCLAM_CLIENT_KEY_PASSWD: May be set to a password for the client 
key PEM file, if it is password protected.

Patch courtesy of jedrzej.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/955

Other improvements

  *   Fix an issue extracting files from ISO9660 partitions where the files are 
listed in the plain ISO tree and there also exists an empty Joliet tree.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/938
  *   CMake build system 

Re: [clamav-users] QNAP NAS virus definition updates.

2023-08-25 Thread Micah Snyder (micasnyd) via clamav-users
Unless QNAP is customizing things or hosting their own mirror, chances are it's 
reaching out to https://database.clamav.net over port 443.

Disclaimer: I don't have any experience with QNAP devices.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Thomas 
ONeill via clamav-users 
Sent: Friday, August 25, 2023 11:29 AM
To: clamav-users@lists.clamav.net 
Cc: Thomas ONeill 
Subject: [clamav-users] QNAP NAS virus definition updates.

Hello all!
I was wondering if anyone knows the ports or IP addresses that my QNAP NAS 
reaches out to in order to receive definition updates. I have locked down my 
firewall but would like to allow the automatic updates.

Thanks,

Tom


[clamav-users] ClamAV 1.2.0 release candidate now available

2023-08-04 Thread Micah Snyder (micasnyd) via clamav-users


Read this online at 
https://blog.clamav.net/2023/08/clamav-120-release-candidate-now.html



We are excited to announce the ClamAV 1.2.0 release candidate.


You may find the source code and installers for this release on the 
clamav.net/downloads page or the ClamAV 
GitHub release 
page.


Tip: If you are downloading the source from the GitHub release page, the 
package labeled "clamav-1.2.0-rc.tar.gz" does not require an internet 
connection to build. All dependencies are included in this package.  But if you 
download the ZIP or TAR.GZ generated by GitHub, located at the very bottom, 
then an internet connection will be required during the build to download 
additional Rust dependencies.

For Docker users, there is no specific Docker tag for the release candidate, 
but you can use the clamav:unstable or clamav:unstable_base tags.

The release candidate phase is expected to last two to three weeks before we 
publish the stable release or a second release candidate. Please take this time 
to evaluate ClamAV 1.2.0.

Please help us validate this release by providing feedback via the ClamAV 
mailing list or on our 
Discord.

ClamAV 1.2.0 includes the following improvements and changes:

Major changes

  *   Added support for extracting Universal Disk Format (UDF) partitions.

Specifically, this version adds support for the Beginning Extended Area 
Descriptor (BEA01) type of UDF files.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/941
  *   Added an option to customize the size of ClamAV's clean file cache.

Increasing the size of the clean file cache may improve scan performance but 
will require more RAM. The cache size value should be a square number or will 
be rounded up to the nearest square number.

The cache size option for clamd and clamscan is --cache-size. Alternatively, 
you can customize the cache size for ClamD by setting CacheSize in clamd.conf.

Patch courtesy of Craig Andrews.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/882
  *   Introduced a SystemD timer for running Freshclam updates, without sending 
Freshclam into the background. This takes the "burden of timing the updates" 
from Freshclam and puts it onto SystemD. The timer can be activated, audited, 
and the logs inspected:

sudo systemctl enable --now clamav-freshclam-once.timer
sudo systemctl list-timers
sudo systemctl status clamav-freshclam-once.timer
sudo systemctl status clamav-freshclam-once.service
journalctl -u clamav-freshclam-once.service


If you want a different update interval you can edit the timer unit file:

sudo systemctl edit clamav-freshclam-once.timer


Patch courtesy of Nils Werner.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/962
  *   Raised the MaxScanSize limit so the total amount of data scanned when 
scanning a file or archive may exceed 4 gigabytes.

Introduced the ability to suffix the MaxScanSize and other config file size 
options with a "G" or "g" for the number of gigabytes. For example, for ClamD 
you may now specify MaxScanSize 10G in clamd.conf. And for ClamScan, you may 
now specify --max-scansize=10g.

The MaxFileSize is still limited internally in ClamAV to 2 gigabytes. Any file, 
or embedded file, larger than 2GB will be skipped. You may use clamscan 
--alert-exceeds-max, or the clamd.conf option AlertExceedsMax yes to tell if a 
scan is not completed because of the scan limits.

Patch courtesy of matthias-fratz-bsz.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/945
  *   Added ability for Freshclam to use a client certificate PEM file and a 
private key PEM file for authentication to a private mirror by setting the 
following environment variables:

 *   FRESHCLAM_CLIENT_CERT: May be set to the path of a file (PEM) 
containing the client certificate.
 *   FRESHCLAM_CLIENT_KEY: May be set to the path of a file (PEM) 
containing the client private key.
 *   FRESHCLAM_CLIENT_KEY_PASSWD: May be set to a password for the client 
key PEM file, if it is password protected.

Patch courtesy of jedrzej.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/955

Other improvements

  *   Fix an issue extracting files from ISO9660 partitions where the files are 
listed in the plain ISO tree and there also exists an empty Joliet tree.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/938
  *   CMake build system improvement to support compiling with OpenSSL 3.x on 
macOS with the Xcode toolchain.

The official ClamAV installers and packages are now built with OpenSSL 3.1.1 or 
newer.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/970
  *   The suggested 

Re: [clamav-users] Scanning blocked during database reload

2023-07-19 Thread Micah Snyder (micasnyd) via clamav-users
Michal,

I'm not sure what's going wrong for you.  It works as expected with 1.1.0 for 
me.

I would be wondering about that same setting.
If you run "clamconf -n" can you confirm the settings it finds, and also the 
path of the config file you've been editing to make sure it is the same as what 
"clamconf" is using?

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Michał 
Smyczyński via clamav-users 
Sent: Thursday, July 13, 2023 8:04 AM
To: ClamAV users ML 
Cc: Michał Smyczyński 
Subject: Re: [clamav-users] Scanning blocked during database reload

Hi Matus, thank you for your prompt reply.

I did not disable ConcurrentDatabaseReload and moreover, as indicated, I 
additionally set it explicitly to yes. My server has 6 GB of memory, with 
around 2 GB of normal utilization, so that should not be a problem. I started to 
observe this issue from ClamAV 0.105 and 1.0. In 0.103 and 0.104 the problem 
did not occur.

Regards
On 2023-07-13 16:22:36, Matus UHLAR - fantomas wrote:

On 13.07.23 15:53, Michał Smyczyński via clamav-users wrote:
> I have noticed the blocking of clamd scanning during database reload in
> clamav 1.1.0 and 0.105.2, exactly as it  had happened in the earlier
> versions, prior to 0.103 as if the concurrent database reload feature did
> not properly work.  I have also explicitly added ConcurrentDatabaseReload
> yes directive in clamd.conf but with no luck.

>Thu Jul 13 15:19:30 2023 -> Reading databases from /var/lib/clamav
>Thu Jul 13 15:20:24 2023 -> Database correctly reloaded (9536284 signatures)
>Thu Jul 13 15:20:24 2023 -> Activating the newly loaded database...
>Thu Jul 13 15:25:36 2023 -> Client disconnected (FD 10)
>Thu Jul 13 15:25:36 2023 -> Client disconnected (FD 11)
>Thu Jul 13 15:25:36 2023 -> Client disconnected (FD 12)

>And the scanning is blocked for 5 minutes after the database is activated.
>I kindly appreciate the possibility of further investigation/diagnostics.

check if you didn't disable ConcurrentDatabaseReload in clamd.conf

if it's enabled (by default), it allows scanning  during database reload,
but clamd uses twice as much RAM (can exceed 3G) during that time.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
On the other hand, you have different fingers.


Re: [clamav-users] ClamAV on RHEL9 with FIPS enabled

2023-07-11 Thread Micah Snyder (micasnyd) via clamav-users
Apologies for the delayed response.

We are only just starting to discuss a possibility of a new CVD (signed 
signature database archive) format internally.  Sorry I cannot promise anything 
in terms of timeline.

-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Vu, 
Hong-Duc V. via clamav-users 
Sent: Friday, July 7, 2023 2:33 PM
To: clamav-users@lists.clamav.net 
Cc: Vu, Hong-Duc V. 
Subject: [clamav-users] ClamAV on RHEL9 with FIPS enabled


Hello Everyone,



Looks like there’s some discussion on the clamav github about this issue.



https://github.com/Cisco-Talos/clamav/issues/564



Micah do you have an anticipated roadmap of when you plan on implementing the 
new SHA256 signatures?





Hong-Duc Vu

Phone: 240-592-3072 Email: hong-duc...@jhuapl.edu




Re: [clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0

2023-07-11 Thread Micah Snyder (micasnyd) via clamav-users
You can submit FP reports through https://www.clamav.net/reports/fp

Our threat research team has automation in place behind this submission portal 
to investigate and resolve FP's.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Eric 
Tykwinski via clamav-users 
Sent: Tuesday, July 11, 2023 1:04 PM
To: 'ClamAV users ML' 
Cc: Eric Tykwinski 
Subject: [clamav-users] Needed to whitelist 
Email.Phishing.RPMSG_Downloader-10004958-0


Just a heads up, we had a legitimate customer receiving Office 365 secure 
emails get hit with this filter.

I’m not sure what the original rule was for, but I’m assuming it was for 
phishing emails; it seems to be a bit too loose in its rules to avoid false 
positives.



Clam team, if you need headers or anything let me know.



Sincerely,



Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300




[clamav-users] Shutting down old ClamAV Bugzilla

2023-06-12 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at 
https://blog.clamav.net/2023/06/shutting-down-old-clamav-bugzilla.html



ClamAV will shut down the old ClamAV Bugzilla 
server in July.

Users who have any outstanding Bugzilla reports should move them to GitHub 
Issues  as soon as possible.

We disabled new tickets in 
Bugzilla
 in December 2021 in favor of GitHub Issues for all new ClamAV bug reports and 
a new process for reporting vulnerabilities as defined by a new security 
policy. As it has now 
been 18 months since the switch to GitHub Issues, we have decided to shut down 
our old Bugzilla.

We plan to take the Bugzilla server off the internet sometime after July 1 and 
keep it as an internal reference for our development team. It will no longer be 
accessible to the public.

Posted by Jon Munshaw at 9:06 AM



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] Question About MaxFileSize

2023-06-08 Thread Micah Snyder (micasnyd) via clamav-users
I agree with you.  I suspect the majority of cases today are when people have a 
large archive of files to scan.

I think the best-case scenario for people with a need to scan files larger than 
the present internal 2GB limit is that archives larger than 2GB are decompressed 
and then the files inside are scanned, but without actually scanning the very 
large outer archive.

The way to do this as things work today is to script something around clamscan 
or clamdscan that, if the file is too large, handles an assortment of file types:

  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
  2.  if file is a zip, un-zip it and then scan the files within.
  3.  etc.

I think everyone would like it if clamav could do this automatically for select 
archive types. And I think the advantage would be that we would perhaps keep 
the extracted files in memory, or else at least delete the temp files as we go 
without extracting all of it to disk before starting to scan.

However, it would be far easier to make a shell script or a python script that 
wraps clamscan/clamdscan and uses native tools like "tar", "unzip", etc.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Andrew 
C Aitchison via clamav-users 
Sent: Wednesday, May 24, 2023 1:34 AM
To: ClamAV users ML 
Cc: Andrew C Aitchison 
Subject: Re: [clamav-users] Question About MaxFileSize

On Wed, 24 May 2023, Tachibanaki Nozomi (橘木 希美) wrote:

> Dear Sir or Madam,
>
> Thank you for your help always.
> I am contacting you to ask about MaxFileSize in clamd.conf.
>
> The following description is found in the configuration of
> /usr/local/etc/clamd.conf.
>
> MaxFileSize
> # Technical design limitations prevent ClamAV from scanning files greater than
> # 2 GB at this time.
>
> Is there any plan or possibility to change the technical design
> limitation that prevents scanning files larger than 2 GB in the
> future?

I believe that the intention is to remove this limit at some point.

I wonder whether the technical limitations are less severe for
archive formats such as tar and zip.
Could "small" files inside "large" archives be scanned
without the work necessary for full "large" file support ?

Apart from vulnerabilities caused by 2GB and 4GB limits themselves,
I think scanning inside large archives might solve many of the
reasons for scanning large files.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk
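The wrapper Micah sketches above, written out as an added example (this is not ClamAV's code and was not posted by anyone on the thread). A file under the limit is handed to the scanner as-is; an over-size zip or tar archive is instead extracted one member at a time into a temporary directory, each member is scanned and then deleted before the next one is written, so the expanded archive never sits on disk in full. Extracting untrusted archives is itself a risk, so the helper skips member names that would escape the temp directory and caps the bytes actually written. The scanner is a swappable function so the logic can be exercised without clamscan installed; the 2 GiB threshold, the 8 GiB cap and the clamscan exit-code mapping are assumptions for this example.

```python
import subprocess
import tarfile
import tempfile
import zipfile
from pathlib import Path
from typing import Callable, Dict, Iterator, Optional, Tuple

# ClamAV's internal per-file limit discussed in the thread (2 GiB).
DEFAULT_LIMIT = 2 * 1024 ** 3
# Ceiling on bytes written to the temp directory from one archive, so a small
# but highly compressible archive cannot fill the volume while being scanned
# (decompression-bomb guard; the figure is an assumption for this example).
MAX_EXTRACTED = 8 * 1024 ** 3
CHUNK = 1 << 20

ScannerFn = Callable[[Path], str]


def clamscan(path: Path) -> str:
    """Default scanner: run clamscan and map its exit code (0 clean, 1 found)."""
    proc = subprocess.run(["clamscan", "--no-summary", str(path)],
                          capture_output=True, text=True)
    return {0: "OK", 1: "FOUND"}.get(proc.returncode, f"ERROR({proc.returncode})")


def _safe_dest(root: Path, name: str) -> Optional[Path]:
    """Resolve an archive member name below root; None for absolute or
    traversal names such as '../x', which are skipped instead of written."""
    root = root.resolve()
    dest = (root / name).resolve()
    return dest if root in dest.parents else None


def _copy_bounded(src, dest: Path, budget: int) -> int:
    """Stream src to dest counting bytes actually written (sizes declared in
    archive headers can lie); abort once the remaining budget is exhausted."""
    dest.parent.mkdir(parents=True, exist_ok=True)
    written = 0
    with open(dest, "wb") as out:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                return written
            written += len(chunk)
            if written > budget:
                raise RuntimeError("extraction cap exceeded")
            out.write(chunk)


def _members(archive: Path, root: Path, budget: int) -> Iterator[Tuple[str, Path]]:
    """Extract regular-file members one at a time, yielding (name, temp path)."""
    if zipfile.is_zipfile(str(archive)):
        with zipfile.ZipFile(str(archive)) as zf:
            for info in zf.infolist():
                dest = None if info.is_dir() else _safe_dest(root, info.filename)
                if dest is None:
                    continue
                with zf.open(info) as src:
                    budget -= _copy_bounded(src, dest, budget)
                yield info.filename, dest
    else:
        with tarfile.open(str(archive), "r:*") as tf:  # r:* autodetects gz/bz2/xz
            for m in tf:
                dest = _safe_dest(root, m.name) if m.isfile() else None
                if dest is None:
                    continue
                with tf.extractfile(m) as src:
                    budget -= _copy_bounded(src, dest, budget)
                yield m.name, dest


def scan_path(path, scanner: ScannerFn = clamscan, limit: int = DEFAULT_LIMIT,
              max_extracted: int = MAX_EXTRACTED) -> Dict[str, str]:
    """Scan path directly if it fits under limit; otherwise, for zip/tar
    archives, extract members one by one, scan each, and delete it before
    moving on. Returns {label: status}."""
    path = Path(path)
    if path.stat().st_size <= limit:
        return {str(path): scanner(path)}
    if not (zipfile.is_zipfile(str(path)) or tarfile.is_tarfile(str(path))):
        return {str(path): "SKIPPED: over limit and not a zip/tar archive"}
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory(prefix="bigscan-") as tmp:
        root = Path(tmp)
        for name, extracted in _members(path, root, max_extracted):
            results[f"{path}!{name}"] = scanner(extracted)
            extracted.unlink()  # never keep the whole archive expanded on disk
    return results
```

Members are labelled `archive!member` in the result so a detection can be traced back to the outer file. Symlinks, device nodes and directory entries in tar archives are not extracted at all, and a member that would land outside the temp directory is silently skipped rather than written somewhere else on the host.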


Re: [clamav-users] How do I get something added to the ignore list

2023-06-08 Thread Micah Snyder (micasnyd) via clamav-users
If you wish to ignore the PUA.Doc.Tool.LibreOfficeMacro-2 signature, you can 
create a .ign2 signature file in your clamav database directory.

See 
https://docs.clamav.net/manual/Signatures/AllowLists.html#signature-ignore-lists
 for details.



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Tim 
McConnell via clamav-users 
Sent: Thursday, June 8, 2023 10:12 AM
To: Joel Esler ; ClamAV users ML 

Cc: Tim McConnell 
Subject: Re: [clamav-users] How do I get something added to the ignore list

Well I would assume the clam DB but I've no idea how or any of that. I would 
think the new Macro for Libre Office Calc would be in there already but I've 
been wrong before.

On Thu, 2023-06-08 at 13:03 -0400, Joel Esler wrote:
What db do you think you want to add it to?

—
Sent from my iPhone

On Jun 8, 2023, at 12:35, Tim McConnell via clamav-users wrote:


Thanks for that AL, now how do I add to the DB? Two things I'm not is a 
programmer or DBA :-(



Re: [clamav-users] Unix.Malware.Kaiji-10003916-0

2023-06-08 Thread Micah Snyder (micasnyd) via clamav-users
This is correct.  Kaiji-10003917-0 would be a separate signature, loosely 
related to Kaiji-10003916-0.  If Kaiji-10003916-0 had been updated, it would be 
Kaiji-10003916-1.

If it were handwritten, we probably would have done that.  In this case, the 
signature was generated by an automated system, so it was simply thrown out.

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Maarten 
Broekman via clamav-users 
Sent: Thursday, June 8, 2023 4:20 AM
To: ClamAV users ML 
Cc: Maarten Broekman 
Subject: Re: [clamav-users] Unix.Malware.Kaiji-10003916-0

> So how does Kaiji-10003917-0 relate to Kaiji-10003916-0 ? Does
> Kaiji-10003916-0 get thrown out, or does it get updated to
> Kaiji-10003917-0 ?

The way it was explained to me (years ago) is that they are separate 
signatures, unrelated except in that they are related to Kaiji. If 10003916-0 
was updated, it would become 10003916-1.

Maarten

Sent from a tiny keyboard

> On Jun 8, 2023, at 06:37, Robert M. Stockmann via clamav-users 
>  wrote:
>
> On Wed, 7 Jun 2023, Al Varnell via clamav-users wrote:
>
>> Date: Wed, 7 Jun 2023 22:36:52 -0700
>> From: Al Varnell via clamav-users 
>> To: ClamAV users ML 
>> Cc: Al Varnell 
>> Subject: Re: [clamav-users] Unix.Malware.Kaiji-10003916-0
>>
>> Note that the signature was dropped in daily - 26932 which was
>> released several hours earlier than usual today.
>>
>
> [hubble:root]:(~)# sigtool -l | grep Unix.Malware.Kaiji
> Unix.Malware.Kaiji-7789500-0
> Unix.Malware.Kaiji-7789501-2
> Unix.Malware.Kaiji-7813991-0
> Unix.Malware.Kaiji-9760851-0
> Unix.Malware.Kaiji-9763185-0
> Unix.Malware.Kaiji-9969783-0
> Unix.Malware.Kaiji-9992785-0
> Unix.Malware.Kaiji-9993888-0
> Unix.Malware.Kaiji-1905-0
> Unix.Malware.Kaiji-10002375-0
> Unix.Malware.Kaiji-10002376-0
> Unix.Malware.Kaiji-10003612-0
> Unix.Malware.Kaiji-10003647-0
> Unix.Malware.Kaiji-10003670-0
> Unix.Malware.Kaiji-10003730-0
> Unix.Malware.Kaiji-10003731-0
> Unix.Malware.Kaiji-10003738-0
> Unix.Malware.Kaiji-10003739-0
> Unix.Malware.Kaiji-10003917-0
> Unix.Malware.Kaiji-7789499-1
> [hubble:root]:(~)# clamdscan -V
> ClamAV 0.103.8/26933/Thu Jun  8 09:26:06 2023
> [hubble:root]:(~)#
>
> So how does Kaiji-10003917-0 relate to Kaiji-10003916-0 ? Does
> Kaiji-10003916-0 get thrown out, or does it get updated to
> Kaiji-10003917-0 ?
>
>
> --
> Robert M. Stockmann - RHCE
> Network Engineer - UNIX/Linux Specialist
> crashrecovery.org  st...@stokkie.net
>


Re: [clamav-users] LibClamAV Error: cli_html_normalise: style chunk size underflow

2023-05-17 Thread Micah Snyder (micasnyd) via clamav-users
Hi Joe,

Can you identify the file that triggers this error, and would you be able to 
email it to me directly to investigate please?

You can ignore the error message otherwise.  It is a part of a safety bounds 
check that we added in a new feature in ClamAV 1.1.0. We did not expect that 
error message to occur within a normal file.

If you're doing a scan of the directory with clamscan, the filepath of the file 
that causes it should appear immediately after the error message.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Joe 
Sparks via clamav-users 
Sent: Wednesday, May 17, 2023 9:42 AM
To: clamav-users@lists.clamav.net 
Cc: Joe Sparks 
Subject: [clamav-users] LibClamAV Error: cli_html_normalise: style chunk size 
underflow

I recently installed clamscan on a Mac ARM PC. I am running scans of a 
directory and receiving this error: LibClamAV Error: cli_html_normalise: style 
chunk size underflow

Does anyone have any insight into the cause and mitigation steps?


Re: [clamav-users] [ext] Segfaults with database version 26908

2023-05-17 Thread Micah Snyder (micasnyd) via clamav-users
Hi Mario, all,

Thank you for the extra info and the offer for help.

Last night I also received a backtrace and a sample that will reproduce the 
crash.
We should be able to figure out a fix for the bug from here.

Thanks again!

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Mario 
Yorck via clamav-users 
Sent: Tuesday, May 16, 2023 11:55 PM
To: ClamAV users ML 
Cc: Mario Yorck 
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908

Here is some information:

It crashes when specific files are scanned. However, it is unlikely that the 
file contains the bad signature (but I'm not sure). I have a sample file, but 
with personal data that I cannot share. Yesterday I was able to reproduce the 
crash, but today I no longer have the version 26908. If you send me yesterday's 
version and describe what you need, I can try to debug something.

Here is my test from yesterday with version 0.103.8 on gentoo:

# clamscan clamav-0c216ef050250d78d59408a83f383ba1.tmp
LibClamAV Warning: Don't know how to create filter for: 
Win.Downloader.LNKAgent-10001628-0
LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie
Segmentation fault

# echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2

# clamscan clamav-0c216ef050250d78d59408a83f383ba1.tmp
clamav-0c216ef050250d78d59408a83f383ba1.tmp: OK

The LibClamAV Warnings also came when scanning other files, but other files were 
successfully scanned without any crash.

clamscan[26247]: segfault at 7fd6907960bf ip 7fd5e36947a7 sp 
7ffe80983900 error 4 in libclamav.so.9.0.5[7fd5e3692000+116000] likely on 
CPU 0 (core 0, socket 0)

Hope this helps to find the problem.

PS: Thanks to my lifesaver Matthias for the tip about the whitelist yesterday.

Mario

On Tue., 16 May 2023 at 14:51, Matthias Rieber wrote:
Hello,

On Tue, 16 May 2023, Ralf Hildebrandt via clamav-users wrote:

>> As far as I can tell this happens in
>>
>> 0x7fdfd44c377d 
>>
>> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>>
>> Has anyone seen this, too?
>
> I've seen this with 1.1.0-1 as well. Maybe they're related to the
> "pattern issue" I posted a while ago

yes, it turns out that you can mitigate this issue when you whitelist
this signature:

$ echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2

Regards,
Matthias

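Micah's pointer to .ign2 files in the LibreOffice macro thread and the bad_sig.ign2 workaround Matthias posted above use the same mechanism: one signature name per line in a file with the .ign2 extension inside the database directory. As an added example (not ClamAV's code and not from anyone on this list), a small helper that adds a name to such a file idempotently and with a sanity check on the name, which the one-line echo does not give you; note that echo with a single `>` truncates the file, so a second workaround added the same way silently drops the first. The name pattern is an assumption used only to catch typos and stray whitespace, not ClamAV's full naming grammar.

```python
import re
from pathlib import Path
from typing import List

# Plausibility check for a signature name as written in a .ign2 file: a dotted
# name followed by one or more "-<number>" parts, e.g.
# PUA.Doc.Tool.LibreOfficeMacro-2 or Win.Downloader.LNKAgent-10001628-0
# (both names are from this thread). Assumption for this example only.
SIG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_.]*(?:-\d+)+$")


def read_ignore_list(ign2: Path) -> List[str]:
    """Return the signature names currently listed in one .ign2 file."""
    if not ign2.exists():
        return []
    return [ln.strip() for ln in ign2.read_text().splitlines() if ln.strip()]


def add_ignore(ign2: Path, sig: str) -> bool:
    """Append sig to ign2 unless it is already listed. Returns True if written.

    Appends instead of truncating, so earlier entries survive; raises
    ValueError for names that do not look like ClamAV signature names."""
    sig = sig.strip()
    if not SIG_NAME.match(sig):
        raise ValueError(f"not a plausible ClamAV signature name: {sig!r}")
    if sig in read_ignore_list(ign2):
        return False
    with ign2.open("a") as fh:
        fh.write(sig + "\n")
    return True


def ignored_in_dir(db_dir: Path) -> List[str]:
    """Every name ignored across all *.ign2 files in the database directory,
    since ClamAV loads each .ign2 file it finds there, not just one."""
    names: List[str] = []
    for f in sorted(db_dir.glob("*.ign2")):
        names.extend(read_ignore_list(f))
    return names
```

The file has to live in the directory clamd actually reads (DatabaseDirectory in clamd.conf); a running clamd picks the change up on its next database reload, either through its periodic SelfCheck or when forced with `clamdscan --reload`. Keeping a record of why each name was added (the crash, the false positive) somewhere alongside the file matters, because an ignore entry for a real detection is a permanent blind spot until someone removes it.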


Re: [clamav-users] [ext] Segfaults with database version 26908

2023-05-16 Thread Micah Snyder (micasnyd) via clamav-users
The daily database has been updated to drop the offending signature.

We're still investigating to understand what may cause a crash. I was able to 
see in https://github.com/Cisco-Talos/clamav/issues/923 that the crash may 
occur at database load time, and not during a scan.  So that is a relief.

But we of course still want to find and fix the bug.  If anyone has any 
additional leads or a backtrace / call stack from GDB that would be very 
helpful.

Thanks all,

Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Micah 
Snyder (micasnyd) via clamav-users 
Sent: Tuesday, May 16, 2023 1:09 PM
To: Ralf Hildebrandt via clamav-users 
Cc: Micah Snyder (micasnyd) 
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908

All,

For those who experience the crashes - is this happening when scanning any 
specific files with this signature in the database? If so, can you please share 
that with me directly?

I see the same warning, but I haven't observed any crashes yet.  I will 
continue to debug and try to figure out what may cause a crash.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
Matthias Rieber 
Sent: Tuesday, May 16, 2023 5:50 AM
To: Ralf Hildebrandt via clamav-users 
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908

Hello,

On Tue, 16 May 2023, Ralf Hildebrandt via clamav-users wrote:

>> As far as I can tell this happens in
>>
>> 0x7fdfd44c377d 
>>
>> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>>
>> Has anyone seen this, too?
>
> I've seen this with 1.1.0-1 as well. Maybe they're related to the
> "pattern issue" I posted a while ago

yes, it turns out that you can mitigate this issue when you whitelist
this signature:

$ echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2

Regards,
Matthias



Re: [clamav-users] End of life (EOL) policy change, 0.103 one year extension, 0.105 past end of life

2023-05-16 Thread Micah Snyder (micasnyd) via clamav-users
Hi Paul,

Unlike Java or C#, Rust does not have any additional runtime library 
requirement.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Paul 
Kosinski via clamav-users 
Sent: Monday, May 8, 2023 5:01 PM
To: clamav-users@lists.clamav.net 
Cc: Paul Kosinski 
Subject: Re: [clamav-users] End of life (EOL) policy change, 0.103 one year 
extension, 0.105 past end of life

Micah,

Great decision!

I was worried about needing Rust on some of our systems. Not only for 
compiling, but doesn't Rust also need its own run time libraries?

I'm still trying to figure out how to move from iptables to nftables, so not 
having also to use Rust "immediately" is a relief.

(They claim nftables is better, but their automatic translator doesn't handle 
all of the options iptables supported. This is probably because it looks that 
they just arbitrarily dropped some matchers, like 'u32', from the underlying 
engine.)



On Mon, 8 May 2023 17:55:57 +0000
"Micah Snyder (micasnyd) via clamav-users" wrote:

> Read this online at 
> https://blog.clamav.net/2023/05/end-of-life-eol-policy-change-0103-one.html
>
>
> End of life (EOL) policy change
> ClamAV is making a minor change to our EOL policy 
> (https://docs.clamav.net/faq/faq-eol.html).
>
> The original EOL policy stated that Long Term Support (LTS) versions will 
> lose access to signature updates on the same date that we end support for 
> additional patch versions.
>
> We are changing the policy to allow signature updates for at least one year 
> after we stop supporting the release with patch versions.
>
> 0.103 support extension
> We are also announcing a one-year extension of support for ClamAV 0.103 LTS.
>
> We decided to extend the life of the 0.103 LTS release because of the 
> significant changes to the build system in 0.104 and the change in 0.105 
> requiring the Rust programming language toolchain to compile ClamAV.
>
> The one-year support extension does not apply to future LTS releases.
>
> ClamAV 0.103.0 was initially released on Sept. 14, 2020. With the additional 
> year of support, and considering the change in the EOL Policy that allows one 
> additional year of access for signature updates, this means that EOL dates 
> for ClamAV 0.103 LTS are as follows:
>
>   *   Expected End of Life (EOL): Sept. 14, 2024
>   *   Patch versions continue until: Sept. 14, 2024
>   *   Internal signature load testing until: Sept. 14, 2024
>   *   Database downloads allowed until: Sept. 14, 2025
>
> 0.105 EOL
> Finally, we would like to remind everyone that as per the EOL Policy, the 
> release of ClamAV 1.1 heralds the end of patch versions supporting ClamAV 
> 0.105. There will be no more patch versions for ClamAV 0.105.
>
> ClamAV 0.105 will continue to have access to signature updates for an 
> additional four months after the 1.1 release, which was on May 1, 2023. This 
> means that we may block 0.105 from further updates after Sept. 1, 2023.
>
> Posted by Micah Snyder at 1:24 PM
> Labels: 0.103, 0.105, eol, LTS
>
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.


Re: [clamav-users] LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0

2023-05-16 Thread Micah Snyder (micasnyd) via clamav-users
It appears that this warning was added by accident while fixing a bug shortly 
before release and no one noticed in review.  We'll remove the warning in 1.1.1 
and 1.2.0.

Sorry for the confusion!

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Ralf 
Hildebrandt via clamav-users 
Sent: Tuesday, May 16, 2023 1:08 AM
To: clamav-users@lists.clamav.net 
Cc: Ralf Hildebrandt 
Subject: [clamav-users] LibClamAV Warning: Don't know how to create filter for: 
Win.Downloader.LNKAgent-10001628-0

clamav-1.1.0-1:
===

May 16 10:00:23 de freshclam[864]: Tue May 16 10:00:23 2023 -> daily database 
available for update (local version: 26907, remote version: 26908)
May 16 10:00:23 de freshclam[864]: WARNING: Tue May 16 10:00:23 2023 ->  
*** RESULT 200, SIZE: 7213 ***

Why does a 200 return code ("OK") warrant a warning?

May 16 10:00:24 de freshclam[864]: Tue May 16 10:00:24 2023 -> Testing 
database: 
'/var/lib/clamav/tmp.c022cc91c3/clamav-9a70f6b397596656b8338e5caf1d6bc7.tmp-daily.cld'
 ...
May 16 10:00:27 de freshclam[816014]: Tue May 16 10:00:27 2023 -> [LibClamAV] 
Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
May 16 10:00:27 de freshclam[816014]: Tue May 16 10:00:27 2023 -> [LibClamAV] 
cli_ac_addsig: cannot use filter for trie

Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
sounds a bit worrying...

May 16 10:00:29 de freshclam[864]: Tue May 16 10:00:29 2023 -> Database test 
passed.

but alas, despite errors the Database test passed?

May 16 10:00:29 de freshclam[864]: Tue May 16 10:00:29 2023 -> daily.cld 
updated (version: 26908, sigs: 2034816, f-level: 90, builder: raynman)
May 16 10:00:29 de freshclam[864]: Tue May 16 10:00:29 2023 -> Clamd 
successfully notified about the update.
May 16 10:00:33 de clamd[686]: LibClamAV Warning: Don't know how to create 
filter for: Win.Downloader.LNKAgent-10001628-0
May 16 10:00:33 de clamd[686]: LibClamAV Warning: cli_ac_addsig: cannot use 
filter for trie

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
IT Division | Network Department

Campus Benjamin Franklin (CBF)
Building I | 1st floor | Room 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de


Re: [clamav-users] [ext] Segfaults with database version 26908

2023-05-16 Thread Micah Snyder (micasnyd) via clamav-users
All,

For those who experience the crashes - is this happening when scanning any 
specific files with this signature in the database? If so, can you please share 
that with me directly?

I see the same warning, but I haven't observed any crashes yet.  I will 
continue to debug and try to figure out what may cause a crash.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
Matthias Rieber 
Sent: Tuesday, May 16, 2023 5:50 AM
To: Ralf Hildebrandt via clamav-users 
Subject: Re: [clamav-users] [ext] Segfaults with database version 26908

Hello,

On Tue, 16 May 2023, Ralf Hildebrandt via clamav-users wrote:

>> As far as I can tell this happens in
>>
>> 0x7fdfd44c377d 
>>
>> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>>
>> Has anyone seen this, too?
>
> I've seen this with 1.1.0-1 as well. Maybe they're related to the
> "pattern issue" I posted a while ago

yes, it turns out that you can mitigate this issue when you whitelist
this signature:

$ echo "Win.Downloader.LNKAgent-10001628-0" > /var/lib/clamav/bad_sig.ign2

Regards,
Matthias



[clamav-users] End of life (EOL) policy change, 0.103 one year extension, 0.105 past end of life

2023-05-08 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at 
https://blog.clamav.net/2023/05/end-of-life-eol-policy-change-0103-one.htm


End of life (EOL) policy change
ClamAV is making a minor change to our EOL 
policy.

The original EOL policy stated that Long Term Support (LTS) versions will lose 
access to signature updates on the same date that we end support for additional 
patch versions.

We are changing the policy to allow signature updates for at least one year 
after we stop supporting the release with patch versions.

0.103 support extension
We are also announcing a one-year extension of support for ClamAV 0.103 LTS.

We decided to extend the life of the 0.103 LTS release because of the 
significant changes to the build system in 0.104 and the change in 0.105 
requiring the Rust programming language toolchain to compile ClamAV.

The one-year support extension does not apply to future LTS releases.

ClamAV 0.103.0 was initially released on Sept. 14, 2020. With the additional 
year of support, and considering the change in the EOL Policy that allows one 
additional year of access for signature updates, this means that EOL dates for 
ClamAV 0.103 LTS are as follows:

  *   Expected End of Life (EOL): Sept. 14, 2024
  *   Patch versions continue until: Sept. 14, 2024
  *   Internal signature load testing until: Sept. 14, 2024
  *   Database downloads allowed until: Sept. 14, 2025

0.105 EOL
Finally, we would like to remind everyone that as per the EOL Policy, the 
release of ClamAV 1.1 heralds the end of patch versions supporting ClamAV 
0.105. There will be no more patch versions for ClamAV 0.105.

ClamAV 0.105 will continue to have access to signature updates for an 
additional four months after the 1.1 release, which was on May 1, 2023. This 
means that we may block 0.105 from further updates after Sept. 1, 2023.

Posted by Micah Snyder at 1:24 PM
Labels: 0.103, 0.105, eol, LTS



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] ClamAV 1.1.0 released

2023-05-04 Thread Micah Snyder (micasnyd) via clamav-users
Hey Andreas,

Yes, we did update the Talos PGP Public Key shortly before the previous one 
expired.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of A. 
Schulze via clamav-users 
Sent: Tuesday, May 2, 2023 10:21 AM
To: clamav-users@lists.clamav.net 
Cc: A. Schulze 
Subject: Re: [clamav-users] ClamAV 1.1.0 released



On 01.05.23 at 23:19, Micah Snyder (micasnyd) via clamav-users wrote:
> The ClamAV 1.1.0 feature release is now stable and available for download on 
> ClamAV.net <https://www.clamav.net/downloads>

Hello Micah,

Did you update the gpg signing-key?
Was the "Talos PGP Public Key" from  https://www.clamav.net/downloads changed?

Andreas


[clamav-users] ClamAV 1.1.0 released

2023-05-01 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at https://blog.clamav.net/2023/05/clamav-110-released.html




The ClamAV 1.1.0 feature release is now stable and available for download on 
ClamAV.net or through Docker 
Hub.

ClamAV 1.1.0 includes the following improvements and changes.


Major changes

  *   Added the ability to extract images embedded in HTML CSS 

Re: [clamav-users] Inquiry about ClamAV's MaxFileSize

2023-04-25 Thread Micah Snyder (micasnyd) via clamav-users
Hi Nozomi Tachibanaki,

In ClamAV 0.105 we increased the max file size and max scan size.
If your clamd.conf setting does not also raise the MaxScanSize setting, then it 
is likely you would experience the "Heuristics.Limits.Exceeded.MaxFileSize 
FOUND" alert in 0.103.7 and possibly also in 1.0.1, depending on the file 
you're scanning.

Sorry about the delayed response.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of 
Tachibanaki Nozomi (橘木 希美) 
Sent: Tuesday, April 18, 2023 7:27 PM
To: clamav-users@lists.clamav.net 
Cc: Hino Shogo (日野 翔豪) ; Sugawara Masatomo (菅原 正大) 

Subject: [clamav-users] Inquiry about ClamAV's MaxFileSize


Dear Sir or Madam,



Thank you for your help always.

The purpose of this email is to inquire about ClamAV's MaxFileSize.



We are currently using ClamAV version 0.103.7.

We are planning to update to version 1.0.1 and are testing it.

When AlertExceedsMax is set to yes and a file with the same number of bytes as 
MaxFileSize is scanned, in version 0.103.7 the message 
"Heuristics.Limits.Exceeded.MaxFileSize FOUND with AlertExceedsMax" is output, 
but in version 1.0.1 the message is no longer displayed. Is this a 
specification?



The clamd.conf setting is as follows

・MaxFileSize 2048M



The log of clamd demon is as follows.

・clamd daemon 1.0.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)

・Limits: File size limit set to 2147483648 bytes.



The verification file was created using the following command

・fsutil file createnew 2.0G.dat 2147483648





I’m looking forward to hearing from you.

Yours sincerely,





Nozomi Tachibanaki




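Micah's answer turns on two clamd.conf directives that have to move together: MaxFileSize (the largest single file that will be scanned) and MaxScanSize (the most data scanned per input file, extracted content included), plus AlertExceedsMax, which turns a hit limit into a Heuristics.Limits.Exceeded result. As an added example (not ClamAV's code), a small lint over a clamd.conf fragment that parses the size notation used in the thread (2048M) and flags a MaxFileSize larger than MaxScanSize, or larger than the 2 GB limit stated in clamd.conf's own comment quoted earlier in this archive. The directive names are the real ones; the warning text, the sample configuration and the G suffix handling are constructed for this example.

```python
import re
from typing import Dict, List

# Per-file ceiling quoted from clamd.conf in this archive: ClamAV cannot
# scan files greater than 2 GB.
TWO_GIB = 2 * 1024 ** 3
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value: str) -> int:
    """Parse a clamd.conf size such as '2048M' or '400M' into bytes.
    A bare number is bytes; K/M/G are binary multiples (G is a convenience
    here, the thread itself only uses M)."""
    m = re.fullmatch(r"(\d+)\s*([KkMmGg]?)", value.strip())
    if not m:
        raise ValueError(f"bad size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def parse_clamd_conf(text: str) -> Dict[str, str]:
    """Directive -> last value seen; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_limits(conf: Dict[str, str]) -> List[str]:
    """Return warnings for limit combinations that produce exceeds-max results
    or fall outside the documented per-file ceiling."""
    warnings: List[str] = []
    file_size = parse_size(conf["MaxFileSize"]) if "MaxFileSize" in conf else None
    scan_size = parse_size(conf["MaxScanSize"]) if "MaxScanSize" in conf else None
    if file_size is None:
        warnings.append("MaxFileSize is not set; the version-dependent default applies")
    if scan_size is None:
        warnings.append("MaxScanSize is not set; the version-dependent default applies")
    if file_size is not None and scan_size is not None and file_size > scan_size:
        alert = ""
        if conf.get("AlertExceedsMax", "").lower() == "yes":
            alert = " (AlertExceedsMax yes: files in between are reported as Heuristics.Limits.Exceeded)"
        warnings.append(
            f"MaxScanSize too small: MaxFileSize {file_size} > MaxScanSize {scan_size}{alert}")
    if file_size is not None and file_size > TWO_GIB:
        warnings.append(
            f"MaxFileSize above 2 GB: {file_size} exceeds the documented technical limit")
    return warnings
```

Run it over the real file with `check_limits(parse_clamd_conf(open("/etc/clamav/clamd.conf").read()))` (path varies by distribution). The defaults when a directive is absent differ between 0.103 and later releases, which is why the lint reports an unset directive rather than guessing its value.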


Re: [clamav-users] ssl peer certificate or ssh remote key was not ok

2023-04-03 Thread Micah Snyder (micasnyd) via clamav-users
I'm not sure this will help, but can you try using the CURL_CA_BUNDLE 
environment variable to see if that helps?

Ex:

CURL_CA_BUNDLE=/usr/local/share/ca-certificates/cert.crt freshclam

https://docs.clamav.net/faq/faq-freshclam.html?highlight=curl_#problem-with-the-ssl-ca-cert

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Petr 
Novák via clamav-users 
Sent: Monday, April 3, 2023 7:23 AM
To: clamav-users@lists.clamav.net 
Cc: Petr Novák 
Subject: [clamav-users] ssl peer certificate or ssh remote key was not ok

Hi guys,

I have an issue with freshclam.

We are setting up freshclam clients (Debian 11) which download the database 
via a private mirror that uses HTTPS. When I tried to use freshclam on my 
Windows client, it worked, but on my Debian client I get the error message "ssl 
peer certificate or ssh remote key was not ok".

I imported my private mirror's SSL certificate via this method:
cp cert.crt /usr/local/share/ca-certificates/
update-ca-certificates

But even after this, the error still persists.

Is there any way to make this work? I am a beginner in Linux, so I don't really 
know what to do next.

Thanks


[clamav-users] Clamav 1.1.0 release candidate available now

2023-03-31 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at 
https://blog.clamav.net/2023/03/clamav-110-release-candidate-now.html



We are excited to announce the ClamAV 1.1.0 release candidate.

You may find the source code and installers for this release on:

  *   The clamav.net/downloads page, or
  *   The ClamAV GitHub release page

Tip: If you are downloading the source from the GitHub release page, the 
package labeled "clamav-1.1.0-rc.tar.gz" does not require an internet 
connection to build.  All dependencies are included in this package.  But if 
you download the ZIP or TAR.GZ generated by GitHub, located at the very bottom, 
then an internet connection will be required during the build to download 
additional Rust dependencies.

For Docker users, there is no specific Docker tag for the release candidate, 
but you can use the clamav:unstable or clamav:unstable_base tags.

The release candidate phase is expected to last two to three weeks before we 
publish the stable release or a second release candidate. Please take this time 
to evaluate ClamAV 1.1.0.

Please help us validate this release by providing feedback via the ClamAV 
mailing list or on our 
Discord.

ClamAV 1.1.0 includes the following improvements and changes:

Major changes

  *   Added the ability to extract images embedded in HTML CSS 

Re: [clamav-users] Clamav EOL Policy and Signatures

2023-03-24 Thread Micah Snyder (micasnyd) via clamav-users
Hi Scott,

> First, I see the planned EOL date on clamav.net is the same as then.  Is the
> assessment about extending the support period still ongoing?

We discussed it and agreed to a 1-year extension for 0.103 LTS (specifically) 
but not all LTS versions. We have a blog draft in review at this moment to 
formally announce this and explain the finer details. I just asked for a hold 
on publishing this for a few days, given the next topic.

> Second, we had some discussions about distros patching for security updates
> after the support period if needed.  I noticed today that the scheduled
> termination date for being able to download signatures is the same as the EOL
> date.  That's a problem.

You're right, our EOL policy states that signature download support is the same 
as security patch support for LTS versions.

I already had concerns that LTS versions will be so popular that immediately 
cutting it off on the EOL date would be a problem. And at the time we wrote the 
EOL policy, we failed to consider distributions wanting to backport security 
patches to continue support for those versions on their own.

For LTS versions, I believe we should consider supporting signature download 
after we stop security patch support for an extra 6-months, or maaaybe 
12-months.

It's also worth mentioning that new signatures may focus on features available 
in newer versions. For example, right now we're getting a lot of value out of 
image fuzzy hash signatures and those are not used by the 0.103 release. It is 
not quite the case right now, but in future years it is possible that much of 
the new signature content is not used by ClamAV versions past EOL. Our 
Cloudflare CDN is pretty expensive, so that is one argument I have heard for 
wanting to block downloads sooner than later.

Anyways, we have some folks on PTO right now, including my manager. I want to 
talk about it with them some more before we make any decisions. But I didn't 
want to leave you hanging either.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Scott 
Kitterman via clamav-users 
Sent: Thursday, March 23, 2023 2:32 PM
To: clamav-users@lists.clamav.net 
Cc: Scott Kitterman 
Subject: [clamav-users] Clamav EOL Policy and Signatures

I don't know if this is new or if I missed it before, but, now that I've
looked at https://docs.clamav.net/faq/faq-eol.html again, I have questions/
comments about the provision of signature support to EOL releases.

A little over a month ago (Feb 18) one of the Fedora clamav maintainers raised
concerns about the planned EOL date for 0.103.

First, I see the planned EOL date on clamav.net is the same as then.  Is the
assessment about extending the support period still ongoing?

Second, we had some discussions about distros patching for security updates
after the support period if needed.  I noticed today that the scheduled
termination date for being able to download signatures is the same as the EOL
date.  That's a problem.

If 0.103 is going to be unable to download signatures as soon as Sep-14 2023,
then that means it's useless after that date.  My recollection is that
historically signatures were only blocked for older versions when it was
technically unavoidable.  As long as users can download signatures, then
distros can support users on older releases for as long as they can manage to
backport security fixes.  If that's no longer the case, I don't know that it's
going to be feasible to ship it in a release.

Am I misunderstanding the table?

Scott K


Re: [clamav-users] ClamAV EOL of 0.104.x versions

2023-03-23 Thread Micah Snyder (micasnyd) via clamav-users
Thanks for the heads up, Scott.

The URL should be https://docs.clamav.net/faq/faq-eol.html

I have fixed the blog post.



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Scott 
Kitterman via clamav-users 
Sent: Thursday, March 23, 2023 1:38 PM
To: clamav-users@lists.clamav.net 
Cc: Scott Kitterman 
Subject: Re: [clamav-users] ClamAV EOL of 0.104.x versions

On Thursday, March 23, 2023 4:23:28 PM EDT Micah Snyder (micasnyd) via clamav-
users wrote:
> Read this online at
> https://blog.clamav.net/2023/03/clamav-eol-of-0104x-versions.html

>
>
> Effective March 28, 2023, ClamAV 0.104.0 (and all patch versions) will no
> longer be supported in accordance with ClamAV's EOL
> policy<https://docs.clamav.net/>.

The link here isn't to the actual EOL policy.  If that's the page you want to
link to in these announcements, it should probably at least be referenced from
that page (or I can't read and it's there, which is another possibility).

Scott K


[clamav-users] ClamAV EOL of 0.104.x versions

2023-03-23 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at 
https://blog.clamav.net/2023/03/clamav-eol-of-0104x-versions.html



Effective March 28, 2023, ClamAV 0.104.0 (and all patch versions) will no 
longer be supported in accordance with ClamAV's EOL policy.

End of life (EOL) for ClamAV means:

  *   We will no longer be testing against that version when we write 
signatures.
  *   That version may no longer be working as part of future updates.
  *   Signature updates for that version will be blocked when attempting to 
download from the mirror update system.

Please upgrade to a supported version of ClamAV, currently at 0.103.8, 0.105.2, 
and 1.0.1, available for download now.

Posted by Micah Snyder at 4:15 PM



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] How to get rid of or Fix clamonacc error

2023-03-22 Thread Micah Snyder (micasnyd) via clamav-users
> By the way: if you find another anti-virus for Linux without using the 
> terminal (with a GUI), let me know; I have searched a really long time and 
> found nothing (freeware or commercial).
> Some companies (e.g. ESET) had a Linux version but have now stopped 
> development.

If you need something for a business, Cisco Secure Endpoint has clients for 
Linux, Mac, and Windows. It is a cloud-based security suite so you basically 
login to console.amp.cisco.com and can monitor all of your connected clients 
for suspicious behavior.  The Linux and Mac clients use clamav for offline 
scans, but mostly use other methods for malware detection.

Here's a link if you're interested: 
https://www.cisco.com/site/us/en/products/security/endpoint-security/secure-endpoint/index.html

TBH I think that the Secure Endpoint website is kind of garbage as it has a lot 
of jargon that won't make sense to your average person looking for an AV 
solution.  But it is basically a type of AV solution built to protect 
enterprise network computers.

The "live demo" will show you want the admin dashboard looks like.  It's pretty 
cool, but maybe a bit overwhelming.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of 
newcomer01 via clamav-users 
Sent: Sunday, March 19, 2023 12:12 PM
To: Tim McConnell via clamav-users 
Cc: newcomer01 
Subject: Re: [clamav-users] How to get rid of or Fix clamonacc error

Hi again,

You don't really need clamonacc.
Here I do not have it; I normally scan my e-mails every 2 hours and my 
computer only on Sunday.
We are on Linux; Linux isn't so much affected by viruses or anything.
By the way: if you find another anti-virus for Linux without using the terminal 
(with a GUI), let me know; I have searched a really long time and found nothing 
(freeware or commercial).
Some companies (e.g. ESET) had a Linux version but have now stopped 
development.

kind greetings
Marc

Von / From: Clamav User Mailinglist 
An / To: Newcomer01 
CC / CC: Tim Mcconnell 
Gesendet / Sent: Sonntag, März 19, 2023 um 19:31 (at 07:31 PM) +0100
Betreff / Subject: Re: [clamav-users] How to get rid of or Fix clamonacc error
> Hi Marc,
> So apparently it was a bug(?) in ClamTK. The errors have gone away (for
> now). The big problem is I want Clam to do what Clamonacc does so
> removing it shouldn't be an option? I want it to run at certain times
> to check for malicious files, etc. I'll re-enable the schedule via Clam
> TK and see if it still hogs the CPU.
> If it does I may have to find another AV solution.
>



[clamav-users] Be wary of emails with attachments targeting clamav-users list members

2023-03-22 Thread Micah Snyder (micasnyd) via clamav-users
All,

Some users have reported receiving emails that appear to be a reply to a 
clamav-users mailing list thread but are in fact a phishing attempt with 
attached malware.

Most recently, Marc reported receiving an email that appeared to be a reply to 
an older clamav-users mailing list thread but was in fact a direct email 
targeting him.  It had this fairly generic phishing text:

"Would you please look through the last agreement? I have attached some extra 
details about it."

The attached file was some small HTML file containing malicious obfuscated 
javascript.

This isn't the first time we've heard of this type of phishing using our 
mailing list archives. Please be careful when you see any sort of attachment, 
even if it appears to be from this community.

If you receive this sort of phishing email, please report the attached HTML 
file to https://www.clamav.net/reports/malware

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
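
A triage helper for the kind of message described above: it walks an .eml and reports HTML attachments that carry script, so a recipient can decide what to submit to the malware report form. This is an added example, not part of the post or ClamAV's own detection; the sample message is constructed inline and the indicator list is a minimal illustration.

```python
"""Triage an email for HTML attachments that carry script (see the warning above)."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Minimal indicators of script in an HTML attachment.  Illustrative only; real
# obfuscated JavaScript takes many forms and this list is not a detector.
SCRIPT_RE = re.compile(rb"<script\b|javascript:|\beval\s*\(|\bunescape\s*\(", re.I)


def build_sample(with_script: bool) -> bytes:
    """Constructed sample: a fake 'reply' to a list thread with an HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"          # placeholder sender
    msg["To"] = "list-member@example.invalid"        # placeholder recipient
    msg["Subject"] = "Re: [clamav-users] an older thread"
    msg.set_content("Would you please look through the last agreement? "
                    "I have attached some extra details about it.")
    if with_script:
        html = (b"<html><body><script>eval(unescape('%68%69'));</script>"
                b"</body></html>")
    else:
        html = b"<html><body><p>Plain attachment, no script.</p></body></html>"
    msg.add_attachment(html, maintype="text", subtype="html",
                       filename="agreement.html")
    return msg.as_bytes()


def find_html_attachments(raw: bytes) -> List[Dict]:
    """Return one finding per HTML attachment, with the script indicators seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        looks_html = (part.get_content_type() == "text/html"
                      or filename.lower().endswith((".htm", ".html")))
        # Only attachments count; an HTML body part is not what the warning is about.
        if not (part.is_attachment() and looks_html):
            continue
        payload = part.get_payload(decode=True) or b""
        hits = sorted({m.group(0).decode("ascii", "replace").lower()
                       for m in SCRIPT_RE.finditer(payload)})
        findings.append({"filename": filename, "size": len(payload),
                         "indicators": hits})
    return findings


def verdict(raw: bytes) -> str:
    """'report' when any HTML attachment contains script, else 'ok'."""
    if any(f["indicators"] for f in find_html_attachments(raw)):
        return "report"   # submit the file via https://www.clamav.net/reports/malware
    return "ok"


if __name__ == "__main__":
    for flag in (True, False):
        sample = build_sample(flag)
        print(verdict(sample), find_html_attachments(sample))
```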


Re: [clamav-users] linux distribution including clamav-1.0.1

2023-03-08 Thread Micah Snyder (micasnyd) via clamav-users
Hi Orion,

> I've been looking into things and I think we will be able to update
clamav in EL7 and EL8 to 1.0.X once 0.103.X goes EOL.

This would be awesome!

I just looked at https://github.com/Cisco-Talos/clamav/issues/842 after reading 
your message. I'm sorry that neither I nor anyone on my team responded sooner.  
It looks like you may be building directly into the source directory, or else 
copying the source into the build directory.  Either way, somehow the encrypted 
test files from the source are getting colocated with the unencrypted test 
files inside the build/unit_tests/input/clamav_hdb_scanfiles directory, and 
that's confusing the tests and causing a failure.

My recommendation is to make a subdirectory for the build, or else use a 
separate directory entirely.  This keeps the source directory as clean as 
possible from any files written during the build.  I think our build system 
still adds a few extra files to the source directory during the build (like 
.pyc files from running test scripts, which I'm not terribly happy about), but 
it's largely untouched.

See also 
https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html#build-clamav

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Orion 
Poplawski via clamav-users 
Sent: Tuesday, March 7, 2023 4:07 PM
To: clamav-users@lists.clamav.net 
Cc: Orion Poplawski 
Subject: Re: [clamav-users] linux distribution including clamav-1.0.1

On 3/7/23 10:48, kumar bava via clamav-users wrote:
> Hi, please help me with the below question, thank you
>
> We have been using clamav-0.103.6 and would like to upgrade to the new
> LTS release(1.0.x).
> However, I can not find clamav-1.0.1 in EPEL distribution. Our systems
> are based on rhel7.
>
> So far , we have been able to install clamav-0.103.x from the EPEL repo
> and would like to do the same for the new LTS track(1.0.x) if it's possible.
>
>
> What are the possible installation options?

I've been looking into things and I think we will be able to update
clamav in EL7 and EL8 to 1.0.X once 0.103.X goes EOL.  We're basically
just waiting on one issue to get resolved at the moment:

https://github.com/Cisco-Talos/clamav/issues/842

We will probably provide a COPR repo for early adopters once that issue
is resolved.

--
Orion Poplawski
he/him/his  - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/



Re: [clamav-users] Long database load time, long clamscan scan time

2023-03-06 Thread Micah Snyder (micasnyd) via clamav-users
Hi Marc,

I'm sorry I didn't see your request sooner.  Yes, the issue was fixed in the 
subsequent daily update.  I'm not certain of the exact time of the daily 
database update, but yes, it is every 24 hours.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
Newcomer01 via clamav-users 
Sent: Wednesday, March 1, 2023 11:23 AM
To: ClamAV users ML 
Cc: Newcomer01 
Subject: Re: [clamav-users] Long database load time, long clamscan scan time

Dear Micah,

Thanks for this information. Please let us know if the problem is solved.
By the way, what is Cisco's or Talos's definition of the word "daily"?
Does that mean every day beginning at 12 am?

Kind regards
Marc


Am 1. März 2023 18:59:57 schrieb "Micah Snyder \(micasnyd\) via clamav-users" 
:

All,

We're aware of the issue with the latest daily database update causing 
extremely long database load times and thus extremely long clamscan scan times.

We found the issue and will push out a fix as soon as we are able.  We are also 
preparing guardrails so that this won't happen again in this way.

Our apologies for the inconvenience.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


[clamav-users] Long database load time, long clamscan scan time

2023-03-01 Thread Micah Snyder (micasnyd) via clamav-users
All,

We're aware of the issue with the latest daily database update causing 
extremely long database load times and thus extremely long clamscan scan times.

We found the issue and will push out a fix as soon as we are able.  We are also 
preparing guardrails so that this won't happen again in this way.

Our apologies for the inconvenience.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] 0 length bytecode.cvd causing problems with clamav daemon

2023-02-28 Thread Micah Snyder (micasnyd) via clamav-users
The bytecode.cvd file is the original.
When there is an update, we publish two things:

  1.  a bytecode.cdiff patch file that will update the older bytecode.cvd to 
the newest version.  This is the "scripted update" mechanism.

If using the .cdiff patch file to update, it should replace the old 
bytecode.cvd with a new bytecode.cld.  We may issue an empty patch file 
(zero-bytes) to tell freshclam to download the whole bytecode.cvd instead. We 
do this if the patch is so big it is better to just download the whole file, or 
if there is a bug preventing the patch file from working correctly, which there 
presently is for bytecode signatures (sad!).

This .cdiff update mechanism would not be used in your situation because 
ScriptedUpdates is disabled.

  2.  a new bytecode.cvd.

This should only be downloaded in two cases: A) If you do not have the old 
bytecode.cvd (or cld) and thus cannot use the patch file to update.  And B) 
If the bytecode.cdiff patch file is empty.

The issue you're facing feels to me like an issue with what the private mirror 
is serving. Can you please check if it is serving an empty bytecode.cvd?  It 
feels like it may be serving both the empty bytecode.cvd and a bytecode.cld.

If that's not the case, then we may have a bug in freshclam and I would love 
some more information on what freshclam is downloading when it runs in order 
to get into this strange state.

Best,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Kevin 
O'Connor via clamav-users 
Sent: Monday, February 27, 2023 11:12 AM
To: ClamAV users ML 
Cc: Kevin O'Connor 
Subject: Re: [clamav-users] 0 length bytecode.cvd causing problems with clamav 
daemon

Marc,

I had a similar understanding of that document.  That is; if there is no 
bytecode.cvd pushed by the ClamAV team, it should not exist on my local 
scanners. When I checked the mirror and there was no bytecode.cvd file, yet it 
appeared on my scanner machines with 0 length, I figured that the new release 
had highlighted a misconfiguration in my freshclam.conf that the earlier 
version was more forgiving of.  However I have not found what that might be.

Your idea of removing all the files in the /var/lib/clamav directory is what I 
found worked initially, but that seems like a poor workaround as I need this 
running all the time.  I don't know when our clients will drop files on us that 
need a scan.

Thanks for looking at it.

Kevin

On Mon, Feb 27, 2023 at 1:11 PM Marc via clamav-users 
mailto:clamav-users@lists.clamav.net>> wrote:
I would suggest deleting all files in /var/lib/clamav and downloading 
everything completely new.
CLD files do not come regularly; normally we have CVD only.

If I understand this correctly, CLD files only come when an error occurs while 
updating.
https://blog.clamav.net/2021/03/clamav-cvds-cdiffs-and-magic-behind.html


Von / From: Kevin O'connor
An / To: Newcomer01
Gesendet / Sent: Montag, Februar 27, 2023 um 18:38 (at 06:38 PM) +0100
Betreff / Subject: Re: [clamav-users] 0 length bytecode.cvd causing problems 
with clamav daemon
> Heh, good question.  Just checked again, and it looks like that was a 
> copy-paste error.  There is only one PrivateMirror line.
> Kevin
>
> On Mon, Feb 27, 2023 at 12:02 PM newcomer01 via clamav-users 
> mailto:clamav-users@lists.clamav.net>> wrote:
>
> why you have set two times the "PrivateMirror" with identically IP's?
> Can't believe that this happens with the automated PostInst 
>
>
> Von / From: Clamav User Mailinglist
> An / To: Newcomer01
> CC / CC: Kevin O'connor
> Gesendet / Sent: Montag, Februar 27, 2023 um 16:58 (at 04:58 PM) +0100
> Betreff / Subject: [clamav-users] 0 length bytecode.cvd causing problems with 
> clamav daemon
> > I am having an issue with 0 length bytecode.cvd files on my scanner 
> > instances.  This seems to have started sometime on 22 Feb, I'm afraid I 
> > don't have an exact time. The clamav daemon produces logs like the 
> > following:
> >
> > Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: cli_cvdverify: 
> > Can't read CVD header
> > Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: Can't load 
> > /var/lib/clamav/bytecode.cld: Broken or not a CVD file
> > Feb 27 14:39:11 av-scan-wrhn clamd[163614]: LibClamAV Error: 
> > cli_loaddbdir(): error loading database /var/lib/clamav/bytecode.cld
> > Feb 27 14:39:11 av-scan-wrhn clamd[163614]: Mon Feb 27 14:39:11 2023 -> 
> > !Broken or not a CVD file
> > Feb 27 14:39:11 av-scan-wrhn systemd[1]: clamav-daemon.service: Main 
> > process exited, code=exited, status=1/FAILURE
> > Feb 27 14:39:11 av-scan-wrhn 

Re: [clamav-users] about ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published

2023-02-28 Thread Micah Snyder (micasnyd) via clamav-users
Matus is correct.  The issue has nothing to do with what your file system is.  
It has to do with scanning archives that use the HFS+ filesystem.  
Specifically, HFS+ is commonly used in DMG archives.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Matus 
UHLAR - fantomas 
Sent: Monday, February 27, 2023 11:14 PM
To: clamav-users@lists.clamav.net 
Subject: Re: [clamav-users] about ClamAV 0.103.8, 0.105.2 and 1.0.1 patch 
versions published

On 28.02.23 12:41, takahiro suzuki via clamav-users wrote:
>Does the information in the following URL affect even if the NAS file
>system is BTRFS?

Since the patches only mention DMG files and HFS+ files, I don't see any
reason they should affect BTRFS filesystems.

>Will it be affected even if the client uses HFS or dmg?
>https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

It does not matter what the client uses. ClamAV will scan files as you pass
them to ClamAV.

ClamAV can scan filesystem images, unpack those filesystem images and scan
files within those filesystems.

This is where bugs were fixed - those images were parsed incorrectly which
causes the mentioned bugs.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: [clamav-users] Probably banned IP

2023-02-24 Thread Micah Snyder (micasnyd) via clamav-users
Hi Łukasz,

Looking at https://www.maxmind.com/en/geoip-demo, MaxMind seems to think your 
IP is in Poland.

I checked our (Cisco's) own regional address lists used to comply with 
sanctions. I don't see the 91.220.164.0/24 block in the list.  I do see that we 
block 91.220.163.0/24 and 91.220.166.0/24, but not 164.

My colleague checked our logs in Cloudflare and does not see your IP triggering 
any firewall events.

But it's possible that Cloudflare blocks it before it would arrive at our 
rules. Your IP is in a very similar IP range to some of those we block.  And IP 
ranges do tend to change hands and change geolocations pretty frequently.  So 
it's entirely likely that some filters believe your IP to be located in Russia.

We can't really tell any more than that unless you can share the Ray ID 
included in the HTTP response.  Freshclam should show that information if you 
run it with the --verbose option.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of 
newcomer01 via clamav-users 
Sent: Friday, February 24, 2023 10:53 AM
To: clamaV User Mailinglist 
Cc: newcomer01 
Subject: Re: [clamav-users] Probably banned IP

Oh, and by the way: if you are using a Russian IP, it can also be blocked and 
will not be unblocked.
You can find this in a discussion on the Talos GitHub.


Von / From: Clamav User Mailinglist 
An / To: Newcomer01 
CC / CC: Łukasz Baniecki 
Gesendet / Sent: Freitag, Februar 24, 2023 um 12:55 (at 12:55 PM) +0100
Betreff / Subject: [clamav-users] Probably banned IP
> Hi,
> some time ago I run freshclam on a lot of machines that are under one
> public IP, therefore I generated a lot of requests and my company IP
> was probably blocked. Now I created my own mirror of cvd, but it is on
> the same IP address and it is not updating daily.cvd. I get:
> cvdupdate-1.0.2 ERROR Failed to download daily.cvd from
> https://database.clamav.net/daily.cvd?version=26821
> I also run simple python request to database.clamav.net with my uuid,
> and it worked fine from different IP address and from that blocked
> address I get 403 forbidden. My local firewall is not an issue cause I
> can make connection to database.clamav.net on port 443, so it must be
> banned.
>
> Can you please check if my IP address (91.220.164.241) is banned and un-ban 
> it?
>



Re: [clamav-users] What is the actual danger of this?

2023-02-22 Thread Micah Snyder (micasnyd) via clamav-users
This alert means that the JPEG is slightly malformed.  Many applications will 
probably be fine with it.  ClamAV thinks it is a little odd.  The risk is 
probably pretty low, but perhaps look at it a little to see if any other 
antivirus products think it is suspicious.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
newcomer01 via clamav-users 
Sent: Wednesday, February 22, 2023 10:48 AM
To: clamav-users 
Cc: newcomer01 
Subject: Re: [clamav-users] What is the actual danger of this?

For me it looks like the JPEG files cannot be read by the heuristics scan 
because something is wrong with them.
I would not think at first that it is an exploit.


Von / From: Clamav User Mailinglist 
An / To: Newcomer01 
CC / CC: Musc 
Gesendet / Sent: Mittwoch, Februar 22, 2023 um 18:18 (at 06:18 PM) +0100
Betreff / Subject: [clamav-users] What is the actual danger of this?
> A clamdscan flagged quite a few files on my system as 
> Heueristics.Broken.Media.JPEG.JFIFmarkerBadPosition. What kind of exploit is 
> that? And what kind of danger does it pose? (What does it do?) Is it for all 
> systems? Or just for Windows?
>
> A whole lot of web searching turned up nothing. Does anyone know?
>
> TIA.

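
To make "slightly malformed" concrete, this added example (not ClamAV code) walks a JPEG's marker segments and reports where the JFIF APP0 segment sits. It assumes, following the JFIF specification's requirement that APP0 immediately follow SOI, that a JFIF segment anywhere else is the "bad position" the alert name refers to; whether a real file trips libclamav's check is decided by ClamAV, not by this script, and the sample files are constructed inline.

```python
"""Walk JPEG marker segments and report where the JFIF APP0 segment sits."""
import struct
from typing import Iterator, Optional, Tuple

SOI, EOI, SOS, APP0, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xFE
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (1-based index, marker, payload) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, index = 2, 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            raise ValueError(f"bad segment length {length} at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError("truncated segment payload")
        index += 1
        yield index, marker, payload
        if marker == SOS:           # entropy-coded data follows; stop here
            return
        pos += 2 + length


def jfif_position(data: bytes) -> Optional[int]:
    """Index of the JFIF APP0 segment (1 means directly after SOI), or None."""
    for index, marker, payload in walk_segments(data):
        if marker == APP0 and payload.startswith(b"JFIF\x00"):
            return index
    return None


def check_jfif(data: bytes) -> str:
    """'ok' when JFIF APP0 directly follows SOI, 'jfif-bad-position' otherwise."""
    idx = jfif_position(data)
    if idx is None:
        return "no-jfif"
    return "ok" if idx == 1 else "jfif-bad-position"


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one marker segment with its big-endian length (length counts itself)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed JFIF APP0 payload: identifier, version 1.1, units, density, no thumbnail.
JFIF_APP0 = b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HH", 72, 72) + b"\x00\x00"


def build_jpeg(jfif_first: bool) -> bytes:
    """Constructed minimal header: SOI, APP0 and COM in either order, SOS, EOI."""
    segs = [segment(APP0, JFIF_APP0), segment(COM, b"constructed sample")]
    if not jfif_first:
        segs.reverse()              # comment before JFIF: the malformed layout
    sos = segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + b"".join(segs) + sos + b"\xff\xd9"


if __name__ == "__main__":
    for first in (True, False):
        print(check_jfif(build_jpeg(first)))
```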


Re: [clamav-users] Future support of clamav in EPEL7 and EPEL8

2023-02-22 Thread Micah Snyder (micasnyd) via clamav-users
Hi Scott, Michael, Orion,

You make some good points. In particular as Linux/Unix distributions are still 
learning how to package Rust software.

We're starting the discussion within Cisco to consider this ask.  We do not 
expect to extend ClamAV's LTS policy, but we will discuss the specific case of 
0.103 LTS because of the added complications caused by the switch to a hybrid 
C/Rust project. We adopted the Rust toolchain within ClamAV and while a big 
step, it is one that we maintain is right for the project.

I'm certain there have been discussions along how to package/distribute Rust 
itself within each distro. I am a fan of the approach that OpenSUSE has taken: 
https://en.opensuse.org/Rust I hope that some of the other distributions adopt 
a similar strategy.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Scott 
Kitterman via clamav-users 
Sent: Saturday, February 18, 2023 5:43 PM
To: ClamAV users ML 
Cc: Scott Kitterman 
Subject: Re: [clamav-users] Future support of clamav in EPEL7 and EPEL8



On February 19, 2023 1:26:44 AM UTC, Michael Orlitzky via clamav-users 
 wrote:
>On 2023-02-18 15:40:55, Orion Poplawski via clamav-users wrote:
>>
>> This email is to start a discussion of what will happen with clamav
>> support in EPEL7 and EPEL8.  In particular, to inform everyone that it
>> will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of
>> rust support.  Fedora packaging policies prohibit the downloading of
>> files from the internet during builds, and the rust/rpm versions in
>> EL7/EL8 are too old to support the current Fedora rust ecosystem.
>
>I'll be backporting security fixes for as long as that's less work
>than removing clamav from our mail system (or until newer signatures
>are incompatible with the old engine). Feel free to watch the Gentoo
>tree and steal our patches.

We'll do the same after 0.103 is no longer supported.  It would be nice to get 
upstream support for a little while longer though.

Scott K


Re: [clamav-users] about ”Can't allocate memory ERROR”

2023-02-16 Thread Micah Snyder (micasnyd) via clamav-users
Hi Tsutomu, all,

I would like to clarify one thing from this message in regard to our support 
policy.  ClamAV 0.103 is still supported by LTS, which means we continue to 
provide patch versions.  ClamAV 0.103.4 is still able to download signatures 
but is not supported for bug fixes.  You should stay up to date with the 
latest patch version for the 0.103 release, which as of yesterday is 0.103.8.

If the bug still exists in 0.103.8 (and in this case, it probably does still 
exist), then we could try to fix it for 1.1 and perhaps 0.103.9.  But even for 
LTS version we can't promise to backport every bug fix.  We only put a priority 
on severe bugs.  All other fixes only go into the next feature version, which 
will be ClamAV 1.1.  I realize that because Rust support for AIX is incomplete, 
you're effectively stuck on 0.103, so perhaps we should place a priority on 
backporting these specific issues if we can find and fix them.  But I maybe 
should also point out that 0.103 LTS end of life is Sep-14 2023, which is just 
under 7 months out.  That's a little awkward.  I'm not sure what else to say 
there.


In regard to the specific errors you're seeing, they appear to be when scanning 
EXE/DLL and JAR files, and appear to be specific to AIX, which I believe is a 
big-endian system.  I suspect this represents 1 or 2 big endian compatibility 
bugs.

I suspect that the EXE/DLL errors may be fixed by this PR: 
https://github.com/Cisco-Talos/clamav/pull/814  But I can't be sure without 
setting up a big endian test environment and scanning these files.
I think I found a couple versions of one of these files, through VirusTotal: 
https://www.virustotal.com/gui/search/name%253Alwiservice.exe
Scanning these on my little endian Linux machine didn't result in an error 
though, which was expected.

I suspect that the JAR errors may be an endianness issue as well, but someone 
would need to debug them and find out where the error happens exactly.

You are welcome to create a Github Issue and attach the affected files for 
investigation, or provide links to them.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Tsutomu 
Oyamada 
Sent: Thursday, February 9, 2023 5:51 AM
To: ClamAV users ML 
Subject: Re: [clamav-users] about ”Can't allocate memory ERROR”

Hi, Andy.

Thanks for your reply.

I am aware that version 0.103.4 is still supported by LTS.
Some of the scan logs for this time are shown below.

[2023-01-12 19:03:11.015] Thu Jan 12 10:23:19 2023 - /esa/bin/lwiservice.exe: 
Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:23:19 2023 - 
/esa/bin/lwiserviceicon.exe: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:23:19 2023 - 
/esa/bin/lwiserviceiconremove.exe: Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:23:50 2023 - 
/esa/runtime/core/eclipse/features/com.ibm.lwi.application.feature_8.1.0.3-LWI/installHandler.jar:
 Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:25:26 2023 - 
/esa/runtime/core/eclipse/plugins/com.ibm.rcp.base_6.2.1.20091117-1800/win32/x86/eclipse_1114.dll:
 Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:26:22 2023 - 
/esa/runtime/core/eclipse/plugins/org.eclipse.core.filesystem.win32.x86_1.1.0.v20080604-1400.jar:
 Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:26:23 2023 - 
/esa/runtime/core/eclipse/plugins/org.eclipse.core.resources.win32.x86_3.4.0.v20071204.jar:
 Can't allocate memory ERROR
[2023-01-12 19:03:11.015] Thu Jan 12 10:26:34 2023 - 
/esa/runtime/core/eclipse/plugins/org.eclipse.equinox.security.win32.x86_1.0.0.v20080529-1600/jnicrypt.dll:
 Can't allocate memory ERROR
[2023-01-12 19:03:11.031] Thu Jan 12 10:26:46 2023 - 
/esa/runtime/core/eclipse/plugins/org.eclipse.update.core.win32_3.2.100.v20080107.jar:
 Can't allocate memory ERROR
[2023-01-12 19:03:11.031] Thu Jan 12 10:33:08 2023 - 
/opt/IBM/ibm-java-ppc64-60/docs/launchpad/ScriptLauncher.exe: Can't allocate 
memory ERROR
[2023-01-12 19:03:11.031] Thu Jan 12 10:33:13 2023 - 
/opt/IBM/ibm-java-ppc64-60/docs/launchpad.exe: Can't allocate memory ERROR

Nearly 150 other files are in the same state.

Also, my system is AIX. Does that have an effect?
I would like to try it with the latest version.

Thanks,
T.O

On Wed, 1 Feb 2023 21:11:01 +
"Andy Ragusa (aragusa) via clamav-users"
wrote:

> Hi,
>
> That version is pretty old, have you tried using version 1.0?
>
> When I opened that zip file, I am only seeing the following (no log files)
>
> com.ibm.websphere.LIBERTY.shared_013_all.all_x_8.5.5003.201407301652.zip
> lwiservice.exe
> NativeFile.dll
> org.eclipse.core.filesystem.win32.x86_1.1.0.v20070510.jar
>
> Thanks,
> Andy
>
> 
> From: clamav-users  on behalf of 
> Tsutomu Oyamada 
> Sent: Wednesday, February 1, 2023 8:36 AM
> To: ClamAV users ML 
> Subject: [clamav-users] about ”Can't 

[clamav-users] ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published

2023-02-15 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at 
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

-


Today, we are releasing the following critical patch versions for ClamAV:

  *   0.103.8
  *   0.105.2
  *   1.0.1

ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) 
policy and will not be patched. 
Anyone using ClamAV 0.104 must switch to a supported version. All users should 
update as soon as possible to patch for two remote code execution 
vulnerabilities that we recently discovered and patched.

The release files are available for download on 
ClamAV.net, on the Github Release 
page, and through Docker 
Hub.

1.0.1

ClamAV 1.0.1 is a critical patch release with the following fixes:

  *   CVE-2023-20032: Fixed a possible remote code execution vulnerability in 
the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 
and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for 
reporting this issue.

  *   CVE-2023-20052: Fixed a possible remote information leak vulnerability 
in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 
and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for 
reporting this issue.

  *   Fix an allmatch detection issue with the preclass bytecode hook.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/825

  *   Update the vendored libmspack library to version 0.11alpha.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/828

0.105.2

ClamAV 0.105.2 is a critical patch release with the following fixes:

  *   CVE-2023-20032: Fixed a possible remote code execution vulnerability in 
the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 
and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for 
reporting this issue.

  *   CVE-2023-20052: Fixed a possible remote information leak vulnerability 
in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 
and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for 
reporting this issue.

  *   Fixed an issue loading Yara rules containing regex strings with an 
escaped forward-slash (\/) followed by a colon (:).

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/695

  *   Moved the ClamAV Docker files for building containers to a new Git 
repository. The Docker files are now in 
https://github.com/Cisco-Talos/clamav-docker. This change enables us to fix 
issues with the images and with the supporting scripts used to publish and 
update the images without committing changes directly to files in the ClamAV 
release branches.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/765

  *   Update the vendored libmspack library to version 0.11alpha.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/829

0.103.8

ClamAV 0.103.8 is a critical patch release with the following fixes:

  *   CVE-2023-20032: Fixed a possible remote code execution vulnerability in 
the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 
and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for 
reporting this issue.

  *   CVE-2023-20052: Fixed a possible remote information leak vulnerability 
in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 
and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for 
reporting this issue.

  *   Update the vendored libmspack library to version 0.11alpha.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/830




Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
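
The following is an added check, not code from the announcement or from the 
ClamAV project. It applies the affected-version statements above (1.0.0 and 
earlier, 0.105.1 and earlier, 0.103.7 and earlier; 0.104 end-of-life and 
unpatched) to a version string such as the first line of `clamscan --version`, 
so a fleet inventory script can flag hosts still exposed to CVE-2023-20032 and 
CVE-2023-20052. The sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example; not ClamAV project code.
# Encodes the affected-version list from the 0.103.8 / 0.105.2 / 1.0.1
# announcement.  0.104 is end-of-life and received no patch, so every
# 0.104.x is treated as affected.

# $1: a bare version ("1.0.0") or the first line of `clamscan --version`
#     ("ClamAV 1.0.0/26793/Thu Jan 26 ..." - constructed sample shape).
# Returns 0 if the version carries the CVE-2023-20032 / CVE-2023-20052 fixes,
# 1 if it is affected, unsupported, or cannot be parsed.
clamav_is_patched() {
  v=$(printf '%s\n' "$1" | sed -n 's/^\(ClamAV \)\{0,1\}\([0-9][0-9.]*\).*/\2/p')
  [ -n "$v" ] || return 1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}            # "1.0" (no patch part) is treated as "1.0.0"
  case "$minor$patch" in *[!0-9]*|"") return 1 ;; esac   # not numeric a.b[.c]
  # Anything after the 1.0 series (1.1, 2.0, ...) is newer than the fix.
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; }; then
    return 0
  fi
  case "$major.$minor" in
    1.0)   [ "$patch" -ge 1 ] ;;   # 1.0.1 and later
    0.105) [ "$patch" -ge 2 ] ;;   # 0.105.2 and later
    0.103) [ "$patch" -ge 8 ] ;;   # 0.103.8 and later (LTS)
    *)     return 1 ;;             # 0.104 (EOL) and anything older
  esac
}

# Stand-alone demo on a constructed version string.
if clamav_is_patched "ClamAV 1.0.0/26793/Thu Jan 26 08:20:56 2023"; then
  echo "patched"
else
  echo "AFFECTED: update to 0.103.8, 0.105.2 or 1.0.1"
fi
```

On a live host run `clamav_is_patched "$(clamscan --version)"`; the function 
deliberately returns "affected" for anything it cannot parse, so a missing or 
broken clamscan is not silently counted as safe.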


Re: [clamav-users] ClamAV Private Mirror Question

2023-01-30 Thread Micah Snyder (micasnyd) via clamav-users
Very close.  The 49192 number is for the version of (now defunct) 
safebrowsing.cvd.

But yes, if they're able to access DNS and compare the version of 
daily/main/bytecode with what is in the DNS record then that will also be 
useful.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
newcomer01 via clamav-users 
Sent: Monday, January 30, 2023 10:43 AM
To: ClamAV User Mailinglist 
Cc: newcomer01 
Subject: Re: [clamav-users] ClamAV Private Mirror Question

Additionally, you can do this in a little more complicated way, like me:

$(host -W "60" -t TXT "current.cvd.clamav.net")

and cut all needed information from the descriptive text

for example:

# current.cvd.clamav.net descriptive text 
"0.103.7:62:26777:1673344800:1:90:49192:333"

0.103.7 is the suggested software version
62 is the version of main.cld or main.cvd
26777 is the version of daily.cld or daily.cvd
1673344800 is the Unix date when the files were created by ClamAV
90 is the f-level for daily.cld or daily.cvd
49192 is probably the version of freshclam.dat (I'm not sure, but it can't 
really be anything else)
333 is the version of bytecode.cvd

Am I right, Micah?

I had once found an explanation of the descriptive text but I can't find it 
anymore.


From: Clamav User Mailinglist 
To: Newcomer01 
CC: Micah Snyder (Micasnyd), Bryan Whipkey 
Sent: Monday, January 30, 2023 at 18:33 (06:33 PM) +0100
Subject: Re: [clamav-users] ClamAV Private Mirror Question
> Hello,
>
> You can use this command to print the build information which will include 
> the date it was published:
>
>     sigtool --info /path/to/database
>
> For example:
>
> ❯ sigtool --info /var/lib/clamav/daily.cld
> File: /var/lib/clamav/daily.cld
> Build time: 30 Jan 2023 03:24 -0500
> Version: 26797
> Signatures: 2018753
> Functionality level: 90
> Builder: raynman
> Verification OK.
>
> Is that what you're looking for?
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
> --
> *From:* clamav-users  on behalf of 
> Bryan Whipkey via clamav-users 
> *Sent:* Sunday, January 29, 2023 2:01 AM
> *To:* clamav-users@lists.clamav.net 
> *Cc:* Bryan Whipkey 
> *Subject:* [clamav-users] ClamAV Private Mirror Question
> Hello,
>
> I have setup a private mirror for ClamAV. I have pointed it to the private 
> mirror on freshclam.conf. My question is how do i test this to make sure I am 
> pulling the most up to date definitions from the private mirror to the server 
> being scanned? Thanks in advance.
>
> Sent from my iPhone. Please excuse any typos.


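The script below is an added example, not from the thread or the ClamAV 
project. It puts the two halves of the exchange together: the field layout of 
the current.cvd.clamav.net TXT record as laid out above (with Micah's 
correction that the seventh field is the now-defunct safebrowsing.cvd version, 
not freshclam.dat; the fifth field is not explained in the thread and is left 
unused), and the "Version:" line from `sigtool --info`. Given the record and 
the locally reported versions of main, daily and bytecode, it says whether the 
copies served by a private mirror are current. The record string and the 
sigtool output it parses are constructed copies of what the thread shows, so 
it runs offline; the `host` and `sigtool` invocations in the comments are the 
live sources.

```shell
#!/bin/sh
# Added example; not ClamAV project code.
#
# Live data comes from:
#   host -t TXT current.cvd.clamav.net          (record shown below)
#   sigtool --info /var/lib/clamav/main.cld     (or .cvd; has a "Version: N" line)
# A constructed copy of the record from the thread is used here so the
# script runs offline.

SAMPLE_TXT='0.103.7:62:26777:1673344800:1:90:49192:333'

# Field layout as explained in the thread (colon-separated, 1-based):
#   1 recommended ClamAV version   2 main version      3 daily version
#   4 build time (Unix epoch)      5 (not explained in the thread; unused)
#   6 daily functionality level    7 safebrowsing.cvd version (defunct)
#   8 bytecode version
txt_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Pull "Version: N" out of `sigtool --info` output read on stdin.
sigtool_version() { sed -n 's/^Version: *\([0-9][0-9]*\).*/\1/p'; }

# Compare local main/daily/bytecode versions against the record.
# Prints one line per database; returns 0 if all are current, 1 if any lag.
check_dbs() {  # $1 record, $2 main, $3 daily, $4 bytecode
  rec=$1; rc=0
  for spec in "main:2:$2" "daily:3:$3" "bytecode:8:$4"; do
    name=${spec%%:*}; rest=${spec#*:}
    field=${rest%%:*}; local_v=${rest#*:}
    remote_v=$(txt_field "$rec" "$field")
    if [ "$local_v" -lt "$remote_v" ]; then
      printf '%s: local %s, published %s  OUTDATED\n' "$name" "$local_v" "$remote_v"
      rc=1
    else
      printf '%s: local %s, published %s  ok\n' "$name" "$local_v" "$remote_v"
    fi
  done
  return $rc
}

# Stand-alone demo with the constructed record and matching local versions.
check_dbs "$SAMPLE_TXT" 62 26777 333
```

On a real host the three version arguments come from 
`sigtool --info /var/lib/clamav/main.cld | sigtool_version` and the same for 
daily and bytecode (freshclam keeps .cld files once it has applied incremental 
updates, so check whichever of .cld/.cvd is present), and the record from the 
quoted text of the `host -t TXT` answer. Because the comparison is against the 
public DNS record, it catches a private mirror that has silently stopped 
updating, which a freshclam run against that mirror alone would not show.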

Re: [clamav-users] ClamAV Private Mirror Question

2023-01-30 Thread Micah Snyder (micasnyd) via clamav-users
Hello,

You can use this command to print the build information which will include the 
date it was published:

    sigtool --info /path/to/database

For example:

❯ sigtool --info /var/lib/clamav/daily.cld
File: /var/lib/clamav/daily.cld
Build time: 30 Jan 2023 03:24 -0500
Version: 26797
Signatures: 2018753
Functionality level: 90
Builder: raynman
Verification OK.

Is that what you're looking for?

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Bryan 
Whipkey via clamav-users 
Sent: Sunday, January 29, 2023 2:01 AM
To: clamav-users@lists.clamav.net 
Cc: Bryan Whipkey 
Subject: [clamav-users] ClamAV Private Mirror Question

Hello,

I have setup a private mirror for ClamAV. I have pointed it to the private 
mirror on freshclam.conf. My question is how do i test this to make sure I am 
pulling the most up to date definitions from the private mirror to the server 
being scanned? Thanks in advance.

Sent from my iPhone. Please excuse any typos.


Re: [clamav-users] Upgrade to 1.0.0

2023-01-26 Thread Micah Snyder (micasnyd) via clamav-users
How did you install ClamAV?

We had a similar issue in the release candidate for 1.0.0.  As far as I know, 
that was completely resolved.

Is this your github issue? https://github.com/Cisco-Talos/clamav/issues/818
It sounds like the same issue, but I haven't observed it myself and haven't 
heard of any widespread issues.


Yes, wget and similar tools are intentionally blocked and discouraged because 
they waste precious bandwidth by downloading whole signature databases when 
only a small update is required, or no update is required.  See 
https://docs.clamav.net/faq/faq-freshclam.html?highlight=wget#http-error-codes 
for more details.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Jorge 
Bastos 
Sent: Thursday, January 26, 2023 2:11 PM
To: ClamAV users ML 
Subject: [clamav-users] Upgrade to 1.0.0


Hi Guys!

I upgraded to 1.0.0, and boom, now I have a problem!!

Freshclam can't download/verify signatures databases.

I'm always getting this info below, the only thing that happened was the 
upgrade!
For some reason I can't test the download with wget, maybe it's forbidden, if I 
try it on my windows desktop i can download it.
Would it be some issue with freshclam with the user agent that is being issued 
when downloading?

Thanks in advance,


root@fastmail:/var/log/clamav# freshclam --version
ClamAV 1.0.0
root@fastmail:/var/log/clamav#


Thu Jan 26 10:09:00 2023 -> --
Thu Jan 26 10:09:00 2023 -> freshclam daemon 1.0.0 (OS: Linux, ARCH: x86_64, 
CPU: x86_64)
Thu Jan 26 10:09:00 2023 -> ClamAV update process started at Thu Jan 26 
10:09:00 2023
Thu Jan 26 10:09:00 2023 -> daily database available for download (remote 
version: 26793)
Thu Jan 26 10:09:02 2023 -> ERROR: Verification: Can't verify database integrity
Thu Jan 26 10:09:02 2023 -> Trying again in 5 secs...
Thu Jan 26 10:09:07 2023 -> daily database available for download (remote 
version: 26793)
Thu Jan 26 10:09:08 2023 -> ^Can't download daily.cvd from 
https://database.clamav.net/daily.cvd


Re: [clamav-users] About scanning files larger than 2 GB in size

2023-01-26 Thread Micah Snyder (micasnyd) via clamav-users
> Tsutomu Oyamada asked what actually happens when a large file is
> scanned, not why the limit is there.

The default behavior is to treat the file as clean if any of the scan limits 
are exceeded (scan time, scan size, file size, etc).

If you want an alert if the limits are exceeded, then you can use the following 
options:
For ClamD, set "AlertExceedsMax yes" in the "clamd.conf" file.
For ClamScan, use the "--alert-exceeds-max" option on the command line.

This will cause clamav to report one of the following signatures when the 
limits are exceeded:
  - Heuristics.Limits.Exceeded.MaxFileSize
  - Heuristics.Limits.Exceeded.MaxScanSize
  - Heuristics.Limits.Exceeded.MaxFiles
  - Heuristics.Limits.Exceeded.MaxRecursion
  - Heuristics.Limits.Exceeded.MaxScanTime
  - Heuristics.Limits.Exceeded.EmailLineFoldcnt
  - Heuristics.Limits.Exceeded.EmailHeaderBytes
  - Heuristics.Limits.Exceeded.EmailHeaders
  - Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage
  - Heuristics.Limits.Exceeded.EmailMIMEArguments
and possibly more with the "Heuristics.Limits.Exceeded." prefix.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: Andrew C Aitchison 
Sent: Wednesday, January 25, 2023 10:59 PM
To: Micah Snyder (micasnyd) via clamav-users 
Cc: Micah Snyder (micasnyd) 
Subject: Re: [clamav-users] About scanning files larger than 2 GB in size

On Thu, 26 Jan 2023, Micah Snyder (micasnyd) via clamav-users wrote:

> Paul is sort-of correct but the 2GB limit isn't artificial as he has implied.

Paul did not answer the original poster's question.
Tsutomu Oyamada asked what actually happens when a large file is
scanned, not why the limit is there.

> On Sun, 22 Jan 2023 05:40:18 +0900
> Tsutomu Oyamada  wrote:
>
>> How do I set up clamd?
>> Setting MaxFileSize to "0" is unlimited, but internally files
>> larger than 2GB in size cannot be scanned.  In this case, do you
>> treat the file as clean without scanning it at all?

> ClamAV code contains a lot of signed and unsigned 32bit variables
> that must be upgraded to 64bit variables to support larger files.
> Before raising the limit, a tedious audit process must be completed
> to ensure that all variables are upgraded in all modules.  We cannot
> simply remove the limit and cross our fingers.

A static analyzer such as cppcheck, PVS-Studio or the ones built into
gcc and clang may be useful tools in the tedious audit.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk

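The following is an added example, not code from the thread or from the 
ClamAV project. It shows the settings Micah names (AlertExceedsMax in 
clamd.conf, --alert-exceeds-max for clamscan) and the operational consequence 
of turning them on: a file that trips a limit is then reported as FOUND with a 
Heuristics.Limits.Exceeded.* name and counts toward the non-zero exit status 
exactly like a real detection. The script separates the two cases in clamscan 
output so that "not fully scanned" can be handled differently from "infected". 
The sample output lines are constructed, not from a real scan.

```shell
#!/bin/sh
# Added example; not ClamAV project code.
#
# With the defaults, a file that exceeds a scan limit is reported as OK.
# To get an alert instead:
#   clamd.conf:   AlertExceedsMax yes     (MaxFileSize, MaxScanSize, ... as needed)
#   clamscan:     clamscan --alert-exceeds-max --max-filesize=100M -r /data
# Limit hits then appear as FOUND with a Heuristics.Limits.Exceeded.* name
# and clamscan exits 1, the same as for a real detection.  The function
# below splits the two cases.

# Constructed sample of clamscan output (not a real scan).
SAMPLE_SCAN_OUTPUT='/data/disk.img: Heuristics.Limits.Exceeded.MaxFileSize FOUND
/data/nested.zip: Heuristics.Limits.Exceeded.MaxRecursion FOUND
/data/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/data/readme.txt: OK'

# Reads clamscan output on stdin; prints one line per file:
#   LIMIT <path> <signature>     a scan limit was exceeded; NOT fully scanned
#   INFECTED <path> <signature>  a real detection
#   CLEAN <path>                 scanned and OK
classify_scan_output() {
  awk '
    $NF == "FOUND" {
      sig = $(NF-1)
      path = $0; sub(/: [^:]*FOUND$/, "", path)
      if (sig ~ /^Heuristics\.Limits\.Exceeded\./) print "LIMIT", path, sig
      else print "INFECTED", path, sig
      next
    }
    $NF == "OK" { path = $0; sub(/: OK$/, "", path); print "CLEAN", path }
  '
}

# Number of files that were not fully scanned because a limit was hit.
count_limit_hits() {
  classify_scan_output | grep -c '^LIMIT '
}

# Stand-alone demo on the constructed output.
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | classify_scan_output
```

Usage on a real run is `clamscan --alert-exceeds-max -r /data | classify_scan_output`. 
A LIMIT line is the case the thread is about: without the alert option those 
files would have been reported OK, so a job that only inspects the exit status 
or the "Infected files" summary would treat an unscanned 2 GB image as clean.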

Re: [clamav-users] About scanning files larger than 2 GB in size

2023-01-26 Thread Micah Snyder (micasnyd) via clamav-users

> P.S. Do many current commercial AV suites for Windows have this limit?

I have no idea.  Does anyone else know?


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: Paul Kosinski 
Sent: Thursday, January 26, 2023 11:32 AM
To: Micah Snyder (micasnyd) ; clamav-users@lists.clamav.net 

Subject: Re: [clamav-users] About scanning files larger than 2 GB in size

I don't think I implied that the 2 GiB limit was "artificial" in the sense of 
trivial, or made up. I think I very clearly stated that
"It's a holdover from when 32-bit numbers were all that CPUs supported" and now 
"the 2 GiB limit is quite an anachronism".

Note that this question has been around for at least 7 years:
  
https://security.stackexchange.com/questions/107132/linux-antivirus-and-files-bigger-than-4gb

Clearly, much code review would have to be done. But Linux file I/O interfaces 
were successfully updated from 32-bit to 64-bit sizes and offsets some years 
ago, so the infrastructure is there. Also, the analogous Y2038 problem, which 
requires going from 32 to 64 bit as well (for time-stamps), is being seriously 
worked on. (And note that the Y2K problem, which was a *much* bigger issue, was 
indeed fixed.)

Paul

P.S. Do many current commercial AV suites for Windows have this limit?



On Thu, 26 Jan 2023 00:14:27 +
"Micah Snyder (micasnyd)"  wrote:

> Paul is sort-of correct but the 2GB limit isn't artificial as he has implied.
>
> ClamAV code contains a lot of signed and unsigned 32bit variables that must 
> be upgraded to 64bit variables to support larger files.  Before raising the 
> limit, a tedious audit process must be completed to ensure that all variables 
> are upgraded in all modules.  We cannot simply remove the limit and cross our 
> fingers.
>
> Regards,
> Micah
>


Re: [clamav-users] About scanning files larger than 2 GB in size

2023-01-25 Thread Micah Snyder (micasnyd) via clamav-users
Paul is sort-of correct but the 2GB limit isn't artificial as he has implied.

ClamAV code contains a lot of signed and unsigned 32bit variables that must be 
upgraded to 64bit variables to support larger files.  Before raising the limit, 
a tedious audit process must be completed to ensure that all variables are 
upgraded in all modules.  We cannot simply remove the limit and cross our 
fingers.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Paul 
Kosinski via clamav-users 
Sent: Saturday, January 21, 2023 8:02 PM
To: clamav-users@lists.clamav.net 
Cc: Paul Kosinski 
Subject: Re: [clamav-users] About scanning files larger than 2 GB in size

On Sun, 22 Jan 2023 05:40:18 +0900
Tsutomu Oyamada  wrote:

> How do I set up clamd?
> Setting MaxFileSize to "0" is unlimited, but internally files larger than 2GB 
> in size cannot be scanned.
> In this case, do you treat the file as clean without scanning it at all?


I've complained about the 2 GiB limit now and then for several years. It's a 
holdover from when 32-bit numbers were all that CPUs supported, and lots of 
code used C's signed "int" for file size and offset.

Way back in 1996, FAT32 had this limit, but even it was extended to 4 GiB (via 
unsigned 32-bit numbers) when Large File Support was added.

These days, media files are often bigger than 2 GiB, as are some archive files 
(esp. disk images). Furthermore, almost all recent versions of standard OSes 
are 64-bit, and very few 32-bit CPUs are even being sold. In other words, the 2 
GiB limit is quite an anachronism.



[clamav-users] Decommission of unused clamav-binary mailing list

2023-01-25 Thread Micah Snyder (micasnyd) via clamav-users
Hello everyone,

The clamav-binary mailing list fell into disuse many years ago.  We have found 
that we're able to communicate effectively with binary package maintainers as 
needed through the clamav-announce, clamav-devel, and clamav-users mailing 
lists.

Although we have not been using the clamav-binary list, we occasionally receive 
requests to join the list.  So, to avoid confusion, we have decided to 
decommission the clamav-binary mailing list.

I have already started the process to remove references to this list.  In the 
future we will remove the list entirely.

Best regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] Documentation: Installing, Unix From Source

2023-01-10 Thread Micah Snyder (micasnyd) via clamav-users
Sorry Scott, just saw this catching up on emails from over the holidays.  Yes, 
absolutely, we can update the instructions to use apt instead of pip.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Scott 
Kitterman via clamav-users 
Sent: Friday, December 23, 2022 8:58 AM
To: ClamAV users ML 
Cc: Scott Kitterman 
Subject: [clamav-users] Documentation: Installing, Unix From Source

It looks like the Ubuntu/Debian instructions are somewhat out of date
regarding installing CMake.  Likely others too.  In the currently published
instructions:

https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html

There's a note that says:

Note: Many of the instructions below rely on Python 3's Pip package manager to
install CMake. This is because many distributions do not provide a new enough
version of CMake required to build ClamAV.

According to the 1.0.0 CmakeLists.txt, the required version is 3.14:

cmake_minimum_required( VERSION 3.14 )

This was released a very long time ago:

https://github.com/Kitware/CMake/tree/v3.14.0 (March 14, 2019)

For Debian, Cmake 3.18 or newer is available in the current stable release
(the only one that's fully supported).

For Ubuntu 3.16 or newer is available for Ubuntu 20.04 LTS, Focal Fossa and
newer.  Ubuntu 18.04 LTS is still supported for a few more months, but I doubt
people still on a release that's two LTS releases ago are building new
software for it.

Would it be possible to add something to suggest just installing the cmake
package for Debian/Ubuntu instead of going the pip route?

Scott K


Re: [clamav-users] Testing for Big Endian Architectures

2023-01-10 Thread Micah Snyder (micasnyd) via clamav-users
Thanks Scott, Sebastian, and Orion. I'll keep an eye out for the patch PR.

Best,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Scott 
Kitterman via clamav-users 
Sent: Saturday, January 7, 2023 10:18 PM
To: ClamAV users ML 
Cc: Scott Kitterman 
Subject: Re: [clamav-users] Testing for Big Endian Architectures



On January 8, 2023 5:40:55 AM UTC, Orion Poplawski  wrote:
>On 1/6/23 14:29, Scott Kitterman via clamav-users wrote:
>> On Thursday, January 5, 2023 8:51:27 AM EST Scott Kitterman via clamav-users
>> wrote:
>>> We finally have Clamav 1.0.0 in Debian Unstable.
>>>
>>> Unfortunately, unit tests fail on all big endian archs (shown in the PowerPC
>>> build log [1] - it's the same tests failing on all of them).  Does upstream
>>> testing include big endian?
>>>
>>> Does anyone have suggestions on how to fix it?  I have access to hardware to
>>> test fixes if there are patches.
>>>
>>> Scott K
>>>
>>> [1]
>>> https://buildd.debian.org/status/fetch.php?pkg=clamav=powerpc=1.0.
>>> 0%2Bdfsg-4=1672878929=0
>>
>> My Debian collaborator Sebastian Siewior confirmed there are endianness 
>> issues
>> in libclamav/pe.c.  We have a patch we're testing which we will submit
>> upstream to fix this.
>>
>> Scott K
>
>There is this: https://github.com/Cisco-Talos/clamav/issues/759  which perhaps 
>are the same failures you are seeing?  A patch would be appreciated.

Likely the same.

With the patch, all the unit tests pass on s390x now:

https://salsa.debian.org/clamav-team/clamav/-/blob/unstable/debian/patches/libclamav-pe-Use-endian-wrapper-in-more-places.patch

We will submit it more formally, but it's there if anyone wants it in the 
meantime.

Scott K


Re: [clamav-users] Scanning result in socket connection for each file under a folder?

2023-01-10 Thread Micah Snyder (micasnyd) via clamav-users
I don't think it's possible unless you send each file to be scanned instead of 
scanning the directory.  clamd only sends back FOUND for files, or else OK for 
the directory.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Jorge 
Elissalde via clamav-users 
Sent: Tuesday, January 10, 2023 10:24 AM
To: newcome...@posteo.de ; ClamAV users ML 

Cc: Jorge Elissalde 
Subject: Re: [clamav-users] Scanning result in socket connection for each file 
under a folder?

Hi,

I'm trying to avoid log reading.
What I wish to have is the scanning status sent back for every scanned file 
using the clamd socket connection; the same socket I've used to send the SCAN 
[folder] command.
Thanks

Jorge

On Tue, 10 Jan 2023 at 15:14, newcomer01 via clamav-users 
(mailto:clamav-users@lists.clamav.net) 
wrote:
you can do this in a similar way:

> #!/bin/sh
> #
> #   @(#)maillog_report_clamav_matches 2022-11-25 Sylvain Robitaille
> #
> # report on which clamav signatures have matched, and how many times
> # each have matched from the latest maillog file (or the file(s) named
> # as argument(s).
>
> PATH=/usr/local/bin:/usr/bin:/bin
> #
> IFS="
> "
> export PATH;
> export IFS;
> umask 022
>
> # if we have no arguments, we'll default to the current maillog file;
> # else the arguments are the list;
> if [ "$*" ]; then
>     MAILLOG=$*
> else
>     MAILLOG="/var/log/maillog"
> fi
>
> # That's it ...
> grep -w FOUND ${MAILLOG} |\
>     awk '{print $(NF-1)}' |\
>     sort -h |\
>     uniq -c |\
>     sort -rh |\
>     awk '{total+=$1; print} END {if (NR > 1) print "total:", total}'



From: Clamav User Mailinglist
To: Newcomer01
CC: Jorge Elissalde
Sent: Tuesday, January 10, 2023 at 04:16 PM +0100
Subject: [clamav-users] Scanning result in socket connection for each 
file under a folder?
> Hi,
>
> When I scan a folder using socket connection to clamd (SCAN [folder]) I don't 
> get an individual result for each file in the connection.
> For example, if I send to scan the folder c:\testme, I will get (if 
> everything goes ok) only the line: c:\testme: OK
> Individual files scanned and result are stored in the log file, like this one:
>
> LOG> c:\testme\file1: OK
> LOG> c:\testme\file2: OK
> SOCKET> c:\testme: OK
>
> Is there a chance to get every individual scanned file result also reported 
> in the socket connection?
>
> Thank you
>
> Jorge
>

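Micah's answer above amounts to a client-side loop: walk the folder yourself and issue one SCAN per file, then read one verdict per reply. The following is an added example, not code from the thread or from the ClamAV project; the socket path is an assumption (take yours from LocalSocket in clamd.conf), and the replies used for the offline run are constructed to mirror the `path: OK` / `path: <sig> FOUND` / `path: <text> ERROR` lines shown in the thread.

```python
import os
import socket
from typing import Callable, Dict, Iterable, Tuple

# Assumed clamd LocalSocket path (adjust to the LocalSocket value in clamd.conf).
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

ScanResult = Tuple[str, str]  # (status, detail): status is OK, FOUND or ERROR


def send_zscan(path: str, sock_path: str = CLAMD_SOCKET) -> str:
    """Issue one NUL-terminated zSCAN over a fresh connection and return the
    NUL-terminated reply as text. clamd serves a single command per connection
    unless an IDSESSION is opened, so a new socket is used for every file."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zSCAN " + os.fsencode(path) + b"\0")
        buf = bytearray()
        while not buf.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return bytes(buf).rstrip(b"\0").decode(errors="replace")


def parse_reply(reply: str) -> Tuple[str, str, str]:
    """Split 'path: <detail> STATUS' into (path, status, detail).
    Assumes the path itself contains no ': ' sequence; anything that does not
    end in OK, FOUND or ERROR is reported as an ERROR so it is never mistaken
    for a clean verdict."""
    path, sep, rest = reply.partition(": ")
    if not sep:
        return reply, "ERROR", "unparseable reply"
    rest = rest.strip()
    if rest == "OK":
        return path, "OK", ""
    detail, _, status = rest.rpartition(" ")
    if status not in ("FOUND", "ERROR"):
        return path, "ERROR", rest
    return path, status, detail


def scan_paths(paths: Iterable[str],
               send: Callable[[str], str] = send_zscan) -> Dict[str, ScanResult]:
    """One SCAN per path; the verdict for each file is kept, not only FOUND."""
    results: Dict[str, ScanResult] = {}
    for p in paths:
        _, status, detail = parse_reply(send(p))
        results[p] = (status, detail)
    return results


def scan_directory(root: str,
                   send: Callable[[str], str] = send_zscan) -> Dict[str, ScanResult]:
    """What 'SCAN <folder>' does not give you over the socket: walk the tree
    locally and collect a per-file result."""
    files = (os.path.join(d, f) for d, _, names in os.walk(root) for f in names)
    return scan_paths(files, send)


# Constructed replies standing in for clamd so the block runs offline.
FAKE_REPLIES = {
    "/srv/testme/file1": "/srv/testme/file1: OK",
    "/srv/testme/eicar.com": "/srv/testme/eicar.com: Win.Test.EICAR_HDB-1 FOUND",
    "/srv/testme/locked": "/srv/testme/locked: Can't access file ERROR",
}


def fake_send(path: str) -> str:
    """Stand-in transport: unknown paths get a constructed lstat()-style error."""
    return FAKE_REPLIES.get(path, f"{path}: lstat() failed: No such file or directory. ERROR")


if __name__ == "__main__":
    for path, (status, detail) in scan_paths(FAKE_REPLIES, fake_send).items():
        print(f"{path}: {status} {detail}".rstrip())
```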


Re: [clamav-users] linux.cvd database question

2022-12-13 Thread Micah Snyder (micasnyd) via clamav-users
To add to what Andy wrote... The linux.cvd was created to supplement a product 
that has online hash look-ups and behavioral detection features.  It isn't 
advertised for public use because it isn't intended for public use.  And I'm 
not certain it is actually used anywhere.

But I should caution that it doesn't have a lot of detection content.  
Linux.cvd has basically no hash-based signatures, and a relatively tiny number 
of signatures in general.  And, for example, linux.cvd lacks any signatures for 
monitoring html links for phishing.

If this is your ticket to ticking the AV compliance checkbox then I guess go 
ahead.  It is updated frequently. But it doesn't have all that much in it.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Andy 
Ragusa (aragusa) via clamav-users 
Sent: Monday, December 12, 2022 7:25 PM
To: ClamAV users ML 
Cc: Andy Ragusa (aragusa) 
Subject: Re: [clamav-users] linux.cvd database question

The linux.cvd is kept up to date with linux-specific signatures, but obviously 
doesn't have the coverage that the rest of the signature databases have.

Thanks,
Andy

From: clamav-users  on behalf of Jimmy F 
via clamav-users 
Sent: Sunday, December 11, 2022 11:10 PM
To: clamav-users@lists.clamav.net 
Cc: Jimmy F 
Subject: [clamav-users] linux.cvd database question

Hi, question re the linux.cvd database. Our company has a number of Linux 
laptops running with 8 gigs of memory. We need AV for compliance reasons, and 
would like to use ClamAV, but the 1.2G memory footprint is a bit much, so we're 
looking at possibly using just the linux.cvd database which is considerably 
smaller.

My question is how often is that linux.cvd updated and does it have latest 
virus signatures? Using the sigtool it appears that it's updated from the 
previous day. But I'm not clear on its relationship to the daily.cvd or main 
databases. What percentage of daily.cvd are linux/unix based viruses?

Thanks!

Jimmy


[clamav-users] Maintenance outage planned for legacy bugzilla server, Friday

2022-12-07 Thread Micah Snyder (micasnyd) via clamav-users
Hello all,

There will be a maintenance outage for the legacy Bugzilla server this Friday 
around 8am EST.
The server will be offline for approximately 4 hours while we apply updates.

We are keeping Bugzilla around for reference. GitHub will continue to be the 
preferred site for issue tracking.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] Renumbered name server.

2022-11-29 Thread Micah Snyder (micasnyd) via clamav-users
Hi Grant,

I'm the community manager for ClamAV now. Your previous contact was likely Joel 
Esler who has moved on to new adventures.
We can continue this conversation in direct emails.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Grant 
Keller 
Sent: Tuesday, November 29, 2022 9:44 AM
To: clamav-users@lists.clamav.net 
Subject: [clamav-users] Renumbered name server.

Hello,

I'm trying to reach someone at clamav to update the IP for
ns3e.clamav.net. We have moved our nameserver to new ip space, and this
is the final record to update. We have reached out to the contact we
have on file but have not gotten a response yet. Who should we be
contacting about this?

Thanks.


[clamav-users] ClamAV 1.0.0 LTS released

2022-11-28 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at https://blog.clamav.net/2022/11/clamav-100-lts-released.html


ClamAV 1.0.0 LTS released

The ClamAV 1.0.0 feature release is now stable and available for download on 
ClamAV.net or through Docker 
Hub.

ClamAV 1.0.0 includes the following improvements and changes.

Major changes

  *   Support for decrypting read-only OLE2-based XLS files that are encrypted 
with the default password. Use of the default password will now appear in the 
metadata JSON.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/700

  *   Overhauled the implementation of the all-match feature. The newer code is 
more reliable and easier to maintain.

 *   This project fixed several known issues with signature detection in 
all-match mode:

*   Enabled embedded file-type recognition signatures to match when a 
malware signature also matched in a scan of the same layer.

*   Enabled bytecode signatures to run in all-match mode after a match 
has occurred.

*   Fixed an assortment of all-match edge case issues.

 *   Added multiple test cases to verify correct all-match behavior.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/687

  *   Added a new callback to the public API for inspecting file content during 
a scan at each layer of archive extraction.

 *   The new callback function type is clcb_file_inspection defined in 
clamav.h.

 *   The function cl_engine_set_clcb_file_inspection() may be used to 
enable the callback prior to performing a scan.

 *   This new callback is to be considered unstable for the 1.0 release. We 
may alter this function in a subsequent feature version.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/170

  *   Added a new function to the public API for unpacking CVD signature 
archives.

 *   The new function is cl_cvdunpack(). The last parameter for the 
function may be set to verify if a CVD's signature is valid before unpacking 
the CVD content to the destination directory.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/690

  *   The option to build with an external TomsFastMath library has been 
removed. ClamAV requires non-default build options for TomsFastMath to support 
bigger floating point numbers. Without this change, database and Windows 
EXE/DLL authenticode certificate validation may fail. The 
ENABLE_EXTERNAL_TOMSFASTMATH build is now ignored.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/742

  *   Moved the Dockerfile and supporting scripts from the main ClamAV 
repository over to a new repository: 
https://github.com/Cisco-Talos/clamav-docker

The separate repository will make it easier to update the images and fix issues 
with images for released ClamAV versions.

Any users building the ClamAV Docker image rather than pulling them from Docker 
Hub will have to get the latest Docker files from the new location.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/764

  *   Increased the SONAME major version for libclamav because of ABI changes 
between the 0.103 LTS release and the 1.0 LTS release.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/778

Other improvements

  *   Add checks to limit PDF object extraction recursion.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/629

  *   Increased the limit for memory allocations based on untrusted input and 
altered the warning message when the limit is exceeded so that it is more 
helpful and less dramatic.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/723

  *   Dramatically improved the build time of libclamav-Rust unit tests. The 
unit test build is included in the time limit for the test itself and was 
timing out on slower systems. The ClamAV Rust code modules now share the same 
build directory, which also reduces the amount of disk space used for the build.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/694

  *   For Windows: The debugging symbol (PDB) files are now installed alongside 
the DLL and LIB library files when built in "RelWithDebInfo" or "Debug" mode.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/669

  *   Relaxed the constraints on the check for overlapping ZIP file entries so 
as not to alert on slightly malformed, but non-malicious, Java (JAR) archives.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/561

  *   Increased the time limit in FreshClam before warning if the DNS entry is 
stale. In combination with changes to update the DNS entry more frequently, 
this should prevent false alarms of failures in the database publication system.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/597

  *   Docker: The C library header files are 

[clamav-users] Second ClamAV 1.0.0 release candidate AND updated packages for 0.105.1

2022-11-15 Thread Micah Snyder (micasnyd) via clamav-users
Read this online at 
https://blog.clamav.net/2022/11/second-clamav-100-release-candidate-and.html


Today we are publishing a second release candidate for ClamAV 1.0.0. If you 
haven't gotten a chance to test the 1.0.0 release candidate yet, please have a 
look before we publish the stable release. You can find the ClamAV 1.0.0-rc2 
release candidate files on the ClamAV.net Downloads 
page.

We expect to publish the stable 1.0.0 release in two weeks.

Today we are also publishing updated packages for ClamAV 0.105.1.

Why we updated the 0.105.1 packages, again

On October 31st, we repackaged all currently supported ClamAV versions to patch 
the bundled libxml2 and zlib library dependencies. For 0.105.1, this was 
intended to also include bug fixes for the jpeg and tiff Rust-based libraries 
that are bundled with the source code tarball. Unfortunately, those fixes were 
not all release-ready in time for the 0.105.1-2 packages. We have fixed the 
issue and are now publishing a third revision for ClamAV 0.105.1 packages.

Where to find the updated packages

The new packages have a "-3" suffix to indicate the package revision. For 
example, clamav-0.105.1-3.macos.universal.pkg is the updated package replacing 
clamav-0.105.1-2.macos.universal.pkg.

As always, you can get the updated packages from the ClamAV.net Downloads 
page. The original packages have been hidden 
on the web page and replaced by the updated packages. If you need the 
originals, the URLs to download them still work.

1.0.0-rc2 release notes

ClamAV 1.0.0-rc2 includes the following improvements and changes.

Major changes:

  *   Support for decrypting read-only OLE2-based XLS files that are encrypted 
with the default password. Use of the default password will now appear in the 
metadata JSON.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/700

  *   Overhauled the implementation of the all-match feature. The newer code is 
more reliable and easier to maintain.

 *   This project fixed several known issues with signature detection in 
all-match mode:

*   Enabled embedded file-type recognition signatures to match when a 
malware signature also matched in a scan of the same layer.

*   Enabled bytecode signatures to run in all-match mode after a match 
has occurred.

*   Fixed an assortment of all-match edge case issues.

 *   Added multiple test cases to verify correct all-match behavior.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/687

  *   Added a new callback to the public API for inspecting file content during 
a scan at each layer of archive extraction.

 *   The new callback function type is clcb_file_inspection defined in 
clamav.h.

 *   The function cl_engine_set_clcb_file_inspection() may be used to 
enable the callback prior to performing a scan.

 *   This new callback is to be considered unstable for the 1.0 release. We 
may alter this function in a subsequent feature version.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/170

  *   Added a new function to the public API for unpacking CVD signature 
archives.

 *   The new function is cl_cvdunpack(). The last parameter for the 
function may be set to verify if a CVD's signature is valid before unpacking 
the CVD content to the destination directory.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/690

  *   The option to build with an external TomsFastMath library has been 
removed. ClamAV requires non-default build options for TomsFastMath to support 
bigger floating point numbers. Without this change, database and Windows 
EXE/DLL authenticode certificate validation may fail. The 
ENABLE_EXTERNAL_TOMSFASTMATH build is now ignored.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/742

Other improvements:

  *   Add checks to limit PDF object extraction recursion.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/629

  *   Increased the limit for memory allocations based on untrusted input and 
altered the warning message when the limit is exceeded so that it is more 
helpful and less dramatic.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/723

  *   Dramatically improved the build time of libclamav-Rust unit tests. The 
unit test build is included in the time limit for the test itself and was 
timing out on slower systems. The ClamAV Rust code modules now share the same 
build directory, which also reduces the amount of disk space used for the build.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/694

  *   For Windows: The debugging symbol (PDB) files are now installed alongside 
the DLL and LIB library files when built in "RelWithDebInfo" or "Debug" mode.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/669
  *   Relaxed 

Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1

2022-11-08 Thread Micah Snyder (micasnyd) via clamav-users
> [Micah, I've just noticed that '-c file' doesn't appear in the 'man'
page for clamd.conf but '--config-file=file' does.  I *think* I've
mentioned it before but I don't have time to check right now.  The
short version does work instead of the long one, I guess you know.]

Thanks. Perhaps we should add this issue to 
https://github.com/Cisco-Talos/clamav/issues/731

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of G.W. 
Haywood via clamav-users 
Sent: Monday, November 7, 2022 8:59 AM
To: An Schall via clamav-users 
Cc: G.W. Haywood 
Subject: Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1

Hello again,

On Mon, 7 Nov 2022, An Schall via clamav-users wrote:

> the command we are using is:
>
> sudo -H clamdscan -v -c /etc/clamd.d/scan.conf --multiscan --fdpass

Try it without '--fdpass'.  What do you mean for the '-H' to do for you?

[Micah, I've just noticed that '-c file' doesn't appear in the 'man'
page for clamd.conf but '--config-file=file' does.  I *think* I've
mentioned it before but I don't have time to check right now.  The
short version does work instead of the long one, I guess you know.]

> We do see the errors in /var/log/clamdscan.log as defined in the
> configuration file /etc/clamd.d/scan.conf (see below). The exact error
> messages are as follows:
>
> Mon Nov  7 13:50:21 2022 -> 
> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: 
> Can't access file ERROR
> Mon Nov  7 13:50:21 2022 -> 
> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: 
> Can't access file ERROR
> Mon Nov  7 13:50:21 2022 -> 
> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: 
> Can't access file ERROR
> Mon Nov  7 13:50:21 2022 -> 
> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: 
> Can't access file ERROR
> Mon Nov  7 13:50:21 2022 -> 
> /data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdtop: 
> Can't access file ERROR

Can you confirm that the above log extract shows exactly five lines of
the log?  This is to allow tracking exactly what code in the source
actually wrote those log lines.  From my reading of the source code I
would not expect to see 'newline' characters between the filename and
the text of the message "Can't access ..." but you seem to have them
in your mail.

> Basically, all the files that we try to scan are triggering the above
> error. For some files though the scan gives an "OK" and not above
> error message. However, we fail to see any system / correlation for
> which files the scans fail and for which the scans are successful. It
> seems rather random.

Which do you mean:

(1) it's random whether scanning any particular file will cause the
error message or not  or

(2) scanning some files does not cause the error message, and scanning
these same files never causes the error message; scanning other files
always causes the error message; but you see no common factors which
link (or differentiate) the two sets of files?

> Below you can find the output of clamconf -n:
> ...

Can you explain how you came to be using all the non-default numbers?
Some of them look very optimistic to me.

> MaxThreads = "30"

This is on the high side, I believe the default is 10.

> MaxQueue = "200"

Ditto, default 100.

> ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$", ".*\.hdf$", ".*\.h5$"

This might deserve closer inspection than I can give it but I don't
think it's relevant to the issue.

> MaxDirectoryRecursion = "200"

Default 15.

> FollowDirectorySymlinks = "yes"
> FollowFileSymlinks = "yes"

Both default no.

Might be an issue if you're crossing filesystems.  Are you?

> MaxScanTime = "120"

Twenty minutes; default 12 seconds.  It won't be your issue, but are
you sure you want to do that?

> MaxScanSize = "4194304000"
> MaxFileSize = "4194304000"

These numbers are wishful thinking.  The defaults are 100M and 25M
respectively.  ClamAV cannot yet handle files bigger than 2GB, that's
clear in the 'man' page for clamd.conf if you'd like to look at it.

> MaxRecursion = "200"

Default 17.

> MaxFiles = "500"

Default 1

> MaxZipTypeRcg = "5242880"

Again see the 'man' page.  This applies also to

MaxThreads*MaxRecursion  +  MaxQueue  -  MaxThreads  +  6

which for your configuration I calculate to be

30 * 200 + 200 - 30 + 6 = 6176

which bodes ill if, as is likely, RLIMIT_NOFILE on your system is 1024.
Check it.

> As mentioned earlier, for all the files that were failed to scan, we
> tried to check access permissions, whether they exist, etc. pp. Those
> are regular files with correctly configured ACLs. I also tried to run
> clamdscan as root but it results in a similar problem.

You didn't answer my question about running clamd as root but I think
given the non-default lines in your config we're probably beyond that.

> Interestingly, when first escalating privileges via "sudo su" and then
> 
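The descriptor arithmetic Ged quotes from the clamd.conf man page (MaxThreads*MaxRecursion + MaxQueue - MaxThreads + 6 must stay below RLIMIT_NOFILE) can be checked mechanically against `clamconf -n` output. This is an added example, not from the thread or from ClamAV; it parses the `Key = "value"` line format shown above, uses the defaults Ged cites (MaxThreads 10, MaxQueue 100, MaxRecursion 17) for keys that are absent, and reads the soft limit of the current process on a Unix host.

```python
import re
import resource
from typing import Dict, Optional

# Defaults as cited in the thread above (used when the key is not in the config).
DEFAULTS = {"MaxThreads": 10, "MaxQueue": 100, "MaxRecursion": 17}

# Constructed sample in the 'clamconf -n' format from the thread, with An Schall's values.
SAMPLE_CLAMCONF = r'''
MaxThreads = "30"
MaxQueue = "200"
ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$"
MaxDirectoryRecursion = "200"
FollowDirectorySymlinks = "yes"
MaxRecursion = "200"
MaxScanSize = "4194304000"
'''

# Key = "value" ...; for multi-valued keys only the first value is captured.
_LINE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')


def parse_clamconf(text: str) -> Dict[str, str]:
    """Turn clamconf -n style lines into a key -> first-value mapping."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def fd_estimate(cfg: Dict[str, str]) -> int:
    """Worst-case open file descriptors per the clamd.conf man page:
    MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6."""
    threads = int(cfg.get("MaxThreads", DEFAULTS["MaxThreads"]))
    queue = int(cfg.get("MaxQueue", DEFAULTS["MaxQueue"]))
    recursion = int(cfg.get("MaxRecursion", DEFAULTS["MaxRecursion"]))
    return threads * recursion + (queue - threads) + 6


def check_nofile(cfg: Dict[str, str], limit: Optional[int] = None) -> Dict[str, object]:
    """Compare the estimate with RLIMIT_NOFILE (this process's soft limit
    unless a limit is passed in explicitly)."""
    if limit is None:
        limit, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    needed = fd_estimate(cfg)
    return {"needed": needed, "limit": limit, "ok": needed < limit}


if __name__ == "__main__":
    verdict = check_nofile(parse_clamconf(SAMPLE_CLAMCONF))
    print("descriptors needed:", verdict["needed"],
          "RLIMIT_NOFILE:", verdict["limit"],
          "OK" if verdict["ok"] else "TOO LOW")
```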

Re: [clamav-users] ClamAV signatures have been released to detect malware exploiting CVE-2022-3602 and CVE-2022-3786 OpenSSL 3.0.x security vulnerabilities

2022-11-08 Thread Micah Snyder (micasnyd) via clamav-users
If you're interested in monitoring what virustotal has seen, you can do a 
search like this: 
https://www.virustotal.com/gui/search/Multios.Exploit.CVE_2022_3602-9976476-0/files

At present, it only shows a single .pcap network traffic recording as having 
matched with the signature.

That is for revision 0 of the signature, though.  The signature has been 
updated and there is a newer one: Multios.Exploit.CVE_2022_3602-9976476-1

Searching for this signature does not show any hits on VirusTotal, yet: 
https://www.virustotal.com/gui/search/Multios.Exploit.CVE_2022_3602-9976476-1

I imagine additional files will appear with time.

Unfortunately, I do not have a sample that I can share for this signature.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
Turritopsis Dohrnii Teo En Ming via clamav-users 
Sent: Monday, November 7, 2022 5:21 AM
To: ClamAV users ML 
Cc: Turritopsis Dohrnii Teo En Ming ; 
c...@teo-en-ming-corp.com 
Subject: Re: [clamav-users] ClamAV signatures have been released to detect 
malware exploiting CVE-2022-3602 and CVE-2022-3786 OpenSSL 3.0.x security 
vulnerabilities



On Mon, 7 Nov 2022 at 08:39, Al Varnell via clamav-users 
(mailto:clamav-users@lists.clamav.net) wrote:
Those are vulnerability signatures, not necessarily for any existing malware. 
Anything that attempts to exploit those vulnerabilities should be caught.

Noted with thanks.

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore


Re: [clamav-users] version numbers of updated libraries in 0.105.1-2

2022-11-02 Thread Micah Snyder (micasnyd) via clamav-users
Hello Anjana, Ged,

I'm both grateful and embarrassed that you tracked this down.  I believe the 
fault is mine.

We built 0.105.1-2, tested it, signed it, and even staged it on the website in 
preparation for release on Monday.  However, the tiff project released an 
update on Saturday so we rebuilt/tested/signed the release files for 0.105.1-2 
on Monday to get the tiff fixes in.  I removed the old 0.105.1-2 release files 
from the website and uploaded the new ones*.

*I think this is where things went wrong.  I double-checked my local files. The 
second set of packages for 0.105.1-2 does have the newer image-tiff version, 
but the one on the website does not.  My best guess is that I simply 
re-uploaded the first set of packages from Friday instead of the ones from Monday.

With regards to the jpeg-decoder version update, it seems that the image 
library and image-tiff libraries still have the minimum required jpeg-decoder 
release set to the previous version.  I am working with them now to update that 
so we can include the latest jpeg-decoder version.

I apologize for the mistake. We will publish another update to the 0.105.1 
packages as soon as we're able to include the updates to both the tiff and 
jpeg libraries.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of G.W. 
Haywood via clamav-users 
Sent: Wednesday, November 2, 2022 6:03 AM
To: Anjana Patel via clamav-users 
Cc: G.W. Haywood 
Subject: Re: [clamav-users] version numbers of updated libraries in 0.105.1-2

Hi there,

On Wed, 2 Nov 2022, Anjana Patel via clamav-users wrote:

> During the build process of 0.105.1-2 on a RHEL7 system (installing
> from source) I noticed the following scroll up (I've only listed the
> two that are relevant) :
>
> Compiling jpeg-decoder v0.2.6
> Compiling tiff v0.7.3
>
> The email announcement said that the issues in the JPEG and TIFF
> libraries were resolved in image-tiff version 0.7.4 and jpeg-decoder
> version 0.3.0.  I have double-checked that I had downloaded the
> correct tar file (clamav-0.105.1-2.tar.gz).  Should I be seeing the
> later version numbers during the build?

Yes, I'd have thought so.

Micah says in his announcement that critical vulnerabilities exist in
the 'jpeg-decoder' and 'tiff' rust libraries which are bundled with
the source tarball for 0.105.1.  He further says that these have been
addressed in 0.105.1-2, and 1.0.0-rc.  I'm still unfamiliar with the
new build system but so far I've found no evidence that the packages
for the libraries in the tarballs have changed since 0.105.1:

8<--
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ 
clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ 
clamav-0.105.1-2/libclamav_rust/.cargo/vendor/tiff/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ 
clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ 
clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/tiff/
$
8<--

Here's the change log for example for jpeg-decoder bundled in 0.105.1-2:

8<--
$ head clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/CHANGELOG.md
# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).

## v0.2.6 (2022-05-09)

- Another fix to allow usage in WASM target.
- Decoding in the WASM target is now actively tested in CI.

## v0.2.5 (2022-05-02)
8<--

As you can see it's still at 0.2.6.

Maybe we're missing something?

--

73,
Ged.


Re: [clamav-users] [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's

2022-11-02 Thread Micah Snyder (micasnyd) via clamav-users
Ged,

Augh indeed!  It looks like the clamav-0.105.1.tar.gz (and sig file) were the 
only files not correctly hidden.  The -2 variant is available right next to it 
though. The old one is hidden, now.

As for 0.103.7, the tarball has not changed at all.  Only 0.105.1's source 
tarball was updated, because of bug fixes in Rust vendored dependencies in that 
tarball.

For 0.103.7, only the installer packages (RPM, DEB, PKG, ZIP, MSI) have been 
updated.  So, there is no need to rebuild the 0.103.7 source tarball unless you 
also built ClamAV using static library dependencies. If you're using 
distro-provided shared libraries in your build, they would be updated 
separately from ClamAV, and you just want to make sure those are up-to-date 
with their latest package revisions.

> FWIW the problem went away when I used autotools instead of CMake:

Oh!  Yes, CMake for 0.103 was experimental.  Honestly, I had forgotten it even 
existed for 0.103 until you said something.  I am not surprised that there is 
an issue there.  It is much more stable in 0.104 and later.

I'm glad you have everything working again.

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of G.W. 
Haywood via clamav-users 
Sent: Tuesday, November 1, 2022 4:32 PM
To: Micah Snyder (micasnyd) via clamav-users 
Cc: G.W. Haywood 
Subject: Re: [clamav-users] [Clamav-announce] New packages for ClamAV 0.103.7, 
0.104.4, 0.105.1 to resolve CVE's

Hi Micah,

On Tue, 1 Nov 2022, Micah Snyder (micasnyd) via clamav-users wrote:
> On Tue, 1 Nov 2022, G.W. Haywood via clamav-users wrote:
> > On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:
> >
> > > Today we are publishing updated packages for ClamAV 0.103.7 ...
> >
> > Maybe I've done something stupid...
> >
> > Nov  1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): 
> > [74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION 
> > MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]
>
> It seems that your libclamav is from a different build than your clamd.

Yeah. :)  I don't know how, though.

> The number on the right is the version number for clamd.  The
> 0.103.7 version is what I would expect.

Ack.

> The number on the left is the version number for libclamav.  The
> short-hash represents this git commit:
> https://github.com/cisco-Talos/clamav/commit/11aaa24dd.  This is a
> different version string, and even different commit hash, than I
> would expect.

Agh.

> The release materials for 0.103.7-2 were generated from our
> rel/0.103 branch
> https://github.com/Cisco-Talos/clamav/commits/rel/0.103 so I would
> at least think that hash would be 416cd0b78.

Am I using the right tarball?

$ ls -l clamav-0.103.7.tar.gz
-rw-r--r-- 1 ged ged 16501741 Jul 26 22:54 clamav-0.103.7.tar.gz
$ md5sum clamav-0.103.7.tar.gz
9138e4678fabfb39bbe1844001ff4815  clamav-0.103.7.tar.gz

I grabbed it from the download page.  Your mail said the old versions
were hidden, but the date there looks wrong and it doesn't have the
suffix -2.  It's still the same on the download page as I write.

> Of course, I would actually expect the version to be 0.103.7 for
> both, and not have the hash.

The code in .../clamd/session.c is

    if (strcmp(engine_ver, clamd_ver)) {
        mdprintf(desc, "ENGINE VERSION MISMATCH: %s != %s. ERROR%c",
                 engine_ver, clamd_ver, term);
        return;
    }

so it's going to die anyway for *any* commit hash for engine_ver. :(

> If I remember correctly, the version string showing a commit hash
> means that clamav was built from within a Git clone directory,
> rather than building from an un-tarred source tarball.  By chance
> did you build and install libclamav from a git clone?

No, all from source.  I don't remember using git to build ClamAV at
any time.  There isn't even a git executable on the machine which is
running this clamd.  I think last time I built 0.103.x it was with
autotools.  This time I tried CMake which seemed to work and then it
all went pear-shaped at runtime.  Maybe that's another problem?  Or
maybe the main one?

It's an arm7 box, Raspberry Pi 4B.  I did try to build 0.105 on there
a few days earlier.  That failed, I posted the error at the time.

When  I've got more time I'll dig into this but if you can confirm
that the tarball on the download page is wrong that will be a good
place to start.

--

73,
Ged.
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat

Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-11-02 Thread Micah Snyder (micasnyd) via clamav-users
Hi Andrew,

> Should cli_cvdverify() even be used to verify .cld files ?

Indeed, it should not.

Here is my PR to fix the issue.  Are you able to try it out to help verify it 
resolves the issue on your end?
https://github.com/Cisco-Talos/clamav/pull/740
Clam 2167 freshclam cld incremental update by micahsnyder · Pull Request #740 · 
Cisco-Talos/clamav
Freshclam: fix incremental update on CLD database When adding the 
cl_cvdunpack() API that (optionally) verifies the database signature, we used 
it in libfreshclam in a place where it may also unpac...

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: Andrew C Aitchison 
Sent: Wednesday, November 2, 2022 8:40 AM
To: Micah Snyder (micasnyd) 
Cc: ClamAV users ML ; Andrew C Aitchison 

Subject: Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

On Tue, 1 Nov 2022, Micah Snyder (micasnyd) wrote:

> Oh I see! It is on the second incremental update that the failure occurs -- 
> when the CLD is unpacked to be updated. That should be a very easy fix.
>
> If you can help test it, I will share something as soon as it is ready.

I think I have found the problem.

These .cld files have headers like

ClamAV-VDB:01 Nov 2022 03-52 -0400:26706:2009713:90:X:X:raynman:1667289154

with X in place of both the MD5 and the Digital signature
so cli_cvdverify() has nothing to match and thus fails.

Do *downloaded* .cld files (as opposed to updated and repacked files)
have MD5 and the Digital signature ?

Should cli_cvdverify() even be used to verify .cld files ?

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk


Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-11-01 Thread Micah Snyder (micasnyd) via clamav-users
Oh I see! It is on the second incremental update that the failure occurs -- 
when the CLD is unpacked to be updated. That should be a very easy fix.

If you can help test it, I will share something as soon as it is ready.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Andrew 
C Aitchison via clamav-users 
Sent: Sunday, October 30, 2022 3:34 AM
To: ClamAV users ML 
Cc: Andrew C Aitchison 
Subject: Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

On Fri, 28 Oct 2022, Yasuhiro Kimura wrote:

> From: Ralf Hildebrandt via clamav-users 
> Subject: Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available
> Date: Fri, 28 Oct 2022 09:10:46 +0200
>
>> * Micah Snyder (micasnyd) via clamav-users :
>>
>>> We are excited to announce the ClamAV 1.0.0 release candidate!
>>
>> I'm seeing log entries like this for the machines with 1.0.0-rc
>> indicating the daily.cld update failed:
>
> I experienced same problem while I'm working to update FreeBSD ClamAV
> port to 1.0.0-rc. It happens if ClamAV is built with external
> TomsFastMath library (that is, ENABLE_EXTERNAL_TOMSFASTMATH option is
> ON).
>
> See issue #736 for more detail.
>
> https://github.com/Cisco-Talos/clamav/issues/736

I am building from the tarball at
https://www.clamav.net/downloads/production/clamav-1.0.0-rc.tar.gz
on Ubuntu kinetic 22.10 (released this month) and have the same problem,
but have not (yet?) managed to resolve it with the internal TomsFastMath
library.

I started by copying the database directory from one built by freshclam v103.7
which has had no problems with recent updates, including yesterday and today.
The freshclam.conf files have different UpdateLogFile and DatabaseDirectory but
are otherwise identical, including
 DatabaseMirror db.local.clamav.net
 DatabaseMirror database.clamav.net

Yesterday freshclam suggested that I checked again later, but today
it is downloading the .cvd after failing to patch the .cld

Should I, or you, be concerned that after just two days, freshclam
switches to a large download ?

Joel asked:
> You wouldn't download the cld from the server.
> Or am I reading this thread wrong.

No, but the database directory has an existing .cld to update.

In mkdir_and_chdir_for_cdiff_tmp() libfreshclam_internal.c I see:

    /*
     * 3) Unpack the existing CVD/CLD database to this directory.
     */
    if (CL_SUCCESS != cl_cvdunpack(cvdfile, tmpdir, false)) {
        logg(LOGG_ERROR, "mkdir_and_chdir_for_cdiff_tmp: Can't unpack %s into %s\n", cvdfile, tmpdir);
        cli_rmdirs(tmpdir);
        goto done;
    }
but chasing cl_cvdunpack, the verify routines only mention cvd.
Do they verify .cld files too, or is that the real problem ?



(Whilst the .cvd downloads, the line
 Time:   21.7s, ETA:0.0s [>]   57.34MiB/57.34MiB
flickers a lot; does it need to redraw every 0.1 seconds ?)



# host db.local.clamav.net ; host database.clamav.net
db.local.clamav.net is an alias for db.local.clamav.net.cdn.cloudflare.net.
db.local.clamav.net.cdn.cloudflare.net has address 104.16.219.84
db.local.clamav.net.cdn.cloudflare.net has address 104.16.218.84
db.local.clamav.net.cdn.cloudflare.net has IPv6 address 2606:4700::6810:db54
db.local.clamav.net.cdn.cloudflare.net has IPv6 address 2606:4700::6810:da54
database.clamav.net is an alias for database.clamav.net.cdn.cloudflare.net.
database.clamav.net.cdn.cloudflare.net has address 104.16.219.84
database.clamav.net.cdn.cloudflare.net has address 104.16.218.84
database.clamav.net.cdn.cloudflare.net has IPv6 address 2606:4700::6810:da54
database.clamav.net.cdn.cloudflare.net has IPv6 address 2606:4700::6810:db54


Sat Oct 29 12:30:06 2022 -> --
Sat Oct 29 12:30:06 2022 -> ClamAV update process started at Sat Oct 29 
12:30:06 2022
Sat Oct 29 12:30:06 2022 -> daily database available for update (local version: 
26702, remote version: 26703)
Sat Oct 29 12:30:06 2022 -> WARNING: [LibClamAV] CVD verification failed for: 
daily.cld
Sat Oct 29 12:30:06 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't unpack 
daily.cld into 
/var/lib/clamav-1.0.0-rc/tmp.b1a2031575/clamav-a369f6069be4efb91a43123096659109.tmp
Sat Oct 29 12:30:06 2022 -> The database server doesn't have the latest patch 
for the daily database (version 26703). The server will likely have updated if 
you check again in a few hours.
Sat Oct 29 12:30:06 2022 -> main.cld database is up-to-date (version: 62, sigs: 
6647427, f-level: 90, builder: sigmgr)
Sat Oct 29 12:30:06 2022 -> bytecode.cld database is up-to-date (version: 333, 
sigs: 92, f-level: 63, builder: awillia2)
Sun Oct 30 09:22:40 2022
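A small parser for the CVD/CLD header Andrew quotes, together with the verification decision that freshclam's unpack step (the cl_cvdunpack(cvdfile, tmpdir, false) call quoted above) gets wrong in 1.0.0-rc. This is an added example, not ClamAV's own code: it assumes the header layout described in this thread (a 512-byte text header of nine colon-separated fields, followed by the archive payload), takes the MD5 field to cover everything after the header, and leaves out the RSA check of the digital signature, which needs ClamAV's public key. The .cld header fields are the ones from Andrew's message; the payload, the .cvd image and the placeholder signature string are constructed.

```python
import hashlib
from dataclasses import dataclass

HEADER_LEN = 512  # text header size; the gzipped tar of signatures follows it


@dataclass
class VdbHeader:
    build_time: str
    version: int
    sigs: int
    flevel: int
    md5: str        # "X" in a .cld that freshclam rebuilt locally
    dsig: str       # likewise "X"; a real .cvd carries the RSA signature here
    builder: str
    stime: int

    @property
    def has_integrity_fields(self) -> bool:
        return self.md5 != "X" and self.dsig != "X"


def parse_header(header_text: str) -> VdbHeader:
    """Split the nine colon-separated fields of a ClamAV-VDB header."""
    fields = header_text.strip().split(":")
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    return VdbHeader(
        build_time=fields[1], version=int(fields[2]), sigs=int(fields[3]),
        flevel=int(fields[4]), md5=fields[5], dsig=fields[6],
        builder=fields[7], stime=int(fields[8]),
    )


def check_database(image: bytes, filename: str) -> str:
    """Return 'verified', 'skipped' or 'failed' for a database file image.

    A .cvd must carry a real MD5 (assumed here to cover the bytes after the
    header).  A repacked .cld has only "X" placeholders, so there is nothing
    to match against; pushing it through the same verifier is the 1.0.0-rc
    bug, and the right outcome is to skip the check rather than fail.
    """
    header = parse_header(image[:HEADER_LEN].decode("ascii"))
    payload = image[HEADER_LEN:]
    if filename.endswith(".cld") and not header.has_integrity_fields:
        return "skipped"
    if hashlib.md5(payload).hexdigest() != header.md5:
        return "failed"
    return "verified"


def build_image(build_time, version, sigs, flevel, md5, dsig, builder, stime,
                payload: bytes) -> bytes:
    """Assemble a header-plus-payload image the way the format lays it out."""
    header = ":".join(["ClamAV-VDB", build_time, str(version), str(sigs),
                       str(flevel), md5, dsig, builder, str(stime)])
    return header.encode("ascii").ljust(HEADER_LEN, b" ") + payload


# Constructed sample payload; a real database carries a gzipped tar here.
SAMPLE_PAYLOAD = b"constructed stand-in for the signature archive\n"

# Header fields from Andrew's message; the .cvd form gets a real MD5 of the
# payload and a placeholder (not a real signature) in the dsig field.
SAMPLE_CVD = build_image("01 Nov 2022 03-52 -0400", 26706, 2009713, 90,
                         hashlib.md5(SAMPLE_PAYLOAD).hexdigest(),
                         "PlaceholderSignatureNotReal", "raynman", 1667289154,
                         SAMPLE_PAYLOAD)
# The locally repacked .cld: same fields, "X" where the integrity data was.
SAMPLE_CLD = build_image("01 Nov 2022 03-52 -0400", 26706, 2009713, 90,
                         "X", "X", "raynman", 1667289154, SAMPLE_PAYLOAD)
# A .cvd whose payload was altered after the header was written.
TAMPERED_CVD = SAMPLE_CVD + b"\x00"


if __name__ == "__main__":
    for name, image in [("daily.cvd", SAMPLE_CVD), ("daily.cld", SAMPLE_CLD),
                        ("daily.cvd", TAMPERED_CVD)]:
        print(name, check_database(image, name))
```

The filename test matters: a .cld with "X" fields that someone renamed to .cvd still fails, because skipping verification is only safe for a database freshclam itself rebuilt from a verified download.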

Re: [clamav-users] [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's

2022-11-01 Thread Micah Snyder (micasnyd) via clamav-users

It seems that your libclamav is from a different build than your clamd.

The number on the right is the version number for clamd.  The 0.103.7 version 
is what I would expect.

The number on the left is the version number for libclamav.
The short-hash represents this git commit: 
https://github.com/cisco-Talos/clamav/commit/11aaa24dd.
This is a different version string, and even different commit hash, than I 
would expect.
The release materials for 0.103.7-2 were generated from our rel/0.103 branch 
https://github.com/Cisco-Talos/clamav/commits/rel/0.103 so I would at least 
think that hash would be 416cd0b78.  Of course, I would actually expect the 
version to be 0.103.7 for both, and not have the hash.

If I remember correctly, the version string showing a commit hash means that 
clamav was built from within a Git clone directory, rather than building from 
an un-tarred source tarball.  By chance did you build and install libclamav 
from a git clone?

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of G.W. 
Haywood via clamav-users 
Sent: Tuesday, November 1, 2022 10:21 AM
To: ClamAV users ML 
Cc: G.W. Haywood 
Subject: Re: [clamav-users] [Clamav-announce] New packages for ClamAV 0.103.7, 
0.104.4, 0.105.1 to resolve CVE's

Hi there,

On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:

> Today we are publishing updated packages for ClamAV 0.103.7 ...

Maybe I've done something stupid...

Nov  1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): 
[74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION 
MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]

Very pressed at the moment, all observations welcome.

--

73,
Ged.
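Because clamd's check is the plain strcmp() Ged quotes from clamd/session.c, any byte of difference between the libclamav and clamd version strings, including the git hash suffix Micah explains above, makes every scan request fail. The following is an added example, not ClamAV code, showing how a mail-server operator can pick that condition out of the milter/syslog lines and attach the diagnosis from this thread. The first log line is the one from Ged's message; the other two are constructed. The classification rules (a "devel-<hash>" string meaning a build from a Git checkout, a plain x.y.z string meaning a release build) follow Micah's explanation, and the remediation hints are this example's own wording of the thread's advice to build libclamav and clamd from the same source.

```python
import re

MISMATCH_RE = re.compile(
    r"ENGINE VERSION MISMATCH: (?P<engine>\S+) != (?P<clamd>.+?)\. ERROR"
)
GIT_BUILD_RE = re.compile(r"^devel-[0-9a-f]{7,40}$")   # built inside a git checkout
RELEASE_RE = re.compile(r"^\d+\.\d+\.\d+$")            # built from a release tarball


def versions_match(engine_ver: str, clamd_ver: str) -> bool:
    """Exact comparison, the same test clamd/session.c applies with strcmp()."""
    return engine_ver == clamd_ver


def diagnose(engine_ver: str, clamd_ver: str) -> str:
    """Turn a (libclamav, clamd) version pair into an operator-facing hint."""
    if versions_match(engine_ver, clamd_ver):
        return "ok"
    if GIT_BUILD_RE.match(engine_ver) and RELEASE_RE.match(clamd_ver):
        return ("libclamav built from a Git checkout while clamd came from a "
                "release tarball; rebuild both from the same source tree")
    if RELEASE_RE.match(engine_ver) and RELEASE_RE.match(clamd_ver):
        return ("stale libclamav shared library still loaded; reinstall from "
                "the same build as clamd and re-run ldconfig")
    return ("unrecognised version strings; compare clamd --version with the "
            "libclamav actually loaded")


def scan_log(lines) -> list:
    """Return one finding per log line that relays clamd's mismatch reply."""
    findings = []
    for line in lines:
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        engine, clamd = m.group("engine"), m.group("clamd")
        findings.append({"engine": engine, "clamd": clamd,
                         "hint": diagnose(engine, clamd)})
    return findings


SAMPLE_LOG = [
    # Line from Ged's message (milter log relaying clamd's reply).
    "Nov  1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): "
    "[74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION "
    "MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]",
    # Constructed: a healthy scan reply, must not produce a finding.
    "Nov  1 17:16:49 mail6 x3[3078]: 2A1HGPGJ007262: Response from ClamAV "
    "daemon [stream: OK]",
    # Constructed: an old shared libclamav left behind by a partial upgrade.
    "Nov  1 17:16:50 mail6 x3[3078]: 2A1HGPGJ007263: Response from ClamAV "
    "daemon [ENGINE VERSION MISMATCH: 0.103.6 != 0.103.7. ERROR]",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['engine']} != {f['clamd']}: {f['hint']}")
```

Wiring scan_log() into whatever tails the mail log gives an alert at the first rejected message instead of after a queue of undelivered mail; the same exact-match rule can be applied proactively by comparing the version reported by clamd against the one reported by the libclamav it loads.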


Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-11-01 Thread Micah Snyder (micasnyd) via clamav-users
Hi Ralf,

I spent some time playing with this yesterday but so far I have been unable to 
reproduce this issue.  I will continue to investigate.  If you find any other 
clues as to what the trigger may be, please let me know.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: Ralf Hildebrandt 
Sent: Friday, October 28, 2022 12:15 AM
To: Micah Snyder (micasnyd) via clamav-users ; 
Micah Snyder (micasnyd) 
Subject: Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

> Fri Oct 28 09:07:10 2022 -> --
> Fri Oct 28 09:07:10 2022 -> freshclam daemon 1.0.0-rc (OS: Linux, ARCH: 
> x86_64, CPU: x86_64)
> Fri Oct 28 09:07:10 2022 -> ClamAV update process started at Fri Oct 28 
> 09:07:10 2022
> Fri Oct 28 09:07:10 2022 -> daily database available for update (local 
> version: 26700, remote version: 26701)
> Fri Oct 28 09:07:10 2022 -> WARNING: [LibClamAV] CVD verification failed for: 
> daily.cld
> Fri Oct 28 09:07:10 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't 
> unpack daily.cld into 
> /var/lib/clamav/tmp.3bbb7ed4d7/clamav-bfba84844f1170e4c4210f03d1759097.tmp
> Fri Oct 28 09:07:10 2022 -> The database server doesn't have the latest patch 
> for the daily database (version 26701). The server will likely have updated 
> if you check again in a few hours.
> Fri Oct 28 09:07:10 2022 -> main.cvd database is up-to-date (version: 62, 
> sigs: 6647427, f-level: 90, builder: sigmgr)
> Fri Oct 28 09:07:10 2022 -> bytecode.cvd database is up-to-date (version: 
> 333, sigs: 92, f-level: 63, builder: awillia2)
> Fri Oct 28 09:07:10 2022 -> --

Another data point - I checked another machine which successfully
updated to 26701 (yesterday already!):

Thu Oct 27 10:00:06 2022 -> --
Thu Oct 27 11:00:06 2022 -> Received signal: wake up
Thu Oct 27 11:00:06 2022 -> ClamAV update process started at Thu Oct 27 
11:00:06 2022
Thu Oct 27 11:00:06 2022 -> daily database available for update (local version: 
26699, remote version: 26701)
Thu Oct 27 11:00:06 2022 -> WARNING: [LibClamAV] CVD verification failed for: 
daily.cld
Thu Oct 27 11:00:06 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't unpack 
daily.cld into 
/var/lib/clamav/tmp.bfd8f6c0fe/clamav-91f69d4433a1975076fd9905e1f5ca06.tmp
Thu Oct 27 11:00:06 2022 -> WARNING: Incremental update failed, trying to 
download daily.cvd
Thu Oct 27 11:00:09 2022 -> Testing database: 
'/var/lib/clamav/tmp.bfd8f6c0fe/clamav-4ad0a44cd8a0ebe2bf630a0b92819105.tmp-daily.cvd'...
Thu Oct 27 11:00:19 2022 -> Database test passed.
Thu Oct 27 11:00:19 2022 -> daily.cvd updated (version: 26701, sigs: 2009238, 
f-level: 90, builder: raynman)
Thu Oct 27 11:00:19 2022 -> main.cld database is up-to-date (version: 62, sigs: 
6647427, f-level: 90, builder: sigmgr)
Thu Oct 27 11:00:19 2022 -> bytecode.cld database is up-to-date (version: 333, 
sigs: 92, f-level: 63, builder: awillia2)
Thu Oct 27 11:00:19 2022 -> --

So the issue is with the incremental update of daily.cld only; once it
falls back to daily.cvd it's working as it should.

--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de


Re: [clamav-users] ClamAV 1.0.0 release candidate now available

2022-11-01 Thread Micah Snyder (micasnyd) via clamav-users
Hi Andrew,

We don't actually create a clamav.spec file for building the RPM, or the 
equivalent for the DEB package.  These packages are created by CMake's CPack 
tool.

The only special settings we add for supporting building RPM's and DEB's is 
this: https://github.com/Cisco-Talos/clamav/blob/main/CMakeLists.txt#L418-L437

At build time, we also set -D CPACK_DEBIAN_PACKAGE_RELEASE=1, or 
-D CPACK_RPM_PACKAGE_RELEASE=1, and then after the build we run cpack -G DEB or 
cpack -G RPM and CPack does everything.

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Andrew 
C Aitchison via clamav-users 
Sent: Friday, October 28, 2022 11:45 AM
To: clamav-users@lists.clamav.net 
Cc: Andrew C Aitchison 
Subject: Re: [clamav-users] ClamAV 1.0.0 release candidate now available


On Tue, 25 Oct 2022, Micah Snyder (micasnyd) via clamav-users wrote:

> Read this announcement online at
> https://blog.clamav.net/2022/10/clamav-100-release-candidate-now.html
>
> We are excited to announce the ClamAV 1.0.0 release candidate!
>
> You may find the source code and installers for this release on:
>
>  *   the clamav.net/downloads<https://www.clamav.net/downloads>, or
>  *   the ClamAV GitHub release
> page<https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.0.0-rc>
>
> Note: If you are looking for the source code on
> clamav.net/downloads<https://www.clamav.net/downloads> - there is an
> issue preventing the "Source" section from showing for release
> candidates. Until we fix this issue, you find it under the "Linux"
> section.
>
> Tip: If you are downloading the source from the GitHub release page,
> the package labeled "clamav-1.0.0-rc.tar.gz" does not require an
> internet connection to build.  All dependencies are included in this
> package.  But if you download the ZIP or TAR.GZ generated by GitHub,
> located at the very bottom, then an internet connection will be
> required during the build to download additional Rust dependencies.

It would be great if you could put the source debian/ directory and the
clamav.spec file (for rpm
builds) up with the source tarball.

Tradition would say make the debian dir available as eg:
 clamav-1.0.0-rc-1.debian.tar.gz

If you put clamav.spec at the top level (I think that means
clamav-1.0.0-rc/clamav.spec
) then we can build the rpm straight from the tarball, with
 rpmbuild --ta clamav-1.0.0-rc.tar.gz
This worked for RedHat 6, I don't have a current RedHat system to confirm.

I know that you have mussels, but switching to CMake and adding Rust
seems like enough for an OS packager trying to upgrade from one LTS to the
next (0.103 to 1.0).

Thanks,

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk




[clamav-users] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's

2022-10-31 Thread Micah Snyder (micasnyd) via clamav-users
Read this announcement online at 
https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html



Today we are publishing updated packages for ClamAV 0.103.7, 0.104.4, and 
0.105.1.

Why we updated the installer packages

The ClamAV RPM, DEB, PKG, MSI and ZIP installer packages come with all library 
dependencies bundled. The updated installer packages resolve the following 
CVE's:

  *   CVE-2022-37434 - A critical severity vulnerability in the zlib library.
  *   CVE-2022-40303 - A high severity vulnerability in the libxml2 library. 
Note: As of writing, the details of this CVE are not published. However, you 
can find additional details on other sites.
  *   CVE-2022-40304 - A high severity vulnerability in the libxml2 library. 
Note: As of writing, the details of this CVE are not published. However, you 
can find additional details on other sites.

Why we updated the 0.105.1 source package

Starting with ClamAV 0.105.1, some of the ClamAV project is written in Rust and 
depends on Rust libraries. To make it possible for our users to build ClamAV 
offline, we bundle in the Rust dependencies.

There are no CVEs present for the Rust libraries bundled in the original 
0.105.1 package. However, there are several critical bugs in the JPEG and TIFF 
image processing libraries in the original 0.105.1 source package. The known 
issues were resolved in image-tiff version 0.7.4 and jpeg-decoder version 
0.3.0. The clamav-0.105.1-2.tar.gz source package includes the updated libraries.

Linux/Unix package maintainers are encouraged to publish new revisions of their 
own packages for ClamAV 0.105.1 to get these fixes. Anyone who built ClamAV 
from the original clamav-0.105.1.tar.gz source package is encouraged to 
reinstall from the newer source package.


Where to find the updated packages

The new packages have a "-2" suffix to indicate the package revision. For 
example, clamav-0.105.1-2.macos.universal.pkg is the updated package replacing 
clamav-0.105.1.macos.universal.pkg.

As always, you can get the updated packages from the ClamAV.net Downloads 
page. The original packages have been hidden 
on the web page and replaced by the updated packages. If you need the 
originals, the URLs to download them still work.


What about the Docker images

The official ClamAV docker image has been updated to patch the zlib and libxml2 
vulnerabilities. The following tags have been updated to point to the new 
images:

  *   clamav/clamav:latest
  *   clamav/clamav:latest_base
  *   clamav/clamav:stable
  *   clamav/clamav:stable_base
  *   clamav/clamav:0.105
  *   clamav/clamav:0.105_base
  *   clamav/clamav:0.105.1
  *   clamav/clamav:0.105.1_base

Be sure to use docker pull to get the latest version of the image. For example:

docker pull clamav/clamav:0.105_base

Posted by Micah Snyder at 3:15 PM




Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Re: [clamav-users] ClamAV on RHEL9 with FIPS enabled

2022-10-27 Thread Micah Snyder (micasnyd) via clamav-users
We plan to migrate away from MD5, and eventually stop supporting MD5 hash 
signatures as well.  I'm hopeful we can do it in the next feature version.  An 
internal MD5 implementation may be required if we can't fully migrate, but I 
suspect we should be able to.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Andrew 
C Aitchison via clamav-users 
Sent: Thursday, October 27, 2022 12:40 AM
To: Orion Poplawski via clamav-users 
Cc: Andrew C Aitchison 
Subject: Re: [clamav-users] ClamAV on RHEL9 with FIPS enabled

On Wed, 26 Oct 2022, Orion Poplawski via clamav-users wrote:

> On 10/24/22 11:03, Hoevenaar, Jeffrey (GE Aerospace, US) via clamav-users
> wrote:
>> Hello,
>>
>> It would appear ClamAV will not run on RHEL9 with FIPS enabled.
>>
>> Has anyone else seen this issue?
>
> Known issue: https://github.com/Cisco-Talos/clamav/issues/564
>
> which it seems you have already found.

I guess that including an internal implementation of md5 would
enable ClamAV to run on FIPS enabled/compliant machines,
but that even so, this would not be the right thing to do ?

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk
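Micah's plan to move away from MD5 hash signatures can be rehearsed on a signature set of your own. The following is an added example, not ClamAV code: it assumes the documented hash-signature layout of one `hash:filesize:name` line per file, with MD5 digests in .hdb files and SHA-256 digests in .hsb files, and it shows the one-way nature of the migration: a SHA-256 line can only be produced for files you still have, never derived from an MD5 digest. The sample "files" and the legacy .hdb lines are constructed. Python's hashlib gates MD5 on a FIPS-enabled host with the same policy OpenSSL applies to ClamAV; the `usedforsecurity=False` argument (Python 3.9 and later) is the per-call opt-out for a non-security use such as reproducing an old signature, where the backend permits it.

```python
import hashlib
from typing import Dict, List, Tuple


def hsb_line(data: bytes, name: str) -> str:
    """SHA-256 hash signature line for an .hsb file."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def hdb_line(data: bytes, name: str) -> str:
    """Legacy MD5 hash signature line for an .hdb file.

    usedforsecurity=False tells hashlib this MD5 protects nothing (it only
    reproduces an existing signature), which is what lets it run on a
    FIPS-enabled host where a plain hashlib.md5() raises ValueError.
    """
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    return f"{digest}:{len(data)}:{name}"


def parse_hash_line(line: str) -> Tuple[str, int, str]:
    digest, size, name = line.strip().split(":", 2)
    return digest, int(size), name


def migrate_hdb_to_hsb(hdb_lines: List[str],
                       samples: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Rewrite MD5 lines to SHA-256 lines for every name whose sample bytes
    are still on hand.  Returns (hsb_lines, names_without_usable_sample).

    A sample is only used when its size and MD5 agree with the old line, so
    a mislabelled file cannot silently become a new signature.
    """
    converted, missing = [], []
    for line in hdb_lines:
        md5_digest, size, name = parse_hash_line(line)
        data = samples.get(name)
        if (data is None or len(data) != size or
                hashlib.md5(data, usedforsecurity=False).hexdigest() != md5_digest):
            missing.append(name)
            continue
        converted.append(hsb_line(data, name))
    return converted, missing


# Constructed sample "files" (harmless text) keyed by signature name.
SAMPLES = {
    "Test.Sample-1": b"constructed sample file contents one\n",
    "Test.Sample-2": b"constructed sample file contents two\n",
}

# Constructed legacy .hdb set: one line still backed by its sample, one for a
# file that is no longer available, and one whose sample no longer matches.
LEGACY_HDB = [
    hdb_line(SAMPLES["Test.Sample-1"], "Test.Sample-1"),
    "d41d8cd98f00b204e9800998ecf8427e:0:Test.Gone-3",   # MD5 of the empty string
    hdb_line(b"different bytes\n", "Test.Sample-2"),
]

if __name__ == "__main__":
    hsb, missing = migrate_hdb_to_hsb(LEGACY_HDB, SAMPLES)
    print("\n".join(hsb))
    print("need the original files for:", missing)
```

The names in the second list are the real cost of the migration: every MD5-only signature whose sample was not kept has to be re-collected or dropped, which is why an engine cannot simply stop honouring .hdb files overnight.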


[clamav-users] ClamAV 1.0.0 release candidate now available

2022-10-25 Thread Micah Snyder (micasnyd) via clamav-users
Read this announcement online at 
https://blog.clamav.net/2022/10/clamav-100-release-candidate-now.html



We are excited to announce the ClamAV 1.0.0 release candidate!

You may find the source code and installers for this release on:

  *   the clamav.net/downloads, or
  *   the ClamAV GitHub release page

Note: If you are looking for the source code on 
clamav.net/downloads - there is an issue 
preventing the "Source" section from showing for release candidates. Until we 
fix this issue, you find it under the "Linux" section.

Tip: If you are downloading the source from the GitHub release page, the 
package labeled "clamav-1.0.0-rc.tar.gz" does not require an internet 
connection to build.  All dependencies are included in this package.  But if 
you download the ZIP or TAR.GZ generated by GitHub, located at the very bottom, 
then an internet connection will be required during the build to download 
additional Rust dependencies.

For Docker users, there is no specific Docker tag for the release candidate, 
but you can use the clamav:unstable or clamav:unstable_base tags.

The release candidate phase is expected to last two to three weeks before we 
publish the stable release or a second release candidate. Please take this time 
to evaluate ClamAV 1.0.0.

Please help us validate this release by providing feedback via the ClamAV 
mailing list or on our Discord.

ClamAV 1.0.0 includes the following improvements and changes.

Major changes

  *   Support for decrypting read-only OLE2-based XLS files that are encrypted 
with the default "VelvetSweatshop" password. Use of the VelvetSweatshop 
password will now appear in the metadata JSON.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/700
  *   Overhauled the implementation of the all-match feature. The newer code is 
more reliable and easier to maintain.

 *   This project fixed several known issues with signature detection in 
all-match mode:
*   Enabled embedded file-type-recognition-signatures to match when a 
malware signature also matched in a scan of the same layer.
*   Enabled bytecode signatures to run in all-match mode after a match 
has occurred.
*   Fixed an assortment of all-match edge case issues.
 *   Added multiple test cases to verify correct all-match behavior.
 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/687
  *   Added a new callback to the public API for inspecting file content during 
a scan at each layer of archive extraction.

 *   The new callback function type is clcb_file_inspection defined in 
clamav.h.
 *   The function cl_engine_set_clcb_file_inspection() may be used to 
enable the callback prior to performing a scan.
 *   This new callback is to be considered unstable for the 1.0 release. We 
may alter this function in a subsequent feature version.
 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/170
  *   Added a new function to the public API for unpacking CVD signature 
archives.

 *   The new function is cl_cvdunpack(). The last parameter for the 
function may be set to verify if a CVD's signature is valid before unpacking 
the CVD content to the destination directory.
 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/690

Other improvements

  *   Add checks to limit PDF object extraction recursion.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/629
  *   Increased the limit for memory allocations based on untrusted input and 
altered the warning message when the limit is exceeded so that it is more 
helpful and less dramatic.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/723
  *   Dramatically improved the build time of libclamav-Rust unit tests. The 
unit test build is included in the time limit for the test itself and was 
timing out on slower systems. The ClamAV Rust code modules now share the same 
build directory, which also reduces the amount of disk space used for the build.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/694
  *   Windows: The debugging symbol (PDB) files are now installed alongside the 
DLL and LIB library files when built in "RelWithDebInfo" or "Debug" mode.

 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/669
  *   Relaxed the constraints on the check for overlapping ZIP file entries so 
as not to alert on slightly malformed, but non-malicious, Java (JAR) archives.

 *   Talos escalations issues:
 *   GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/561
  *   Increased the time limit in FreshClam before warning if the DNS 

Re: [clamav-users] RE : i have often an error in the scan

2022-10-19 Thread Micah Snyder (micasnyd) via clamav-users
The error message does not mean it is a threat.  Unless you see a signature 
"FOUND" message, I wouldn't worry about it.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Dorian 
ROSSE via clamav-users 
Sent: Wednesday, October 19, 2022 11:11 AM
To: clamav-users@lists.clamav.net 
Cc: Dorian ROSSE 
Subject: [clamav-users] RE : i have often an error in the scan

Is it true that I need to run it as administrator to remove all the 
threats? I have found some threats but only a few of them were removed,

Thank you in advance for your answer,

Regards.


Dorian Rosse.

From: clamav-users  on behalf of 
clamav-users-requ...@lists.clamav.net 
Sent: Wednesday, October 19, 2022 2:00:05 PM
To: clamav-users@lists.clamav.net 
Subject: clamav-users Digest, Vol 215, Issue 9

Send clamav-users mailing list submissions to
clamav-users@lists.clamav.net

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.clamav.net/mailman/listinfo/clamav-users
or, via email, send a message with subject or body 'help' to
clamav-users-requ...@lists.clamav.net

You can reach the person managing the list at
clamav-users-ow...@lists.clamav.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of clamav-users digest..."


Re: [clamav-users] i have often an error in the scan

2022-10-18 Thread Micah Snyder (micasnyd) via clamav-users
Hi Dorian, all:

The error you found is this issue: 
https://github.com/Cisco-Talos/clamav/issues/604

The certificate verification feature is essentially broken because of this bug. 
 It isn't letting malware slip by, but it is preventing us from trusting 
software signed by trusted signing certificates.

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of G.W. 
Haywood via clamav-users 
Sent: Tuesday, October 18, 2022 4:05 AM
To: Dorian ROSSE via clamav-users 
Cc: G.W. Haywood 
Subject: Re: [clamav-users] i have often an error in the scan

Hi there,

On Tue, 18 Oct 2022, Dorian ROSSE via clamav-users wrote:

> I often get the error below in the scan on my Windows system:
> LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed 
> with 1
> I don't understand why I get this error so often,
> If this is a bad error, thank you in advance for repairing it,

The message would not normally mean that ClamAV is broken, but it's
possible; at present there are ongoing changes in this part of ClamAV.
The developers read this list and I would expect that they would tell
us if they knew that something was broken.  When ClamAV gives you that
message, it is telling you something about "signed" code.

Signed code was introduced by Microsoft many years ago:

https://blog.clamav.net/2013/02/authenticode-certificate-chain.html

Unfortunately I think it's fair to say that the signed code feature
has not been a great success:

https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/

I personally would ignore the ClamAV message, but you do need to know
that I use no Windows machines, and only very rarely scan filesystems;
I only scan mail.  If someone sent me some code in a mail message, it
would automatically, without the involvement of a human, be reported
to several anti-virus organizations and then be sent to the trash can.

> Is it dangerous to use this option to pass over the errors:
>
> '--nocerts'

You need to make that judgement for yourself.  ClamAV can alert you to
something which it thinks isn't right.  Whether or not you then choose
to do anything about it is up to you.  Be aware that a *lot* of things
are "not right" in most computer systems, but that doesn't necessarily
mean that they are dangerous problems.  Forged signatures in drivers
and other code is a very well-known problem, but as you can see from
the article above, checks which use the proper methods of verification
do not necessarily protect you.  I'm afraid it's a minefield.

> Thank you in advance for your smart answer,

May I suggest that you try to use a translation Website?  I have had
good results from this one, at least for a few languages:

https://www.deepl.com/en/translator

--

73,
Ged.


Re: [clamav-users] clamav-users

2022-09-12 Thread Micah Snyder (micasnyd) via clamav-users
Mailman is indeed obscure about these things, and even more obscure in the 
admin web interface.

Speaking of which, I just updated the email footer settings to specifically 
mention "unsubscribe".  Hopefully that helps.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Γιώργος 
Κωστόπουλος via clamav-users 
Sent: Saturday, September 10, 2022 5:35 AM
To: ClamAV users ML 
Cc: Γιώργος Κωστόπουλος 
Subject: Re: [clamav-users] clamav-users

>
> unfortunately, subscribing is often easier than unsubscribing which is not
> good.
>
> --

At the bottom of the mail, there's the related link:

> https://lists.clamav.net/mailman/listinfo/clamav-users
>

Open it, and (again) at the very bottom of the page, there's the
"Unsubscribe or edit options" button.

I suppose Mailman is somewhat obscure when dealing with it for the first time.
Bye!!!
G.


Re: [clamav-users] remove me

2022-09-12 Thread Micah Snyder (micasnyd) via clamav-users
But seriously, ... please don't throw insults here.

If I see mild insults from users here, I will moderate those accounts.  If I 
see more serious insults, repeated bad behavior, or get tired of moderating a 
lot of email, I will block those accounts.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Marc 

Sent: Friday, September 9, 2022 5:29 AM
To: ClamAV users ML 
Subject: Re: [clamav-users] remove me

>
> perhaps it could contain better unsubscribe info, the top-down link:
> https://docs.clamav.net/#mailing-lists-and-chat
> does not contain unsubscribe

What about doing some sort of IQ test before users subscribe, something like 
2+2=?

;)


Re: [clamav-users] remove me

2022-09-12 Thread Micah Snyder (micasnyd) via clamav-users
Hopefully this helps: 
https://github.com/Cisco-Talos/clamav-documentation/commit/b89efe513dd34689cf7b47e73ba2e96fd9561906


Changing the contact page takes a little more effort.  I'll put in a ticket 
with our web team.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Matus 
UHLAR - fantomas 
Sent: Monday, September 12, 2022 7:09 AM
To: clamav-users@lists.clamav.net 
Subject: Re: [clamav-users] remove me

>> On 09.09.22 12:29, Marc wrote:
>>> What about doing some sort of IQ test before users subscribe something like 
>>> 2+2=?

>> On Sep 9, 2022, at 12:40 PM, Matus UHLAR - fantomas  
>> wrote:
>> making unsubscribe easier would spare us from solving problems like these.
>>
>> unfortunately, subscribing is often easier than unsubscribing which is not 
>> good.

On 12.09.22 09:41, Joel Esler via clamav-users wrote:
>Subscribing and unsubscribing is the same amount of steps, from the same
> webpage.  I don’t understand why people are able to join a technical
> command line driven antivirus client email list, but can’t remove
> themselves.

neither do I - I can only guess
- they forgot they subscribed once their problem was solved
- they inherited someone else's e-mail address
- their spam filter blocked unsubscribe confirmation request

however:

when I followed the bottom-most message, I had to click two times, enter
my e-mail and click "unsubscribe" again. That's too much, especially for the 2nd
case

- putting information about "unsubscribe" in addition to "subscribe" to
https://docs.clamav.net/#mailing-lists-and-chat
and
https://www.clamav.net/contact.html#ml

- pointing to the latter link from e-mail

- highlighting the info that unsubscription must be explicitly confirmed and
that spam folder should be checked for confirmation e-mail if it doesn't
arrive

they could make it easier to unsubscribe.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


Re: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout

2022-08-26 Thread Micah Snyder (micasnyd) via clamav-users
Hi Nozomi Tachibanaki,

You may add this option to your clamd.conf to enable alerts when the scan 
limits are exceeded: AlertExceedsMax yes

It should cause signature alerts like these when one of the limits causes the 
scan to end early:
- Heuristics.Limits.Exceeded.MaxFileSize FOUND
- Heuristics.Limits.Exceeded.MaxScanSize FOUND
- Heuristics.Limits.Exceeded.MaxFiles FOUND
- Heuristics.Limits.Exceeded.MaxRecursion FOUND
- Heuristics.Limits.Exceeded.MaxScanTime FOUND

If you do enable this, just keep in mind that when these alerts happen, it 
does not mean there is anything wrong with the file, just that the scan was 
incomplete because it exceeded one of the scan limits.

These heuristic alerts should work most of the time, although I am actively 
working on improvements to error handling and alert reporting as I work on 
overhauling the allmatch-mode feature (for reporting more than one signature 
alert). I am hopeful that my current work will make these scan limit alerts 
even more reliable in the future.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of 
Tachibanaki Nozomi (橘木 希美) 
Sent: Tuesday, August 23, 2022 10:23 PM
To: clamav-users@lists.clamav.net 
Cc: Hino Shogo (日野 翔豪) ; Sugawara Masatomo (菅原 正大) 
Subject: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout


Dear Sir or Madam,

I am Tachibanaki from Ricoh IT Solutions Co., Ltd.

Thank you for your recent response to my inquiry.

The purpose of this email is to inquire about ClamAV's clamdscan scan timeout.

  1.  Is there any way to check when a scan timeout occurs? (e.g., display a 
message, etc.)
  2.  I scanned a ZIP file (1.7 GB) containing a test virus file with clamdscan 
and it exited successfully without detecting any virus. Is this a specification?

The scan.conf settings are as follows:

・ReadTimeout 120
・MaxScanTime 12
・MaxScanSize 2048M
・MaxFileSize 2048M
・MaxZipTypeRcg 2048M

I look forward to hearing from you soon.

Yours sincerely,

Nozomi Tachibanaki
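As an added example, not code from this thread or from the ClamAV project: a small Python parser that reads clamdscan/clamscan per-file result lines and separates real detections from the Heuristics.Limits.Exceeded.* alerts that AlertExceedsMax produces, so an incomplete scan is reported as "incomplete" rather than as an infection. The sample scanner output is constructed.

```python
# Constructed sample clamdscan output (not from the thread); assumes
# AlertExceedsMax is enabled so a limit hit is reported as a FOUND line.
SAMPLE_OUTPUT = """\
/srv/upload/report.pdf: OK
/srv/upload/big-archive.zip: Heuristics.Limits.Exceeded.MaxScanTime FOUND
/srv/upload/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/srv/upload/huge.iso: Heuristics.Limits.Exceeded.MaxFileSize FOUND
/srv/upload/locked.bin: lstat() failed: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 3
"""

LIMIT_PREFIX = "Heuristics.Limits.Exceeded."
VERDICTS = ("clean", "infected", "incomplete", "error")


def classify_line(line):
    """Map one per-file result line to (path, verdict, detail), or None."""
    path, sep, rest = line.rstrip().partition(": ")
    if not sep:
        return None                      # blank line or summary header
    if rest == "OK":
        return path, "clean", ""
    if rest.endswith(" FOUND"):
        sig = rest[: -len(" FOUND")]
        if sig.startswith(LIMIT_PREFIX):
            # Not malware: the scan of this file stopped early on a limit.
            return path, "incomplete", sig[len(LIMIT_PREFIX):]
        return path, "infected", sig
    if rest.endswith(" ERROR"):
        return path, "error", rest[: -len(" ERROR")]
    return None                          # e.g. "Infected files: 3"


def summarize(output):
    """Group per-file results by verdict: {verdict: [(path, detail), ...]}."""
    summary = {v: [] for v in VERDICTS}
    for line in output.splitlines():
        result = classify_line(line)
        if result is not None:
            path, verdict, detail = result
            summary[verdict].append((path, detail))
    return summary


if __name__ == "__main__":
    for verdict, items in summarize(SAMPLE_OUTPUT).items():
        for path, detail in items:
            print(f"{verdict:10} {path} {detail}".rstrip())
```

Files in the "incomplete" bucket should be rescanned with higher limits or quarantined for manual review, since no verdict was actually reached on them.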


Re: [clamav-users] Meaning of the exit code -1073740791

2022-08-09 Thread Micah Snyder (micasnyd) via clamav-users
Hi Anastasiia,

The exit code `-1073740791` means the program crashed (on Windows).  This type 
of issue may be a security vulnerability, depending on what is going on.

If you could share the PDF file with my team privately, I would like to 
investigate.  You can email it to me directly in an encrypted / password 
protected zip archive, or send it to Cisco PSIRT using these instructions, and 
they will relay it to me for investigation: 
https://github.com/Cisco-Talos/clamav/security/policy#vulnerability-reporting-best-practices

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of 
Anastasiia Korzhylova 
Sent: Tuesday, August 9, 2022 2:12 AM
To: clamav-users@lists.clamav.net 
Cc: Ingo Rieping 
Subject: [clamav-users] Meaning of the exit code -1073740791


Dear Sir or Madam,

I am using ClamAV for work in my company and am contacting you to inquire about 
an exit code, which the software returns at my attempt to scan an ordinary, 
virus-free PDF file:

-1073740791.

Could you please tell me what the exit code stands for, as I have not found 
any information on it in the documentation on your website.

Thank you in advance.

Kind regards,

Anastasiia Korzhylova
Software Developer

RIEPING SoftwareConsulting GmbH
Gewerbepark Grüner Weg 26
59269 Beckum
Germany

Phone: +49 2521 823725-0
Email: anastasiia.korzhyl...@r-sc.de
Website: http://www.r-sc.de

Managing Director Dr. Ingo Rieping
Münster District Court, HRB 14351




Re: [clamav-users] freshclam error - ^downloadFile: Unexpected response (502) ...Can't Download CVD

2022-08-08 Thread Micah Snyder (micasnyd) via clamav-users
An HTTP 502 error is a "bad gateway error" or "proxy error". I suspect either 
the proxy settings are misconfigured, or the proxy settings in freshclam.conf 
are misconfigured.

Ganesh, did you say you're using a proxy and a private mirror?  What sort of 
proxy are you using?  Maybe if you could share some (anonymized) configuration 
options (at least the freshclam.conf options) someone can spot what is wrong.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Ganesh 
Kachare, Vodafone (External) via clamav-users 
Sent: Monday, August 8, 2022 3:51 AM
To: ClamAV users ML 
Cc: Ganesh Kachare, Vodafone (External) 
Subject: [clamav-users] freshclam error - ^downloadFile: Unexpected response 
(502) ...Can't Download CVD


Hi Team,

I am trying to download the clamav updates from a private local mirror on my 
custom clamav alpine docker image and I keep getting a ^downloadFile: 
Unexpected response (502) error from freshclam.

It's not able to download main.cvd, daily.cvd, bytecode.cvd and eventually my 
pod fails after maximum retry. I did try increasing timeouts and disabling it 
in the freshclam.conf file but it did not work.

I have validated my proxy and private mirror server and they are able to 
connect with the alpine clamav docker image.

Does anyone face a similar issue? I am using clamav and freshclam v0.104.3-r0 on 
alpine 3.16



Logs ---

Host: localmirror.clamavdatabase.com
user-agent: ClamAV/0.104.3 (OS: Linux, ARCH: x86_64, CPU: x86_64, UUID: 
a37614fe-f1f8-4c49-a7a5-e0330ea8b945)
accept: */*
connection: close

* old SSL session ID is stale, removing
< HTTP/2 502
< content-type: text/html; charset=UTF-8
< referrer-policy: no-referrer
< content-length: 332
< date: Mon, 08 Aug 2022 10:16:27 GMT
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
Time:9.0s, ETA:0.0s [>]   332B/332B
* Connection #0 to host localmirror.clamavdatabase.com.com left intact
Mon Aug  8 10:16:27 2022 -> ^downloadFile: Unexpected response (502) from 
https://localmirror.clamavdatabase.com/daily.cvd
Mon Aug  8 10:16:27 2022 -> ^Can't download daily.cvd from https:// 
localmirror.clamavdatabase.com/daily.cvd
Mon Aug  8 10:16:27 2022 -> Trying again in 5 secs...

Regards,

Ganesh





