Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server
hi all

even though i removed daily.cld main.cld bytecode.cld mirrors.dat, all of these have been recreated automatically.

i am not running freshclam via a cron job.

help required in disabling clam updates

rajesh

- Original Message -
From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
To: clamav-users@lists.clamav.net
Sent: Fri, 26 Jan 2018 10:12:12 +0100
Subject:

Thanks for the suggestions h.rei...@thelounge.net and 24x7ser...@24x7server.net and alvarn...@mac.com

Daily removed for the time being anyway.

> On 26 Jan 2018, at 09:55, Rajesh M <24x7ser...@24x7server.net> wrote:
>
> hi
>
> this is what i did on my mail server
>
> cd /var/lib/clamav
>
> mv daily.cld daily.cld.BAK
> mv main.cld main.cld.BAK
> mv bytecode.cld bytecode.cld.BAK
> mv mirrors.dat mirrors.dat.BAK
>
> kept foxhole_all and badmacro.ndb unofficial which handles all kinds of bad
> attachments / macros.
>
> also have spam-assassin with oledb macro plugin.
>
> things seem to work now
>
> rajesh
>
> - Original Message -
> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
> To: clamav-users@lists.clamav.net
> Sent: Fri, 26 Jan 2018 09:41:38 +0100
> Subject:
>
> Hi everybody,
>
> Would removing some of the virus definitions on a memory sparse server still
> leave a semi-usable clamav scanner?
>
> e.g if I just left
> main.cvd
> bytecode.cvd
>
> and dropped daily.cvd?
>
> Or some other config.
>
> e.g just kept the unofficial sigs and the bytecode.
>
> I realize this is reducing clamav’s effectiveness, but my other option is to
> remove clamav.
>
> Kind regards,
> Sophie

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] reduce memory footprint by removing some virusdefinitions on a low memory server
hi

this is what i did on my mail server

cd /var/lib/clamav

mv daily.cld daily.cld.BAK
mv main.cld main.cld.BAK
mv bytecode.cld bytecode.cld.BAK
mv mirrors.dat mirrors.dat.BAK

kept foxhole_all and badmacro.ndb unofficial which handles all kinds of bad attachments / macros.

also have spam-assassin with oledb macro plugin.

things seem to work now

rajesh

- Original Message -
From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
To: clamav-users@lists.clamav.net
Sent: Fri, 26 Jan 2018 09:41:38 +0100
Subject:

Hi everybody,

Would removing some of the virus definitions on a memory sparse server still leave a semi-usable clamav scanner?

e.g if I just left
main.cvd
bytecode.cvd

and dropped daily.cvd?

Or some other config.

e.g just kept the unofficial sigs and the bytecode.

I realize this is reducing clamav’s effectiveness, but my other option is to remove clamav.

Kind regards,
Sophie
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
yes all our servers are stuck

disabled official signatures

we have sanesecurity foxhole foxhole_all.cdb -- customized for our use which blocks all bad attachments

it seems to work now.

rajesh

- Original Message -
From: Reindl Harald [mailto:h.rei...@thelounge.net]
To: clamav-users@lists.clamav.net
Sent: Fri, 26 Jan 2018 09:22:14 +0100
Subject:

On 26.01.2018 at 09:19, Marco wrote:
> On 26/01/2018 09:00, Reindl Harald wrote:
>> freshclam and a custom script downloads anything to
>> /var/lib/clamav-download and then for the two "/var/lib/clamav" and
>> "/var/lib/clamav-sa" based on file-lists hardlinks are set - from the
>> official only "safebrowsing" is active
>
> We have the same problem: I confirm that without official signature
> Clamav works!

looks like "freshclam" needs something like a downgrade option when bad signatures can lead to such a massive fuckup
Re: [clamav-users] Identifying jar virus file
- Original Message -
From: Shaun Hurley [mailto:shahu...@sourcefire.com]
To: clamav-users@lists.clamav.net
Sent: Wed, 21 Oct 2015 07:29:57 -0400
Subject: Re: [clamav-users] Identifying jar virus file

Al,

This is not a false positive. The file is malicious. I am working on making detection signatures for the malware.

Thanks,
Shaun Hurley

On Tue, Oct 20, 2015 at 9:00 PM, Alex wrote:
> Hi,
>
> On Tue, Oct 20, 2015 at 11:57 AM, Al Varnell wrote:
> > According to this, Sophos should see it as Troj/JavaBz-ZO:
> > <https://www.virustotal.com/en/file/f97ea502099c1bea8eb36e2f90e94feabf1a79652cd5c0f4384f91f65410aa9f/analysis/>
> > submitted yesterday.
> >
> > Microsoft detects it as Trojan:Java/Adwind.P
> > and Kaspersky calls it Trojan.Java.Adwind.af
>
> Yes, I just submitted it to them and now they have it in their signatures.
>
> I'm just very surprised to see this virus wasn't already being
> detected by both clamav and sophos. It wasn't until the customer
> alerted me that their desktop scanner had caught it that we were made
> aware :-(
>
> Thanks,
> Alex

hi

as on today it is very difficult for clam to detect viruses. If you are running an email service it is better to disallow all jar files using the sane security foxhole database.

please see my previous post for the sane security foxhole_all.cdb to block all such possible virus carrier extensions.

rajesh
Re: [clamav-users] Trouble with foxhole
steve

i am writing this on the basis of the experience of over 18500 corporate users -- and they have no complaints at all.

basically people sending all these different files exe, jar and other forbidden extensions directly or within zip rar etc are 99.999 percent spammers / botnet

the only people who mentioned the issue are software developers who happened to send exe or jar etc with their emails. however once i explained to them and provided them ftp accounts for transmitting such files they were happy.

also genuine senders are intimated correctly that their email has not been sent so there is no loss of communications.

the internet is getting to be an extremely dangerous place -- and i have seen several incidents of people opening these exe or scr files within zip files and having their entire pc locked up / companies losing millions because their employees' pcs were hacked.

antivirus is only as good as the signature -- many many many many times clam fails -- even now word / excel macro virus documents are not detected.

bad file names --- very very difficult to keep updating those.

i would rather block the root cause (though a few people may complain) than have the pcs of a huge number of people at risk.

rajesh

- Original Message -
From: Steve Basford [mailto:steveb_cla...@sanesecurity.com]
To: clamav-users@lists.clamav.net
Sent: Wed, 14 Oct 2015 08:19:32 +0100
Subject: Re: [clamav-users] Trouble with foxhole

On Wed, October 14, 2015 7:37 am, Rajesh M wrote:
>
> Sanesecurity.Foxhole.7z:CL_TYPE_7Z
> Sanesecurity.Foxhole.Rar:CL_TYPE_RAR etc..

Hi rajesh,

Yep, the above will work... but could cause high FP's for some people which they might find unacceptable, depending on their setup.

If anyone has a nice malware zip/7z/rar etc. collection it might be nice to create a "database" of their "common" bad filenames, which I can add into foxhole_filename.cdb.

I've made a start on the above and will shortly be adding these into foxhole_filename.cdb

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Re: [clamav-users] Trouble with foxhole
hi

foxhole_all.cdb is basically a text file. the content is as given below, which you can edit to suit your convenience. i have also attached the same file.

what i have will block all the following extensions even if they are hidden within 7z, rar, zip, arj, cab files.

you would need to copy this file inside /var/lib/clamav/ or whichever folder is having your daily.cld file and then restart clam

Sanesecurity.Foxhole.7z:CL_TYPE_7Z:*:(?i)\.(ace|ade|adp|arc|arj|b64|bat|bhx|cab|chm|cmd|com|cpl|dll|exe|hqx|hta|inf|ins|iso|isp|jar|js|jse|lib|lnk|lzh|mim|msp|mst|pif|reg|scf|scr|sct|shb|shs|sys|taz|tgz|tz|url|uu|uue|vb|vbe|vbs|vxd|wsc|wsf|wsh|xxe|z)$:*:*:*:*:*:*
Sanesecurity.Foxhole.Rar:CL_TYPE_RAR:*:(?i)\.(ace|ade|adp|arc|arj|b64|bat|bhx|cab|chm|cmd|com|cpl|dll|exe|hqx|hta|inf|ins|iso|isp|jar|js|jse|lib|lnk|lzh|mim|msp|mst|pif|reg|scf|scr|sct|shb|shs|sys|taz|tgz|tz|url|uu|uue|vb|vbe|vbs|vxd|wsc|wsf|wsh|xxe|z)$:*:*:*:*:*:*
Sanesecurity.Foxhole.Zip:CL_TYPE_ZIP:*:(?i)\.(ace|ade|adp|arc|arj|b64|bat|bhx|cab|chm|cmd|com|cpl|dll|exe|hqx|hta|inf|ins|iso|isp|jar|js|jse|lib|lnk|lzh|mim|msp|mst|pif|reg|scf|scr|sct|shb|shs|sys|taz|tgz|tz|url|uu|uue|vb|vbe|vbs|vxd|wsc|wsf|wsh|xxe|z)$:*:*:*:*:*:*
Sanesecurity.Foxhole.Arj:CL_TYPE_ARJ:*:(?i)\.(ace|ade|adp|arc|arj|b64|bat|bhx|cab|chm|cmd|com|cpl|dll|exe|hqx|hta|inf|ins|iso|isp|jar|js|jse|lib|lnk|lzh|mim|msp|mst|pif|reg|scf|scr|sct|shb|shs|sys|taz|tgz|tz|url|uu|uue|vb|vbe|vbs|vxd|wsc|wsf|wsh|xxe|z)$:*:*:*:*:*:*
Sanesecurity.Foxhole.Cab:CL_TYPE_MSCAB:*:(?i)\.(ace|ade|adp|arc|arj|b64|bat|bhx|cab|chm|cmd|com|cpl|dll|exe|hqx|hta|inf|ins|iso|isp|jar|js|jse|lib|lnk|lzh|mim|msp|mst|pif|reg|scf|scr|sct|shb|shs|sys|taz|tgz|tz|url|uu|uue|vb|vbe|vbs|vxd|wsc|wsf|wsh|xxe|z)$:*:*:*:*:*:*

rajesh

- Original Message -
From: Hartmann, Jan [mailto:j.hartm...@kirchhoff-automotive.com]
To: clamav-users@lists.clamav.net
Sent: Wed, 14 Oct 2015 06:23:41 +
Subject: [clamav-users] Trouble with foxhole

Hi,

Today we had a lot of problems with exe files hidden in zip archives

I tried to add the foxhole db to our clamav, but sadly it didn’t recognize the exe in the zip.

clamscan --database=/var/lib/clamav/foxhole_generic.cdb fatuousness\ paging\ policy\ work\ regulations.zip
fatuousness paging policy work regulations.zip: OK

--- SCAN SUMMARY ---
Known viruses: 185
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.02 MB (ratio 2.60:1)

Mit freundlichen Grüßen / Best Regards

i. A. Jan Hartmann
IT Administrator Groupware
phone: +49 2371 820 298
mobile: +49 171 865 962 2
fax: +49 2371 211 443
e-mail: j.hartm...@kirchhoff-automotive.com

KIRCHHOFF Witte GmbH
c/o KIRCHHOFF Automotive GmbH
Stefanstrasse 2
58638 Iserlohn
Germany

KIRCHHOFF Witte GmbH | HRB 6370 Amtsgericht Iserlohn | Registered office: 58640 Iserlohn | Managing directors: Dipl.-Ing. Jürgen Wolfgang Kirchhoff, Andreas Haase, Dipl.-Ing. Stefan Leitzgen | http://www.kirchhoff-automotive.com

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Re: [clamav-users] concerning foxhole databases
- Original Message -
From: Steve Basford [mailto:steveb_cla...@sanesecurity.com]
To: clamav-users@lists.clamav.net
Sent: Thu, 23 Apr 2015 12:29:39 +0100
Subject: Re: [clamav-users] concerning foxhole databases

On Thu, April 23, 2015 12:03 pm, Rajesh M wrote:
> i am using foxhole_all.cdb foxhole_filename.cdb foxhole_generic.cdb but
> does not work
>
> how do i block .cab extension even if they are within zip or rar or 7z
> files.

Hi Rajesh

In your sample...a-to-z_moving_and_delivery.zip

Using database foxhole_all.cdb:
a-to-z_moving_and_delivery.zip: Sanesecurity.Foxhole.Cab_scr.UNFFICIAL FOUND

Using database phish.ndb:
a-to-z_moving_and_delivery.zip: Sanesecurity.Malware.24866.ExeHeur.Cab.UNOFFICIAL FOUND

Looks like something isn't working at your end.

If you clamscan --database=foxhole_all.cdb a-to-z_moving_and_delivery.zip does it work?

If not, might need a debug output from above command

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com

hi

i am using a compiled version for qmailtoaster

i do not use any other sanesecurity database files other than foxhole.

if i send an email with an exe file inside a zip file then i get the error "your email was rejected because it contained sanesecurity.foxhole.zip_exe". So foxhole is working.

however if i first have a zip file, then a cab file, then an exe inside, then as in the case of a-to-z_moving_and_delivery.zip it does not get detected.

OUTPUT WITH .scr inside cab inside zip

# clamscan --database=/var/lib/clamav/foxhole_all.cdb a-to-z_moving_and_delivery.zip
a-to-z_moving_and_delivery.zip: OK

--- SCAN SUMMARY ---
Known viruses: 116
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.02 MB (ratio 6.00:1)
Time: 0.025 sec (0 m 0 s)

OUTPUT WITH .exe inside .zip

# clamscan --database=/var/lib/clamav/foxhole_all.cdb a-to-z_moving_and_delivery1.zip
a-to-z_moving_and_delivery1.zip: Sanesecurity.Foxhole.Zip_exe.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 116
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.02 MB (ratio 0.00:1)
Time: 0.011 sec (0 m 0 s)

could you kindly let me have the link to download the latest foxhole database, ie the direct link that will work with .98.6

rajesh
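As an added illustration (not ClamAV's or Sanesecurity's code) of how the container-metadata rules in the foxhole_all.cdb posted earlier on this page and the zip > cab > .scr case in this thread fit together, here is a small Python evaluator for .cdb lines. It assumes the ten-field .cdb layout from the ClamAV signature documentation (VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2) and honours only the container-type and file-name-regex fields. The archive listings, the `Entry` model and the `scan`/`demo` helpers are constructed for the example; real ClamAV identifies each container's type from its content and applies its scan limits (such as the MaxZipTypeRcg setting discussed further down the page), none of which is modelled here.

```python
"""Toy evaluator for ClamAV container-metadata (.cdb) signature lines.

Added example, not ClamAV or Sanesecurity code.  Only the ContainerType and
FileNameREGEX fields are honoured; every other field must be '*'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed .cdb field order (ClamAV signature documentation):
# VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
# FileSizeReal:IsEncrypted:FilePos:Res1:Res2          ('*' = any value)

# Extension alternation copied from the foxhole_all.cdb posted on this page.
FOXHOLE_EXT = (r"(?i)\.(ace|ade|adp|arc|arj|b64|bat|bhx|cab|chm|cmd|com|cpl|dll|exe|"
               r"hqx|hta|inf|ins|iso|isp|jar|js|jse|lib|lnk|lzh|mim|msp|mst|pif|reg|"
               r"scf|scr|sct|shb|shs|sys|taz|tgz|tz|url|uu|uue|vb|vbe|vbs|vxd|wsc|"
               r"wsf|wsh|xxe|z)$")

# Rule set rebuilt from the five container types in that posting.
FOXHOLE_ALL = "\n".join(
    f"Sanesecurity.Foxhole.{label}:{ctype}:*:{FOXHOLE_EXT}:*:*:*:*:*:*"
    for label, ctype in [("7z", "CL_TYPE_7Z"), ("Rar", "CL_TYPE_RAR"),
                         ("Zip", "CL_TYPE_ZIP"), ("Arj", "CL_TYPE_ARJ"),
                         ("Cab", "CL_TYPE_MSCAB")])


@dataclass(frozen=True)
class CdbSig:
    name: str
    ctype: str
    fname: "re.Pattern[str]"


def parse_cdb(text: str) -> List[CdbSig]:
    """Parse .cdb lines.  FileNameREGEX may itself contain ':', so split off
    the three leading and six trailing fields and re-join the middle."""
    sigs: List[CdbSig] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(parts)}")
        name, ctype, csize = parts[0], parts[1], parts[2]
        regex, trailing = ":".join(parts[3:-6]), parts[-6:]
        if csize != "*" or any(f != "*" for f in trailing):
            raise ValueError(f"line {lineno}: only '*' is supported outside "
                             "ContainerType and FileNameREGEX")
        sigs.append(CdbSig(name, ctype, re.compile(regex)))
    return sigs


@dataclass(frozen=True)
class Entry:
    """One archive member: the type of the container it sits in *directly*
    (as the engine would identify it from content, not from its name) and
    its name inside that container.  Nested archives are flattened."""
    container: str
    path: str


def scan(entries: List[Entry], sigs: List[CdbSig]) -> Optional[str]:
    """Return the first matching signature name, or None if nothing fires."""
    for e in entries:
        for s in sigs:
            if s.ctype == e.container and s.fname.search(e.path):
                return s.name
    return None


# Constructed listings (no real files involved).
ZIP_EXE = [Entry("CL_TYPE_ZIP", "invoice.EXE")]          # case-insensitive hit
ZIP_TXT = [Entry("CL_TYPE_ZIP", "readme.txt")]           # benign
ZIP_CAB_SCR = [Entry("CL_TYPE_ZIP", "a-to-z_moving_and_delivery.cab"),
               Entry("CL_TYPE_MSCAB", "a-to-z_moving_and_delivery.scr")]
# Same nesting, but the inner cab carries a harmless-looking name, so only
# the rule for CL_TYPE_MSCAB can catch the .scr it contains.
ZIP_DAT_CAB_SCR = [Entry("CL_TYPE_ZIP", "delivery.dat"),
                   Entry("CL_TYPE_MSCAB", "delivery.scr")]

ALL_SIGS = parse_cdb(FOXHOLE_ALL)
# The same rules with the Arj and Cab lines left out.
NO_CAB_SIGS = [s for s in ALL_SIGS if s.ctype not in ("CL_TYPE_ARJ", "CL_TYPE_MSCAB")]


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Per case: (verdict with all five rules, verdict without the Cab rule)."""
    cases = {"zip_exe": ZIP_EXE, "zip_txt": ZIP_TXT,
             "zip_cab_scr": ZIP_CAB_SCR, "zip_dat_cab_scr": ZIP_DAT_CAB_SCR}
    return {k: (scan(v, ALL_SIGS), scan(v, NO_CAB_SIGS)) for k, v in cases.items()}


if __name__ == "__main__":
    for case, (full, subset) in demo().items():
        print(f"{case:16s} all rules: {full}   without Cab rule: {subset}")
```

The last case is the one worth noticing: a .cdb rule only ever tests the members of the one container type it names, so a .scr inside a cab whose outer name does not end in a listed extension is caught only by the CL_TYPE_MSCAB line. That is why the posted file carries a separate rule per archive type rather than one rule on the outer zip.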
[clamav-users] concerning foxhole databases
hi

i am using qmail toaster with clam version clamav-0.98.6

there is a lot of malware coming in the form of zipped attachments zip > cab > .scr files

these contain bitlocker which encrypts the entire pc

clam is not able to detect and stop these.

i wish to prevent .cab attachments from coming thru even if they are within zip files.

i am using foxhole_all.cdb foxhole_filename.cdb foxhole_generic.cdb but does not work

how do i block .cab extension even if they are within zip or rar or 7z files.

thanks

rajesh
Re: [clamav-users] sanesecurity file size limit
steve

MaxZipTypeRcg 1M

increasing the above parameter to 3 mb solved the issue.

thank you very much for your guidance and wishing you a very enjoyable holiday.

rajesh

- Original Message -
From: Steve Basford [mailto:steveb_cla...@sanesecurity.com]
To: clamav-users@lists.clamav.net
Sent: Wed, 27 Aug 2014 21:44:59 +0100
Subject: Re: [clamav-users] sanesecurity file size limit

On Wed, August 27, 2014 12:25 pm, Rajesh M. wrote:
> in my clamd.conf file the size upto which the files will be scanned is 30
> mb ie max email size in my smtp session.
>
> how do we solve this issue.

Sorry for this being brief/incorrect as I'm on holiday-ish ;)

Qmail...
http://major.io/2008/03/24/setting-the-maximum-mail-size-in-qmail/

clamd.conf...

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M

# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M

Does the file scan ok with clamscan and/or clamdscan...

Cheers,

Steve
Sanesecurity
[clamav-users] sanesecurity file size limit
hi

we are using clamav with qmailtoaster with sane security.

we use foxhole to block any exe file that is zipped / rar. however, noted that if such files are over 1 mb then they are not detected

in my clamd.conf file the size upto which the files will be scanned is 30 mb, ie max email size in my smtp session.

how do we solve this issue.

rajesh
Re: [clamav-users] detected zipped exe as virus
Doug

thanks for your reply.

i read thru the file but still am not 100 percent sure

will this be the command in case i want all zipped exe files to be detected as virus. i tried this command but it does not work

sigtool --md5 Ziptest:0:.*\.exe:*:*:*:*:*:* > virusexe.zmd

can you please check the above and let me know

thanks very much

rajesh

ps : i don't wish to use sanesecurity because it causes a lot of false positives in my email system.

> You can use a zmd signature detailed in this doc:
> http://www.clamav.net/doc/latest/signatures.pdf
>
> Here is an example signature for detecting files with the .sh extension:
> Ziptest:0:.*\.sh:*:*:*:*:*:*
>
> - Doug
>
> On Tue, Sep 17, 2013 at 7:08 AM, Rajesh M <24x7ser...@24x7server.net>
> wrote:
>
>> hi
>>
>> i wish to know the steps to prepare a signature so that clamav will detect
>> all zipped files containing files with extensions pif, scr, exe, com,
>> bat,
>> cmd, vbs, lnk, cpl, vbs as virus -- immaterial of whether they contain
>> virus or not.
>>
>> what is the process for this.
>>
>> is there any documentation which describes this ?
>>
>> thank you very much.
>>
>> rajesh
[clamav-users] detected zipped exe as virus
hi

i wish to know the steps to prepare a signature so that clamav will detect all zipped files containing files with extensions pif, scr, exe, com, bat, cmd, vbs, lnk, cpl, vbs as virus -- immaterial of whether they contain virus or not.

what is the process for this.

is there any documentation which describes this ?

thank you very much.

rajesh
[Clamav-users] html files containing java script links to virus files
hi

we use qmailtoaster with clam

our users sometimes receive html files as attachment. this contains some kind of coded javascript which downloads virus from third-party websites

nod32 catches such html files

is there a feature in clam that can carry this out

rajesh
[Clamav-users] concerning new virus
hi

i am new to this list so please excuse me if i am wrong in posting here

i am using qmail toaster with clam for over 3 years

now i am getting a virus by email. as such it can be downloaded using the link below
http://24x7server.net/v.zip

the actual file name is Xerox_doc.exe. i have zipped it up.

if i use clamscan for scanning the file directly, clam does not detect the virus

kaspersky detects it as Trojan.Win32.Agent2.lnw

i have submitted this on the clam website several times but there seems to be no update on this

Even on the qmail-toaster list people have checked this out and confirmed that clam does not detect this virus

Could somebody check this out and help please.

##
[r...@ns1 ~]# /usr/bin/clamscan Xerox_doc.exe
Xerox_doc.exe: OK

--- SCAN SUMMARY ---
Known viruses: 817679
Engine version: 0.96.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.05 MB (ratio 1.00:1)
Time: 8.089 sec (0 m 8 s)
##

thanks

rajesh