Re: [clamav-users] Blocked Access to ClamAV Database

2024-05-17 Thread Steve Basford via clamav-users
On 17 May 2024 13:26:27 Julia Korhonen via clamav-users 
 wrote:
Upon running command curl http://database.clamav.net, I received a message 
indicating that my access was blocked. However, upon reviewing my network 
settings and conducting diagnostic tests, I could not find any explicit 
indication of a block.


Hi Julia,

You have to use freshclam to download signatures... curl and wget are 
blocked by default.




I would greatly appreciate it if you could investigate this matter further 
and provide any insights or assistance in resolving the block. If there are 
any actions required on my end or additional information needed, please let 
me know, and I will promptly provide the necessary details.


Thank you for your attention to this matter, and I look forward to your 
prompt response.


Sincerely,
Julia
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat



Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] Failed to open file. ERROR.

2024-04-30 Thread Steve Basford via clamav-users
On 30 April 2024 10:42:39 Nathan Millard via clamav-users 
 wrote:
Hi, when I am scanning using clamav on windows I am getting lots of errors 
saying “Failed to open file. ERROR”




Does anyone know how to solve this? Seems like it would be a permissions 
problem?


Hi.

While there is a windows remove unc bug..

https://github.com/Cisco-Talos/clamav/issues/839#issuecomment-1982145731

Yours is probably due to locked files (in use) on the windows system you are 
scanning.


Maybe use excludes... eg for pagefile.sys etc

--exclude= --exclude=





Kind regards,

Nathan




Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] Announcing Fangfrisch release 1.9.0

2024-03-08 Thread Steve Basford via clamav-users
On 8 March 2024 13:20:53 Ralph Seichter via clamav-users 
 wrote:




I am also happy to report that the new HTTP mirror for SaneSecurity
signature files is chugging along nicely. Over the last days, I have
counted 4672 unique client connections accessing these files, with a
slow but steady increase in numbers according to the logs.

-Ralph

Hi Ralph,

Thanks for the update and glad to see the mirror getting increased traffic.

Rsync mirrors have recently been given a boost with a couple of extra 
hosts, which is also welcome news.


Cheers,

Steve
sanesecurity.com


Re: [clamav-users] ClamAV 1.3.0 release candidate published

2023-12-15 Thread Steve Basford via clamav-users
On 15 December 2023 16:49:49 "Micah Snyder \(micasnyd\) via clamav-users" 
 wrote

Fixed an issue decrypting some PDF's with an empty password.

Hi Micah,

Just tested and it's decoding URLs now :)

I also wanted to say a huge Thank You for all the programming bug fixes/new 
features and support work you've done for ClamAV this year.


Have a Happy Holiday ClamAV team 

Cheers,

Steve
sanesecurity.com


Re: [clamav-users] since clamav version 1.2.0, false/positive pihole links?

2023-08-31 Thread Steve Basford via clamav-users
On 31 August 2023 09:30:46 energynorman--- via clamav-users 
 wrote:



Dear clamav Teams,


we are using some Debian 12 servers with PiHole Systems:


OS: Debian GNU/Linux 12 (bookworm) aarch64
Host: Raspberry Pi 4 Model B Rev 1.4
Kernel: 6.1.21-v8+
Uptime: 4 hours
Packages: 2830 (dpkg), 14 (snap)
Shell: zsh 5.9
Resolution: 2560x1440
Terminal: /dev/pts/0
CPU: BCM2835 (4) @ 2.000GHz
Memory: 1754MiB / 7811MiB

and since we installed the new clamav 1.2.0 (from source on the Raspberry Pi,
or from the deb file on the other Debian servers with PiHole with amd64),
we see now these alerts:


/etc/pihole/list.74.raw.githubusercontent.com.domains: 
sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL 
FOUND
/etc/pihole/list.22.v.firebog.net.domains: 
sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL 
FOUND

/etc/pihole/list.83.v.firebog.net.domains: YARA.davivienda.UNOFFICIAL FOUND


The above signatures while 3rd party are produced by me.

These must be downloaded by a script... So worth checking the configuration 
for pihole or other download scripts.



Cheers,

Steve
Sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] since clamav version 1.2.0, false/positive pihole links?

2023-08-31 Thread Steve Basford via clamav-users
On 31 August 2023 09:33:24 energynorman--- via clamav-users 
 wrote:



..additional, also these were found now by the version 1.2.0
(whitelisting?):



--- SCAN SUMMARY ---
Known viruses: 8862874
Engine version: 1.2.0
Scanned directories: 91
Scanned files: 416
Infected files: 0
Data scanned: 84.71 MB
Data read: 39.88 MB (ratio 2.12:1)
Time: 78.263 sec (1 m 18 s)
Start Date: 2023:08:31 05:09:59
End Date:   2023:08:31 05:11:17




/usr/lib/firefox-esr/browser/omni.ja:
Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND


Hi.

Sanesecurity signatures are produced by me.

The foxhole signatures are really only for incoming mail.

You can either create a list of signatures to ignore when scanning, in an 
ign2 database...


Eg. Create a text file Ignore.ign2

Make the first line


Sanesecurity.Foxhole.Zip_fs186


Put the ignore.ign2 file in the ClamAV database folder and reload ClamAV.

If you want to remove the foxhole sigs completely... Look for foxhole*.* in 
the ClamAV database folder or remove from your download script.


Foxhole sigs are really good for lots of reasons... but in your case you 
might need to fine tune your setup.


Hope this helps.


Cheers,

Steve
www.sanesecurity.com
Twitter: @sanesecurity
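A small script that turns clamscan's FOUND lines into the .ign2 list described above, as an added example that is not part of the post or of ClamAV itself. It assumes that only third-party .UNOFFICIAL hits are ignore candidates; the scan output embedded in it is a constructed sample, with one line wrapped the way the archived post wraps it.

```python
"""Build a ClamAV .ign2 ignore list from clamscan/clamd output.

Added example (not from the mailing-list post or the ClamAV project).
Assumption: only third-party ".UNOFFICIAL" detections are candidates for
an ignore list; official signature hits are reported but never ignored.
"""
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample of clamscan output. The first hit is wrapped across
# two lines the way mail clients wrap long lines in the archived post.
SAMPLE_SCAN_OUTPUT = """\
/usr/lib/firefox-esr/browser/omni.ja:
Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND
/etc/pihole/list.83.v.firebog.net.domains: YARA.davivienda.UNOFFICIAL FOUND
/usr/lib/firefox-esr/browser/omni.ja: Sanesecurity.Foxhole.Zip_fs186.UNOFFICIAL FOUND
/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/user/clean.txt: OK

--- SCAN SUMMARY ---
Known viruses: 8862874
Infected files: 3
"""

# "<path>: <signature> FOUND", one per line.
FOUND_RE = re.compile(r"^(?P<path>.+?):[ \t]*(?P<sig>\S+)[ \t]+FOUND$", re.MULTILINE)
UNOFFICIAL_SUFFIX = ".UNOFFICIAL"


def unwrap(text: str) -> str:
    """Rejoin a line that ends in ':' with the following line (mail wrapping)."""
    return re.sub(r":\n(?=\S)", ": ", text)


def parse_found(text: str) -> list[tuple[str, str]]:
    """Return (path, signature) pairs for every FOUND line."""
    return [(m.group("path"), m.group("sig")) for m in FOUND_RE.finditer(unwrap(text))]


def ign2_entries(text: str) -> list[str]:
    """Signature names to place in an .ign2 file, one per line.

    The .ign2 format takes the bare signature name, so the '.UNOFFICIAL'
    suffix that clamscan appends to third-party hits is stripped, and
    official signatures (no suffix) are left out of the list.
    """
    names = set()
    for _path, sig in parse_found(text):
        if sig.endswith(UNOFFICIAL_SUFFIX):
            names.add(sig[: -len(UNOFFICIAL_SUFFIX)])
    return sorted(names)


def official_hits(text: str) -> list[tuple[str, str]]:
    """Hits from official databases: these should be investigated, not ignored."""
    return [(p, s) for p, s in parse_found(text) if not s.endswith(UNOFFICIAL_SUFFIX)]


def write_ign2(text: str, dest: Path) -> int:
    """Write the ignore list to dest (e.g. <database folder>/ignore.ign2) and
    return the number of entries; reload clamd afterwards."""
    entries = ign2_entries(text)
    dest.write_text("\n".join(entries) + ("\n" if entries else ""))
    return len(entries)


if __name__ == "__main__":
    for name in ign2_entries(SAMPLE_SCAN_OUTPUT):
        print(name)
    for path, sig in official_hits(SAMPLE_SCAN_OUTPUT):
        print(f"official hit, not ignored: {sig} in {path}")
```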


[clamav-users] Unix.Malware.Kaiji-10003916-0

2023-06-07 Thread Steve Basford via clamav-users

Multi False Positive reports... Just a heads up.

Cheers,

Steve
Sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users
On 24 May 2023 21:57:33 Steve Basford via clamav-users 
 wrote:
Could you do a ls of the clamav database folder... So I can see what 
databases you are using

Sorry all, should have been off list... Duh ;)

Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users
Could you do a ls of the clamav database folder... So I can see what 
databases you are using


Does the database name appear in the logs when clamd.con

# Enable verbose logging.
# Default: no
LogVerbose yes
If you run clamscan --database=<clamav database folder> test.file does it 
report database errors?

How much memory/disk space

What download script... Any errors logs there to look at?

Sorry for the number of questions...
On 24 May 2023 19:54:57 Paul Netpresto  wrote:

Hi Steve
Note it would be nice if clamd said which db it did not like ..
I reckon the start of the problem is "Database reload failed, keeping the 
previous instance" when there is no previous instance.

Mon May 22 13:04:40 2023 -> Reading databases from /var/lib/clamav/
Mon May 22 13:05:01 2023 -> ERROR: reload_th: Database load failed: Malformed database
Mon May 22 13:05:02 2023 -> Database reload completed.
Mon May 22 13:05:02 2023 -> WARNING: Database reload failed, keeping the previous instance
Mon May 22 13:06:30 2023 -> ERROR: cl_engine_addref() failed
Mon May 22 13:06:30 2023 -> ERROR: Command dispatch failed
Mon May 22 13:06:30 2023 -> ERROR: INSTREAM: Can't write to temporary file.
Mon May 22 13:06:30 2023 -> ERROR: cl_engine_addref() failed
Mon May 22 13:06:30 2023 -> ERROR: Command dispatch failed
Mon May 22 13:06:30 2023 -> ERROR: INSTREAM: Can't write to temporary file.
Mon May 22 13:06:46 2023 -> ERROR: cl_engine_addref() failed
Mon May 22 13:06:46 2023 -> ERROR: Command dispatch failed
Mon May 22 13:08:31 2023 -> ERROR: cl_engine_addref() failed
Mon May 22 13:08:31 2023 -> ERROR: Command dispatch failed
Lots more of the above snipped
Note a /tmp/clamav-*** is created for each connection containing whatever 
was submitted till max files open limit is reached.


Then this starts
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files

3.5 G later /var/ is full !!
On 24/05/2023 19:39, Steve Basford via clamav-users wrote:

On 24 May 2023 18:52:04 Paul Netpresto  wrote:

Hi
I have found that 1.0.1 and 0.103.8 both behave badly if they find a 
malformed db. Agreed freshclam checks out the clamav/cisco db's.
I have yet to determine what unofficial db caused the failure. They should 
all have been verified before being placed in /var/lib/clamav/

How are you downloading the 3rd party sigs...

This script checks integrity... before copying to live folder...


https://github.com/extremeshok/clamav-unofficial-sigs

I check db integrity before uploading to mirrors.

Please email me off list with some logs

Cheers,

Steve
Twitter: @sanesecurity
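A triage script for the clamd log cascade quoted above (malformed database, then every request failing in cl_engine_addref(), then open-file exhaustion), as an added example that is not from the thread; the log excerpt inside it is a constructed sample modelled on the quoted lines.

```python
"""Triage a clamd log for the failure cascade described in the thread:
a malformed database makes the reload fail, every later request fails
with cl_engine_addref(), and leftover INSTREAM temp files exhaust file
descriptors ("accept() failed: Too many open files").

Added example; the log lines below are a constructed sample modelled on
the ones quoted in the post, not the original log."""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_LOG = """\
Mon May 22 13:04:40 2023 -> Reading databases from /var/lib/clamav/
Mon May 22 13:05:01 2023 -> ERROR: reload_th: Database load failed: Malformed database
Mon May 22 13:05:02 2023 -> Database reload completed.
Mon May 22 13:05:02 2023 -> WARNING: Database reload failed, keeping the previous instance
Mon May 22 13:06:30 2023 -> ERROR: cl_engine_addref() failed
Mon May 22 13:06:30 2023 -> ERROR: Command dispatch failed
Mon May 22 13:06:30 2023 -> ERROR: INSTREAM: Can't write to temporary file.
Mon May 22 13:06:46 2023 -> ERROR: cl_engine_addref() failed
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
"""

# Each pattern names one stage of the cascade, in the order it appears.
STAGES = [
    ("db_load_failed", re.compile(r"Database load failed")),
    ("reload_kept_previous", re.compile(r"Database reload failed, keeping the previous instance")),
    ("no_engine", re.compile(r"cl_engine_addref\(\) failed")),
    ("instream_tmp_failed", re.compile(r"INSTREAM: Can't write to temporary file")),
    ("fd_exhausted", re.compile(r"accept\(\) failed: Too many open files")),
]
# "<weekday> <month> <day> <hh:mm:ss> <year> -> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) -> (?P<msg>.*)$")


def count_stages(log: str) -> Counter:
    """Count how many log lines match each stage of the cascade."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, pat in STAGES:
            if pat.search(m.group("msg")):
                counts[name] += 1
    return counts


def triage(log: str) -> tuple[str, Counter]:
    """Return (verdict, counts).

    'reload_failed': a database failed to load; find it by loading each
        file on its own with clamscan --database=<file>.
    'cascade': the failed reload left no usable engine, so clamd is
        rejecting every command.
    'fd_exhausted': on top of that, accept() is failing, so clamd needs a
        restart and the per-connection /tmp/clamav-* files need cleaning up.
    """
    c = count_stages(log)
    if c["fd_exhausted"]:
        return "fd_exhausted", c
    if c["db_load_failed"] and c["no_engine"]:
        return "cascade", c
    if c["db_load_failed"]:
        return "reload_failed", c
    return "ok", c


if __name__ == "__main__":
    verdict, counts = triage(SAMPLE_LOG)
    print(verdict, dict(counts))
```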


Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users

On 24 May 2023 18:52:04 Paul Netpresto  wrote:

Hi


I have found that 1.0.1 and 0.103.8 both behave badly if they find a 
malformed db. Agreed freshclam checks out the clamav/cisco db's.


I have yet to determine what unofficial db caused the failure. They should 
all have been verified before being placed in /var/lib/clamav/


Also this fab download script

https://github.com/rseichter/fangfrisch


Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users

On 24 May 2023 18:52:04 Paul Netpresto  wrote:

Hi


I have found that 1.0.1 and 0.103.8 both behave badly if they find a 
malformed db. Agreed freshclam checks out the clamav/cisco db's.


I have yet to determine what unofficial db caused the failure. They should 
all have been verified before being placed in /var/lib/clamav/

How are you downloading the 3rd party sigs...

This script checks integrity... before copying to live folder...


https://github.com/extremeshok/clamav-unofficial-sigs

I check db integrity before uploading to mirrors.

Please email me off list with some logs

Cheers,

Steve
Twitter: @sanesecurity
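The "check integrity before copying to the live folder" step, as an added example that is not the clamav-unofficial-sigs script: it loads the candidate file on its own with clamscan --database=<file> and only then renames it into the live directory. The live directory, probe file and the stand-in clamscan commands used in demo() are assumptions or constructed for the run.

```python
"""Stage a third-party ClamAV database only after clamscan accepts it.

Added example, not the clamav-unofficial-sigs or fangfrisch code. It
follows the advice in the thread: load the candidate file by itself with
'clamscan --database=<file>' and only then copy it into the live folder.
Assumed layout: downloads land in a staging directory; the live folder is
/var/lib/clamav in production (passed in as live_dir).
"""
from __future__ import annotations

import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# clamscan exit codes: 0 = clean, 1 = something found, 2 = error
# (a malformed database makes it exit 2).
CLAMSCAN_OK = {0, 1}


def database_loads(db_file: Path, probe_file: Path,
                   clamscan: list[str] | None = None) -> bool:
    """Return True if clamscan can load db_file on its own without error."""
    cmd = list(clamscan or ["clamscan"]) + [f"--database={db_file}", str(probe_file)]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode in CLAMSCAN_OK


def stage_database(db_file: Path, live_dir: Path, probe_file: Path,
                   clamscan: list[str] | None = None) -> bool:
    """Copy db_file into live_dir only if it passes the load check.

    The copy goes to a temporary name and is then renamed, so clamd never
    picks up a partially written file. Returns True when the database
    went live, False when it was rejected (and left in staging).
    """
    if not database_loads(db_file, probe_file, clamscan):
        return False
    tmp_target = live_dir / (db_file.name + ".staging")
    shutil.copy2(db_file, tmp_target)
    tmp_target.replace(live_dir / db_file.name)
    return True


def demo() -> tuple[bool, bool, bool]:
    """Self-contained run using stand-in clamscan commands (constructed):
    one that exits 2 like a malformed database, one that exits 0."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staging, live = root / "staging", root / "live"
        staging.mkdir()
        live.mkdir()
        probe = root / "probe.txt"
        probe.write_text("harmless probe file\n")
        candidate = staging / "thirdparty.ndb"
        # Constructed sample line in .ndb layout (not a real signature).
        candidate.write_text("Example.Test.Sig:0:*:48656c6c6f\n")
        fails = [sys.executable, "-c", "import sys; sys.exit(2)"]
        passes = [sys.executable, "-c", "import sys; sys.exit(0)"]
        bad = stage_database(candidate, live, probe, clamscan=fails)
        good = stage_database(candidate, live, probe, clamscan=passes)
        return bad, good, (live / "thirdparty.ndb").exists()


if __name__ == "__main__":
    print(demo())
```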


Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users

On 23 May 2023 21:59:22 Paul Netpresto  wrote:


Hello

What should the behaviour of a running clamd be when it comes across a
malformed database during a signature-reload.

Clamd.conf has setting "ConcurrentDatabaseReload no"

Regards Paul



Hi Paul,

If there is a malformed database freshclam will ignore it and shouldn't update.

If it's a manually updated database, clamd will report the error in logs.

That option means

concurrentDatabaseReload BOOL
Enable non-blocking (multi-threaded/concurrent) database reloads. This 
feature will temporarily load a second scanning engine while scanning 
continues using the first engine. Once loaded, the new engine takes over. 
The old engine is removed as soon as all scans using the old engine have 
completed. This feature requires more RAM, so this option is provided in 
case users are willing to block scans during reload in exchange for lower 
RAM requirements.

Default: yes


Cheers,


Steve
Sanesecurity.com
3rdparty ClamAV signatures







Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] Fwd: Problem with current databases

2023-05-04 Thread Steve Basford via clamav-users
On 4 May 2023 14:04:26 newcomer01 via clamav-users 
 wrote:



Hi there,

do we have currently a problem with the database files?
my cronjob, stops without any error or something on scanning files and in 
case did not delete his tmp files.

What version of clamav? What linux version? Memory/disk space?

Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members

2023-03-22 Thread Steve Basford via clamav-users


The attached file was some small HTML file containing malicious obfuscated 
javascript.


Just to note that at my workplace 1 user received a similar email, using 
older email threads to make it look convincing

and a with a single html attachment.

0/55 av's so far 6 hours after submitting..

In case this helps...

https://www.virustotal.com/gui/file/8cb4b28d9c452dfa77e8a061791158bb851681550c889e579a0acc4cb0ff2c86

Cheers,

Steve
Twitter: @sanesecurity
https://fosstodon.org/@sanesecurity
Sanesecurity.com


Re: [clamav-users] clamscan exclude-dir on Windows

2023-01-28 Thread Steve Basford via clamav-users
On 28 January 2023 16:07:04 Richard Rosner via clamav-users 
 wrote:
Very interesting to know. Sadly that doesn't help. I added 
--exclude-dir="C:\\PROGRA~2\\" --exclude-dir="C:\\PROGRA~1\\" and tried 
running in both PowerShell and CMD, no success, it always ends up scanning 
Program Files.


Richard


Hi,

How about...

--exclude-dir="c:\\program files"



Cheers,

Steve
SaneSecurity.com


Re: [clamav-users] Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.

2022-07-22 Thread Steve Basford via clamav-users
On 22 July 2022 10:15:27 Thomas Barth via clamav-users 
 wrote:



Hello,

I use ClamAV unofficial signatures and it seems that I get a false
positive, I'm not sure. A known person with a gmail-address and MS
Outlook 16.0 X-Mailer tries to send me a mail with a link to google docs
(Google Sheets) and Amavis refuses to accept this mail. I scanned this
file in the quarantine again and I get the detection again and some
other errors.

[more yyerror() ]
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389
duplicate identifier "zeroaccess_js4"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414
duplicate identifier "zerox88_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444
duplicate identifier "zerox88_js3"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472
duplicate identifier "zeus_js"
LibClamAV Warning: load_oneyara: yara rule contains too many subsigs
(1019, max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules
from file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.
/root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 12844114
Engine version: 0.103.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.01 MB (ratio 0.00:1)
Time: 61.839 sec (1 m 1 s)
Start Date: 2022:07:22 10:59:19
End Date:   2022:07:22 11:00:21

I opened the file in the console. It's a multipart message, it contains
the text and the typical ms html part of the message. I can't see where
the danger lurks.

Any suggestions what I can do?

Thomas B


Hi Thomas,

The yara rule errors are due to ClamAV's built in yara engine not fully 
understanding the yara files.


The MBL_162693783 sig is the one to check.

If you use sigtool to decode the sig you'll see what it's looking for.

Mbl used to block Google docs links... so maybe that's why.

If you need to you can put the signature name in an ignore.ign2 file and 
reload clamd, but only do this once you have seen the sig decode.


Cheers,

Steve
Twitter: @sanesecurity
Sanesecurity.com
___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] MS Word Follina - CVE-2022-30190

2022-06-09 Thread Steve Basford via clamav-users
On 9 June 2022 13:17:29 Vangelis Katsikaros via clamav-users 
 wrote:

Hi

I am not a security person so I apologize if the question sounds stupid. 
I'd like to ask if there is a signature in the clamav DB to recognise 
Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote 
code execution vulnerability.


I've added a few signatures into phish.ndb quite a few days ago to detect 
Follina... including some of the poc versions that use pdf files.


There are some Follina sigs in the official signatures as well.

Hope this is a reassurance.

Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] human friendly signatures

2022-03-16 Thread Steve Basford

On 16 March 2022 22:16:05 Eric Tykwinski  wrote:

Steve,

I like the idea, but why the hex; hex?


Sorry, should have been clearer... not just hex but

Test;Engine:81-255,Target:0;(b0);0f0f0f*0b0b0b;0/blah*(?:[4-7]|[8003]\d)/
etc...

Just thinking about my recent issues with direct deposit phishing 
emails from gmail.com and they are written probably by people, so I can’t 
really hash it, and have to regex it.



Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] human friendly signatures

2022-03-16 Thread Steve Basford

On 16 March 2022 22:16:05 Eric Tykwinski  wrote:

Steve,

I like the idea, but why the hex; hex?
Just thinking about my recent issues with direct deposit phishing emails 
from gmail.com and they are written probably by people, so I can’t really 
hash it, and have to regex it.







On Mar 16, 2022, at 5:10 PM, Steve Basford  
wrote:


On 16 March 2022 20:29:19 "Micah Snyder \(micasnyd\) via clamav-users" 
 wrote:

yara rule loading logic works right now.



(3) a way to specify that a rule is to match in
(a) mail headers only or
(b) mail body only or
(c) both;
Just a random early thought... could .ldb be extended... by reading the 
whole message processing  as normal... but if its a header line mark as h, 
body with a b...



So if the ldb could be extended with h/b... you could still use the normal 
ldb logic...



Test;Engine:81-255,Target:0;(h0=0);hex;hex


Test;Engine:81-255,Target:0;(b0);

h=headers only line
b=body only line

So h0 hex will only match if it's a header line
So b0 hex will only match if it's a body line
Sorry for the formatting.. on mobile.


Cheers,

Steve
Twitter: @sanesecurity





Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] human friendly signatures

2022-03-16 Thread Steve Basford
On 16 March 2022 20:29:19 "Micah Snyder \(micasnyd\) via clamav-users" 
 wrote:

yara rule loading logic works right now.



(3) a way to specify that a rule is to match in
(a) mail headers only or
(b) mail body only or
(c) both;
Just a random early thought... could .ldb be extended... by reading the 
whole message processing  as normal... but if its a header line mark as h, 
body with a b...



So if the ldb could be extended with h/b... you could still use the normal 
ldb logic...



Test;Engine:81-255,Target:0;(h0=0);hex;hex


Test;Engine:81-255,Target:0;(b0);

h=headers only line
b=body only line

So h0 hex will only match if it's a header line
So b0 hex will only match if it's a body line
Sorry for the formatting.. on mobile.


Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Steve Basford

On 28 April 2021 15:25:32 Robert Kudyba  wrote:
Since the signature name has .UNOFFICIAL and starts with MBL I believe 
that's Malware Block List. I've submitted a sample to fp (at) 
malwarepatrol.net. Is more than one sample needed? I'm posting here to let 
others know and as they don't appear to acknowledge nor reply.


Hi...

This issue has cropped up lots of times unfortunately (search the list archive)

This is on their blog:

https://www.malwarepatrol.net/block-lists-protect-against-ransomware-infections/

They really should have a main block list with Google drive links in... 
and a separate one for the whole Google drive domain (for people that don't 
mind the high FP's)


This hasn't been fixed as far as I can see since 2018-ish...

Obviously there are script tweaks to remove Google drive sigs before moving 
to the ClamAV database folder...


... Or just stop using them and save yourself the headache.

Their sig name changes each time too, otherwise I could add a sig to the 
unofficial mirrors to stop it.


When you report the issue to them make sure you report the blocked domain 
as drive dot Google dot com etc. as the normal text domain might get 
blocked using their own signatures.


Sorry I can't help much more.

Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] malwarepatrol.db invalid

2021-03-29 Thread Steve Basford

On 29 March 2021 15:04:17 Steve Hanselman  wrote:

Is anyone able to successfully use the malwarepatrol.db file?



I’m running clamav 0.102.4, I’ve verified the md5 of the download, but 
every single time I try it dies with database integrity tested BAD.




LibClamAV Error: Malformed pattern line 827

LibClamAV Error: Problem parsing database at line 827


Could you post 5 lines before and 5 lines after line 827...

Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Steve Basford

On 24 March 2021 14:16:33 Robert Kudyba  wrote:
Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several 
emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was 
a link forwarded as an attachment of a Google Drive folder.



Hi Robert,

It's best to report this to Malware Patrol themselves.

I do have the ability to ignore this signature from the mirrors... but they 
change the signature name... so it's a bit like whack a mole.




Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

2020-12-22 Thread Steve Basford
On 22 December 2020 07:28:53 Luca Sironi via clamav-users 
 wrote:

Hello,
are those signatures coming from FireEye github already included on the 
regular update ?


Hi...

Joel indicated the other day sigs to detect the problem files are already 
in the official Databases :)


Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] clamav blocking libreoffice macro

2020-09-09 Thread Steve Basford

Could I have a sample too.

I've got a test sig to block libreoffice samples but would like to confirm 
more.


On 9 September 2020 13:31:49 Giovanni Bechis  wrote:


On 9/9/20 1:52 PM, G.W. Haywood via clamav-users wrote:

Hi Hugo,

On Wed, 9 Sep 2020, Hugo Boss via clamav-users wrote:


... we have issues with Emotet malware ...


If you have a sample of a malicious message which you wouldn't mind
sending to me privately I'd be happy to see if my milter can persuade
ClamAV to detect it.

I am interested in a sample as well, Apache SpamAssassin could be improved 
to detect this kind of malicious messages (if it doesn't catch them atm).

Giovanni




Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise

2020-02-18 Thread Steve Basford

On 2020-02-18 13:58, Brian Fluet wrote:

File libclamunrar.dll from ClamAV 0.102.2 win x86 portable is being
quarantined by Sunbelt Vipre Enterprise as Trojan.GenericKD.42582612.

The first detection was at 5:44 PM EST on Friday Feb 14.

Microsoft is the only product that flags it as infected on VirusTotal
as Trojan:Win32/Detplock.

I submitted the file as a false positive to Sunbelt yesterday but
have not heard back.

I apologize if this ends up being a duplicate post.  I attempted one
yesterday that has not appeared in the archives.



SHA-256: 8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c


Other AV's are also flagging... but maybe the same FP signature:

https://www.virustotal.com/gui/file/8244bc93e71a78be156adf1bfef0785b4f3cd6725d095ffe7ed528ff08e8458c/detection


--
Cheers,

Steve
Sanesecurity



[clamav-users] clamav-unofficial-sigs download script updated

2020-01-30 Thread Steve Basford

Hi All,

eXtremeSHOK.com's clamav-unofficial-sigs download script has been 
updated:


https://github.com/extremeshok/clamav-unofficial-sigs

Change Log

Version 7.0.1 (Updated 25 January 2020)

Disable yara project rules duplicated in rxfn.yara (Thanks @dominicraf)

Incremented the config to version 91

Version 7.0.0 (Updated 24 January 2020)

eXtremeSHOK.com Maintenance
Added urlhaus database
Added extra yararulesproject databases
Added new linuxmalwaredetect yara file
Automatic upgrades ( --upgrade )
Added --upgrade command line option
Option to disable automatic upgrades ( allow_upgrades )
Option to disable update checks (allow_update_checks)
Increase download time to 1800 seconds from 600 seconds
os.conf takes preference over os.***.conf
Warn if there are multiple os.***.conf files
More sanity checks to help users and prevent errors
Better output of --info
Fix all known bugs
Implement all suggestions
Fixed yararulesproject database names
Correctly silence curl and wget
New linuxmalwaredetect logic
New malwarepatrol logic
Suppress --- and === from the logs
Update the documentation / guides
Increase minimum clamav version for yara rules to 0.100 or above
Fix systemd.timer and systemd.service files
More travis-ci tests
Added os.alpine.conf
Added debug options/mode to config
Set minimum config required to 90
Lots of refactoring and optimizing
Only check for and notify about script updates every 12hours
Incremented the config to version 90

Version 6.1.1 (Updated 02 September 2019)

eXtremeSHOK.com Maintenance
Update os.archlinux.conf, thanks @amishmm
master.conf set default dbs rating to medium
user.conf better suggested values
Default to using curl, less logic required (lower cpu)
force_curl replaced with force_wget
Fix: suppress all non-error output under cron/non interactive terminal
Fix: check log file is not a link before setting permissions, only set if owned by root.

Fix: failed to create symbolic link
Fix: curl --compress ->> curl --compressed
Minor enhancement to travis-ci checks
Incremented the config to version 77

Version 6.1.0 (Updated 27 August 2019)

eXtremeSHOK.com Maintenance
Thanks Reio Remma & Oliver Nissen
fail added to all curl commands
Fix: Missing logic for LOWMEDIUMONLY | MEDIUMHIGHONLY | HIGHONLY databases
Support for either os.osname.conf or os.conf files (no more needing to rename the os.osname.conf to os.conf)

Where possible replaced echo with xshok_pretty_echo_and_log
Refactor xshok_pretty_echo_and_log and make all notices styles consistent

Silence output when run under cron
add MAILTO=root to the generated cron file
Add full proxy support for wget, curl, rsync, dig, host
Better support for proxy config variables
New config variable: git_branch (defaults to master for the update checks)

allow -w signature for quicker whitelisting
Sanitize whitelist input string (Remove quotes and .UNOFFICIAL)
Added Full support for Hash-based Signature Databases
User.conf is pre-configured with default options to allow for quicker setup

Default sanesecurity and LinuxMalwareDetect to enabled
Increase default retries from 3 to 5
Ensure log file permissions are correct
Better update comparison check, only notify if newer
Incremented the config to version 76


--
Cheers,

Steve
Sanesecurity



Re: [clamav-users] Stop clamdscan from stepping on itself?

2019-10-18 Thread Steve Basford
On 18 October 2019 16:19:23 Ian via clamav-users 
 wrote:




This doesn't seem like a difficult problem for clamav to solve -- clamd is 
asked to scan the file system and it creates temp files to accomplish this

I know I'm mainly a win user... So sorry in advance... but if you created a 
Linux ram drive... Pointed clamav temp files to the ram drive... Would that 
get around the issue...


https://www.linuxbabe.com/command-line/create-ramdisk-linux/amp

Clamd.conf...

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp


So when clamav scans ... its temporary files are in the ram disc.


Steve
Twitter: @sanesecurity



Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-07 Thread Steve Basford
On 7 October 2019 15:25:41 "J.R. via clamav-users" 
 wrote:



I don't know how the viruses are tracked, but maybe to reduce size (if
applicable) some of the more ancient viruses that only affect EOL
operating systems (or programs that should have long since been
patched) could be spun-off into a separate definition file (that could
be optionally disabled)? Seems like it would be quite a waste of
resources for most if there were like a million definitions that only
affected Windows XP or Office 2003 or something like that...


If you also take a peek at hashes:

Number of hashes:

36,49,543 main.hdb
23,657,708 daily.hdb

248,06,499 main.hsb
905,00,729 daily.hsb

File size:

36,49,543 main.hdb
23,657,708 daily.hdb

24,806,499 main.hsb
905,00,729 daily.hsb

Example:

grep "130ae8f338cc705a26fa5fa635d8673a" daily.hsb

130ae8f338cc705a26fa5fa635d8673a:92160:Doc.Dropper.Agent-1453138:73

https://www.virustotal.com/gui/file/06f0af676b49d13c51b36e4d61f2d8751bd5ef5d5241a68e99691d68617c7415/detection

First Seen In The Wild ---> 2016-06-03 20:34:00
Last Submission ---> 2016-06-03 20:37:03
Document Name: Rotech AG_Faktur dot doc

So, is the above hash still relevant or should it be moved into archived.hsb, 
which by default doesn't load?

Perhaps daily.* are hashes up to a year old, main.* for hashes two years 
old and everything else into archive.*

Or just drop document hashes over a year old??

It's a difficult one to suit all uses of ClamAV I guess.
Cheers,


Steve
Twitter: @sanesecurity



Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Steve Basford
On 20 August 2019 21:41:30 "Micah Snyder \(micasnyd\) via clamav-users" 
 wrote:

Hi Asok,



I’m extremely curious about the `--memory` you’re using with clamscan.  I’m 
under the impression that is a feature added in some versions of ClamWin – 
but as far as I know, ClamWin hasn’t had a release 0.99.4.  If I may ask, 
where did you get this version of ClamAV?

The core engine from clamwin...

http://oss.netfarm.it/clamav/

0.99.4...

http://www.clamwin.com/content/view/18/46/

Cheers,


Steve
Twitter: @sanesecurity



[clamav-users] pipermail signature lists

2019-08-06 Thread Steve Basford

Just a quick one.

Sometimes it's useful to check on signature updates

eg...

https://lists.clamav.net/pipermail/clamav-virusdb/

https://lists.clamav.net/pipermail/clamav-virusdb/2019-August/date.html

But when you want to get to the detail:

https://lists.clamav.net/pipermail/clamav-virusdb/2019-August/006919.html

"An embedded and charset-unspecified text was scrubbed..."

Can it be fixed, so we can see what sigs were added/dropped... as I'm 
sure it used to work?



--
Cheers,

Steve
Sanesecurity.com: 3rd Party ClamAV Signatures
Twitter: @sanesecurity



Re: [clamav-users] SecuriteInfo.com.Spam-12370

2019-06-24 Thread Steve Basford

On 24 June 2019 21:45:25 Bowie Bailey  wrote:


Anyone else having issues with this signature?



VIRUS NAME: SecuriteInfo.com.Spam-12370


Yes.. Just seen a few twitter posts and had a couple of emails about that sig.

I'm sure it'll be fixed by them shortly.

Cheers,


Steve
Twitter: @sanesecurity



Re: [clamav-users] [External] Re: Scan very slow

2019-04-10 Thread Steve Basford

On 2019-04-09 22:29, Micah Snyder (micasnyd) via clamav-users wrote:

Maarten,


Looking at a few of the Phish.Phishing signatures, these appear to
have the same issue (href="http:// prefix).  In testing with scan of a
PDF document, I was able to reduce the scan time from 31.987 sec down
to 2.632 sec simply by changing the start of the Phishtank signatures
for the following:


Hi Micah,

Just in case this helps, a slow loading db issue a while back:

https://bugzilla.clamav.net/show_bug.cgi?id=11017



--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] [External] Re: Scan very slow

2019-04-09 Thread Steve Basford

On 2019-04-09 12:02, Brent Clark via clamav-users wrote:

Cant those be adopted / managed by Sanesecurity?

For all you know, those are already in Sanesecurity.


They are... and have been for quite some time:


"The following databases are distributed by Sanesecurity, but produced 
by Porcupine Signatures"


phishtank.ndb.

Briefly...

Number of sigs in phishtank.ndb: 9,309

eg:

PhishTank.Phishing.6002281, matches:

https://www.phishtank.com/phish_detail.php?phish_id=6002281

So, there is going to be some possible cross over now that 
Phish.Phishing.REPHISH_ID_20190404_67-6931549-0 
type signature names from the PhishTank feed are in daily.ldb and 
daily.ndb.


I'll check back on the thread later.

--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Scan very slow

2019-04-07 Thread Steve Basford

On 7 April 2019 17:25:56 Arnaud Jacques  wrote:




... and one day I created a *huge* ign2 file and it crashed clamd. Ign2
files may not be appropriate to ignore tons of signatures.


From memory.. daily.info (inside the daily.cvd) contains the database names 
included.

If all phishtank sigs were moved into phishtank.ldb etc. and that name was 
placed into the daily.info as a separate entry..


Freshclam could exclude that database loading during the loading of 
databases.. If it matched an exclude phishtank.ldb command in 
freshclam.conf.  Or maybe create a dataset.ign3 file which contains 
database names not to load at all.



Bigger picture would be move all android sigs into android.ldb etc and you 
could exclude those if needed to release memory and resources... All 
Windows sigs into a separate dataset etc.



The default would be to load all datasets.. but doing something like this 
would give endusers a choice without using ign2 entries for millions of 
sigs and without wasting time loading them into memory.


Both would need changes to freshclam and sigs.


Cheers,


Steve
Twitter: @sanesecurity



Re: [clamav-users] Scan very slow

2019-03-25 Thread Steve Basford

On 2019-03-25 10:52, Mark Allan via clamav-users wrote:

Hi all,


te.


Hopefully this helps someone to narrow things down a bit.

Mark



18/3/19		10m 49s		TXT from DNS: 
0.101.1:58:25392:1552904941:1:63:48507:328	***


Here's the changes for the above update:

https://lists.gt.net/clamav/virusdb/75154

You can also check sigs quickly per update:

https://lists.gt.net/clamav/virusdb/



--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Slow reload

2019-03-20 Thread Steve Basford

On 2019-03-19 14:35, Bowie Bailey wrote:

I do have a bunch of third party signatures installed from Sanesecurity 
and

SecuriteInfo.  Is there a way to get timing information on which
signature files are
taking the longest to load?  Or is this mainly a function of file size?


Here's a quick sorted output of scanning each database with 1 file to 
test db loading and scan times


eg.

clamscan --database=x.xxx


Sanesecurity:

MiscreantPunch099-Low.ldb  Execution time  10.534 s
phish.ndb  Execution time  4.400 s
scamnailer.ndb  Execution time  4.070 s
junk.ndb  Execution time  1.840 s
spear.ndb  Execution time  1.610 s
blurl.ndb  Execution time  1.387 s
scam.ndb  Execution time  1.292 s
phishtank.ndb  Execution time  1.124 s
jurlbl.ndb  Execution time  1.062 s
winnow_extended_malware.hdb  Execution time  1.017 s
foxhole_filename.cdb  Execution time  1.013 s
MiscreantPunch099-INFO-Low.ldb  Execution time  1.007 s
porcupine.ndb  Execution time  0.990 s
jurlbla.ndb  Execution time  0.974 s
doppelstern.hdb  Execution time  0.953 s
doppelstern-phishtank.ndb  Execution time  0.945 s
rogue.hdb  Execution time  0.945 s
foxhole_all.ndb  Execution time  0.937 s
foxhole_js.ndb  Execution time  0.932 s
foxhole_generic.cdb  Execution time  0.931 s
bofhland_malware_URL.ndb  Execution time  0.930 s
winnow.complex.patterns.ldb  Execution time  0.928 s
winnow_phish_complete_url.ndb  Execution time  0.926 s
foxhole_all.cdb  Execution time  0.922 s
lott.ndb  Execution time  0.919 s
malware.expert.ndb  Execution time  0.919 s
bofhland_cracked_URL.ndb  Execution time  0.917 s
foxhole_mail.cdb  Execution time  0.917 s
winnow_malware.hdb  Execution time  0.917 s
winnow.attachments.hdb  Execution time  0.916 s
winnow_bad_cw.hdb  Execution time  0.916 s
crdfam.clamav.hdb  Execution time  0.915 s
winnow_extended_malware_links.ndb  Execution time  0.915 s
spearl.ndb  Execution time  0.914 s
badmacro.ndb  Execution time  0.913 s
foxhole_js.cdb  Execution time  0.913 s
winnow_malware_links.ndb  Execution time  0.913 s
winnow_spam_complete.ndb  Execution time  0.911 s
bofhland_phishing_URL.ndb  Execution time  0.910 s
malware.expert.ldb  Execution time  0.910 s
bofhland_malware_attach.hdb  Execution time  0.909 s
doppelstern.ndb  Execution time  0.909 s
winnow_phish_complete.ndb  Execution time  0.908 s
shelter.ldb  Execution time  0.907 s
spamattach.hdb  Execution time  0.905 s
spamimg.hdb  Execution time  0.896 s
malware.expert.hdb  Execution time  0.895 s
spam.ldb  Execution time  0.889 s

and the same setup for ClamAV Official DB's:

daily.ldb  Execution time  35.893 s
main.mdb  Execution time  13.474 s
daily.hsb  Execution time  10.514 s
daily.hdb  Execution time  3.533 s
main.ndb  Execution time  2.676 s
main.hsb  Execution time  2.020 s
daily.mdb  Execution time  1.610 s
main.hdb  Execution time  1.054 s
daily.ndb  Execution time  0.983 s
daily.pdb  Execution time  0.946 s
daily.ldu  Execution time  0.942 s
daily.idb  Execution time  0.940 s
daily.ign2  Execution time  0.937 s
daily.ign  Execution time  0.930 s
daily.fp  Execution time  0.921 s
daily.wdb  Execution time  0.919 s
daily.ftm  Execution time  0.918 s
main.sfp  Execution time  0.914 s
daily.hsu  Execution time  0.911 s
daily.sfp  Execution time  0.910 s
daily.cfg  Execution time  0.909 s
daily.crb  Execution time  0.907 s
daily.msu  Execution time  0.906 s
daily.hdu  Execution time  0.902 s
daily.msb  Execution time  0.902 s
daily.ndu  Execution time  0.902 s
daily.cdb  Execution time  0.901 s
main.msb  Execution time  0.896 s
main.crb  Execution time  0.894 s
main.fp  Execution time  0.891 s
daily.mdu  Execution time  0.889 s

Just in case that's useful for anyone ;)

--
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Slow reload

2019-03-19 Thread Steve Basford

On 19 March 2019 21:01:03 Bowie Bailey  wrote:


On 3/19/2019 4:27 PM, Bowie Bailey wrote:




Is there a way to get the details on how long each file take to load, or do 
I just have to test them one by one?

A very simple per Database scan time test... Sorry not sorted in time order 
but might help anyway...


badmacro.ndb: 984 ms
blurl.ndb: 1469 ms
bofhland_cracked_URL.ndb: 875 ms
bofhland_malware_attach.hdb: 891 ms
bofhland_malware_URL.ndb: 891 ms
bofhland_phishing_URL.ndb: 890 ms
crdfam.clamav.hdb: 891 ms
doppelstern-phishtank.ndb: 891 ms
doppelstern.hdb: 890 ms
doppelstern.ndb: 906 ms
foxhole_all.cdb: 891 ms
foxhole_all.ndb: 921 ms
foxhole_filename.cdb: 1000 ms
foxhole_generic.cdb: 907 ms
foxhole_js.cdb: 890 ms
foxhole_js.ndb: 875 ms
foxhole_mail.cdb: 891 ms
junk.ndb: 1812 ms
jurlbl.ndb: 1047 ms
jurlbla.ndb: 937 ms
lott.ndb: 890 ms
malware.expert.hdb: 875 ms
malware.expert.ldb: 875 ms
malware.expert.ndb: 906 ms
MiscreantPunch099-INFO-Low.ldb: 953 ms
MiscreantPunch099-Low.ldb: Possible Performance Issue: 10422 ms
phish.ndb: 4406 ms
phishtank.ndb: 1156 ms
porcupine.ndb: 969 ms
rogue.hdb: 922 ms
scam.ndb: 1235 ms
scamnailer.ndb: 4016 ms
shelter.ldb: 906 ms
spam.ldb: 922 ms
spamattach.hdb: 906 ms
spamimg.hdb: 891 ms
spear.ndb: 1594 ms
spearl.ndb: 906 ms
winnow.attachments.hdb: 891 ms
winnow.complex.patterns.ldb: 891 ms
winnow_bad_cw.hdb: 891 ms
winnow_extended_malware.hdb: 984 ms
winnow_extended_malware_links.ndb: 891 ms
winnow_malware.hdb: 907 ms
winnow_malware_links.ndb: 890 ms
winnow_phish_complete.ndb: 890 ms
winnow_phish_complete_url.ndb: 875 ms
winnow_spam_complete.ndb: 875 ms


Cheers,


Steve
Twitter: @sanesecurity



Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Steve Basford


On Wed, December 12, 2018 8:59 am, Al Varnell wrote:
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all
> of them have been removed. Should I conclude that the PhishTank
> organization signatures are resulting in a high False Positive count? Are
> they simply accepting all the submissions they get as valid fishing
> attempts and not QAing them before release?

Not sure but just to add that phishtank.ndb is still up and running and
has been for quite some time...  so might end up with some duplicates for
those already using phishtank.ndb:

eg

phishtank.ndb:

VIRUS NAME: PhishTank.Phishing.5433945
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
{STRING_ALTERNATIVE:.|/}trck DOT me/459690/

vs

daily.ndb:

VIRUS NAME: Phishtank.Phishing.PHISH_ID_5433945-6762532-0
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
http://trck DOT me/459690/

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Steve Basford


On Tue, December 11, 2018 1:58 pm, Sunny Marwah wrote:

Hi Sunny/All,

Here's the summary

The phishing attempt looks like this html code:

h-t-t-p-s:/-/-pastebin DOT com/TL5WUJZh

This first link is just a hijacked graphic and won't be in safebrowsing...

h-t-t-p-s:-/-/gokdenizhealthtourism DOT com/js/logo.gif

This next link is the "bad" phishing link:

h-t-t-p-s:/-/-nompao DOT com/boa.php

The above link is currently blank and isn't currently in safebrowsing,
however, you can report it here:

https://safebrowsing.google.com/safebrowsing/report_badware/

VirusTotal is showing a clean link too on the phishing link:

https://www.virustotal.com/#/url/27abfb7ec2849ebadf75dcf899bc0f2aa3a491897bcef3ad2179ed30bb2eb258/detection


You can submit the sample to ClamAV to add detection of the phish contents
here (regardless of the url's that are being used)

https://www.clamav.net/reports/malware

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford




On 10 December 2018 17:21:05 "G.W. Haywood"  wrote:


Hi there,

On Mon, 10 Dec 2018, Steve Basford wrote:


... MiscreantPunch099-Low.ldb for additional detection but can hit
scanning performance.


Can you give any estimate (however rough) of the performance hit?


Scanning a small file... With each database... Not hugely scientific... 
Just relative to each other...


badmacro.ndb: 937 ms
blurl.ndb: 1125 ms
bofhland_cracked_URL.ndb: 859 ms
bofhland_malware_attach.hdb: 859 ms
bofhland_malware_URL.ndb: 844 ms
bofhland_phishing_URL.ndb: 828 ms
crdfam.clamav.hdb: 844 ms
doppelstern.hdb: 844 ms
doppelstern.ndb: 844 ms
doppelstern-phishtank.ndb: 828 ms
foxhole_all.cdb: 844 ms
foxhole_all.ndb: 844 ms
foxhole_filename.cdb: 938 ms
foxhole_generic.cdb: 860 ms
foxhole_js.cdb: 828 ms
foxhole_js.ndb: 828 ms
foxhole_mail.cdb: 828 ms
junk.ndb: 1750 ms
jurlbl.ndb: 985 ms
jurlbla.ndb: 906 ms
lott.ndb: 859 ms
malware.expert.hdb: 828 ms
malware.expert.ldb: 860 ms
malware.expert.ndb: 859 ms
MiscreantPunch099-INFO-Low.ldb: 922 ms
MiscreantPunch099-Low.ldb: Possible Performance Issue: 10407 ms
phish.ndb: 4282 ms
phishtank.ndb: 1172 ms
porcupine.ndb: 922 ms
rogue.hdb: 859 ms
scam.ndb: 1156 ms
scamnailer.ndb: 3953 ms
shelter.ldb: 843 ms
spam.ldb: 844 ms
spamattach.hdb: 891 ms
spamimg.hdb: 844 ms
spear.ndb: 1532 ms
spearl.ndb: 828 ms
winnow.attachments.hdb: 829 ms
winnow.complex.patterns.ldb: 860 ms
winnow_bad_cw.hdb: 844 ms
winnow_extended_malware.hdb: 937 ms
winnow_extended_malware_links.ndb: 844 ms
winnow_malware.hdb: 828 ms
winnow_malware_links.ndb: 843 ms
winnow_phish_complete.ndb: 843 ms
winnow_phish_complete_url.ndb: 828 ms
winnow_spam_complete.ndb: 844 ms


Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford


On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote:
> Default clam sigs obviously are not catching these, but wondering if
> anyone has them included in a third party that rather FP friendly.
>
> I also just tested a yara from here, and it seems to work, but not
> certain about FPs from it either.
>
Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
but can hit scanning performance.

ClamAV settings in clamd.conf can also be tweaked to block documents with
macro and or passwords.


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Adding a custom signature for spam

2018-11-12 Thread Steve Basford

On Mon, November 12, 2018 8:54 am, turgut kalfaoğlu wrote:
> Hello there. I was fed up with some repeated spam that was coming our
> way, and had the idea that it would be great if the clamd could stop these.

Are these being detected with 3rd party signatures?

> $ echo This is a text line from the annoying spam | sigtool --hex-dump
>

Try -n

eg.

echo -n This is a text line from the annoying spam|sigtool --hex-dump
5468697320697320612074657874206c696e652066726f6d2074686520616e6e6f79696e67207370616d

echo This is a text line from the annoying spam|sigtool --hex-dump
5468697320697320612074657874206c696e652066726f6d2074686520616e6e6f79696e67207370616d0d0a

Note that line feed 0d0a etc. at the end of the signature, which may
cause it to fail.

-- 
Cheers,

Steve
Twitter: @sanesecurity
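An added Python example, not from the post, that does what the `echo -n` tip does: it builds a .ndb line (Name:TargetType:Offset:HexSignature) from a text fragment with any trailing CR/LF stripped, then checks both the stripped and the CRLF-terminated variants against a constructed message body so the 0d0a failure is visible. The signature names and the message body are made up for the demonstration.

```python
import binascii

# The spam line from the post; its hex form is what sigtool --hex-dump prints.
SPAM_LINE = "This is a text line from the annoying spam"

# Constructed message body (not from the post): the spam line is followed by a
# bare LF, as it would be in a mail stored with Unix line endings.
BODY = (b"Subject: special offer\r\n\r\n"
        b"Hello,\n"
        b"This is a text line from the annoying spam\n"
        b"Regards\n")


def hex_dump(data):
    """Hex-encode bytes the way sigtool --hex-dump prints them: lowercase, no separators."""
    return binascii.hexlify(data).decode("ascii")


def text_to_ndb(name, text, target_type=0, offset="*"):
    """Build one .ndb line (Name:TargetType:Offset:HexSignature) from a text fragment.

    Trailing CR/LF is stripped first, which is the `echo -n` effect from the post:
    the hex body must not end in 0d0a (or 0a) unless those bytes really are part
    of what should be matched.
    """
    body = text.encode("utf-8").rstrip(b"\r\n")
    if not body:
        raise ValueError("signature body is empty after stripping line endings")
    return "%s:%d:%s:%s" % (name, target_type, offset, hex_dump(body))


def ndb_matches(sig_line, data):
    """Minimal matcher for a plain-hex .ndb body (no ??/* wildcards, offset '*' only)."""
    _name, _target_type, offset, hexsig = sig_line.strip().split(":", 3)
    if offset != "*":
        raise NotImplementedError("only offset '*' is handled in this example")
    return bytes.fromhex(hexsig) in data


def compare():
    """Match the stripped and the CRLF-terminated variants against BODY."""
    stripped = text_to_ndb("Local.Spam.AnnoyingLine", SPAM_LINE)
    # What a plain `echo` (0d0a in the post) feeds to sigtool: the line plus CR LF.
    with_crlf = ("Local.Spam.AnnoyingLine.CRLF:0:*:"
                 + hex_dump((SPAM_LINE + "\r\n").encode("utf-8")))
    return {"stripped": ndb_matches(stripped, BODY),
            "with_crlf": ndb_matches(with_crlf, BODY)}


if __name__ == "__main__":
    for sig, hit in compare().items():
        print("%-10s %s" % (sig, "matches" if hit else "no match"))
```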



Re: [clamav-users] ICON_HASH signature for PE files

2018-11-09 Thread Steve Basford


On Fri, November 9, 2018 9:00 am, Irshad wrote:
> Hi,
>

>
> My apologies, if I am missing something obvious. I spent around 3 hours

Hi Irshad

Not sure if this will help but there are a few icon based sigs I think in
the current daily.cvd

So unpack them and then grep for IconG, something like this:

sigtool --unpack-current=daily
grep "IconG" daily.ldb

You can then see some examples on how they are used.

-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] ClamAV 0.101.0 beta rar issue

2018-11-08 Thread Steve Basford
Hi,

Using a cdb sig in this format:

Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*

The above sig will work on a Rar pre v5 format file, to catch a *single*
exe in a rar file.

In ClamAV 0.101.0 beta (which has Rar v5 support), the above
wasn't detecting anything, but should have.

According to the documents... CDB signature:

FilePos
:  file  position  in  container  (counting  from  *1*);  absolute  value  or
range


In a Rar v3 archive, with a SINGLE exe inside using Clamav-0.99.4:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:2:1173764330:

(note: the :2: part for FilePos)

In a Rar v3 archive, with a SINGLE exe inside using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:request for quotation:182253:378880:0:1:1173764330:

(note: the :1: part for FilePos)


In a Rar v5 archive, with a SINGLE exe inside, using ClamAV 0.101.0 beta:

LibClamAV debug: CDBNAME:CL_TYPE_RAR:402906:Request For Quotation 142537.exe:402906:3851480:0:1:4067430729:

(note: the :1: part for FilePos)


So, Clamav-0.99.4 on a Rar v3 file reports the *first* file as 2 for the
FilePos.

ClamAV 0.101.0 beta on a Rar v3 or v5 archive... reports the *first* file
as 1 for the FilePos.

Which is a bit of an issue for backwards compatibility...

I could change Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*
to match any file position, eg:
Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:*:*:*
but might have a higher FP rate.

I guess the old rar unpacker starts at filepos 2, the new one, starts at
filepos 1, which matched the documentation.

I guess the new unpacker could be changed to just add a +1 to the filepos
and then adjust the documents ?

The above was tested using: clamav-0.101.0-beta-win-x86-portable

-- 
Cheers,

Steve
Twitter: @sanesecurity
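As an added example (not from the post and not ClamAV's own code): a small Python parser and matcher for .cdb signatures and for the CDBNAME debug records quoted above, which shows why the FilePos 2 signature stops matching once the unpacker reports the first file at position 1, and that FilePos `*` matches both. The debug-line layout, the `N-M` range syntax for the numeric fields and the sample records are assumptions based on the post; Python's `re` stands in for ClamAV's regex engine.

```python
import re

# Field layout of a ClamAV .cdb (container metadata) signature, as given in
# the post and in the ClamAV signature documentation.
CDB_FIELDS = ("name", "container", "csize", "fname_re", "fsize_in",
              "fsize_real", "encrypted", "filepos", "res1", "res2")

# Layout of the "CDBNAME:" debug line, inferred (assumption) from the records
# quoted in the post: container type, container size, file name, size in
# container, real size, encrypted flag, file position, two reserved values.
REC_FIELDS = ("container", "csize", "fname", "fsize_in", "fsize_real",
              "encrypted", "filepos", "res1", "res2")


def parse_cdb(line):
    """Split one .cdb line into a dict keyed by CDB_FIELDS."""
    parts = line.strip().split(":")
    if len(parts) != len(CDB_FIELDS):
        raise ValueError("expected %d ':'-separated fields, got %d"
                         % (len(CDB_FIELDS), len(parts)))
    sig = dict(zip(CDB_FIELDS, parts))
    re.compile(sig["fname_re"])  # reject a broken FileNameREGEX up front
    return sig


def parse_debug_record(line):
    """Parse a 'LibClamAV debug: CDBNAME:...' line into a dict keyed by REC_FIELDS."""
    marker = "CDBNAME:"
    idx = line.find(marker)
    if idx < 0:
        raise ValueError("not a CDBNAME debug record")
    parts = line[idx + len(marker):].strip().split(":")
    if len(parts) < len(REC_FIELDS):
        raise ValueError("truncated CDBNAME record")
    # A file name may itself contain ':'; the six trailing fields never do.
    fname = ":".join(parts[2:-6])
    rec = dict(zip(REC_FIELDS, [parts[0], parts[1], fname] + parts[-6:]))
    for key in ("csize", "fsize_in", "fsize_real", "encrypted", "filepos"):
        rec[key] = int(rec[key])
    return rec


def _num_ok(spec, value):
    """'*' matches anything, 'N' matches exactly N, 'N-M' is an inclusive range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(spec) == value


def cdb_matches(sig, rec):
    """True if the container record satisfies every field of the signature."""
    if sig["container"] not in ("*", rec["container"]):
        return False
    for field in ("csize", "fsize_in", "fsize_real", "filepos"):
        if not _num_ok(sig[field], rec[field]):
            return False
    if sig["encrypted"] != "*" and int(sig["encrypted"]) != rec["encrypted"]:
        return False
    # Python's re stands in for ClamAV's own regex engine; the post's pattern
    # only uses syntax both accept.
    return re.search(sig["fname_re"], rec["fname"]) is not None


# The signature from the post, and the relaxed form with FilePos '*'.
SIG_FILEPOS_2 = ("Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:"
                 r"(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:*")
SIG_FILEPOS_ANY = SIG_FILEPOS_2.replace(":2:*:*", ":*:*:*")

# Constructed records modelled on the post's debug output (file name taken from
# the v5 record so the regex can match): 0.99.4 reports the single .exe at
# FilePos 2, 0.101.0 beta reports it at FilePos 1 for both Rar v3 and v5.
REC_0994_V3 = ("LibClamAV debug: CDBNAME:CL_TYPE_RAR:182253:"
               "Request For Quotation 142537.exe:182253:378880:0:2:1173764330:")
REC_0101_V3 = REC_0994_V3.replace(":0:2:", ":0:1:")
REC_0101_V5 = ("LibClamAV debug: CDBNAME:CL_TYPE_RAR:402906:"
               "Request For Quotation 142537.exe:402906:3851480:0:1:4067430729:")


def results():
    """Match both signatures against the three records: {label: [hit, hit, hit]}."""
    recs = [parse_debug_record(r) for r in (REC_0994_V3, REC_0101_V3, REC_0101_V5)]
    out = {}
    for label, text in (("filepos=2", SIG_FILEPOS_2), ("filepos=*", SIG_FILEPOS_ANY)):
        sig = parse_cdb(text)
        out[label] = [cdb_matches(sig, r) for r in recs]
    return out


if __name__ == "__main__":
    for label, hits in results().items():
        print(label, hits)  # filepos=2 [True, False, False]; filepos=* [True, True, True]
```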



Re: [clamav-users] More MBL FPs

2018-10-29 Thread Steve Basford

All whitelisted this morning anyway.

Cheers,

Steve
Twitter: @sanesecurity

On 29 October 2018 10:21:13 am Paul Stead  wrote:

MBL_17895395

MBL_17662054

MBL_17962226




Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-26 Thread Steve Basford



On 26 October 2018 12:30:45 Paul Stead  wrote:


Woo, more -

MBL_17674787
MBL_17784910


Personally I'd stop using them... as Malware Patrol don't seem to want to 
improve the situation.


So although I do whitelist.. like I have with the above ones... it'll be an 
ongoing task/pain.




Tried to post to the Sanesecurity list but didn't seem to come through (


Hmmm... Odd I'll test later.

Cheers,

Steve
Twitter: @sanesecurity




Paul

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
Direct: 01706 902018
Web: zen.co.uk






Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Steve Basford


On Wed, October 24, 2018 9:05 am, Al Varnell wrote:
> I cannot argue that malware does not show up in Google Docs which is wide
> open to anybody that wants to post there, as I know it has occurred. Not
> sure how big a problem it has become for Google to police. I think it
> would be better if malwarepatrol were to list the specific site where the
> malware was reportedly found, rather than condemning the entire
> sub-domain.

Agreed

Plus as the signature name changes for the blocked domain... you'd have to
do something like:

grep "68747470733a2f2f646f63732e676f6f676c652e636f6d" | cut -d "=" -f1 > mbl.ign2

... each time you download... and re-generate the whitelist name.



-- 
Cheers,

Steve
Twitter: @sanesecurity
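
The grep/cut step above regenerates the .ign2 whitelist from the raw signature file each time it is downloaded. As an added example (not code from the post or from Sanesecurity), here is the same idea in Python: it assumes the file is in ClamAV .ndb layout (name:target:offset:hexbody), decodes each body, and whitelists only signatures that condemn an entire allowlisted host, leaving path-specific URLs blocked and wildcard signatures for manual review; the sample lines and names are constructed.

```python
"""Build ClamAV .ign2 whitelist entries from URL-style .ndb signatures.

Added example, not code from the post or from Sanesecurity.  Assumes the
signature file uses the .ndb layout name:target:offset:hexbody and that
an .ign2 file lists one signature name per line.
"""
import re
from urllib.parse import urlsplit

PLAIN_HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Constructed sample with made-up names; the URL bodies are hex-encoded in
# code so the encoding is exact (68747470733a2f2f is "https://").
_SAMPLE_URLS = [
    ("MBL_0000001", "https://docs.google.com"),                 # whole host
    ("MBL_0000002", "https://evil.example/download"),           # not allowlisted
    ("MBL_0000003", "https://drive.google.com"),                # whole host
    ("MBL_0000004", "https://docs.google.com.evil.example/x"),  # lookalike host
    ("MBL_0000005", "https://docs.google.com/document/d/abc"),  # one document
]
SAMPLE_NDB = "\n".join(f"{n}:0:*:{u.encode().hex()}" for n, u in _SAMPLE_URLS)
# A body containing a ClamAV wildcard (*) does not decode to a single string.
SAMPLE_NDB += "\nMBL_0000006:0:*:68747470733a2f2f*2e676f6f676c652e636f6d\n"


def parse_ndb(text):
    """Return (name, target, offset, body) tuples for every signature line."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed .ndb line: {line!r}")
        sigs.append(tuple(parts))
    return sigs


def decode_body(body):
    """Decode a plain hex body; None if it uses wildcards (*, ??, {n-m}, (a|b)),
    because such a signature matches more than one string and needs a human."""
    if not PLAIN_HEX.match(body):
        return None
    return bytes.fromhex(body).decode("utf-8", errors="replace")


def condemns_whole_host(decoded, allowed_hosts):
    """True when the decoded string is only scheme://host (no path or query)
    for an allowlisted host or a subdomain of it.  A lookalike such as
    docs.google.com.evil.example does not end in '.docs.google.com', and a
    URL with a path names a specific file, so both stay blocked."""
    try:
        parts = urlsplit(decoded)
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    if not host or parts.path not in ("", "/") or parts.query:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def build_ign2(ndb_text, allowed_hosts):
    """Return (ign2_text, review): ign2_text whitelists whole-host signatures
    on allowlisted hosts; review lists wildcard signatures to check by hand."""
    allowed = {h.lower() for h in allowed_hosts}
    whitelist, review = [], []
    for name, _target, _offset, body in parse_ndb(ndb_text):
        decoded = decode_body(body)
        if decoded is None:
            review.append(name)
        elif condemns_whole_host(decoded, allowed):
            whitelist.append(name)
    return "".join(f"{n}\n" for n in whitelist), review


if __name__ == "__main__":
    ign2, review = build_ign2(SAMPLE_NDB, {"docs.google.com", "drive.google.com"})
    print(ign2, end="")                    # MBL_0000001 and MBL_0000003
    print("needs manual review:", review)  # ['MBL_0000006']
```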



[clamav-users] Sanesecurity FP Alert

2018-10-04 Thread Steve Basford

@sanesecurity:

News: Sanesecurity.Rogue.0hr.20181004-1536 is causing FPs.

Fixed but reload signatures ASAP

Will investigate what went wrong.

Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] Malwarepatrol false positive

2018-09-18 Thread Steve Basford


On 18 September 2018 16:33:28 Paul Stead  wrote:


Yet another Malwarepatrol FP:

MBL_14437114


White listing as we speak... Sigh


Re: [clamav-users] Rar unpacker

2018-09-15 Thread Steve Basford

On 16 September 2018 00:03:06 Paul  wrote:


Hello

Is support for a RAR V5  unpacker in the pipeline


Yes :)

https://bugzilla.clamav.net/show_bug.cgi?id=11959

Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] Malwarepatrol false positive

2018-09-04 Thread Steve Basford

On 4 September 2018 18:52:04 Mark G Thomas  wrote:


Hi,

Good grief! Yet another.  So much for Malware patrol!


Sigh.



# sigtool --find-sigs MBL_13497693|  sigtool --decode-sigs


Pushing out a whitelist entry to the mirrors as I type.

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Steve Basford



On 31 August 2018 17:52:26 Mark G Thomas  wrote:


Hi,

And YET ANOTHER today. I figured others here might want the heads up.

[root@imx0 conf]# sigtool --find-sigs MBL_13226139 |  sigtool --decode-sigs


Sigh.

I've just added it to the main Sanesecurity whitelist.

Thanks for the heads up.

Cheers,

Steve
Twitter: @sanesecurity





Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford

Had a reply back regarding the false positives


Hello,

Thank you for contacting us and for reporting potential problems with our 
ClamAV signatures. The two entries mentioned were removed from the block 
lists and data feeds a few days ago. Our users and customers should be able 
to download new versions of the feeds according to their subscriptions.

Our means of communication for reporting problems or to ask for assistance 
is via this email address: supp...@malwarepatrol.net. We'd appreciate it if 
you could direct anybody with inquiries to directly contact us.

Once again, thank you for reporting this issue.

Regards,

Luciana
Malware Patrol Team


So if anyone else sees FPs the above email should be a starting point.

Cheers,

Steve
Twitter: @sanesecurity
On 29 August 2018 18:52:31 "Steve Basford"  
wrote:



On Tue, August 21, 2018 12:31 pm, Al Varnell wrote:

OK, I don't think there is anything that ClamAV can do about it since
it's an UNOFFICIAL.

Maybe Steve Basford from SaneSecurity can put some pressure on them. He
usually reads what's posted here.


I've just sent them an email and a contact form entry on the issues we've
been seeing of late... basically asking them to improve their quality
control and not give other 3rd party signatures or indeed ClamAV a bad
name.

Not sure if it'll help but we'll see.

FPs will happen... but it's about the frequency of them... and how quickly they
get fixed that's the key issue.

--
Cheers,

Steve
Twitter: @sanesecurity







Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford


On Tue, August 21, 2018 12:31 pm, Al Varnell wrote:
> OK, I don't think there is anything that ClamAV can do about it since
> it's an UNOFFICIAL.
>
> Maybe Steve Basford from SaneSecurity can put some pressure on them. He
> usually reads what's posted here.

I've just sent them an email and a contact form entry on the issues we've
been seeing of late... basically asking them to improve their quality
control and not give other 3rd party signatures or indeed ClamAV a bad
name.

Not sure if it'll help but we'll see.

FPs will happen... but it's about the frequency of them... and how quickly they
get fixed that's the key issue.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread Steve Basford
Just whitelisted for those using download scripts.. using the ign2 file on 
the Sanesecurity mirrors.


Cheers,

Steve
Twitter: @sanesecurity
On 27 August 2018 19:16:49 Mark G Thomas  wrote:


Hi,

This seems to be an ongoing trend.

I can't believe someone thought this would be a good idea!

   # sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs
   VIRUS NAME: MBL_13087222
   DECODED SIGNATURE:
   https://docs.google.com


On Tue, Aug 21, 2018 at 04:31:28AM -0700, Al Varnell wrote:

OK, I don't think there is anything that ClamAV can do about it since
it's an UNOFFICIAL.
Maybe Steve Basford from SaneSecurity can put some pressure on them. He
usually reads what's posted here.
-Al-
On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:

They did this in April, 2017 also.  When I reported it as a false
positive at that time, they responded with:
"Thank you for contacting us.  There is a file hosted there with a
vague
AV classification.  After further reviewing it, we've decided to remove
the URL from our block lists and data feeds."
I'm beginning to get the feeling they don't have any type of review
process in place.
On Mon, 20 Aug 2018, Al Varnell wrote:

Submit to fp (at) malwarepatrol.net.
-Al-
On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:

Hi, fyi
# sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
VIRUS NAME: MBL_12952716
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://drive.google.com





--
Mark G. Thomas (m...@misty.com), KC3DRE






Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Steve Basford


On Tue, August 21, 2018 12:27 pm, Dave McMurtrie wrote:
>
> I'm beginning to get the feeling they don't have any type of review
> process in place.

I whitelisted the sig on the Sanesecurity mirrors this morning UK time:

21/08/2018 @ 11:37

It's usually quicker to do that, if not ideal.


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Bytecode 86 failed to run

2018-08-08 Thread Steve Basford

That suggests that the actual default value of --bytecode-timeout might
be 5000.


Yep...

https://github.com/Cisco-Talos/clamav-devel/blob/76d0d93d4f11a43f237cce495765b0f95d4352d1/shared/optparser.c

Ie...

   { "BytecodeTimeout", "bytecode-timeout", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, 5000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Set bytecode timeout in milliseconds.", "5000"},

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Steve Basford
Just posting a little regarding the Yara issue with 0.100.x:

After a little bit of testing last week... here's what was found:

It seems that in ClamAV 0.100.x, if the Yara file uses pe.imports *and* has
*multiple* rules inside the single Yara file, it crashes Linux versions of
ClamAV.


If the Yara rule uses pe.imports (which, btw, isn't supported in ClamAV)
and is changed from:

all of ($user*) and pe.imports("advapi32.dll")

to:


all of ($user*)


Then ClamAV doesn't crash in 0.100.x.

Whereas leaving the rule intact (in pre 0.100.x) it just didn't crash.


There's a bugzilla about it here:


https://bugzilla.clamav.net/show_bug.cgi?id=12077#c14


My little issue is with this statement:

"It wasn't quite clear at the offset of this bug, but ClamAV cannot
support unofficial signatures from a development standpoint. For numerous
reasons, we do not regress against those signatures, and in cases where
sig writers publish non-functional signatures due to insufficient testing
(which then cause crashes in newer versions of clam) we cannot devote our
resources to fixing that problem." (above Bugzilla)


I can see where the above is coming from generally... *but* it's always
been known that Yara pe module import was an issue...

eg:


https://blog.clamav.net/2015/06/clamav-099b-meets-yara.html

"There are currently a few limitations of YARA rules within ClamAV 0.99
beta1, due either to nonexistent ClamAV capabilities or to YARA features
that did not fit well into the ClamAV processing model. We hope to further
evaluate and include as much of this functionality as possible in
subsequent releases. YARA rules using any of the following features will
be flagged in error, and the respective rules will be disabled:

* Modules – A YARA feature intended to provide modular extensions to the
YARA core. Modules are normally activated using the import keyword. "


So, I feel that the issue is not the fact that ClamAV isn't supporting the
import module... but the fact that now ClamAV crashes on 0.100.x where
before it didn't.

Yararules won't change their rules which need the pe.import module,
because well, that's how Yara will detect things on non-ClamAV software.



-- 
Cheers,

Steve
Twitter: @sanesecurity
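
The workaround described above (dropping the pe.imports condition so ClamAV 0.100.x stops crashing) can be done by screening a rule file before it is loaded. As an added example that is not code from the post, YARA or ClamAV, this Python splits a rule file into rules, flags those whose condition references an imported module, and emits only the module-free rules; the sample rule file is constructed around the condition quoted in the post.

```python
"""Screen a YARA rule file for module use before loading it into ClamAV.

Added example, not code from the post, YARA or ClamAV.  Assumes the usual
`import "name"` lines and `rule NAME { ... }` bodies, and looks for module
references (pe., math., hash., ...) only in each rule's condition section.
"""
import re

RULE_HEAD = re.compile(r"(?<!\w)(?:(?:private|global)\s+)*rule\s+(\w+)")
IMPORT_RE = re.compile(r'^\s*import\s+"([A-Za-z_]+)"', re.M)

# Constructed sample: one plain rule and the pe.imports condition from the post.
SAMPLE_YAR = '''
import "pe"

rule users_only   // plain strings, loadable by ClamAV
{
    strings:
        $user1 = "user32.dll" nocase
        $user2 = "{ braces inside a string }"
    condition:
        all of ($user*)
}

rule users_and_imports
{
    strings:
        $user1 = "user32.dll" nocase
    condition:
        all of ($user*) and pe.imports("advapi32.dll")
}
'''


def split_rules(text):
    """Return (name, rule_text) pairs by brace matching at depth 0, skipping
    quoted strings and comments so braces inside them are not counted."""
    rules, i, n = [], 0, len(text)
    depth, start, name = 0, None, None
    while i < n:
        if text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif text[i] == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            i = j + 1
        else:
            m = RULE_HEAD.match(text, i) if depth == 0 and start is None else None
            if m:
                start, name, i = m.start(), m.group(1), m.end()
                continue
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0 and start is not None:
                    rules.append((name, text[start:i + 1]))
                    start = name = None
            i += 1
    return rules


def module_refs(rule_text, modules):
    """Imported modules that the rule's condition references (e.g. pe.imports)."""
    condition = rule_text.split("condition:", 1)[-1]
    return sorted(m for m in modules
                  if re.search(rf"(?<![\w.$#@!]){m}\.", condition))


def partition_for_clamav(text):
    """Return (clean_text, dropped): clean_text keeps only rules with no module
    references (import lines omitted); dropped lists (name, modules) pairs."""
    modules = set(IMPORT_RE.findall(text))
    kept, dropped = [], []
    for name, body in split_rules(text):
        refs = module_refs(body, modules)
        if refs:
            dropped.append((name, refs))
        else:
            kept.append(body)
    return "\n\n".join(kept) + "\n", dropped


if __name__ == "__main__":
    clean, dropped = partition_for_clamav(SAMPLE_YAR)
    print("dropped (need module support):", dropped)  # [('users_and_imports', ['pe'])]
    print(clean)
```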



Re: [clamav-users] Strange Problem with a Virus inside a rar file

2018-07-26 Thread Steve Basford


On Thu, July 26, 2018 10:49 am, Tech wrote:

> Last week we got a mail which contained a scr file inside a rar
> clamav-milter let it through and saying it's clean. After that the windows
> security essentials software on one of our clients detected the virus
> inside the rar package.

Hi Drees,

Unrar library might not be installed correctly (from memory)

or

It may be a Rar v5 archive, which ClamAV can't currently unpack.

see:

https://bugzilla.clamav.net/show_bug.cgi?id=11959

If you can load 7zip on your system.. do a list and see if it's a type Rar5:

eg 7z l Swift_Copy.rar

Type = Rar5

or send me a sample off-list and I'll check for you.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] How to run clamav 0.100.1 on Win server 2012 version?

2018-07-18 Thread Steve Basford

On Wed, July 18, 2018 10:35 am, Tiến Hưng Phan wrote:
> Hello clamav support team,
>
>
> I'm using clamav 0.100.1 on Windows server 2012.
> When I run clamscan.exe to scan a file, it show a dialog that I'm missing
> "api-ms-win-crt-runtime-l1-1-0.dll". How can I run clamav on Windows
> server 2012? I can run old version of clamav 0.99.4 with success.

Seem to remember that you need this installed:

Visual C++ Redistributable for Visual Studio 2015

eg:

https://www.microsoft.com/en-in/download/details.aspx?id=48145


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Steve Basford


On Wed, June 27, 2018 11:32 am, Joel Esler (jesler) wrote:
> Just fixed it.
>
>
Thanks Joel... all working now...

main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-24686.cdiff [100%]
Downloading daily-24687.cdiff [100%]
Downloading daily-24688.cdiff [100%]
Downloading daily-24689.cdiff [100%]
Downloading daily-24690.cdiff [100%]
Downloading daily-24691.cdiff [100%]
Downloading daily-24692.cdiff [100%]
Downloading daily-24693.cdiff [100%]
Downloading daily-24694.cdiff [100%]
Downloading daily-24695.cdiff [100%]
Downloading daily-24696.cdiff [100%]
Downloading daily-24697.cdiff [100%]
Downloading daily-24698.cdiff [100%]
Downloading daily-24699.cdiff [100%]
Downloading daily-24700.cdiff [100%]
daily.cld updated (version: 24700, sigs: 1995321, f-level: 63, builder: neo)
Downloading bytecode-322.cdiff [100%]
bytecode.cld updated (version: 322, sigs: 90, f-level: 63, builder: neo)
Database updated (6561660 signatures) from db.gb.clamav.net (IP: 104.16.185.138)

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Steve Basford


On Wed, June 27, 2018 2:42 am, Joel Esler (jesler) wrote:
> Db.us should be good on both now.
>

> Worked perfectly from California, but with .cdiff updates, not the entire


Just checked and gb doesn't work


ClamAV update process started at Wed Jun 27 09:37:20 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: clamav-0.99.4 Recommended version: 0.100.0
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
WARNING: Can't get information about db.gb.clamav.net: Unknown error
WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
WARNING: Can't get information about db.gb.clamav.net: Unknown error
WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
WARNING: Can't get information about db.gb.clamav.net: Unknown error
WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
WARNING: Can't get information about db.gb.clamav.net: Unknown error
WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
WARNING: Can't get information about db.gb.clamav.net: Unknown error
WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: Can't get information about db.gb.clamav.net: Unknown error
WARNING: Can't download daily.cvd from db.gb.clamav.net

I then checked...

ping db.gb.clamav.net


Which fails to ping

Whereas us works

ping db.us.clamav.net

Pinging db.us.clamav.net.cdn.cloudflare.net [104.16.187.138] with 32 bytes of data:

Reply from 104.16.187.138: bytes=32 time=22ms TTL=60
Reply from 104.16.187.138: bytes=32 time=25ms TTL=60

uk works

ping db.uk.clamav.net

Pinging db.uk.clamav.net.cdn.cloudflare.net [104.16.188.138] with 32 bytes of data:

Reply from 104.16.188.138: bytes=32 time=29ms TTL=60


So, db.gb.clamav.net needs fixing
-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] [Fwd: Sad News: Tom Shaw]

2018-06-05 Thread Steve Basford



 Original Message 
Subject: Sad News: Tom Shaw
From:"Steve Basford" 
Date:Tue, June 5, 2018 9:30 am
To:  sanesecur...@freelists.org
Cc:  sanesecurity_annou...@freelists.org
--

It is with great sadness that I have to report that Tom Shaw of oitc.com
(winnow signatures) has passed away.

Tom was involved in the early days of 3rd Party ClamAV signatures (around
2009) and since then his signatures have helped many users block both spam
and malware alike.

Rest in peace Tom, you'll be sorely missed.
  _
(\o/)
 /_\


--

You are receiving this email because you opted in to receive these types
of emails from us.

If you would rather not receive this type of communication please email
priv...@sanesecurity.com to unsubscribe. or to unsubscribe from our normal
mailing lists  visit https://sanesecurity.com/support/mailing-list/

Alternatively, you can keep up to date via Twitter @sanesecurity or via
the website www.sanesecurity.com


Steve
Sanesecurity.com
Twitter: @sanesecurity



Re: [clamav-users] Attachments

2018-05-15 Thread Steve Basford via clamav-users

On Tue, May 15, 2018 12:57 pm, Todd Aiken via clamav-users wrote:
> ___
> clamav-users mailing list clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
>
> http://www.clamav.net/contact.html#ml
>
>

Which reminds me... could this be fixed too...

Clicks needed:

http://lists.clamav.net/pipermail/clamav-virusdb/2018-May/date.html
http://lists.clamav.net/pipermail/clamav-virusdb/2018-May/005886.html

"An embedded and charset-unspecified text was scrubbed..."

http://lists.clamav.net/pipermail/clamav-virusdb/attachments/20180501
/8057fecf/attachment.ksh

Before you get to this bit...

"ClamAV Signature Publishing Notice

Datefile:   daily
Version:24529
Publisher:  Alain Zidouemba
New Sigs:   408
Dropped Sigs:   0
Ignored Sigs:   593"


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positives

2018-04-29 Thread Steve Basford

On Sun, April 29, 2018 3:29 am, Micah Snyder (micasnyd) wrote:
> What I think Joel is saying is that your MBL signatures are coming
> through SaneSecurity, not from Cisco/Talos official ClamAV rule set.
>
>
Hi Micah,

MBL signatures are produced and distributed by MalwarePatrol, nothing to
do with Sanesecurity.

MalwarePatrol can be added as an option from the main download script here:

https://github.com/extremeshok/clamav-unofficial-sigs

MalwarePatrol FP's can be reported here:  fp (_a_t_) malwarepatrol.net

On the Sanesecurity mirrors, sigwhitelist.ign2 has the following whitelist
entries:

MBL_6882958
MBL_6888621
MBL_6913896

So, that might help a little until they fix the issues.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positives

2018-04-27 Thread Steve Basford

Hi Alex...

I've whitelisted the two sigs... until they fix them.. so that might help a 
little.


Cheers,

Steve
Twitter: @sanesecurity
On 28 April 2018 04:23:51 Alex  wrote:

Hi,

I can't imagine outright blocking https://goo.gl is not a mistake.

MBL_6882958 and MBL_6888621 both hit on https://goo.gl.





Re: [clamav-users] Another Open Source anti-malware project

2018-03-23 Thread Steve Basford


On 23 March 2018 19:25:08 Paul Kosinski  wrote:

I just came across this Open Source anti-malware project called "Linux
Malware Detect". Anybody know anything about this?

https://hydrasky.com/network-security/linux-malware-detect-lmd/

It's been going a while and can also be enabled with other sigs here:

https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/README.md

Cheers,

Steve
Twitter: @sanesecurity






Re: [clamav-users] .0-rc has been posted!

2018-03-23 Thread Steve Basford

On Thu, March 22, 2018 9:44 pm, Joel Esler (jesler) wrote:

> ClamAV 0.100.0-rc has been posted!

Just a quick bit of feedback with a few test VM's:

32bit Windows XP:

"fails" - "is not a valid Win32 application"

** Where as ClamAV-0.99.4 runs fine on XP **

https://stackoverflow.com/questions/35664861/how-to-target-windows-xp-in-microsoft-visual-studio-c


32 bit Vista: runs ok
64 bit Win7:  runs ok

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Daily version 24256

2018-01-29 Thread Steve Basford

>I would like to reproduce the problem again to force the error in order to
>be able to establish a system alarms or warnings with Nagios scripting

>Anybody knows how can I get daily.cld version 24256? Any link to download
>it?

You could create this: badsig.ldb:

Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274

(watch the line wraps)

On windows, for example, using the sig:


clamscan --database=badsig.ldb testfile

LibClamAV Warning: cli_unlink: failure - Permission denied

but as it's a Warning... error level is still 0.


-- 
Cheers,

Steve
Twitter: @sanesecurity
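
The badsig.ldb line above is a logical signature: a name, a target description block, a logical expression over numbered subsignatures, then the hex subsignatures themselves. As an added example (not the post's code nor ClamAV's), this Python parses that exact line, decodes the subsignatures for review, rejects expressions that reference a subsignature that does not exist, and runs a simplified byte-level matcher on constructed text; it assumes the grammar noted in the comments and does not reproduce ClamAV's Target:7 text normalisation.

```python
"""Parse, sanity-check and test-match a ClamAV logical (.ldb) signature.
Added example, not code from the post or from ClamAV.  Assumed layout:
name;TargetDescriptionBlock;LogicalExpression;subsig0;subsig1;... with each
subsig as [offset:]hex.  Matching here is a byte-level simplification."""
import re

# The signature from the post, joined across the mail line wraps.
BADSIG_LDB = (
    "Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;"
    "0:207075626c69632073756220;0:2073756220;"
    "EOF-15:203d202272652220656e6420696620;657865202f63207374617274"
)
# Constructed, harmless sample texts; only the first contains every piece.
SAMPLE_HIT = (b" public sub go()\n  x = \"cmd.exe /c start notepad\"\n"
              b"  if x = \"re\" end if ")
SAMPLE_MISS = b" public sub go()\n  x = 1\n  if x = \"re\" end if "


def parse_ldb(line):
    """Split an .ldb line into name, TDB dict, expression and decoded subsigs."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("expected name;TDB;expression;subsig...")
    name, tdb, expr, *subsigs = fields
    parsed = []
    for raw in subsigs:
        offset, _, hexpat = raw.rpartition(":")  # no ':' means any offset (*)
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexpat):
            raise ValueError(f"subsig is not plain hex: {raw!r}")
        parsed.append((offset or "*", bytes.fromhex(hexpat)))
    return {"name": name, "expr": expr, "subsigs": parsed,
            "tdb": dict(item.split(":", 1) for item in tdb.split(","))}


def evaluate(expr, matched, nsubsigs):
    """Evaluate the logical expression for a set of matched subsig indexes.
    Assumed grammar: expr := term ('|' term)*, term := atom ('&' atom)*,
    atom := '(' expr ')' | index ('&' binds tighter than '|'; count operators
    =, <, > are not handled).  Every index is range-checked."""
    tokens = re.findall(r"\d+|[()&|]", expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unsupported expression: {expr!r}")
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"malformed expression: {expr!r}")
        pos += 1
        return tokens[pos - 1]
    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        if not tok.isdigit() or int(tok) >= nsubsigs:
            raise ValueError(f"bad subsig reference {tok!r} in {expr!r}")
        return int(tok) in matched
    def and_expr():
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            take()
            value = atom() and value  # atom() runs first, so it is checked
        return value
    def or_expr():
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            take()
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def subsig_hits(subsigs, data):
    """Indexes of subsigs present in data, honouring N, EOF-N and * offsets."""
    hits = set()
    for i, (offset, pattern) in enumerate(subsigs):
        if offset == "*":
            found = pattern in data
        elif offset.startswith("EOF-"):
            start = len(data) - int(offset[4:])
            found = start >= 0 and data[start:start + len(pattern)] == pattern
        elif offset.isdigit():
            start = int(offset)
            found = data[start:start + len(pattern)] == pattern
        else:
            raise ValueError(f"offset {offset!r} not supported by this example")
        if found:
            hits.add(i)
    return hits


def scan(ldb_line, data):
    sig = parse_ldb(ldb_line)
    hits = subsig_hits(sig["subsigs"], data)
    return sig["name"] if evaluate(sig["expr"], hits, len(sig["subsigs"])) else None
```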



Re: [clamav-users] False positive -- I hope

2018-01-28 Thread Steve Basford




I *think* that this signature flags *all* zipped JS files, and (IIRC)
both Firefox and Thunderbird have JS-containing JAR files. I hope that
is all it is.



Yep that's it.

Foxhole_filename, Foxhole_all, Foxhole_generic and Foxhole_js all have 
different FP levels... depending on what you see your risks as.


Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread Steve Basford

On Fri, January 26, 2018 3:35 pm, Dianne Skoll wrote:
> On Fri, 26 Jan 2018 15:18:10 +
> David Shrimpton  wrote:
>
>
>> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
>> restarting clamd fixed the problem.
>
> Thank you!  That was immensely helpful.

Thanks!

Dropped on the Sanesecurity mirrors using sigwhitelist.ign2.

I'll remove tomorrow or when the sig is fixed.

As 3rd party sigs are downloading hourly, it may fix it for some people
quicker than their normal freshclam settings.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Steve Basford

Could you list the signatures in your clamav database folders?

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] Improving clamscan speed?

2017-12-16 Thread Steve Basford

What can I do to speed up the clamscan process?


Hi Dan,

Sorry this is a little brief...

Skipping files you aren't interested in scanning might help a little...

clamscan --exclude='\.(jpg|jpeg|png|gif)$'

Choose a smaller file size to scan..

--max-filesize=300M --max-scansize=300M

Cheers,

Steve
Twitter: @sanesecurity




[clamav-users] clamav-0.99.3-beta1-win32

2017-09-19 Thread Steve Basford
Probably just a post for windows users but...

If you are using:

clamav-0.99.3-beta1-win32.msi, under Vista and get an error:


Vista etc:

VCRUNTIME140.dll is missing (running on 32 bit Vista)

Fix by installing Visual C++ Redistributable for Visual Studio 2015


Under Windows XP:


sigtool.exe etc.: "not a valid win32 application" (running on Windows XP Virtual)


Joel: Is XP/Vista being dropped in the next build? If it is, I think
a blog statement would be good before the 0.99.3 release hits so XP
VM users etc. are aware.

I did spot a way to build XP, if that's an easy fix:

Possible build fix (building the executable with the v140_xp toolset?)

https://msdn.microsoft.com/en-us/library/jj851139.aspx

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Unable to download database

2017-08-23 Thread Steve Basford

On Wed, August 23, 2017 8:26 am, lukn555 wrote:
> Good Day ClamAV List
>
>
> Since yesterday at around noon CET I've been having issues downloading
> the ClamAV database:


Same here in the UK...

Can't query daily.0.82.0.1.814301DA.ping.clamav.net
Wed Aug 23 08:14:39 2017 -> Giving up on db.gb.clamav.net...
Wed Aug 23 08:14:39 2017 -> ClamAV update process started at Wed Aug 23 08:14:39
Wed Aug 23 08:14:39 2017 -> main.cld is up to date (version: 58, sigs: 4566249,
Wed Aug 23 08:14:41 2017 -> WARNING: getpatch: Can't download daily-23699.cdiff
Wed Aug 23 08:14:41 2017 -> WARNING: getpatch: Can't download daily-23699.cdiff
Wed Aug 23 08:14:41 2017 -> WARNING: getpatch: Can't download daily-23699.cdiff
Wed Aug 23 08:14:41 2017 -> WARNING: getpatch: Can't download daily-23699.cdiff
Wed Aug 23 08:14:41 2017 -> ERROR: getpatch: Can't download daily-23699.cdiff fr
Wed Aug 23 08:14:41 2017 -> WARNING: Incremental update failed, trying to downlo
Wed Aug 23 08:14:41 2017 -> Trying host database.clamav.net (129.67.1.218)...
Wed Aug 23 08:15:14 2017 -> Downloading daily.cvd [100%]
Wed Aug 23 08:15:15 2017 -> WARNING: Mirror 129.67.1.218 is not synchronized.
Can't query daily.0.82.0.1.814301DA.ping.clamav.net
Wed Aug 23 08:15:15 2017 -> Giving up on database.clamav.net...
Wed Aug 23 08:15:15 2017 -> Update failed. Your network may be down or none of t
Wed Aug 23 08:15:15 2017 -> --

and

Can't connect to port 80 of host db.gb.clamav.net (IP: 81.91.100.173)
Trying host db.gb.clamav.net (129.67.1.218)...
nonblock_recv: giving up due to excessive bogus loops
WARNING: getfile: Error while reading database from db.gb.clamav.net (IP: 129.67.1.218): Unknown error
WARNING: getpatch: Can't download daily-23697.cdiff from db.gb.clamav.net
WARNING: getpatch: Can't download daily-23697.cdiff from db.gb.clamav.net
WARNING: getpatch: Can't download daily-23697.cdiff from db.gb.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Downloading daily.cvd [100%]
LibClamAV debug: Initialized 0.99.2 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = f01678b14488419c5e8f5206c7bb4786
LibClamAV debug: cli_cvdverify: MD5 verification error
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
ERROR: Verification: Can't verify database integrity
Trying again in 5 secs...
ClamAV update process started at Wed Aug 23 09:12:31 2017
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
LibClamAV debug: in cli_untgz()



-- 
Cheers,

Steve
Twitter: @sanesecurity

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] sanesecurity: Permission denied

2017-08-03 Thread Steve Basford

On Thu, August 3, 2017 3:06 pm, Reindl Harald wrote:
>

>
>
> frankly you have one or more mirrors which just don't work at all for a
> long time, a friend just looked for a working one, hardcoded the IP and
> has never seen that errors again

The problem was fixed on 1 mirror but seems to have come back again... so
I've just removed the 1 mirror... for further testing.

Also, please don't hardcode the IP. It may have been a simple workaround..
but longer term it doesn't help.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Signature not detected

2017-07-18 Thread Steve Basford

On Mon, July 17, 2017 10:22 pm, Alex wrote:
> Hi guys, just submitted an "ace" archive with a .cmd inside.
>
>
> # sha1sum PROFORMA\ INVOICE_xls.ace
> 97757622d5d568b01faa9d662818eebd40b1e0c0  PROFORMA INVOICE_xls.ace
>

Hi,

I've added Sanesecurity.Malware.27099.AceHeur.Cmd to the detections...

> We've now disabled "ace" files (who even knew they existed?)

I used to use .ace a long time ago... but for those that don't know...

" ACE is a proprietary data compression archive file format developed by
Marcel Lemke, and later bought by e-merge GmbH. The peak of its popularity
was 1999–2001, when it provided slightly better compression rates than
RAR, which has since become more popular."
Source: https://en.wikipedia.org/wiki/ACE_(compression_file_format)

Also, a few .ace files that have come through... aren't really ace files
but renamed rar files... in this case though it's an ace file.


-- 
Cheers,

Steve
Twitter: @sanesecurity


Re: [clamav-users] sanesecurity: Permission denied

2017-07-03 Thread Steve Basford

On Mon, July 3, 2017 11:58 am, Reindl Harald wrote:
> issues like below are also reported by a friend on his machines for some
> days, randomly with different files

I'm looking into it -- will email off-list

-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] WannaCry

2017-05-15 Thread Steve Basford
Sorry for the slightly off-topic post but just in case this helps...

MS17-010 Summary


1. malwarehash.hsb

175+ hashes in malwarehash.hsb (Sanesecurity.MalwareHash.WannaCry) added
over the weekend

2. MS17-010 nmap network scan script

https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

usage:

nmap -sC -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010.nse
X.X.X.X/X

Source: https://gist.github.com/Neo23x0/60268852ff3a5776ef66bc15d50a024a


3. MS17-010 Windows Patches

http://www.catalog.update.microsoft.com/Search.aspx?q=MS17-010

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] disabling a database

2017-05-11 Thread Steve Basford

On Thu, May 11, 2017 6:40 am, Al Varnell wrote:
> while Spam detection is all done using UNOFFICIAL sigs.

Not quite: Malware, Phishing and Spam...

http://sanesecurity.com/usage/signatures/

And a lot of people decide the emails fate with "pam_score_maps" scoring..

eg:

http://sanesecurity.com/support/problems/


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] FilenameRegex and case sensitivity

2017-05-03 Thread Steve Basford

On Wed, May 3, 2017 8:19 am, kionez wrote:
> Hi all,
>
>
> I wonder how I can use a case-insensitive FilenameRegex in signatures
> based on container metadata.
>
> I.E.: if I would like to match "word", "Word" and "worD" (and so on), my
> rule will be something like:
>
> TEST.TestFilename.001:CL_TYPE_ZIP:*:[wW][oO][rR][dD]:*:*:*:*:*:*
>
>
> Is there a way to avoid this unreadable way? Something like "/word/i" ?
> :)
Foxhole_filename.cdb etc. use this sort of thing...

Sanesecurity.Foxhole.test:CL_TYPE_ZIP:*:(?i)word\.xls$:*:*:*:*:*:*

Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Need help: clamd stops after starting without any error message

2017-04-19 Thread Steve Basford

On Wed, April 19, 2017 10:13 am, Torge Riedel wrote:
> Well, was not enabled. After setting
>
>
> LogSyslog true

Might be worth turning on debug temporarily... clamd.conf and freshclam.conf

# Enable debug messages in libclamav.
# Default: no


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Identify Threat Risk Level with ClamAV

2017-04-14 Thread Steve Basford




On 14 April 2017 17:31:21 Reindl Harald  wrote:


SanSecurity creating signature database files based and it showing risk
status of malware


sanesecurity shows *risk of false-positives*
don't confuse such basics


That's correct, it's a *very rough* fp guide for each database, as each 
user's fp risk view could be different.


Malware, adware, ransomware, Trojans  etc. are all bad... just with 
slightly different end results.


Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] Java.Malware fps

2017-04-07 Thread Steve Basford

On Fri, April 7, 2017 7:24 am, Henrik K wrote:
>

> Who's flooding crappy samples around, and why is ClamAV making sigs of
> tiny class files like
> org/eclipse/aether/impl/RemoteRepositoryManager.class?
>
>
The odd few I've checked are hashes in daily.hsb:

cd9bcebd235258962913a210ff938a5a:2623:Java.Malware.Agent-6205983-0:73
b6aa66e635ff2c1225d734c3f2577994:1452:Java.Malware.Agent-6205984-0:73

So, possibly part of the auto-generated ones.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] clamav antivm.yar malicious_document.yar and errors

2017-04-05 Thread Steve Basford

On Wed, April 5, 2017 3:24 pm, Rejaine Monteiro wrote:
>

> Hello, I'm having some errors with these signatures in clamav-0.99.2.
> Any tips on what it is about or how to solve?
>

See here: 3rd Party download script:

https://github.com/extremeshok/clamav-unofficial-sigs/issues/151

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steve Basford




On 31 March 2017 18:45:58 Mark Foley  wrote:


Per advice on this list, I downloaded and installed the clamav-unofficial-sigs
scripts from the link on Sanesecurity.


2. I run a cron'd clamscan job to scan mail folders several time a day. I get
the following errors which are new since installing the unofficial-sigs:


See...

you can comment out these lines in the master.conf:

#email/EMAIL_Cryptowall.yar|LOW # CryptoWall Resume phish
#Antidebug_AntiVM/antidebug_antivm.yar|LOW # anti debug and anti 
virtualization techniques used by malware


See... issues page from here...

https://github.com/extremeshok/clamav-unofficial-sigs

Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Steve Basford




On 31 March 2017 19:14:36 Steven Morgan  wrote:


Mauro,

It is not clear what MailFollowURL did. Have a look at
docs/phishsigs_howto.pdf for a description of how to scan for URLs. This
may have subsumed MailFollowURL.


It did a curl on any urls found in the body and fetched the content... 
before scanning the content... bit of a summary here...


https://lists.gt.net/clamav/users/22230




Cheers,

Steve
Twitter: @sanesecurity




Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Steve Basford

On Fri, March 31, 2017 8:44 am, Arnaud Jacques / SecuriteInfo.com wrote:
> Received this message :
>
>
> --  Message transmis  --
>
> This is Coco from IObit (www.iobit.com).
>
>
> Your program ClamAV reports the file RegistryDefragBootTime.exe as
> Win.Trojan.Agent-5776271-0 which is absolutely clean without any Trojan.

Looks like it's a ClamAV hash signature...

daily.hsb:a500f83ecc7aad400ee677b096193a95:24352:Win.Trojan.Agent-5776271-0:73
-- 
Cheers,

Steve
Twitter: @sanesecurity
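Added example (not from the thread or from ClamAV), in Python, for the .hsb hash-signature format quoted in this reply and in the Java.Malware fps reply above: it indexes md5:size:name lines, accepts the "daily.hsb:" grep prefix, and looks a file up by MD5 and size, with the "*" size wildcard as a fallback. The sample payloads and the two Constructed.Test.* entries are constructed; the other two lines are the daily.hsb entries quoted above.

```python
"""Look up files against ClamAV .hsb hash signatures (md5:size:name[:flevel])."""
import hashlib
from typing import Optional, Union

Key = tuple[str, Union[int, str]]


def parse_hsb(text: str) -> dict[Key, str]:
    """Index .hsb lines by (md5, size); size is an int, or '*' for the any-size wildcard."""
    index: dict[Key, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        # grep output as quoted in the thread ("daily.hsb:<md5>:...") carries the
        # file name as a first field; drop it so the same parser handles both.
        if parts[0].endswith(".hsb"):
            parts = parts[1:]
        if len(parts) < 3:
            raise ValueError(f"malformed .hsb line: {raw!r}")
        digest, size, name = parts[0].lower(), parts[1], parts[2]
        index[(digest, "*" if size == "*" else int(size))] = name
    return index


def lookup(index: dict[Key, str], data: bytes) -> Optional[str]:
    """Return the signature name matching data (exact-size entries first), else None."""
    digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
    return index.get((digest, len(data))) or index.get((digest, "*"))


# Constructed sample payloads (arbitrary bytes, not malware).
SAMPLE_A = b"constructed sample A"
SAMPLE_B = b"constructed sample B"


def build_sample_db() -> str:
    """Constructed .hsb text: the two daily.hsb entries quoted in the thread plus
    two constructed entries, one with a fixed size and one using the '*' wildcard."""
    md5_a = hashlib.md5(SAMPLE_A, usedforsecurity=False).hexdigest()
    md5_b = hashlib.md5(SAMPLE_B, usedforsecurity=False).hexdigest()
    return "\n".join([
        "cd9bcebd235258962913a210ff938a5a:2623:Java.Malware.Agent-6205983-0:73",
        "b6aa66e635ff2c1225d734c3f2577994:1452:Java.Malware.Agent-6205984-0:73",
        f"{md5_a}:{len(SAMPLE_A)}:Constructed.Test.Sized:73",
        f"{md5_b}:*:Constructed.Test.AnySize:73",
    ])


if __name__ == "__main__":
    idx = parse_hsb(build_sample_db())
    print(lookup(idx, SAMPLE_A), lookup(idx, SAMPLE_A + b"!"), lookup(idx, SAMPLE_B))
```

Because a hash entry matches exactly one file, a false positive like the one reported here is fixed by dropping that single line rather than by touching any pattern logic.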



Re: [clamav-users] Heuristics.Filetype.ZipWithJS

2017-03-28 Thread Steve Basford

On Tue, March 28, 2017 1:23 pm, Reindl Harald wrote:
>

>
> Am 28.03.2017 um 14:20 schrieb Matteo Dessalvi:
>
>> Hello.
>>
>>
>> Regarding your first question you can execute the following
>> tools from the command line:
>>
>> sigtool --find-sigs=Heuristics.Filetype.ZipWithJS-6162396-0 | sigtool
>> --decode-sigs
>>
>
> Heuristics are *not* signatures

Except in this case... it was a .cdb signature which *was* called
Heuristics.Filetype.ZipWithJS-6162396-0:

It was dropped...

http://lists.clamav.net/pipermail/clamav-virusdb/attachments/20170327/a00f1950/attachment.ksh

Dropped Detection Signatures:
Heuristics.Filetype.ZipWithJS-6162396-0

So, slightly confusing... but that's why sigtool --decode-sigs worked:

VIRUS NAME: Heuristics.Filetype.ZipWithJS-6136370-0
CONTAINER TYPE: CL_TYPE_ZIP
CONTAINER SIZE: ANY
FILENAME REGEX: \.[A-Za-z]{3}\.js$
COMPRESSED FILESIZE: ANY
UNCOMPRESSED FILESIZE: ANY
ENCRYPTION: IGNORED
FILE POSITION: 1
CRC SUM: ANY


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Heuristics.Filetype.ZipWithJS

2017-03-28 Thread Steve Basford

> 1. Where can I find information about what kind of threat this?

\.[A-Za-z]{3}\.js$

FP Source example:
https://www.mobileread.com/forums/showthread.php?p=3496981

Ie. any .js inside a zip file that starts with 3 letters will get blocked.


-- 
Cheers,

Steve
Twitter: @sanesecurity
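Added example (not from the thread or from ClamAV), in Python, for the .cdb container-metadata signatures quoted in the FilenameRegex reply and decoded in the ZipWithJS replies above: it parses the colon-separated fields, then runs the filename regex and the FILE POSITION field over the entries of an in-memory zip. The ZipWithJS line is reconstructed from the decoded fields shown above, the Foxhole line is the one quoted earlier, and the zip contents are constructed.

```python
"""Evaluate ClamAV .cdb (container metadata) signatures against zip entries."""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class CdbSig:
    name: str
    container: str           # e.g. CL_TYPE_ZIP
    regex: re.Pattern        # filename regex, inline flags such as (?i) included
    file_pos: Optional[int]  # 1-based entry position, None when the field is '*'


def parse_cdb_line(line: str) -> CdbSig:
    """Parse one .cdb line. Field order follows the decoded form printed by
    sigtool --decode-sigs: name, container type, container size, filename regex,
    compressed size, uncompressed size, encryption, file position, CRC, reserved.
    Assumes the regex itself contains no ':' (true for the signatures quoted above)."""
    fields = line.strip().split(":")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    name, container, _csize, fn_regex, _csz, _usz, _enc, pos, _crc, _res = fields
    return CdbSig(
        name=name,
        container=container,
        regex=re.compile(fn_regex),
        file_pos=None if pos == "*" else int(pos),
    )


def match_zip(sig: CdbSig, zip_bytes: bytes) -> list[str]:
    """Names of zip entries the signature would flag (only the fields this
    example models: container type, filename regex and file position)."""
    if sig.container != "CL_TYPE_ZIP":
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for position, info in enumerate(zf.infolist(), start=1):
            if sig.file_pos is not None and position != sig.file_pos:
                continue
            if sig.regex.search(info.filename):
                hits.append(info.filename)
    return hits


def build_zip(names: list[str]) -> bytes:
    """Constructed in-memory zip with placeholder content, one entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder content, constructed for this example")
    return buf.getvalue()


# Signature quoted in the FilenameRegex reply (case-insensitive via (?i)).
FOXHOLE_SIG = r"Sanesecurity.Foxhole.test:CL_TYPE_ZIP:*:(?i)word\.xls$:*:*:*:*:*:*"
# Reconstructed from the decoded ZipWithJS fields above (position 1, everything else ANY).
ZIPWITHJS_SIG = r"Heuristics.Filetype.ZipWithJS-6136370-0:CL_TYPE_ZIP:*:\.[A-Za-z]{3}\.js$:*:*:*:1:*:*"

if __name__ == "__main__":
    foxhole = parse_cdb_line(FOXHOLE_SIG)
    print(match_zip(foxhole, build_zip(["Word.XLS", "report.docx", "WORD.xls.exe"])))
    zipjs = parse_cdb_line(ZIPWITHJS_SIG)
    print(match_zip(zipjs, build_zip(["invoice.pdf.js", "readme.js", "app.min.js"])))
```

The second run shows why the ZipWithJS rule was an FP risk: a name such as invoice.pdf.js is flagged purely on its shape and its position as the first entry, with no look at the file content.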



Re: [clamav-users] FP: ScamNailer.Phish.en_notification_AT_made-in-china.com

2017-03-23 Thread Steve Basford

On Thu, March 23, 2017 2:05 pm, Reindl Harald wrote:
> [ScamNailer.Phish.en_notification_AT_made-in-china.com.UNOFFICIAL(ad638b8
> abc0d0af59ded4aa2835061e3:293969)]

Thanks for the report, I've removed the sig.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] how to find Html.Phishing.Auction-214

2017-03-22 Thread Steve Basford

On Wed, March 22, 2017 12:52 pm, Hajo Locke wrote:
> Hello,
>
>
> have an issue here with this signature. Html.Phishing.Auction-214 is found
VIRUS NAME: Html.Phishing.Auction-214

Here you go...

TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
sein, weil sie ei[][][]nen fehler gemacht haben, als sie ihre details
eingetragen habe
n, oder dass das konto {WILDCARD_ANY_STRING(LENGTH>=1&&<=7)}berhaupt nicht
aktua
lisiert wurde

remove [][][]


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford

On Thu, March 9, 2017 11:03 am, Groach wrote:
> So what are we saying?
>
> Clamwin people need to be made aware of this?  Or ARE aware of this and
> complicit?
ClamWin should be aware of this by now... let's hope they make a statement
of what the issues are (if any) and what versions.

For example, here's how notepad++ handled the issue:
https://notepad-plus-plus.org/news/notepad-7.3.3-fix-cia-hacking-issue.html

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford

On Thu, March 9, 2017 11:09 am, Al Varnell wrote:
> Or is it based on older versions, like most of the items contained in
> those documents?  I suspect that the ClamWin developers are the only ones
> that can tell us what has been or will be done about it.

Exactly, it could just be old version... but a ClamWin statement would
be nice...

-- 
Cheers,

Steve
Twitter: @sanesecurity



[clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford
Just for those who haven't spotted ClamWin in the leak:

https://wikileaks.org/ciav7p1/cms/page_27262995.html

Clam Portable
http://portableapps.com/apps/security/clamwin_portable

ClamWin:
http://www.clamwin.com/

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steve Basford

On Fri, March 3, 2017 7:20 pm, Alain Zidouemba wrote:
> We're pulling the signature causing the issue now, while we investigate
> the cause.
>
> - Alain
Hi Alain,

I think the fix is... Replace ? with ?P  when the PCRE library is old

ie.  ?< to ?P<

On...

Doc.Macro.GenericHeuristic-5901772-0
Doc.Macro.GenericHeuristic-5931846-1


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steve Basford

It's a macro-detecting .ldb sig that fails due to an old PCRE engine being used.

The sig can be rewritten to work on older PCRE versions... or you need to 
update.


Sorry I can't help more.

Cheers,

Steve
Twitter: @sanesecurity



On 3 March 2017 17:39:48 "Aaron C. Bolch"  wrote:


Greetings,

After Daily Update 23161 was applied, the following error happened:

Database initialization error: can’t compile engine: Malformed Database

When starting Clamd:

LibCLamAV Error: cli_pcre_compile: PCRE compilation failed at offset 52: 
unrecognized character after (?<

LibClamAV Error: cli_pcre_build: failed to build pcre regex

Would this be a problem with the update, or something on my end?

--Aaron
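Added example (not from the thread or from ClamAV), in Python, of the ?< to ?P< rewrite suggested above for .ldb PCRE subsignatures: it rewrites only named-group openers (leaving (?<= and (?<! lookbehinds alone) inside the Trigger/PCRE/Flags subsignature fields of an .ldb line. Python's re module accepts only the (?P<name>) spelling, so it stands in here for the older PCRE build that produced the error; the Doc.Macro.Example line is constructed, not one of the real Doc.Macro.GenericHeuristic signatures.

```python
"""Rewrite PCRE named groups so an .ldb PCRE subsignature compiles on an older PCRE."""
import re

# A named-group opener '(?<name>' (but not a lookbehind '(?<=' or '(?<!').
NAMED_GROUP = re.compile(r"\(\?<(?=[A-Za-z_])")
# ldb PCRE subsignature shape: Trigger/PCRE/[Flags]; the last '/' separates the flags,
# so a '/' inside the regex itself is handled correctly.
PCRE_SUBSIG = re.compile(r"^([^/]*)/(.*)/([A-Za-z]*)$")


def downgrade_named_groups(pcre: str) -> str:
    """Turn '(?<name>...)' into the older '(?P<name>...)' spelling; lookbehinds are untouched."""
    return NAMED_GROUP.sub("(?P<", pcre)


def rewrite_ldb_line(line: str) -> str:
    """Apply the rewrite only to the regex part of PCRE subsignatures in one .ldb line."""
    fields = line.rstrip("\n").split(";")
    # Field 0 is the name, 1 the target description, 2 the logical expression;
    # the rest are subsignatures (hex strings or Trigger/PCRE/Flags).
    for i in range(3, len(fields)):
        m = PCRE_SUBSIG.match(fields[i])
        if m:
            trigger, regex, flags = m.groups()
            fields[i] = f"{trigger}/{downgrade_named_groups(regex)}/{flags}"
    return ";".join(fields)


def compiles(pcre: str) -> bool:
    """Python's re module rejects '(?<name>' just as an old PCRE does, so it serves
    here as the stand-in engine for checking a rewritten pattern."""
    try:
        re.compile(pcre)
        return True
    except re.error:
        return False


# Constructed .ldb line (not a real signature): subsig 0 is the hex of "Auto",
# subsig 1 is a PCRE subsig triggered by it, and the logical expression needs both.
SAMPLE_LDB = "Doc.Macro.Example;Engine:81-255,Target:0;0&1;4175746f;0/(?<proc>Auto_?Open)/i"

if __name__ == "__main__":
    print(rewrite_ldb_line(SAMPLE_LDB))
```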






Re: [clamav-users] Javascript file not recognized

2017-02-16 Thread Steve Basford

On Thu, February 16, 2017 7:55 pm, Markus Egg wrote:
> The attached file was in an email as attachment as "bill":
> 319598.js
Detected:

phish.ndb: Sanesecurity.Malware.26652.JsHeur
shelter.ldb: Sanesecurity.Shelter.Malware.JSHeur.004

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] SpoofedDomain FOUND

2017-02-16 Thread Steve Basford

On Thu, February 16, 2017 1:03 pm, Reindl Harald wrote:

> give a man a fish and you feed him for a day; teach a man to fish and you
> feed him for a lifetime

Are you sure that's correct... wasn't it...

Give a man a fish, he eats for a day. Teach a man to fish, he sits in a
boat and drinks beer all day.

I'll get my coat :)

-- 
Cheers,

Steve
Twitter: @sanesecurity


