Re: [clamav-users] Windows packaging

2012-06-25 Thread Török Edwin
On 06/25/2012 05:26 PM, Tom Judge wrote:
 On 25/06/2012 10:10, aCaB wrote:
 FYI unrar license is incompatible with the GPL. That was the 
 rationale in the packaging.
 
 
 Yes that is why they are separate binaries.  As far as we can tell
 there is nothing that states that you can't put them in the same
 archive file for users to install.
 
 No one else separates them in their packages so why should we?

I don't know about the Windows world, but plenty of people separate them on 
Linux:

Debian has a separate libclamunrar6 package in non-free:
http://packages.qa.debian.org/libc/libclamunrar.html

Fedora/EPEL completely remove libclamunrar:
http://pkgs.org/fedora-17/fedora-updates-x86_64/clamav-lib-0.97.5-1700.fc17.x86_64.rpm.html
http://pkgs.org/centos-6-rhel-6/epel-x86_64/clamav-0.97.3-3.el6.x86_64.rpm.html

Best regards,
--Edwin
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Deprecation of Basic signature format

2012-06-15 Thread Török Edwin
On 06/14/2012 08:29 PM, Matt Olney wrote:
 Nathan,
 
 There are no current plans to remove support for that signature format.
  However, you should investigate the alternate formats in case that changes
 in a future version of ClamAV.  In particular look at the .hdb format that
 matches both size and MD5.
 
 Matt

Matt,

I think we should follow our own ML's rules, otherwise how can we expect users 
to do so?

http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Rules:
- Do NOT top-post (see http://wiki.clamav.net/Main/TopPost)

Best regards,
--
Edwin
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: [clamav-users] Deprecation of Basic signature format

2012-06-15 Thread Török Edwin
On 06/14/2012 08:29 PM, Matt Olney wrote:
 Nathan,
 
 There are no current plans to remove support for that signature format.
  However, you should investigate the alternate formats in case that changes
 in a future version of ClamAV.  In particular look at the .hdb format that
 matches both size and MD5.
 

The .ndb format would be a better replacement for .db as they both deal with
patterns in the file (ndb is just more advanced than .db).

Best regards,
--Edwin


Re: [clamav-users] Identifying safebrowsing domains

2012-06-11 Thread Török Edwin
On 06/07/2012 11:23 PM, Alex wrote:
 Hi,
 
 M:displayhostname.com:www.myrealhostname.com

 The M is the type flag for simple hostname comparisons. There are other
 types for regular expressions if you need it.

 Replace the hostnames appropriately and add a line like that to your local
 whitelist (.wdb not .ign2) and you should be good to go.

 That is correct for the anti-phishing feature, but it won't work
 for safebrowsing matches. (whitelist_check never reached, if url_hash_match).

 See phishsigs_howto.pdf GDB format, it describes how to whitelist
 safebrowsing matches in a local.gdb.
 
 Okay, that worked, thanks. Am I reading it correctly that the only way
 to whitelist it is using its hash value?

Currently yes.

--Edwin


Re: [clamav-users] Identifying safebrowsing domains

2012-06-07 Thread Török Edwin
On 06/07/2012 09:57 PM, David Raynor wrote:
 The safebrowsing feature of ClamAV uses a separate domain list and
 whitelist from the other signatures. The blacklisted domains are stored in
 .pdb files, and the whitelist is stored in .wdb files.
 These process
 domains from URLs instead of virus signatures, so that's why trying to use
 your local .ign2 whitelist didn't help.
 
 You'll need both the real URL and the displayed URL from the weblink to
 whitelist a link. Here's an example of a safebrowsing whitelist item. To
 whitelist a link that displays displayhostname.com with a real URL target
 of www.myrealhostname.com, the line will look like this:
 
 M:displayhostname.com:www.myrealhostname.com
 
 The M is the type flag for simple hostname comparisons. There are other
 types for regular expressions if you need it.
 
 Replace the hostnames appropriately and add a line like that to your local
 whitelist (.wdb not .ign2) and you should be good to go.

That is correct for the anti-phishing feature, but it won't work
for safebrowsing matches. (whitelist_check never reached, if url_hash_match).

See phishsigs_howto.pdf GDB format, it describes how to whitelist
safebrowsing matches in a local.gdb.

 
 Dave R.
 
 PS: As for Google's Safebrowsing list, they offer a page to check the
 status for any domain. They do have some transparency on why a domain was
 placed on the list, and links for web administrators to seek remediation.
 http://www.google.com/safebrowsing/diagnostic?site=bestwesternsupply.com

Best regards,
--Edwin
 
 --
 Dave Raynor
 Senior Research Engineer, VRT
 
 
 On Thu, Jun 7, 2012 at 2:26 PM, Alex mysqlstud...@gmail.com wrote:
 
 Hi,

 How can I determine what domains the pattern
 Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net
 contains? I thought it was only a single domain, but it appears to
 contain numerous?

 If that's the case, then I'd prefer to not ignore the whole rule, but
 whitelist one of the domains within the rule. Is that possible?

 If I were to disable this rule, would adding it as it is displayed
 above to the ign2 file be the correct way? For some reason that
 doesn't seem to work here.

 Thanks,
 Alex
 



Re: [clamav-users] ClamAV support for AIX 7.1

2012-05-25 Thread Török Edwin
On 2012-03-08 15:58, Steve G Harnett wrote:
 Hi Edwin,
  as discussed:
 # more libclamunrar_iface.la
 
 # libclamunrar_iface.la - a libtool library file
 # Generated by ltmain.sh (GNU libtool) 2.2.6b Debian-2.2.6b-2
 #
 # Please DO NOT delete this file!
 # It is necessary for linking the library.
 
 # The name that we can dlopen(3).
 dlname=''

This should not be empty.

 # ./libtool --config
 
 # Which release of libtool.m4 was used?
 macro_version=2.2.6b
 macro_revision=1.3017
 
 # Whether or not to build static libraries.
 build_old_libs=yes
 
 # Whether or not to build shared libraries.
 build_libtool_libs=no

This should be 'yes'.

Check config.log on why libtool doesn't support shared libraries on your 
platform.

Best regards,
--Edwin


Re: [clamav-users] clamd high memory use

2012-05-25 Thread Török Edwin
On 2012-05-25 23:25, andrew fabbro wrote:
 I'm running clamd on a CentOS 6 Linux VPS with 1.2GB of overall memory.
 
 clamd is using 300MB of memory - a quarter of the box's memory.  (309m
 VIRT/272m RES). Recycling clamd results in very similar usage right after
 startup (296m/271m)
 
 I'm wondering if there is a way to reduce this memory footprint?

Which version, and do you use extra databases?
I have much lower mem usage:
 2008 clamav    20   0  211m 140m 6260 S    0  1.8   6:27.44 clamd

--Edwin


Re: [clamav-users] clamd high memory use

2012-05-25 Thread Török Edwin
On 2012-05-25 23:46, andrew fabbro wrote:
 On Fri, May 25, 2012 at 1:30 PM, Török Edwin ed...@clamav.net wrote:
 

 Which version, and do you use extra databases?
 I have much lower mem usage:
  2008 clamav    20   0  211m 140m 6260 S    0  1.8   6:27.44 clamd

 
 ClamAV 0.97.4 - pretty much stock.

Try changing MaxThreads to balance memory usage and concurrency, and check
Pool memory usage with clamdtop.

--Edwin


Re: [clamav-users] Licensing DLLs

2012-05-15 Thread Török Edwin
On 05/15/2012 12:26 AM, Paul Smith wrote:
 
 We could talk to clamd using TCP/IP, but since the clamd protocol doesn't 
 seem to be clearly documented, that would involve reverse engineering 
 clamdscan and rewriting it.

The protocol is described in: man 8 clamd

--Edwin


Re: [clamav-users] Virus information database?

2012-05-07 Thread Török Edwin
On 05/07/2012 09:44 PM, Al Varnell wrote:
 On 5/7/12 10:49 AM, Pepijn Schmitz cla...@pepsoft.org wrote:
 
 Hi Chuck,

 On 07-05-12 19:17, Chuck Swiger wrote:
 VirusTotal is a site at https://www.virustotal.com/ which lets one upload
 files and scan them against all of the major malware engines.  This will 
 show
 you all of the false-positive matches and let you see what the malware is
 being called by the various vendors-- that might help track down what the
 payload is and does, and also give you some idea as to which vendors you
 ought to contact and submit your software to as a false-positive.

 Yes I know. Virus Total is what told me that ClamAV (and only ClamAV) is
 identifying my file as containing a trojan:

 https://www.virustotal.com/file/2a7b249b52e7c42c8ca56e97bc4165e0a5e68f8c43808e
 fd8c322e274a34b211/analysis/

 Also, you can run sigtool from ClamAV to see what the hex string that is
 being matched is:

 % sigtool -fTrojan.Agent-281708
 [daily.mdb] 133632:74da9128149f4e678783b4125095d396:Trojan.Agent-281708

 Thanks, good to know. Seems like that hex string is not distinctive
 enough! I already reported the file as a false positive (using ClamTk).
 Are those reports generally responded to quickly? Is there any way I can
 help to speed along the process?

 The hex string being matched is the MD5 of the file, but it doesn't match
 the one listed in VirusTotal so I'm confused here.

It's the MD5 of a section of your executable file [*]; VirusTotal doesn't print
those.

[*] a typical executable has several sections used to store code, data, 
resources, and so on.

Best regards,
--Edwin
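To see concretely why the hash in that .mdb line differs from the whole-file hash VirusTotal shows, here is an added example (not ClamAV's sigtool): it constructs a minimal PE image in memory, hashes the whole file the way an .hdb line does, and hashes each section's raw data the way an .mdb line does. It assumes a fixed FileAlignment of 0x200 and ignores the alignment fix-ups libclamav applies to malformed section tables; `build_sample_pe` and the other names are invented here.

```python
import hashlib
import struct

FILE_ALIGN = 0x200  # FileAlignment assumed for the constructed sample


def _align(n):
    return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN


def build_sample_pe(sections):
    """Construct a minimal PE image in memory (sample input, not a real binary).

    `sections` is a list of (name, raw_bytes). Only the header fields that
    pe_sections() reads are meaningful; everything else is zero-filled.
    """
    num = len(sections)
    opt_size = 0xE0            # PE32 optional header size; its contents are unused here
    e_lfanew = 0x40            # PE signature directly after the 64-byte DOS header
    raw_ptr = _align(e_lfanew + 4 + 20 + opt_size + 40 * num)

    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, num, 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0B\x01" + b"\x00" * (opt_size - 2)   # PE32 magic, rest zero

    table, blobs = b"", b""
    for name, data in sections:
        raw_size = _align(len(data))
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             len(data), 0x1000, raw_size, raw_ptr + len(blobs),
                             0, 0, 0, 0, 0x60000020)
        blobs += data + b"\x00" * (raw_size - len(data))
    headers = bytes(dos) + b"PE\x00\x00" + coff + opt + table
    return headers + b"\x00" * (raw_ptr - len(headers)) + blobs


def pe_sections(image):
    """Return [(name, raw_size, raw_bytes)] from the section table of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        # A malformed file may declare a section running past EOF; clip it to the
        # bytes that actually exist rather than trusting the header.
        raw = image[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\x00").decode("ascii", "replace"), len(raw), raw))
    return out


def hdb_line(image, name):
    """Whole-file hash signature, FileSize:MD5:Name (.hdb format)."""
    return "%d:%s:%s" % (len(image), hashlib.md5(image).hexdigest(), name)


def mdb_lines(image, name):
    """One per-section signature, SectionSize:MD5:Name (.mdb format), per section."""
    return ["%d:%s:%s" % (size, hashlib.md5(raw).hexdigest(), name)
            for _sec, size, raw in pe_sections(image)]


def mdb_matches(image, sig):
    """True if the .mdb signature `sig` matches any section of `image`."""
    size, digest, _name = sig.split(":", 2)
    return any(s == int(size) and hashlib.md5(raw).hexdigest() == digest
               for _sec, s, raw in pe_sections(image))


# Constructed sample: two sections, the second one tiny.
SAMPLE = build_sample_pe([(".text", b"\x55\x89\xE5" * 40), (".data", b"hello clamav\x00")])

if __name__ == "__main__":
    print(hdb_line(SAMPLE, "Sample.Hdb"))
    for line in mdb_lines(SAMPLE, "Sample.Mdb"):
        print(line)
```

Because an .mdb hash covers only one section's raw bytes, the same signature keeps matching a rebuilt binary whose other sections changed, which is also why a whole-file hash from VirusTotal can never be compared against it directly.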


Re: [clamav-users] [sanesecurity] Re: Long DB refresh times

2012-04-26 Thread Török Edwin
On 04/26/2012 08:37 PM, Michael Orlitzky wrote:
 On 04/26/2012 10:32 AM, Dennis Peterson wrote:
 On 4/25/12 7:34 AM, Michael Orlitzky wrote:
 On 04/25/12 07:55, Török Edwin wrote:

 I don't know if this can help speeding up the process but I collected
 some statistics on clamscan of a small file (wallclock duration: ~25sec):

 I think I'm missing some context here: which DB files are slow to load?
 The official ones? Just the sanesecurity ones? Any particular DB from the 
 sanesecurity ones?

 My problem isn't so much that it takes a while to load the signatures,
 but that clamd (and thus the mail server) is effectively down the entire
 time.

 This has been a problem on every Sparc system I've ever installed ClamAV on
 and that goes back quite a few years. I still use it on several Netra 500 MHz
 pizza boxes. It is also quite a memory hole which is more related to the
 available memory and number of sigs, so on memory constrained systems I've
 cut back on the number of SS signatures. And at my peril, I might add, as
 they have long been the most valuable in terms of results. And because of the
 dead time when reloading I've cut freshclam to once a day. That has resulted
 in a net improvement in detections because of the higher availability time.

 
 The signature databases are created once, and loaded thousands of times.
 They should just be sorted, so that lookups are instantaneous.
 
 Then it's trivial to update the databases in the background, because you
 can quickly determine if a particular signature was added or deleted.
 The wall-time-elapsed would be a bit worse, but nobody would care.

It's a bit more complicated than that. To ensure fast pattern matching the
signatures are loaded into an Aho-Corasick trie, for example.
It would be possible to add to the trie (that's what happens when loading
signatures), but removing is more tricky.
And to determine what to remove you need to go through all the signatures in
the database anyway.
Also, updating the loaded signature database would require the scanning threads
to take read locks, which would slow things down and make updating it harder
(right now the loaded signature database is never modified, hence no locks are
needed).

It would be easier to just move reload_db to a different thread and allow
scanning with the old database during the DB reload.
Then, when the DB reload is finished, atomically replace the engine pointer and
free the old engine.
The downside would be that you get twice the memory usage during reload, but
you don't have downtime, so this should probably be controlled by a flag in
clamd.conf.

https://bugzilla.clamav.net/show_bug.cgi?id=790#c14

Best regards,
--Edwin
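The swap-rather-than-lock design sketched above, as an added example that is not clamd's code: scanners take a counted reference to the current engine (the only lock is held for the pointer read plus increment, never during a scan), the reload builds the new engine off the hot path and swaps the pointer, and whichever side drops the last reference frees the old engine. The "database" is a constructed set of hashes and `Engine`, `EngineRegistry` and `demo_reload_without_downtime` are names invented here.

```python
import threading


class Engine:
    """Stand-in for a loaded signature database: immutable once built, so
    scanning threads read it without any locking."""

    def __init__(self, generation, signatures):
        self.generation = generation
        self.signatures = frozenset(signatures)   # constructed sample "database": a set of hashes
        self.refs = 1                              # the registry's own reference
        self.freed = False

    def matches(self, sample_hash):
        return sample_hash in self.signatures


class EngineRegistry:
    """Owns the current engine pointer and hands out counted references.

    The lock guards only the pointer read plus the refcount update, never a
    scan, so it plays the role of the atomic pointer swap described above.
    """

    def __init__(self, signatures):
        self._lock = threading.Lock()
        self._engine = Engine(1, signatures)
        self.live_engines = 1      # engines currently occupying memory

    def acquire(self):
        with self._lock:
            eng = self._engine
            eng.refs += 1
            return eng

    def release(self, eng):
        with self._lock:
            eng.refs -= 1
            if eng.refs == 0:      # last user gone: this is where cl_engine_free would be called
                eng.freed = True
                self.live_engines -= 1

    def reload(self, signatures):
        """Build the new engine off the hot path, then swap it in.

        Scans keep using the old engine until the swap; afterwards the old
        engine stays resident (hence twice the memory) only until its last
        in-flight scan releases it.
        """
        with self._lock:
            generation = self._engine.generation + 1
        new = Engine(generation, signatures)       # the slow part, done without the lock
        with self._lock:
            prev, self._engine = self._engine, new
            self.live_engines += 1
        self.release(prev)                          # drop the registry's reference to the old engine
        return generation

    def scan(self, sample_hash):
        """Scan with whatever engine is current when the scan starts."""
        eng = self.acquire()
        try:
            return eng.generation, eng.matches(sample_hash)
        finally:
            self.release(eng)


def demo_reload_without_downtime():
    """One scan pinned on generation 1 while a reload to generation 2 happens."""
    reg = EngineRegistry({"aaa"})
    acquired, finish = threading.Event(), threading.Event()
    results = {}

    def long_scan():
        eng = reg.acquire()                   # scan begins on generation 1
        acquired.set()
        finish.wait()                         # ...and is still running during the reload
        results["scan"] = (eng.generation, eng.matches("bbb"))
        reg.release(eng)

    worker = threading.Thread(target=long_scan)
    worker.start()
    acquired.wait()
    results["reload_generation"] = reg.reload({"aaa", "bbb"})
    results["live_during"] = reg.live_engines   # 2: old engine pinned by the in-flight scan
    finish.set()
    worker.join()
    results["live_after"] = reg.live_engines    # 1: the scan's release freed the old engine
    results["after"] = reg.scan("bbb")          # served by generation 2
    return results


if __name__ == "__main__":
    print(demo_reload_without_downtime())
```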


Re: [clamav-users] [sanesecurity] Re: Long DB refresh times

2012-04-25 Thread Török Edwin
On 04/25/2012 02:33 PM, Pierre Dehaen wrote:
 On 24 Apr 2012 at 18:11, Steve Basford wrote:
 
 Has anyone else seen these kinds of delays? Is there any way to get
 these databases to load faster or to allow ClamAV to continue scanning
 when the database is being reloaded?

 Sorry for the briefness here, as I'm currently sorting out my home
 internet access...

 For those having issues:

 a) what databases are loaded
 b) what OS are you running

 It could be, as someone else suggested a tipping point in memory, but
 we need to get a handle on db's used etc.

 Perhaps we can then get a set of test data and create a bugzilla clamav
 entry
 
 I don't know if this can help speeding up the process but I collected some
 statistics on clamscan of a small file (wallclock duration: ~25sec):

I think I'm missing some context here: which DB files are slow to load?
The official ones? Just the sanesecurity ones? Any particular DB from the 
sanesecurity ones?

Best regards,
--Edwin


Re: [clamav-users] [sanesecurity] Re: Long DB refresh times

2012-04-25 Thread Török Edwin
On 04/25/2012 03:13 PM, Steve Basford wrote:
 
 
 I think I'm missing some context here: which DB files are slow to load?
 The official ones? Just the sanesecurity ones? Any particular DB from the
 sanesecurity ones?
 
 Hi Edwin,
 
 I'm emailed you off-list... but think I've found the issue and work-around.
 
 Sorry for the cross-post to clamav-users.


Most of the time is spent here:

 96.19%  lt-clamscan  libclamav.so.6.1.13  [.] cli_ac_addpatt
  2.42%  lt-clamscan  libc-2.13.so         [.] __memcmp_sse2

         :      if(!ph_add_after && ph->partno <= pattern->partno && (!ph->next || ph->next->partno > pattern->partno))
   47.55 :        bc098:   movzwl 0x4a(%r12),%eax
    2.34 :        bc09e:   cmp    %ax,0x4a(%rbp)
    0.09 :        bc0a2:   ja     bbf74 <cli_ac_addpatt+0x294>
    0.02 :        bc0a8:   mov    0x58(%rbp),%rdx
    2.03 :        bc0ac:   test   %rdx,%rdx
    0.24 :        bc0af:   je     bc127 <cli_ac_addpatt+0x447>
    3.94 :        bc0b1:   cmp    0x4a(%rdx),%ax
    5.13 :        bc0b5:   cmovb  %rbp,%r13
    7.47 :        bc0b9:   jmpq   bbf74 <cli_ac_addpatt+0x294>

That's because all sigs share a quite long common prefix, as you've found
(in bofhland_malware_URL.ndb).
Perhaps it'd be faster to load these sigs into the BM matcher instead of AC (as
they don't use any NDB features).

Best regards,
--Edwin


Re: [clamav-users] how to build pdf signatures

2012-04-25 Thread Török Edwin
On 04/25/2012 07:32 PM, Benny Pedersen wrote:
 
 where do i find docs for making signatures for pdf ?
 
 lets say i like to scan pdf content for m...@junc.org how should i then 
 create this signature that ONLY hits if its in a pdf ?
 

Look at logical signatures (.ldb), and for Container: CL_TYPE_PDF.

--Edwin


Re: [clamav-users] how to build pdf signatures

2012-04-25 Thread Török Edwin
On 04/25/2012 09:01 PM, Benny Pedersen wrote:
 Den 2012-04-25 18:43, Török Edwin skrev:
 
 Look at logical signatures (.ldb), and for Container: CL_TYPE_PDF.
 
 tryed google it, but ended in google adwords sites with logins :(
 

www.clamav.net/doc/latest/signatures.pdf


--Edwin

Re: [clamav-users] Google Chrome infected?

2012-04-24 Thread Török Edwin
On 04/24/2012 05:43 PM, aCaB wrote:
 On 04/24/12 01:31, Frank Chan wrote:
 5974bc2d26dc0f1e9755ccc2806cfda2  chrome.dll

I got this file, but it's not detected by ClamAV now (and the FP submission form
won't accept it).

 9652e7d2d40f72c4f4acec0e2dea28a1  chrome.7z

The 7z is different for me though (but maybe just because my version is
different):
4D22AB683E7772F82C642F99BA9B6A28 chrome.7z

 
 I'm sorry Frank,
 it appears the upload wasn't successful.
 I can't find neither :/

--Edwin


Re: [clamav-users] Scanning time

2012-04-22 Thread Török Edwin
On 04/22/2012 01:57 AM, Alexandre Dias wrote:
 Hello,
 
 I would like to find out how much time it takes for ClamAV to scan a
 given file (without counting with the initialization phase - just the
 file scanning).
 
 When a scan is run, the time given by ClamAV includes the
 initialization phase, correct?
 
 Is there any way to just get the scanning time, without changing the
 source code?
 

Start clamd, and use clamdscan. That will report just the file scanning time
(plus queuing time in clamd, but if you're the only one using clamd that should 
be close to zero).

Best regards,
--Edwin


Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Török Edwin
On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
 Is there an alternative way of submitting FP's?
 

Are you using this page?
http://www.clamav.net/lang/en/sendvirus/submit-fp/

Best regards,
--Edwin


Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Török Edwin
On 04/19/2012 04:10 PM, Ralf Hildebrandt wrote:
 
 I just tested and it worked fine for me.

 What's exactly the problem on your side?
 
 I keep getting:
 
 Under maintenance. Try again later.
 

How big is the file that you're trying to upload?


--Edwin


Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Török Edwin
On 04/19/2012 04:21 PM, Ralf Hildebrandt wrote:
 How big is the file that you're trying to upload?

 I'm not getting a form, all I get is Under maintenance. Try again
 later. - must be a caching issue somewhere
 
 Varnish (reverse proxy) is giving me this:
 
 $ telnet proxy.charite.de 8080
 Trying 141.42.1.205...
 Connected to proxy.charite.de.
 Escape character is '^]'.
 GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
 
 HTTP/1.0 503 Service Unavailable

Can you try flushing your varnish cache, and trying again?
Maybe for some reason it cached an older 503 page.

I get this when connecting directly to cgi.clamav.net:
GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
X-Cacheable: VarnishResNoCacheHost
Content-Length: 2495
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:25:30 GMT
X-Varnish: 216809903
Age: 0
Via: 1.1 varnish
Connection: close

 Server: Varnish
 Content-Type: text/html; charset=utf-8
 Retry-After: 5
 Content-Length: 284
 Accept-Ranges: bytes
 Date: Thu, 19 Apr 2012 13:20:02 GMT
 X-Varnish: 216808379
 Age: 0
 X-Cache: MISS from proxy-cvk-1
 Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
 Connection: close
 
 
 <?xml version="1.0" encoding="utf-8" ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html>
  <head>
    <title>Maintenance</title>
  </head>
  <body>
    <h1>Under maintenance. Try again later.</h1>
  </body>
 </html>
 Connection closed by foreign host.




Re: [clamav-users] ClamAV detecting SSN in mail

2012-04-18 Thread Török Edwin
On 04/18/2012 06:38 PM, Stephen Guglielmo wrote:
 Hello,
 
 I have a mail system with virus filtering via ClamAV. It has been
 working well, I've tested it with the EICAR check successfully.
 However, ClamAV has been detecting false positives in certain emails
 with the detection Heuristics.Structured.SSN.
 
 This is the most recent email it flagged as
 Heuristics.Structured.SSN, but is a false positive.
 http://lists.freebsd.org/pipermail/freebsd-announce/2012-April/001417.html
 
 It is a announcement on a FreeBSD mailing list. It has no viruses or
 social security numbers.
 
 Is there a way to decrease the sensitivity of this?

Set StructuredSSNFormatStripped to No in clamd.conf (which is the default).
Parts of the MD5/SHA256 from that email are identified as valid SSNs otherwise.

Best regards,
--Edwin


Re: [clamav-users] Hi I look over the source-code

2012-04-03 Thread Török Edwin
On 04/03/2012 08:20 PM, cosmin Tanase wrote:
 Hi I look over the source-code and I can't find the registration to Windows 
 Security Center  SecurityCenter2 / AntiVirusProduct  system

ClamAV doesn't register there.

 
 The source-code of clamAV is not complete ?

It is, but you probably need to look elsewhere for the WSC stuff.
Maybe you're confusing ClamWin with ClamAV.

Best regards,
--Edwin


Re: [clamav-users] Question on processing Jar files

2012-03-26 Thread Török Edwin

On 03/26/2012 12:06 PM, TR Shaw wrote:
 Does ClamAV treat .jar files in a similar fashion as to .zip's?

They are zip files, just with some special filenames inside (META-INF/),
so yes ClamAV should unpack them just as it does with zip files.

--Edwin


Re: [clamav-users] Error updating CLAMAV 0.97.4

2012-03-16 Thread Török Edwin
On 03/16/2012 01:36 AM, Sergio wrote:
 Ok, sorry for the missing information, my server is RHEL 6, 64 bits with
 WHM/CPanel 11.30.6.
 
 I will force update again CLAMAV and see if I can get more info about the
 missing libraries and I post it here.
 
 Thanks for your help.

Might want to try to update bzip2/libbz2.

--Edwin


Re: [clamav-users] ClamAV 0.97.4 - 2 notices

2012-03-16 Thread Török Edwin
On 03/16/2012 02:35 PM, Andreas Schulze wrote:
 Hello,
 
 1.
 I just compiled the new version in my autobuild system for
 multiple version of SuSE Linux Enterprise Servers.
 
 I noticed this RPMLINT report which I like to forward to you for information:
 
 RPMLINT report:
 ===
 clamav.i586: W: shared-lib-calls-exit /usr/lib/libclamav.so.6.1.13 
 exit@GLIBC_2.0
 This library package calls exit() or _exit(), probably in a non-fork()
 context. Doing so from a library is strongly discouraged - when a library
 function calls exit(), it prevents the calling program from handling the
 error, reporting it to the user, closing files properly, and cleaning up any
 state that the program has. It is preferred for the library to return an
 actual error code and let the calling program decide how to handle the
 situation.
 
 Could it be possible that the _exit() is intentionally correct?
 Then I would like to add an exception for my rpmlint...

It is LLVM that uses exit/_exit in Program::Execute for example.
We don't call that function though.

 
 2.
 Avira, a german antivirus vendor, may(*) classify the sourcecode tarball as 
 malicious:
 
 clamav-0.97.4/test/.split/split.clam-pespin.exeaa  PCK/PESpin ; packer ; 
 File has been compressed with an unusual runtime compression tool 
 (PCK/PESpin). Please verify the origin of the file

That is part of the test-file for clamav's PESpin unpacker support. Obviously 
that is clam.exe packed by PESpin, and not malware.

 
 I informed avira and got the response that their av-engine finds unusual
 runtime compression tool commonly used by malware :-(

Yeah, that's why ClamAV has a PESpin unpacker (to unpack malware that uses it),
and a testfile for it (so we make sure it actually works).

Best regards,
--Edwin


Re: [clamav-users] ClamAV support for AIX 7.1

2012-03-08 Thread Török Edwin
On 03/08/2012 12:03 PM, Steve G Harnett wrote:
 Hi Edwin,
 FYI
 Latest version of ClamAV Compiles and runs on AIX 7.1

Thanks, does it also detect all the clam* files in test/ when you scan it with 
clamscan?

Best regards,
--Edwin


Re: [clamav-users] ClamAV support for AIX 7.1

2012-03-08 Thread Török Edwin
On 03/08/2012 01:25 PM, Steve G Harnett wrote:
 Hi Edwin,
 It looks like all but the rar files (we can't run update due to a lack of
 internet on the test system!)
 # pwd
 /swdist/ClamAV/clamav-0.97.3/test
 # /usr/local/bin/clamscan .
 LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found - 
 unrar support unavailable

You can try clamscan --debug to see where it searches for the unrar library,
and then check where it actually got installed and what its name is.

Does AIX support shared libraries? (.so files)
If it doesn't then that's probably why it cannot load the unrar lib.

Best regards,
--Edwin


Re: [clamav-users] ClamAV support for AIX 7.1

2012-03-08 Thread Török Edwin
On 03/08/2012 02:33 PM, Steve G Harnett wrote:
 Hi,
 
 # ./clamscan --debug
 LibClamAV debug: searching for unrar, user-searchpath: /usr/local/lib
 LibClamAV debug: searching for unrar: libclamunrar_iface.so.6.1.12 not 
 found
 LibClamAV debug: searching for unrar: libclamunrar_iface.so.6 not found
 LibClamAV debug: searching for unrar: libclamunrar_iface.so not found
 LibClamAV debug: searching for unrar: libclamunrar_iface.a not found
 LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found - 
 unrar support unavailable
 
 
 # ls -l /usr/local/lib/libclamunrar_iface.a
 -rw-r--r--    1 root     system      32772 Mar  8 11:12 /usr/local/lib/libclamunrar_iface.a
 
 Not sure why it doesn't see this file ??

Is it dlopen-able?
What does 'file /usr/local/lib/libclamunrar_iface.a' say?

 
 
 AIX does have Shared libraries - but none were built in /usr/local/lib

I think AIX has the weirdness that it calls both its shared libraries
and static libraries '.a'.

 
 # ls /usr/local/lib
 libclamav.a     libclamunrar.la         pkgconfig
 libclamav.la    libclamunrar_iface.a
 libclamunrar.a  libclamunrar_iface.la

Not sure if those are shared libs or not, can you paste what 
'libclamunrar_iface.la' contains?
And ./libtool --config output too.

Best regards,
--Edwin


Re: [clamav-users] ClamAV support for AIX 7.1

2012-03-08 Thread Török Edwin
On 03/08/2012 04:15 PM, Steve G Harnett wrote:
 # ./libtool --config
 # Which release of libtool.m4 was used?
 macro_version=2.2.6b
 macro_revision=1.3017
 # Whether or not to build static libraries.
 build_old_libs=yes
 # Whether or not to build shared libraries.
 build_libtool_libs=no

There's your problem: libtool decided NOT to build shared libraries.

You can try forcing it with ./configure --enable-shared --disable-static, and 
see if that works.

--Edwin


Re: [clamav-users] ClamAV support for AIX 7.1

2012-03-07 Thread Török Edwin
On 03/07/2012 04:18 PM, Steve G Harnett wrote:
 Hello all,
 Can anyone tell me if ClamAV is capable of running on AIX 7.1
 and if there
 are any users using it please?

We got occasional compile error reports on AIX 5.x/6.x, and fixed those.
I don't remember any bugreports about AIX 7, so either nobody is using it,
or ClamAV works flawlessly.

If you have access to an AIX 7.1 system here is what you can do:
1. Download ClamAV 0.97.3 (see http://www.clamav.net/lang/en/download/sources/)
2. Build it:
$ ./configure && make
3. Run make check:
$ make check

If you find any problems report it on our bugzilla:
https://bugzilla.clamav.net/

Best regards,
--Edwin


Re: [clamav-users] Bytecode run timed out

2012-03-06 Thread Török Edwin
On 03/06/2012 12:46 PM, Ben Stuyts wrote:
 
 On 5 mrt. 2012, at 15:42, Ben Stuyts wrote:
 

 On 5 mrt. 2012, at 11:07, Török Edwin wrote:

 On 03/05/2012 11:33 AM, Ben Stuyts wrote:
 Hi,

 Since two days, I'm getting lots of these messages while scanning one of 
 the servers here:

 LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
 LibClamAV Warning: Bytcode 3 failed to run: Unknown error code

 This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar  5 01:34:31 2012.

 This brings scanning this server to a crawl, unfortunately, so I had to 
 kill the nightly scans. Does this indicate a problem in the signatures, or 
 is there a problem with the local scanner?


 Can you find out which file is causing this? (run clamscan -v to see what 
 file it is scanning)
 Then please open a bug and attach the file.

 Meanwhile you can try setting the timeout lower, using 
 --bytecode-timeout/BytecodeTimeout (it is 6 ms by default).

 I will do this for the next daily run and get back to you tomorrow.
 
 I ran:
 /usr/local/bin/clamscan -rv --bytecode-timeout=1 /home
 
 It didn't produce any errors this time. Maybe a recent update of the 
 signature database fixed this?
 

There were no updates to bytecode recently. Maybe the file that caused the 
problem is gone already?

--Edwin


Re: [clamav-users] My outdated Clam

2012-03-06 Thread Török Edwin
On 03/06/2012 12:43 PM, Steve Kirkby wrote:
 I can't get through the tech. complexity of upgrading my ClamAV, version 
 2.2.2. 

You mean ClamXav, which is a graphical frontend to ClamAV.
Apparently ClamXav 2.2.2 comes with ClamAV engine version 0.97.2. The latest 
version of the ClamAV engine is 0.97.3.

 I am not a computer engineer, just a user. On getting the daily message in 
 Console that my ClamAV engine is outdated (don't panic), I deleted Clam and 
 its associated files from my machine and redownloaded it from your site.

Which site? Did you download from clamav.net (that  is our site), or 
clamxav.com (this is not our site)?

Best regards,
--Edwin


Re: [clamav-users] My outdated Clam

2012-03-06 Thread Török Edwin
On 03/06/2012 02:23 PM, shuttlebox wrote:
 On Tue, Mar 6, 2012 at 11:43 AM, Steve Kirkby k...@today.plus.com wrote:
 I can't get through the tech. complexity of upgrading my ClamAV, version 
 2.2.2. I am not a computer engineer, just a user. On getting the daily 
 message in Console that my ClamAV engine is outdated (don't panic), I 
 deleted Clam and its associated files from my machine and redownloaded it 
 from your site. I still get the message.

 I have read the FAQ: no help. I have checked that I have only one clam 
 application. I once tried to upgrade just the engine but it was too 
 complicated to do.

 Surely downloading the current version from your site would result in an 
 up-to-date version?

 What to do please? (Perhaps Clam is too unfriendly for ordinary users.)

 Thanks for any help (but no unix code or complex multi-step instructions 
 please).
 
 http://windows.microsoft.com/en-US/windows/products/security-essentials

Does that work on Mac OS X?
X-Mailer shows 'Apple Mail', and version 2.2.2 seems to refer to ClamXav, so 
I'd guess the OP is running Mac OS X.

--Edwin




Re: [clamav-users] Bytecode run timed out

2012-03-06 Thread Török Edwin
On 03/06/2012 01:18 PM, Ben Stuyts wrote:
 
 On 6 mrt. 2012, at 11:47, Török Edwin wrote:
 
 There were no updates to bytecode recently. Maybe the file that caused the 
 problem is gone already?
 
 I doubt it as I got many of those errors during a single run, so I assume 
 there were multiple files.

Let's try something else then.

It says here that bytecode 3 failed to run:
 LibClamAV Warning: Bytcode 3 failed to run: Unknown error code

Run this to find out what is the name of bytecode 3:
$ clamscan --debug /dev/null 2>&1 | grep 'cbc(3)'

For me it says (but it might depend if you have cvd or cld):
LibClamAV debug: Bytecode 814800.cbc(3) has logical signature: 
BC.Exploit.CVE_2010_1885;Engine:52-255,Target:3;0;6863703a2f2f{25-700}736372697074{1-3}6465666572

@Alain: I see we also have BC.Exploit.CVE_2010_1885-2 published, can we just 
drop BC.Exploit.CVE_2010_1885?

Best regards,
--Edwin




Re: [clamav-users] Bytecode run timed out

2012-03-05 Thread Török Edwin
On 03/05/2012 11:33 AM, Ben Stuyts wrote:
 Hi,
 
 Since two days, I'm getting lots of these messages while scanning one of the 
 servers here:
 
 LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
 LibClamAV Warning: Bytcode 3 failed to run: Unknown error code
 
 This is on FreeBSD-8 with ClamAV 0.97.3/14583/Mon Mar  5 01:34:31 2012.
 
 This brings scanning this server to a crawl, unfortunately, so I had to kill 
 the nightly scans. Does this indicate a problem in the signatures, or is 
 there a problem with the local scanner?
 

Can you find out which file is causing this? (run clamscan -v to see what file 
it is scanning)
Then please open a bug and attach the file.

Meanwhile you can try setting the timeout lower, using 
--bytecode-timeout/BytecodeTimeout (it is 6 ms by default).

Best regards,
--Edwin


Re: [clamav-users] (no subject)

2012-03-03 Thread Török Edwin
On 03/03/2012 04:44 PM, Jayson Brush wrote:
 Hello
 
 I currently have ClamSMTP and ClamAV 0.97.3 installed on CentOS with
 postfix and dovecot. The setup works and ClamAV properly scans all emails
 and detects viruses. However, I have enabled the DLP module in Clamd to
 detect CC numbers and SSNs and lowered the threshold to 1 for each. When I
 send an SSN number Clam properly logs that there was an SSN attempted to be
 sent. When I send any formatted Credit Card number, ClamAV does not
 recognize that there is a credit card number contained in the body of the
 text or as an attachment.
 
 Does anyone have any knowledge about this? Am I missing something?

By default you need to have at least 3 Credit Card numbers to trigger a 
detection:

# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5

Best regards,
--Edwin


Re: [clamav-users] Time to add a new virus?

2012-02-13 Thread Török Edwin
On 02/13/2012 12:57 PM, Henri Salo wrote:
 On Mon, Feb 13, 2012 at 05:04:34AM -0500, Michael Richards wrote:
 Do the sigmakers just waste their time sifting through tons of
 duplicate submissions?
 
 I sure hope not. I am more than happy to help create a faster process for 
 this if ClamAV guys can tell what they need or at least the old system should be 
 documented somehow. Why not create this as an open-source :) If I am correct 
 the duplicates mostly come from big av-check sites. They send reports with 
 old signatures and/or when they send the file it is not in fact known, but it 
 is known when ClamAV guys start to add the signature.

The duplicate submissions are not bit-to-bit identical.
Bit-to-bit identical submissions are thrown away/merged automatically early in 
the process, and they don't get reported to clamav-virusdb@.
Same with files that are already detected by ClamAV.

The duplicates (Same as) mean that ClamAV detects them _now_ with the same 
virusname, but at the time
of the submission they were not detected at all.

It is easy to see why this could happen:
 - if it is a file infector then we get a unique submission for each file it 
infected. It is still the same malware,
and if a signature gets added to detect one particular instance of the 
infection then the other infected files
should get detected as well
 - if it is a polymorphic virus then each instance is unique, and depending on 
how good the signature is
it may detect many instances of the malware with the same virus name
 - the signature might be generic, so it detects more than one malware under 
the same name
 - ... etc.

Best regards,
--Edwin


Re: [clamav-users] multiple viruses detected

2012-02-13 Thread Török Edwin
On 02/13/2012 04:01 PM, Matus UHLAR - fantomas wrote:
 On Mon, Feb 13, 2012 at 12:15:02PM +0100, Matus UHLAR - fantomas wrote:
 What I need is to pass phishes sent to one particular address
 (abuse@, since we should know when our customers send phishes)
 
 On 13.02.12 13:45, Henri Salo wrote:
 You might be looking for these arguments of clamscan. You can also control 
 this in clamd.conf.  Default is marked as (*).
 
 I am not looking for any currently existing arguments to clam(d)scan nor 
 clamd. With them, the only possible way of checking for phishes etc is to 
 scan twice - once with phishingsignatures, once
 without them.
 
 This is not nice no matter if I call clamscan (which takes long to load the 
 signature database), or clamd (would require 2 clamd processes running), or 
 combination of these two.
 

Try --heuristic-scan-precedence=yes (similar clamd option exists too).
It will cause ClamAV to stop and report on the first Heuristics.* match it 
finds. Phishing is part of Heuristics.*

The default behaviour is 'no', so when it sees a Heuristics.* it keeps scanning 
and if a malware is found,
then that is reported instead of the Heuristics.

The problem is that Heuristics.* is not only phishing, but some other stuff as 
well.

Best regards,
--Edwin


Re: [clamav-users] Question about not recognized malware IN a zipfile

2012-02-10 Thread Török Edwin
On 02/10/2012 03:45 PM, Matthias Egger wrote:
 Hello List
 
 Yesterday we received a lot of DHL Delivery Notification Messages with a 
 zip File as attachment.
 
 The zip file contains an exe file which is obviously some kind of malware.
 
 Since clamav let this email pass through I went to the malware submission page 
 and uploaded this file. The message I received then was, that this file is 
 still known as malware.
 
 So why did clamav let the attachment pass through?
 
 I found the solution:
 
 # clamscan -v DHL_Post_oder_Notification-INF6782654.zip
 DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND

The detection is based on the filename inside the zip file.
 
 # clamscan -v DHL_Post_oder_Notification-DATA.exe
 DHL_Post_oder_Notification-DATA.exe: OK

There is no filename here because you are scanning the file itself, and not a 
container, hence
ClamAV cannot detect the malware with this signature.

 
 So clamav recognizes the zipfile as malware, but not the containing exe. This 
 is bad, since amavis does extract the submitted zip file and then checks the 
 extracted exe file.
 
 So the question is... how can i fix this?

Pass the full email to ClamAV, not just the attachments.

Best regards,
--Edwin


Re: [clamav-users] Question about not recognized malware IN a zipfile

2012-02-10 Thread Török Edwin
On 02/10/2012 05:08 PM, Matthias Egger wrote:
 Hello Edwin
 
 Thank you for your reply.
 
 On 10.02.2012 15:06, Török Edwin wrote:
 # clamscan -v DHL_Post_oder_Notification-INF6782654.zip
 DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND

 The detection is based on the filename inside the zip file.
 I am curious... isn't this really unsafe?
 
 I have just checked a second of these DHL emails. The Subject and the ZIP 
 Name was different, but the content was the same file. So what happens if a 
 spammer not only changes the subject and zip-name
 but also changes the filename of the exe every time?
 
 Would it not make sense to use something like an md5 sum of the exe file? I 
 think the effort to change the names of the exe is much lower than changing 
 the malware for every email.
 
 But hey... i am just thinking loud... I don't want to step on anybody's feet. 
 As i said... i am just curious.

-zippwd means that sometimes the file is encrypted. In that case obviously we 
cannot know the md5 of the extracted file because we cannot extract it,
so filename is only thing left.

 
 So the question is... how can i fix this?

 Pass the full email to ClamAV, not just the attachments.
 
 Hmm... okay, i give a look on it.
 
 Thank you Edwin!
 
 Best regards
 Matthias



Re: [clamav-users] Multiple clamd daemons

2012-02-10 Thread Török Edwin
On 02/10/2012 10:53 PM, Chuck Swiger wrote:
 On Feb 10, 2012, at 12:19 PM, Reynolds, David C. wrote:
 I am (will be) running on a relatively large SGI Origin with a couple of 
 hundred processors available. Is there an easy configuration setting to 
 enable multiple clamd daemons to support multiple clamdscan clients in 
 multiscan mode?
 
 Sure, clamd is threaded and likely has a default value of MaxThreads 10-- 
 check clamd.conf.
 
 Each of the clamdscans are processing a particular set of subdirectories.  
 Minimal scan time is critical for this operation so that the more processors 
 that can be applied to the scan operation is important.

 Is there a practical limit to the number clamd threads that can be supported 
 by one daemon?

You should probably increase your ulimit -n too, the number of open files, to 
something around 3 if you have 500 threads.

--Edwin


Re: [clamav-users] Unit Testing

2012-02-06 Thread Török Edwin
On 02/06/2012 09:39 PM, Reynolds, David C. wrote:
 I've recently installed .97.3 on an SGI Origin 3000 running TRIX v6.5.28 
 using gcc 3.2.1.

That's a weird version number. GCC 3.3 and 3.4 were working I think; I don't think I 
ever used gcc 3.2.1, it might be buggy or might not be.

 (I did need to make some source file modifications).   I was able to run 
 clamscan against a directory seemingly without error.
  
 However, I would like to run some tests which would indicate catching an 
 infected file without actually putting an infected file on our system.  This 
 is a totally Trusted Irix environment. 
  
 I've had problems trying to build the check package as recommended in the 
 ClamAV documentation in this IRIXS environment.  Any suggestions as to how 
 run some unit tests that would indicate that an infected file would actually 
 be found?
  

You can scan the files in test/, or contrib/testfiles. Those are not actual 
viruses, just the ClamAV-Test-File.

Best regards,
--Edwin


Re: [clamav-users] Heuristics.OLE2.ContainsMacros false positive

2012-01-25 Thread Török Edwin
On 01/25/2012 05:02 PM, [Cardiff] Tugdual de LASSAT wrote:
 Hello the list..
 
 I have a problem, i wish to submit to your review...
 We run 4 years discontinuating, an Exim+Clamav mail server solution that ran
 smoothly to our needs, until recent internal false positive has been
 signaled...
 
 One of our members is trying to send internally an email containing a
 powerpoint that is virus free (check with 3 antivirus), and that I have
 checked through clamav on the machine that detects it as virus..
 Result of clamscan is eloquent : 
 
 #clamscan selsia.ppt
 selsia.ppt: OK
 
 --- SCAN SUMMARY ---
 Known viruses: 2300132
 Engine version: 0.97.3
 Scanned directories: 0
 Scanned files: 1
 Infected files: 0
 Data scanned: 1.21 MB
 Data read: 0.33 MB (ratio 3.68:1)
 Time: 12.030 sec (0 m 12 s)
 
 But as soon as it is sent by email : Here is the return of the clamd daemon
 running on socket : 
 
 Wed Jan 25 15:27:16 2012 - Accepted connection from 127.0.0.1 on port 1725,
 fd 12 Wed Jan 25 15:27:16 2012 - stream(127.0.0.1@1725):
 Heuristics.OLE2.ContainsMacros(41bd4de162009c267a78bca387d83f99:157035)
 FOUND

This just means that your document contains macros (whether malicious or not).
Either remove the macros from the document, or disable this check.

Are the macros required in the document?

 
 Sending to exim a reject that is logged as  : 
 2012-01-25 15:27:16 1Rq3oh-00055z-TW H=xxx.ip.network-consulting.fr
 (glenmorangie.x.fr) [79.98.xx.xx] F=x...@x.fr rejected after DATA:
 This message contains a virus or other harmful content
 (virus_in_message:157035))
 
 I do understand that it is the OLE2ContainsMacros function I
 activated that is in cause, but aren't signatures used between daemon and
 clamscan the same ? 

You have OLE2BlockMacros on in clamd.conf. Disable it if you don't need it.
clamscan doesn't have a similar option, probably a bug.

 Why does this false positive happen and does anyone have an idea how to
 solve it without removing this scan (we happen to have occasional real
 virus attempts in ppt)
 

Best regards,
--Edwin


Re: [clamav-users] sigtool verifies but freshclam fails

2012-01-24 Thread Török Edwin
On 01/24/2012 01:05 AM, Greg Cirino wrote:
 Ok, I'm not sure what is happening, but I did a wget of the main.cvd and
 ran the sigtool against it with the following command:
 
 sigtool --info=main.cvd
 
 and got this:
 
 File: main.cvd
 Build time: 11 Oct 2011 10:34 -0400
 Version: 54
 Signatures: 1044387
 Functionality level: 60
 Builder: sven
 MD5: ef015484e18b983ddf08425e2dad6a3f
 Digital signature:
 WOgEPNPkB4L0W5K9p1Wc+TE9DQOctxVBHGoR4pTqupMF6kJEVukelj0SPR6jTyczszfodstR+HPHG8mHjkvEtLzmmAz8WflU8vlf/XYW8Gjc6QuEetMN7yNy4JditkLVWCb/nf0gD943JTQ6lI+t7IoSqEk04jQncQ7nwNLIcZd
 Verification OK.
 
 Running freshclam marks it as broken, and starts to download it again.
 
 Anybody have any idea as to what's up?
 

Did you try to change your zlib version to a more recent one?
The one you are using is not supported.

--Edwin


Re: [clamav-users] [LibClamAV] cli_tgzload: Invalid checksum for file main.mdb

2012-01-24 Thread Török Edwin
On 01/24/2012 12:46 AM, Greg Cirino wrote:
 
 Why is libclamav looking for main.mdb on a linux system?
 

main.cvd consists of a number of signature files, one of which is a .mdb file.
A .mdb file is a plain text file that stores MD5 hash signatures in this format:
size:hash:VirusName

Best regards,
--Edwin
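As an added illustration (my example, not part of Edwin's reply and not ClamAV's own loader), here is a small Python reader and matcher for the size:hash:VirusName line format described above. It hashes whatever bytes you hand it, so it behaves like a whole-file hash database; the database text and the MZ-like samples are constructed, and the comment and blank-line handling is a convenience of this toy rather than a statement about ClamAV's parser.

```python
import hashlib


def parse_hash_db(text):
    """Parse size:hash:VirusName lines into {size: {md5hex: name}}.

    Blank lines and '#' comments are skipped (a convenience of this toy).
    Indexing by size first means a scan only computes MD5 for inputs whose
    length has at least one candidate entry.
    """
    sigs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected size:hash:VirusName, got {raw!r}")
        size_s, md5hex, name = fields
        md5hex = md5hex.lower()
        if not size_s.isdigit():
            raise ValueError(f"line {lineno}: size must be an integer, got {size_s!r}")
        if len(md5hex) != 32 or any(c not in "0123456789abcdef" for c in md5hex):
            raise ValueError(f"line {lineno}: malformed MD5 {md5hex!r}")
        if not name:
            raise ValueError(f"line {lineno}: empty virus name")
        sigs.setdefault(int(size_s), {})[md5hex] = name
    return sigs


def make_hash_line(data, name):
    """Build a size:hash:VirusName line for data (the line you would add to a custom db)."""
    return f"{len(data)}:{hashlib.md5(data).hexdigest()}:{name}"


def match_hash_db(sigs, data):
    """Return the VirusName whose size and MD5 both match data, or None."""
    candidates = sigs.get(len(data))
    if not candidates:
        return None           # size filter first: no hashing for unknown sizes
    return candidates.get(hashlib.md5(data).hexdigest())


# Constructed samples: an MZ-like header followed by tagged text; not real malware.
SAMPLE_BAD = b"MZ" + b"\x90" * 62 + b"constructed sample flagged by the toy db"
SAMPLE_GOOD = b"MZ" + b"\x90" * 62 + b"constructed sample not in the toy db"
SAMPLE_DB = "\n".join([
    "# constructed hash database (not a ClamAV signature file)",
    make_hash_line(SAMPLE_BAD, "Test.Constructed.Hash-1"),
    "3:900150983cd24fb0d6963f7d28e17f72:Test.Abc-2",   # MD5 of the bytes "abc"
])


if __name__ == "__main__":
    db = parse_hash_db(SAMPLE_DB)
    for label, blob in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD), ("abc", b"abc")):
        print(label, "->", match_hash_db(db, blob) or "OK")
```

The size field is a cheap pre-filter, not a defence: two inputs of equal length and equal MD5 are indistinguishable to a hash signature, which is why the "Invalid checksum for file main.mdb" error in the question is about the integrity of the database file itself, not about any of the hashes inside it.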


Re: [clamav-users] freshclam Verification: Can't verify database integrity

2012-01-23 Thread Török Edwin
On 01/23/2012 07:29 PM, Greg Cirino wrote:
 Hello
 
 Since upgrading from 0.97 to 0.97.3 it's been less than satisfying on a
 fedora c3 server, I have a 7.3 server without issues
 
 Every time (it seems) I run freshclam on the FC3 machine it wants to
 redownload the main.cvd database over and over, not sure why as that
 database doesn't appear to change, but it keeps giving me messages such as
 Malformed database and Can't verify database integrity. Happens after it
 was successful once before.
 
 Note: this sporadically happens with daily.cvd and occasionally bytecode.cvd

Might be bad RAM, run a memtest to make sure that's not the case.

 
 
 configure command option --disable-zlib-vcheck the actual version is 1.2.1

That's quite old; do you still have problems if you upgrade to the latest version?

Best regards,
--Edwin



Re: [clamav-users] Bytecode runtime error

2012-01-18 Thread Török Edwin

On 01/18/2012 07:26 PM, TR Shaw wrote:

$ clamdscan -V
ClamAV 0.97.3/14323/Wed Jan 18 09:09:29 2012


LibClamAV Warning: Bytecode runtime error at line 0, col 0
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 36 failed to run: Error during bytecode execution
109544.cf.exebr


Can you attach the file causing this to a bugreport please?

Best regards,
--Edwin


Re: [clamav-users] All midi files reported as positives

2012-01-17 Thread Török Edwin

On 01/17/2012 11:00 AM, Anne Wilson wrote:

On 16/01/12 13:55, Török Edwin wrote:

On 01/16/2012 03:53 PM, Anne Wilson wrote:

I run clamav on my mail server, and my daughter runs clamwin on
Windows 7, on my recommendation.  This morning's scan showed midi
files that have been on my server for 2 years or more as being
infected, e.g.:

/Data1/Midi/AudigyCD/SYMPHONY.MID: BC.Exploit.CVE_2012_0003 FOUND

Soon after reading this, I got a phone call from my daughter saying
that clamwin had quarantined all midi files supplied in the
Creative Soundblaster X-Fi installation.  The screenshot she sent
me shows nothing but the midi files.


Please submit some of those false positives here (make sure you
choose the 'A false positive' radiobox):
http://cgi.clamav.net/sendvirus.cgi


Thanks.  I've done that.  I was careful to mark it as a false positive
but got the message This virus is already recognized by ClamAV
0.97.3/14314/Mon Jan 16  - I assume that I can ignore that?

I'll submit one from her Windows box as soon as she emails it to me.



I have told her not to worry for now, but is there a way to mark
these as not infected and remove them from quarantine?



Create a file called local.ign2 in your database directory and add
this line to it: BC.Exploit.CVE_2012_0003


Done that too.  Thanks for the prompt reply.  I'm not very familiar with
Windows' organisation of this sort of thing, so can you suggest where I
should tell her to put the ignore file?  Should she just search for
daily.cld to find the directory, or is it labelled some other way in
Windows?


daily.cld or daily.cvd. Not sure where ClamWin puts its database directory,
perhaps in Application Data.

The offending bytecode was dropped in the meantime, so the false positive 
detections should've stopped
for now.

Best regards,
--Edwin


Re: [clamav-users] All midi files reported as positives

2012-01-16 Thread Török Edwin

On 01/16/2012 03:53 PM, Anne Wilson wrote:

I run clamav on my mail server, and my daughter runs clamwin on Windows
7, on my recommendation.  This morning's scan showed midi files that
have been on my server for 2 years or more as being infected, e.g.:

/Data1/Midi/AudigyCD/SYMPHONY.MID: BC.Exploit.CVE_2012_0003 FOUND

Soon after reading this, I got a phone call from my daughter saying that
clamwin had quarantined all midi files supplied in the Creative
Soundblaster X-Fi installation.  The screenshot she sent me shows
nothing but the midi files.


Please submit some of those false positives here (make sure you choose the 'A 
false positive' radiobox):
http://cgi.clamav.net/sendvirus.cgi



I have told her not to worry for now, but is there a way to mark these
as not infected and remove them from quarantine?



Create a file called local.ign2 in your database directory and add this line to 
it:
BC.Exploit.CVE_2012_0003

Best regards,
--Edwin


Re: [clamav-users] Database directory location confusion

2012-01-14 Thread Török Edwin

On 01/14/2012 03:29 PM, Stephen Butler wrote:


Both freshclam.conf and clamd.conf have the following entry : 
#DatabaseDirectory /var/lib/clamav


# means the entry is commented, it's just an example.


I'm a bit confused, I thought my signature database files were located here by 
default: /usr/local/share/clamav
I'd welcome any cure to my confusion :)
I'm using clamav 0.97.2
Your comments are appreciated.  


Run clamconf -n to find where your databases are.

Best regards,
--Edwin


Re: [clamav-users] clamd and IPv6

2011-12-26 Thread Török Edwin
On 12/26/2011 10:11 AM, Sergey wrote:
 Hello.
 
 Does anybody use clamd with IPv6 ? I attempted to do it, but
 it does not work. All complicated by the fact that it is my first
 experience with IPv6 also. I attempted to bind clamd to localhost.

clamd doesn't support IPv6. Only freshclam does.

Best regards,
--Edwin


Re: [clamav-users] Calling Clamd INSTREAM on blocks of data, can a virus sneak by the edge of a block?

2011-12-25 Thread Török Edwin
On 12/25/2011 07:48 AM, John-Charles D. Sokolow wrote:
 I am experimenting with a python script which uses 
 http://xael.org/norman/python/pyclamd/ to scan blocks of data.
 Here is my scenario, I read one block, ( 4096 bytes in my case ) from a 
 socket. I call pyclamd.scan_stream( block ), which I assume is in turn 
 calling either INSTREAM, or STREAM, ( I don't know since
 the docs for pyclamd don't specify which actual clamd call occurs when 
 calling scan_stream. ) I then check the return code from clamd if it returns 
 None (NULL) I know that the block is safe and I pass
 it along, otherwise I throw an exception and close the connection. My 
 question is this since I'm breaking the stream up into blocks and scanning 
 each block separately am I running the risk of a virus
 sneaking by the edge of the blocks and not matching a pattern. For example 
 take the block 'Hello Vir' and the block 'us World' assume that the sub 
 string 'Virus' is the actual virus, since neither
 'Vir' ( the last 3 bytes of the first block ) nor 'us'( the first two bytes 
 of the second block ) are 'Virus' it would seem that clamd would miss Virus 
 and not return a match, letting the virus
 essentially sneak through the sides as it were. Is this true? If so, is there 
 a work around? Or do I need to save the complete stream to disk then call 
 clamd.scan_file(/tmp/tfile.bin) before
 re-transmitting the file?

Clamd needs the entire file, without that you won't get the results you are 
expecting.
Scanning 4k blocks at a time is not a good idea.

It appears to be a limitation of the python wrapper you are using: you don't 
need to send all your data at once.
You can send the STREAM/INSTREAM command, and then stream your data when you 
get it.

You don't necessarily have to save the file to disk prior to scanning though, 
you can just stream
all your blocks using INSTREAM (which will create the tempfile on clamd's end).
The format for INSTREAM on the socket is:
 1. send the INSTREAM command: zINSTREAM\0, or nINSTREAM\n
 2. send length (big endian, 4 bytes)
 3. send the chunk of data corresponding to the above length
 4. repeat at 2 as long as you have more blocks to send
 5. send a 0-length block to mark end of stream

And STREAM is similar to FTP, you get a port back where you can send the entire 
data.

Best regards,
--Edwin
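As an added example (my code, not Edwin's reply and not pyclamd), here is the INSTREAM framing from the five steps above in Python: a generator that produces the exact bytes for the socket, a toy clamd-side decoder that reassembles the chunks, and a sender for a real clamd. The decoder and the substring check only stand in for clamd and its matcher, to show that the boundary in the 'Hello Vir' / 'us World' example disappears once the stream is put back together; the host and port defaults (127.0.0.1:3310) are an assumption about your clamd.conf.

```python
import socket
import struct

CHUNK = 4096                      # the 4096-byte blocks from the question
INSTREAM_CMD = b"zINSTREAM\0"     # 'z' prefix: NUL-terminated command and reply


def instream_frames(chunks):
    """Yield the exact bytes to write on the clamd socket for one INSTREAM scan.

    Framing: the command, then for every chunk a 4-byte big-endian length
    followed by the chunk, then a zero length to mark end of stream.
    """
    yield INSTREAM_CMD
    for chunk in chunks:
        if not chunk:
            continue              # a zero-length chunk would be read as end of stream
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def reassemble_instream(wire):
    """Toy decoder for the clamd side: undo the framing and return the whole payload.

    clamd does the same into a temporary file, so the scanner sees one
    contiguous file no matter how the sender split it.
    """
    if not wire.startswith(INSTREAM_CMD):
        raise ValueError("stream does not start with INSTREAM")
    pos, payload = len(INSTREAM_CMD), bytearray()
    while True:
        if pos + 4 > len(wire):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", wire[pos:pos + 4])
        pos += 4
        if n == 0:
            break
        if pos + n > len(wire):
            raise ValueError("truncated chunk")
        payload += wire[pos:pos + n]
        pos += n
    if pos != len(wire):
        raise ValueError("trailing bytes after end-of-stream marker")
    return bytes(payload)


def toy_scan(data, pattern=b"Virus"):
    """Stand-in for the real matcher: does the pattern occur anywhere in data?"""
    return pattern in data


def split_pattern_demo():
    """Scan each block alone versus the reassembled stream for the question's example."""
    blocks = [b"Hello Vir", b"us World"]
    per_block = [toy_scan(b) for b in blocks]
    whole = toy_scan(reassemble_instream(b"".join(instream_frames(blocks))))
    return per_block, whole       # ([False, False], True)


def clamd_instream_scan(fileobj, host="127.0.0.1", port=3310, timeout=60):
    """Stream fileobj to a running clamd in CHUNK-sized pieces; return its reply text.

    The reply looks like 'stream: OK' or 'stream: Name FOUND'. If the data
    exceeds clamd's StreamMaxLength it answers with an 'INSTREAM size limit
    exceeded' error and closes the connection.
    """
    def chunks():
        while True:
            block = fileobj.read(CHUNK)
            if not block:
                return
            yield block

    with socket.create_connection((host, port), timeout=timeout) as sock:
        for frame in instream_frames(chunks()):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            more = sock.recv(4096)
            if not more:
                break
            reply += more
    return reply.rstrip(b"\0").decode(errors="replace")


if __name__ == "__main__":
    print(split_pattern_demo())
```

The important property is that the sender never has to buffer the whole file: each block read from the upstream socket can be forwarded to clamd immediately, and the verdict arrives after the zero-length frame, so the data can be held back from the downstream client until then.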


Re: [clamav-users] Disable specific virus signatures?

2011-12-01 Thread Török Edwin
On 12/01/2011 09:55 PM, Alex wrote:
 Hi,
 
 I happen to have a similar issue and thought I could append to this
 thread with my questions.
 
 Is there a way to delete a signature that you are not interested in?
 
 I'd like to create a local whitelist for patterns that create false
 positives in my environment from attachments in email. Here's an
 example:
 
 Dec  1 10:47:55 mail01 amavis[18312]: (18312-02) Blocked INFECTED
 (PUA.Script.PDF.EmbeddedJavaScript), [204.XXX.YYY.21]
 [204.XXX.YYY.21] us...@example.com, quarantine:
 virus-06232854a5c3b09c7451be840f81fc58-20111201T104753-18312-02.gz,
 Message-ID: 01b601ccb040$933b3bf0$b9b1b3d0$@us...@example.com,
 mail_id: 539J2GR60fLp, Hits: -, size: 1288479, 1411 ms
 
 Dec  1 10:47:55 mail01 postfix/smtp[18345]: 081AC160468:
 to=us...@example.com, orig_to=ad...@example.com
 , relay=127.0.0.1[127.0.0.1]:10024, delay=7.3, delays=5.9/0/0.01/1.4,
 dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded,
 id=18312-02 - INFECTED: PUA.Script.PDF.EmbeddedJavaScript)
 
 I understand I can add PUA.Script.PDF.EmbeddedJavaScript to
 sigwhitelist.ign2 for it to be whitelisted, correct?
 
 However, this will be overwritten, so I'd like to create one of my
 own. Do I just create a new file in that directory, and signal clamd
 to re-read the database?

Yes, you can use any filename as long as its extension is .ign2.

 
 Is it possible to whitelist based on the name of a file?

No.

 
 This also seems like a very generic signature. To determine the
 pattern that matched within the attachment, is this the correct way to
 do that?
 
 # sigtool -fPUA.Script.PDF.EmbeddedJavaScript
 [daily.ndu] 
 PUA.Script.PDF.EmbeddedJavaScript:0:0:255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)

Yes.

--Edwin
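Added example, not from the thread and not ClamAV's own matcher: a Python translation of the hex-signature body syntax used by the two signatures quoted on this page (the PUA.Script.PDF.EmbeddedJavaScript .ndb line above, and the `6863703a2f2f{25-700}...` subsignature printed in the "Bytecode run timed out" thread) into a bytes regex, plus a matcher for the name:target:offset:hexsig layout. It covers `*`, `{n}`, `{-n}`, `{n-}`, `{n-m}`, `??` and single-nibble wildcards, and `(aa|bb)` alternations; anything else (EOF-relative offsets, negated groups) raises. The PDF snippets and the hcp:// string are constructed test inputs.

```python
import re

# One token of a hex body: '*', a {gap}, an (alt|alt) group, or one hex byte (with ? nibbles)
_TOKEN = re.compile(r"\*|\{(\d*)(-?)(\d*)\}|\(([0-9a-fA-F?|]+)\)|[0-9a-fA-F?]{2}")


def _byte_piece(tok):
    """Regex piece for a two-character hex token; '?' is a nibble wildcard."""
    hi, lo = tok[0], tok[1]
    if hi == "?" and lo == "?":
        return b"."
    if lo == "?":                       # high nibble fixed: one contiguous range of 16 bytes
        base = int(hi, 16) << 4
        return b"[" + re.escape(bytes([base])) + b"-" + re.escape(bytes([base | 0xF])) + b"]"
    if hi == "?":                       # low nibble fixed: 16 scattered byte values
        low = int(lo, 16)
        return b"[" + b"".join(re.escape(bytes([(h << 4) | low])) for h in range(16)) + b"]"
    return re.escape(bytes([int(tok, 16)]))


def _hex_run(hexstr):
    if len(hexstr) % 2:
        raise ValueError(f"odd-length hex run {hexstr!r}")
    return b"".join(_byte_piece(hexstr[i:i + 2]) for i in range(0, len(hexstr), 2))


def hexsig_to_regex(hexsig):
    """Translate a hex-signature body into a compiled bytes regex (DOTALL: '.' is any byte)."""
    pos, parts = 0, []
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {hexsig[pos:pos + 8]!r}")
        tok = m.group(0)
        if tok == "*":
            parts.append(b".*?")                       # any number of bytes
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:                               # {n}: exactly n bytes
                if not lo:
                    raise ValueError("empty {} gap")
                parts.append(b".{%d}" % int(lo))
            else:                                      # {-n}, {n-}, {n-m}
                parts.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        elif tok.startswith("("):
            alts = [_hex_run(a) for a in m.group(4).split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(_byte_piece(tok))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb_line(line):
    """Split name:target:offset:hexsig; only '*' and absolute integer offsets are handled."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected at least name:target:offset:hexsig")
    name, target, offset, hexsig = fields[:4]
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"offset form {offset!r} not handled by this toy")
    return name, int(target), offset, hexsig_to_regex(hexsig)


def scan_ndb(line, data):
    """Return the signature name if data matches the .ndb line, else None."""
    name, _target, offset, rx = parse_ndb_line(line)   # target type is not enforced here
    hit = rx.search(data) if offset == "*" else rx.match(data, int(offset))
    return name if hit else None


# Signatures quoted on this page, and constructed inputs to exercise them.
NDB_LINE = ("PUA.Script.PDF.EmbeddedJavaScript:0:0:"
            "255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)")
HCP_SUBSIG = "6863703a2f2f{25-700}736372697074{1-3}6465666572"   # "hcp://" .. "script" .. "defer"

PDF_WITH_JS = b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /JavaScript (constructed sample) >>\nendobj\n"
PDF_NO_JS = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
PDF_JS_FAR = b"%PDF-1.4\n1 0 obj\n<<" + b"A" * 150 + b"/JavaScript (x)"   # gap exceeds {-100}
HCP_SAMPLE = b"hcp://constructed/help/topic/" + b"x" * 40 + b"<script defer>sample</script>"

if __name__ == "__main__":
    for blob in (PDF_WITH_JS, PDF_NO_JS, PDF_JS_FAR):
        print(scan_ndb(NDB_LINE, blob) or "OK")
    print(bool(hexsig_to_regex(HCP_SUBSIG).search(HCP_SAMPLE)))
```

Reading the translated pattern makes the "very generic" remark concrete: after `%PDF-` at offset 0 the signature accepts any object whose `<<` dictionary mentions `/JavaScript` within 100 bytes, so every PDF that carries a JavaScript action matches, malicious or not, which is exactly the class of file a local .ign2 entry is meant to whitelist.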


Re: [clamav-users] Scanner memory and CPU usage

2011-11-22 Thread Török Edwin
On 11/22/2011 08:32 PM, Shobana Narayanaswamy wrote:
 Is there a way to reduce the memory footprint of the scanner? It appears to 
 take about 220M in memory to load the virus db.

Are you using 0.97.3? There were some improvements in the 0.97 series regarding 
memusage.
Also are you using only official DBs, or third-party as well?

 
 Also, it takes up all of the machine's CPU while running. Is there a way to 
 limit this (probably a general question and not specific to the scanner).

Check MaxThreads in clamd.conf

Best regards,
--Edwin


Re: [clamav-users] libclamav warning

2011-11-22 Thread Török Edwin
On 11/20/2011 12:45 AM, Ben Stuyts wrote:
 
 On 19 nov. 2011, at 17:19, Ben Stuyts wrote:
 

 On 18 nov. 2011, at 21:20, René Bellora wrote:

 hi!

 i'm getting some warnings when scanning a directory:

 LibClamAV Warning: Bytcode 4 failed to run: Error during bytecode execution

 LibClamAV Warning: Bytecode run timed out in interpreter after 221135000 
 opcodes

 LibClamAV Warning: Bytcode 4 failed to run: Unknown error code


 what are these?

 i'm running ClamAV 0.97.3

 Similar problems here:

 LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
 LibClamAV Warning: [Bytecode JIT]: recovered from error
 LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
 LibClamAV Warning: Bytcode 11 failed to run: Unknown error code
 ...

 clamscan -V:
 ClamAV 0.97/13965/Sat Nov 19 00:09:18 2011

 I'll upgrade to 0.97.3 and see if that makes a difference.
 
 Just tried, same result.
 
 clamscan -V
 ClamAV 0.97.3/13966/Sat Nov 19 21:07:07 2011

I've dropped the bytecode (in bytecode.cvd 154), it will get added back once 
its fixed.
Those warnings simply mean that one particular bytecode encountered an error 
and was stopped,
but all the other signatures and bytecodes should still work as normal.

Best regards,
--Edwin


Re: [clamav-users] problems with daily.cld 13960

2011-11-17 Thread Török Edwin
On 11/17/2011 06:57 PM, David Alix wrote:
 Is anyone else having problems with clamd after the daily.cld updated to 
 version 13960.  I'm running clamd 0.97.1, on Solaris 9 SPARC.  Since 13960 
 was installed, clamd abends, with no error messages
 anywhere.  Sometimes clamd will run for up to 20 minutes; 

Ideally it should stay up forever, and not crash every X minutes.
Try 0.97.3 and it should work better.

For example this bug might cause it to crash:
https://bugzilla.clamav.net/show_bug.cgi?id=2818

Best regards,
--Edwin


Re: [clamav-users] Clamav on Ubuntu 10.04

2011-11-14 Thread Török Edwin
On 11/14/2011 03:20 PM, Michael Kolowicz wrote:
 Hello,
 
  
 ClamAV Win32 Devel clamav-team-wi...@lists.clamav.net
 I have installed Clamav via apt-get install on my Ubuntu 10.04 64bit. Now I
 want to redirect the databases. I have create the folder
 /media/Proxy/ClamaAV. 
 
  
 Followed from
  
 chown clamav:clamav /media/Proxy/ClamAV/

Is /media/Proxy removable media? If so, is the filesystem something other than 
FAT(32)?

 chmod 755 /media/Proxy/ClamAV/
 
  
 
 When I start freshclam it comes up: 
 
 ERROR: Can't create temporary directory
 /media/Proxy/ClamAV/clamav-4fe8632d0bcb213dd26f6e97f4927a70
 
 Hint: The database directory must be writable for UID 105 or GID 113

Does this work (run as root):
su clamav -s /bin/touch /media/Proxy/ClamAV/test

Best regards,
--Edwin


Re: [clamav-users] Clamav on Ubuntu 10.04

2011-11-14 Thread Török Edwin
On 11/14/2011 05:05 PM, Michael Kolowicz wrote:
 Thanks for your answer
 
 I will start with the end:
 
 Does this work (run as root):
 su clamav -s /bin/touch /media/Proxy/ClamAV/test
 
 Yes - that works. In the dir a new file is created.
 
 Is /media/Proxy removable media? If so, is the filesystem something other
 than FAT(32)?
 
 No, it isn't removable media. It's a mountpoint of a harddisk, formatted
 with the ext3 filesystem.
 
 I hope that helps to find out

Maybe it's due to the AppArmor policy then, see
https://help.ubuntu.com/community/AppArmor.

Try putting apparmor in complain mode for freshclam, and then see if it works 
and if it logs any errors.
If it works then you can create a custom AppArmor policy, or just keep it 
turned off for freshclam.

Best regards,
--Edwin


Re: [clamav-users] How can I have clamd reject items that can't be scanned?

2011-11-10 Thread Török Edwin
On 11/10/2011 09:02 PM, Jim Preston wrote:
 On 11/09/2011 02:44 PM, Török Edwin wrote:
 [snip]

 Well of course there have to be limits somewhere, and I recall one issue is 
 malevolent attachments designed specifically to crash extractors.
 A second issue I recall from the past is the sending of password protected 
 archives - the scanner is unable to check it, but of course a user taken in 
 by the message may well open it. So that's a
 separate consideration - whether to allow password protected archives or to 
 reject them.
 There is BlockEncrypted for that purpose.


 Best regards,
 --Edwin
 Now the question is, is there a BlockUnscanned (due to whatever reason) or 
 should this be a feature request submitted by the OP?
 

There isn't. There used to be the Oversized.Zip/Rar detections, but see aCaB's 
reply.

I don't think we want Oversized.* detections back in the official release at 
this time (too many FP reports),
but give this patch a try (untested):

diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index 93cdc71..882d528 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -2122,6 +2122,11 @@ static void emax_reached(cli_ctx *ctx) {
 }


+static int limit(cli_ctx *ctx, const char *name)
+{
+*ctx-virname = name;
+return cli_found_possibly_unwanted(ctx);
+}

 static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)
 {
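Review bot: limit() hands back whatever cli_found_possibly_unwanted(ctx) returns, and nothing in this hunk shows that value being CL_VIRUS, so whether a file stopped at a limit is actually reported as Unscanned.* depends entirely on that function's policy; a comment on limit() stating the expected return value (and under which scan options it is CL_VIRUS rather than CL_CLEAN) would make the intent reviewable. Also note that the list archive has dropped the `->` arrow, so `*ctx-virname = name;` as rendered here will not compile; apply from the original mail or reconstruct it as `*ctx->virname = name;`.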
@@ -2582,9 +2587,13 @@ static int magic_scandesc(int desc, cli_ctx *ctx, 
cli_file_t type)

 switch(ret) {
case CL_EFORMAT:
+   ret_from_magicscan(limit(ctx, Unscanned.Badformat));
case CL_EMAXREC:
+   ret_from_magicscan(limit(ctx, Unscanned.Oversized.MaxRec));
case CL_EMAXSIZE:
+   ret_from_magicscan(limit(ctx, Unscanned.Oversized.MaxSize));
case CL_EMAXFILES:
+   ret_from_magicscan(limit(ctx, Unscanned.Oversized.MaxFiles));
cli_dbgmsg(Descriptor[%d]: %s\n, desc, cl_strerror(ret));
case CL_CLEAN:
perf_start(ctx, PERFT_CACHE);
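Review bot: each of the four new `ret_from_magicscan(limit(...))` lines returns before the existing `cli_dbgmsg(Descriptor[%d]: %s\n, desc, cl_strerror(ret));` and before the fall-through into `case CL_CLEAN:` / `perf_start(ctx, PERFT_CACHE);`, so for CL_EFORMAT, CL_EMAXREC, CL_EMAXSIZE and CL_EMAXFILES the debug line becomes unreachable and the cache/perf path those cases previously fell into is skipped. Either move the dbgmsg ahead of the returns and confirm ret_from_magicscan does the equivalent cleanup, or keep the fall-through and only override ret. The name literals have also lost their quotes in the archive rendering (`Unscanned.Badformat` should read `"Unscanned.Badformat"`), which is worth checking before anyone applies this from the list.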

Best regards,
--Edwin


Re: [clamav-users] How can I have clamd reject items that can't be scanned?

2011-11-09 Thread Török Edwin
On 11/09/2011 10:42 PM, Simon Hobson wrote:
 Per Jessen wrote:
 
 The OP started by saying there are ways to limit the level of archive
 that will be scanned as well as the size of the entities to be
 scanned, which are performance optimizing options one can use if
 desired. To which I commented that it's not about a message that can't
 be scanned, but whether your limits allow it to be scanned.  Remove the
 limits, and everything is scanned (presumably only limited by hardware
 resources).
 
 Well of course there have to be limits somewhere, and I recall one issue is 
 malevolent attachments designed specifically to crash extractors.
 A second issue I recall from the past is the sending of password protected 
 archives - the scanner is unable to check it, but of course a user taken in 
 by the message may well open it. So that's a
 separate consideration - whether to allow password protected archives or to 
 reject them.

There is BlockEncrypted for that purpose.


Best regards,
--Edwin


Re: [clamav-users] clamd unexpected termination: ... Failure in bytecode testmode

2011-10-24 Thread Török Edwin
On 2011-10-24 14:55, Matthias Egger wrote:
 Hello all
 
 On 24.10.2011 12:13, Matthew Slowe wrote:
 I'm seeing a problem on a bunch of Solaris 10 SPARC servers running 0.97.x 
 since about 00:55 BST this morning.
 
 Just wanted to confirm what Matthew sees.
 
 * Also on Solaris 10 SPARC Machines
 * Same Error since 01:52 MEST this Morning (which should be 00:55 BST?)
 * Error occurs every 10 Minutes (SelfCheck 600)
 * upgraded from 0.97.1 to 0.97.3 from scratch (with new definitions)
 
 Since we monitor the service it gets restarted every 10min, but this always 
 creates a warning. So I prefer to solve the problem :-)

I just published bytecode.cvd version 150 (and 151 should come out soon too). 
Does it fix the problem?

Best regards,
--Edwin


Re: [clamav-users] clamd unexpected termination: ... Failure in bytecode testmode

2011-10-24 Thread Török Edwin
On 2011-10-24 15:03, Török Edwin wrote:
 On 2011-10-24 14:55, Matthias Egger wrote:
 Hello all

 On 24.10.2011 12:13, Matthew Slowe wrote:
 I'm seeing a problem on a bunch of Solaris 10 SPARC servers running 0.97.x 
 since about 00:55 BST this morning.

 Just wanted to confirm what Matthew sees.

 * Also on Solaris 10 SPARC Machines
 * Same Error since 01:52 MEST this Morning (which should be 00:55 BST?)
 * Error occurs every 10 Minutes (SelfCheck 600)
 * upgraded from 0.97.1 to 0.97.3 from scratch (with new definitions)

 Since we monitor the service it gets restarted every 10min, but this 
 always creates a warning. So I prefer to solve the problem :-)
 
 I just published bytecode.cvd version 150 (and 151 should come out soon too). 
 Does it fix the problem?

152 is out, which should include the fix for this crash on SPARC.
Once it reaches your mirrors and freshclam confirms that you got bytecode.cvd 
152, can you test again to see if it fixed the crash for you?

--Edwin


Re: [clamav-users] clamd unexpected termination: ... Failure in bytecode testmode

2011-10-24 Thread Török Edwin
On 2011-10-24 15:40, Pierre Dehaen wrote:
 On 24 Oct 2011 at 15:23, Török Edwin wrote:
 
 On 2011-10-24 15:03, Török Edwin wrote:
 On 2011-10-24 14:55, Matthias Egger wrote:
 Hello all

 On 24.10.2011 12:13, Matthew Slowe wrote:
 I'm seeing a problem on a bunch of Solaris 10 SPARC servers running 
 0.97.x since about 00:55 BST this morning.

 Just wanted to confirm what Matthew sees.

 * Also on Solaris 10 SPARC Machines
 * Same Error since 01:52 MEST this Morning (which should be 00:55 BST?)
 * Error occurs every 10 Minutes (SelfCheck 600)
 * upgraded from 0.97.1 to 0.97.3 from scratch (with new definitions)

 Since we monitor the service it gets restarted every 10min, but this 
 always creates a warning. So I prefer to solve the problem :-)

 I just published bytecode.cvd version 150 (and 151 should come out soon 
 too). Does it fix the problem?

 152 is out, which should include the fix for this crash on SPARC.
 Once it reaches your mirrors and freshclam confirms that you got 
 bytecode.cvd 152, can you test again to see if it fixed the crash for you?

 Edwin, 
 
 The update just hit my server 2 minutes ago. In freshclam.log:
 
 ClamAV update process started at Mon Oct 24 14:37:00 2011
 main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: 
 sven)
 daily.cld is up to date (version: 13843, sigs: 15910, f-level: 60, builder: 
 guitar)
 Downloading bytecode-150.cdiff [100%]
 Downloading bytecode-151.cdiff [100%]
 Downloading bytecode-152.cdiff [100%]
 bytecode.cld updated (version: 152, sigs: 38, f-level: 60, builder: edwin)
 Database updated (1060335 signatures) from db.be.clamav.net (IP: 193.1.193.64)
 Clamd successfully notified about the update.
 
 In clamd.log:
 Mon Oct 24 14:36:15 2011 - Algorithmic detection enabled.
 Mon Oct 24 14:36:15 2011 - Portable Executable support enabled.
 Mon Oct 24 14:36:15 2011 - ELF support enabled.
 Mon Oct 24 14:36:15 2011 - Mail files support enabled.
 Mon Oct 24 14:36:15 2011 - OLE2 support enabled.
 Mon Oct 24 14:36:15 2011 - PDF support enabled.
 Mon Oct 24 14:36:15 2011 - HTML support enabled.
 Mon Oct 24 14:36:15 2011 - Self checking every 600 seconds.
 Mon Oct 24 14:36:15 2011 - /var/run/MIMEDefang/mdefang-
 p9OCaCjA011594/Work/INPUTMBOX: Sanesecurity.Jurlbl.14950.UNOFFICIAL FOUND
 Mon Oct 24 14:37:06 2011 - Reading databases from /opt/clamav/share/clamav
 Mon Oct 24 14:37:27 2011 - ERROR: Database initialization error: can't 
 compile engine: 
 Failure in bytecode testmode

Yes, it still had the old one loaded; when you restart clamd now, does it work?
Try clamdscan --reload and see if it still gives the ERROR.

--Edwin


Re: [clamav-users] clamd unexpected termination: ... Failure in bytecode testmode

2011-10-24 Thread Török Edwin
On 2011-10-24 16:48, David Alix wrote:
 Unfortunately, it may not be fixed on Solaris 9.  My earlier problem went 
 away with the update to daily.cld 13840.  This different problem began 
 yesterday with the update to daily.cld 13842.
 
 This is the update I saw in freshclam.log:
 Received signal: wake up
 ClamAV update process started at Mon Oct 24 05:46:02 2011
 main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: 
 sven)
 daily.cld is up to date (version: 13843, sigs: 15910, f-level: 60, builder: 
 guitar)
 connect_error: getsockopt(SO_ERROR): fd=5 error=146: Connection refused
 Can't connect to port 80 of host db.us.clamav.net (IP: 69.12.162.28)
 Downloading bytecode-151.cdiff [100%]
 Downloading bytecode-152.cdiff [100%]
 bytecode.cld updated (version: 152, sigs: 38, f-level: 60, builder: edwin)
 Database updated (1060335 signatures) from db.us.clamav.net (IP: 64.22.33.90)
 --
 
 and the next datacheck produced this in clamd.log:
 
 Mon Oct 24 06:27:15 2011 - No stats for Database check - forcing reload
 Mon Oct 24 06:27:16 2011 - Reading databases from /opt/ClamAV/share/clamav
 Mon Oct 24 06:27:27 2011 - ERROR: Database initialization error: can't 
 compile engine: Failure in bytecode testmode

This is because it still had the old bytecode loaded, which triggers the bug.
Try starting clamd manually (now that you have version 152), and then it should 
work, even after a --reload or self-check.

Best regards,
--Edwin


Re: [clamav-users] Mirror issues

2011-10-23 Thread Török Edwin
On 10/23/2011 05:33 PM, Jim Popovitch wrote:
 Is it my lack of clue, or are there a fair amount of mirror issues today?

I'm not seeing any issues with the mirror I use, what error messages do you see?

Best regards,
--Edwin


Re: [clamav-users] clamd abending at selfcheck

2011-10-21 Thread Török Edwin
On 10/21/2011 04:29 PM, David Alix wrote:
 when I start gdb with the command:
  gdb /opt/ClamAV/sbin/clamd 6761
 
 I get the message:
 
 Copyright (C) 2008 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type show copying
 and show warranty for details.
 This GDB was configured as sparc-sun-solaris2.9...
 Attaching to program `/opt/ClamAV/sbin/clamd', process 6761
 /proc/6761: Value too large for defined data type.

You probably have a 64-bit kernel, but run a 32-bit gdb.
Try running a 64-bit gdb.

--Edwin


Re: [clamav-users] Phishing and ClamAV

2011-10-20 Thread Török Edwin
On 10/20/2011 01:59 PM, Ivan Ivanov wrote:
 Hello,
   
 I am a newbie with ClamAV and I am trying to improve phishing accuracy on an 
 e-mail server installation.
 Unfortunately I was not able to understand how to do that in detail. Should I 
 use daily.pdb, or are phishing signatures already included in other databases?
 It appears that even after enabling the use of phishing signatures in 
 clamd.conf, freshclam does not download daily.pdb.

daily.pdb is included inside daily.cvd already.

Best regards,
--Edwin


Re: [clamav-users] Phishing and ClamAV

2011-10-20 Thread Török Edwin
On 10/20/2011 02:40 PM, Ivan Ivanov wrote:
 Hello Torok,
 
 Thank you for your fast response.
 Is it possible to have an additional .pdb with customized values included in 
 the ClamAV configuration and databases directory? Content example of such a 
 local.pdb: H:somelocalbank.ctld

Yes, just place a file named local.pdb (or something other than main.* or 
daily.*) and add your entries there.


--Edwin


Re: [clamav-users] Phishing and ClamAV

2011-10-20 Thread Török Edwin
On 10/20/2011 03:05 PM, Ivan Ivanov wrote:
 Hello Edwin,
 
 Thank you for your e-mail.
 I've added a local.pdb in /var/lib/clamav with content: 
 H:localbankaddress.ctld
 
 But it appears that the message passed as clean. Please see the log entry 
 returned by amavis (Postfix+amavis-new+ClamAV):
 
  amavis[17914]: (17914-04) Passed CLEAN

Save the message to a file, and then post the stderr output of 'clamscan 
-d/var/lib/clamav/local.pdb /path/to/youremail --debug'
(for example: clamscan -d/var/lib/clamav/local.pdb /path/to/youremail --debug 
2>log; post contents of log)

Best regards,
--Edwin


Re: [clamav-users] Phishing and ClamAV

2011-10-20 Thread Török Edwin
On 10/20/2011 03:31 PM, Ivan Ivanov wrote:
 Hello Edwin.
 
 Here is:
 
 clamscan -d /var/lib/clamav/local.pdb message.eml
 message.eml: OK
 
 --- SCAN SUMMARY ---
 Known viruses: 1
 Engine version: 0.97.2
 Scanned directories: 0
 Scanned files: 1
 Infected files: 0
 Data scanned: 0.00 MB
 Data read: 0.00 MB (ratio 0.00:1)
 Time: 0.021 sec (0 m 0 s)
 
 
 # cat message.eml

The file should be a mail message, so add these 4 lines (including blank one) 
at the beginning:

From t...@example.com
From: t...@example.com
To: t...@example.com

 <a href="http://www.w3schools.com/" target="_blank">Visit testbank.lan</a>

There is the problem, .lan is not a valid TLD and ClamAV doesn't recognize 
testbank.lan as a URL.
Try using valid TLDs, for example testbank.example.com and then ClamAV should 
block your message.

Best regards,
--Edwin


Re: [clamav-users] clamd exits with libclamav error

2011-10-19 Thread Török Edwin
On 2011-10-19 21:53, Alex wrote:
 Hi,
 
 kernel: [73788.355981] [Hardware Error]: Machine check events logged
 kernel: [73914.635576] CPU4: Package temperature above threshold, cpu
 clock throttled (total events = 5538406)
 kernel: [73914.635581] CPU0: Package temperature above threshold, cpu
 clock throttled (total events = 5538398)

 Since your CPU had thermal protection, it's supposed to take effect before 
 the hardware is permanently damaged, but the thermal stress might have 
 affected it, or other components like memory or the PSU.
 
 [29016.445470] clamd[1110] general protection ip:30df2c3981
 sp:7fffa08f4fe0 error:0 in libclamav.so.6.1
 .11[30df20+9ce000]
 
 I've now switched the hard disks to the old server (also an x86_64
 arch) and it has been running fine with no 'general protection' errors
 for more than twelve hours. I think it's safe to assume there is no
 software bug causing these errors?
 
 I've also been stress testing the new hardware separately. It
 succeeded through two full passes of memtest86 without any errors.
 It's now been running mprime for more than twelve hours and has not
 failed.
 
 When these 'general protection' errors were produced, the system was
 typically under high load and high IO.
 
 I realize this may be a hardware issue, but does anyone have any ideas
 how to determine what is really going on?

There are some packages for stress-testing, like cpuburn.
cpuburn in MMX mode is quite good at raising your CPU temperature, so I suggest 
you keep an eye on the CPU sensors (sensors -l) if you do run it.
Try running one cpuburn on each CPU core for a while.

Of course it's also possible that your hardware was fine before and you'll 
damage it by running the stress tests (if you have inadequate cooling, for 
example), so you do so at your own risk!

 
 Is there a way to stress-test clamav on the new hardware, to try and
 induce an error through high IO?

For high I/O try this: run updatedb to update your locate database,
and at the same time launch a clamd multiscan:
clamdscan -m /

Another test that you can do is to compile some large pieces of software (Linux 
kernel, OpenOffice, etc.)
with make -j N, where N = nr_cores * 2. GCC uses a _lot_ of pointer 
manipulation and will randomly
crash on faulty hardware, although in that case memtest usually detects the 
errors too.

Best regards,
--Edwin


Re: [clamav-users] Value too large for defined data type

2011-10-14 Thread Török Edwin
On 10/14/2011 11:49 AM, Simon Friedberger wrote:
 Hello everybody,
 
 I'm getting the following error trying to scan a file:
 
 WARNING: myfilename: Can't access file
 myfilename: Value too large for defined data type

This probably comes from the stat() system call.
It can happen if you use an XFS with inode64 option and 32-bit apps for 
example, and it'll happen with any 32-bit app (try gcc).

 
 It seems that this error can be caused by different problems like a wrong 
 inode number when mounting CIFS or very large files. (Suggested by some 
 websites and old mailing list entries.)

What is your filesystem? What is your kernel ('uname -mrsp')?
Are you running a 32-bit or 64-bit ClamAV? ('file /usr/bin/clamscan' will tell 
you)

 
 I have three questions:
 
 1. How do I find out which value really causes the issue?

Does 'stat myfilename' work?

 2. How do I scan very large files?

I don't think it's the file's size that is the problem, but rather its inode.
Use a 64-bit clamscan/clamd if your filesystem uses 64-bit inodes.

 3. How do I find out what the current maximum file size for scanning is? The 
 man page says the default is 25 MB but it is not set in /etc/clamav/ anywhere 
 and I have scanned files larger than that.

If you scan something outside the limits you don't get an error, you get an OK.

Best regards,
--Edwin


Re: [clamav-users] Value too large for defined data type

2011-10-14 Thread Török Edwin
On 10/14/2011 04:13 PM, Simon Friedberger wrote:
 Does it print an error?
 Yes, it does.
 stat failed: Value too large for defined data type
 Now what does that mean? :)
 

I think I got it:
off_t st_size;    /* total size, in bytes */

The st_size member of the stat buffer is a signed value, so any file over 2GB 
in size would be negative. stat() won't allow that, so instead it returns an 
error telling us we should probably use the stat64() call.

Please open a bug report; the fix is likely to detect the errno and simply skip 
scanning such files (on 32-bit anyway).

Best regards,
--Edwin
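The 32-bit stat() failure discussed in this thread, as an added example (my own, not ClamAV code): a file probe for a scanner's directory walk that treats EOVERFLOW as "skip this file and keep going" instead of a fatal error, plus the signed 32-bit off_t bound that explains why a 32-bit build hits it. probe_file and fits_in_off32 are hypothetical names.

```c
/* Added example, not ClamAV code: how a scanner's directory walk can handle
 * the "Value too large for defined data type" (EOVERFLOW) that a 32-bit
 * stat() returns when a file's size or inode does not fit in its struct stat.
 * Build it 32-bit without -D_FILE_OFFSET_BITS=64 and point it at a file over
 * 2 GB to see PROBE_SKIP_TOO_LARGE; the same code built 64-bit (or with
 * large-file support) reports PROBE_OK for that file. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum probe_result {
    PROBE_OK = 0,          /* stat() succeeded, size stored in *size */
    PROBE_SKIP_TOO_LARGE,  /* EOVERFLOW: log and skip, keep scanning the rest */
    PROBE_ERR              /* any other stat() failure (ENOENT, EACCES, ...) */
};

/* A signed 32-bit off_t tops out at 2^31 - 1 bytes; a size beyond that is
 * exactly what makes a 32-bit stat() fail with EOVERFLOW instead of handing
 * back a negative st_size. */
int fits_in_off32(long long size)
{
    return size >= 0 && size <= (long long)INT32_MAX;
}

/* Probe one path. On failure the errno text is copied into errbuf (if given)
 * so the caller can log it the way clamscan printed "Can't access file". */
enum probe_result probe_file(const char *path, long long *size,
                             char *errbuf, size_t errlen)
{
    struct stat st;
    int saved;
    if (stat(path, &st) == 0) {
        *size = (long long)st.st_size;
        return PROBE_OK;
    }
    saved = errno;   /* capture before any library call can disturb it */
    if (errbuf && errlen)
        snprintf(errbuf, errlen, "%s: %s", path, strerror(saved));
    return saved == EOVERFLOW ? PROBE_SKIP_TOO_LARGE : PROBE_ERR;
}

int main(int argc, char **argv)
{
    int rc = 0, i;
    for (i = 1; i < argc; i++) {
        long long size = 0;
        char err[512];
        switch (probe_file(argv[i], &size, err, sizeof err)) {
        case PROBE_OK:
            printf("%s: %lld bytes%s\n", argv[i], size,
                   fits_in_off32(size) ? "" : " (needs a 64-bit off_t)");
            break;
        case PROBE_SKIP_TOO_LARGE:
            printf("SKIPPED %s\n", err);   /* scan continues with the next file */
            break;
        default:
            printf("WARNING: %s\n", err);
            rc = 1;
        }
    }
    return rc;
}
```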


Re: [clamav-users] clamd exits with libclamav error

2011-10-10 Thread Török Edwin
On 2011-10-10 10:24, Alex wrote:
 Hi,
 
 I have a fedora15 x86_64 box with clamav-0.97.2, postfix-2.8.4, and
 amavisd-new-2.6.6 with spamassassin-3.3.2 that has been running fine
 for quite a while. Recently, clamd has died with an error similar to
 this:
 
 Oct 10 02:55:56 mail02 amavis[25696]: (25696-18) (!)run_av
 (ClamAV-clamscan) FAILED - unexpected exit 2, output=LibClamAV
 Error:cli_hex2str(): Malformed hexstring: 22|20 (length: 5)\nLibClamAV
 Error: cli_parse_add(): Problem adding signature (3).

scanners.c:1667 returns a string split using '|' as delimiter, so I don't see 
how hex2str at 1672 can report that it still has a '|'.

Try running memtest86(+) to check that your RAM is fine.

Also what does the clamav-unofficial-sigs log say about the InetMsg database?
Does it report that the integrity test worked when it tested the database with 
clamscan?

 
 Is this a corrupt database? I'm using the clamav-unofficial-sigs
 script to verify the updates and it hasn't reported a problem.
 Restarting clamd apparently resolves the issue temporarily.
 
 It has failed two or three times now over the course of about five
 days, so it generally works properly.
 
 The content of INetMsg-SpamDomains-2w.ndb at line 40734 is:
 
 INetMsg.SpamDomain-2w.lakecharmvila_com:4:*:(2e|2f|40|20|3c|5f)6c616b65636861726d76696c612e636f6d(27|22|20|2f|3d|5f|3e|0a|0d)

This is a valid database entry, are you sure this is the one causing clamscan 
to fail with the above message?
Maybe the database got updated in the meantime with a corrected entry.

 
 # md5sum INetMsg-SpamDomains-2w.ndb
 06d95496ef6e60fdee63dcf431c06b48  INetMsg-SpamDomains-2w.ndb
 
 # sigtool --find-sigs INetMsg.SpamDomain-2w.lakecharmvila_com |
 sigtool --decode-sigs
 VIRUS NAME: INetMsg.SpamDomain-2w.lakecharmvila_com
 TARGET TYPE: MAIL
 OFFSET: *
 DECODED SIGNATURE:
 {CHAR_ALTERNATIVE:.|/|@| ||_}lakecharmvila.com{CHAR_ALTERNATIVE:'|| 
 |/|=|_||
 }
 
 Thanks for any ideas.
 Alex

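An added example (my own, not libclamav's parser) of the .ndb entry quoted in this thread: it splits Name:TargetType:Offset:HexSig, decodes literal runs with a strict hex decoder, and decodes each (..|..) alternative on its own, so a '|' can only reach the hex decoder from input that is already corrupt, which is the point made above about the "Malformed hexstring: 22|20" log line. hex2str here is a stand-in, not libclamav's cli_hex2str, and the struct and function names are mine.

```c
/* Added example, not libclamav code: parse one .ndb line
 * (Name:TargetType:Offset:HexSignature) whose hex signature mixes literal hex
 * runs with single-byte alternative groups such as (2e|2f|40). Target type 4
 * is mail, which is what sigtool printed above as "TARGET TYPE: MAIL". */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTS 16
#define MAX_ALTS  16
#define MAX_LIT   64

struct sig_part {               /* one element of the decoded signature */
    int is_alt, nalts, litlen;
    unsigned char alt[MAX_ALTS];/* byte alternatives when is_alt == 1 */
    unsigned char lit[MAX_LIT]; /* literal bytes when is_alt == 0 */
};

struct ndb_sig {
    char name[128];
    int target, nparts;         /* target 4 = mail */
    char offset[32];            /* "*" = anywhere in the file */
    struct sig_part parts[MAX_PARTS];
};

/* Strict hex decoder: even length, hex digits only. Anything else (including a
 * stray '|') gets a diagnostic in the style of the log line above and -1. */
int hex2str(const char *hex, size_t len, unsigned char *out, size_t outlen)
{
    size_t i, bad = (len % 2 != 0) || (len / 2 > outlen);
    for (i = 0; !bad && i < len; i++)
        bad = !isxdigit((unsigned char)hex[i]);
    if (bad) {
        fprintf(stderr, "hex2str(): Malformed hexstring: %.*s (length: %zu)\n",
                (int)len, hex, len);
        return -1;
    }
    for (i = 0; i < len; i += 2)
        out[i / 2] = (unsigned char)strtoul((char[3]){ hex[i], hex[i + 1], 0 }, NULL, 16);
    return (int)(len / 2);
}

/* Parse "(2e|2f|40)" at s. Each alternative is decoded separately, so the '|'
 * separators never reach hex2str. Returns characters consumed, or -1. */
static int parse_alt(const char *s, struct sig_part *p)
{
    const char *close = strchr(s, ')'), *cur = s + 1;
    if (!close)
        return -1;
    p->is_alt = 1;
    while (cur < close) {
        const char *bar = memchr(cur, '|', (size_t)(close - cur));
        const char *end = bar ? bar : close;
        unsigned char b;
        if (p->nalts >= MAX_ALTS || hex2str(cur, (size_t)(end - cur), &b, 1) != 1)
            return -1;
        p->alt[p->nalts++] = b;
        cur = end + 1;
    }
    return (int)(close - s + 1);
}

/* Returns 0 and fills *sig, or -1 if any field is malformed. */
int parse_ndb_line(const char *line, struct ndb_sig *sig)
{
    const char *c1 = strchr(line, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    const char *c3 = c2 ? strchr(c2 + 1, ':') : NULL;
    const char *s;
    memset(sig, 0, sizeof *sig);
    if (!c3 || (size_t)(c1 - line) >= sizeof sig->name || (size_t)(c3 - c2 - 1) >= sizeof sig->offset)
        return -1;
    memcpy(sig->name, line, (size_t)(c1 - line));
    sig->target = atoi(c1 + 1);
    memcpy(sig->offset, c2 + 1, (size_t)(c3 - c2 - 1));
    for (s = c3 + 1; *s && *s != '\r' && *s != '\n'; sig->nparts++) {
        struct sig_part *p = sig->parts + sig->nparts;
        if (sig->nparts >= MAX_PARTS) return -1;
        if (*s == '(') {                 /* alternative group */
            int used = parse_alt(s, p);
            if (used < 0) return -1;
            s += used;
        } else {                         /* literal run up to the next group */
            size_t run = strcspn(s, "(\r\n");
            if ((p->litlen = hex2str(s, run, p->lit, sizeof p->lit)) < 0) return -1;
            s += run;
        }
    }
    return 0;
}

int main(void)
{
    struct ndb_sig sig;   /* the exact entry quoted in the thread */
    const char *line = "INetMsg.SpamDomain-2w.lakecharmvila_com:4:*:"
        "(2e|2f|40|20|3c|5f)6c616b65636861726d76696c612e636f6d(27|22|20|2f|3d|5f|3e|0a|0d)";
    if (parse_ndb_line(line, &sig) != 0)
        return 1;
    printf("%s: target %d, offset %s, %d parts, literal %.*s\n", sig.name, sig.target,
           sig.offset, sig.nparts, sig.parts[1].litlen, (char *)sig.parts[1].lit);
    return 0;
}
```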


Re: [clamav-users] clamd exits with libclamav error

2011-10-10 Thread Török Edwin
On 2011-10-10 11:25, Alex wrote:
 Hi,
 
 I have a fedora15 x86_64 box with clamav-0.97.2, postfix-2.8.4, and
 amavisd-new-2.6.6 with spamassassin-3.3.2 that has been running fine
 for quite a while. Recently, clamd has died with an error similar to

Was it clamd that died or both clamd and clamscan?

 this:

 Oct 10 02:55:56 mail02 amavis[25696]: (25696-18) (!)run_av
 (ClamAV-clamscan) FAILED - unexpected exit 2, output=LibClamAV

The error message refers to clamscan, but maybe because that is the backup 
scanner?

 Error:cli_hex2str(): Malformed hexstring: 22|20 (length: 5)\nLibClamAV
 Error: cli_parse_add(): Problem adding signature (3).

 scanners.c:1667 returns a string split using '|' as delimiter, so I don't 
 see how
 hex2str at 1672 can report that it still has a '|'.

 Try running memtest86(+) to check that your RAM is fine.
 
 I ran it before putting the server into production about two weeks
 ago, and it has been running fine ever since.
 
 Also what does the clamav-unofficial-sigs log say about the InetMsg database?
 Does it report that the integrity test worked when it tested the database 
 with clamscan?
 
 There haven't been any reports of a failed integrity test in the recent
 past. Only messages like these:
 
 Oct 10 03:52:33 INFO - Successfully updated Sanesecurity production
 database file: INetMsg-SpamDomains-2w.ndb

Was there an 'integrity tested good' message before that?

 
 The content of INetMsg-SpamDomains-2w.ndb at line 40734 is:

 INetMsg.SpamDomain-2w.lakecharmvila_com:4:*:(2e|2f|40|20|3c|5f)6c616b65636861726d76696c612e636f6d(27|22|20|2f|3d|5f|3e|0a|0d)

 This is a valid database entry, are you sure this is the one causing 
 clamscan to fail with the above message?
 Maybe the database got updated in the meantime with a corrected entry.
 
 The database was last updated around 02:51:52 and the error was
 reported at 02:55:56, so that is the correct database, to the best of
 my knowledge. It does look like it was updated one time after that:
 
 Oct 10 03:52:32 INFO - Clamscan reports Sanesecurity
 INetMsg-SpamDomains-2w.ndb database integrity tested good
 
 However the timestamp on the file doesn't reflect that:
 # ls -la INetMsg-SpamDomains-2w.ndb
 -rw-r--r-- 1 amavis amavis 10688391 Oct 10 02:46 INetMsg-SpamDomains-2w.ndb
 
 Is there a way to have it automatically restarted when something like
 this happens or be more tolerant of database problems, with
 notifications of those problems, in the future?

Restarting won't help if the database is corrupted, or if there is some problem 
parsing the database.

Best regards,
--Edwin


Re: [clamav-users] clamd exits with libclamav error

2011-10-10 Thread Török Edwin
On 2011-10-10 19:15, Alex wrote:
 Hi,
 
 I have a fedora15 x86_64 box with clamav-0.97.2, postfix-2.8.4, and
 amavisd-new-2.6.6 with spamassassin-3.3.2 that has been running fine
 for quite a while. Recently, clamd has died with an error similar to

 Was it clamd that died or both clamd and clamscan?
 
 It looks like both:
 
 Oct 10 01:11:02 mail02 amavis[31956]: (31956-07-4) ClamAV-clamd: Can't
 send to socket /var/spool/amavisd/clamd.sock: Transport endpoint is
 not connected, retrying (1)
 
 And here is clamd failing:
 
 Oct 10 12:03:29 mail02 amavis[14313]: (14313-03-6) (!)ClamAV-clamscan
 av-scanner FAILED: /usr/bin/clamscan unexpected exit 2,
 output=LibClamAV Error: cli_loadhash: Problem parsing database at
 line 662180\nLibClamAV Error: Can't load main.mdb: Malformed
 database\nLibClamAV Error: cli_tgzload: Can't load main.mdb\nLibClamAV
 Error: Can't load /var/lib/clamav/main.cvd: Malformed database\nERROR:
 Malformed database at (eval 91) line 596.

main.cvd was last updated in 2010, and it is definitely not broken.
So this random database parsing failure can be 2 things:
 - hardware issue
 - memory corruption bug in libclamav

For the 1st all I can suggest is to run memtest again, but you probably can't 
afford to take down a production server just to do that.
There is another one, memtester, which can be run from userspace without 
rebooting; you can try that.
Of course it could be some other HW problem, but RAM is the one that fails most 
often.

For the 2nd you can try running clamscan under valgrind and see if it reports 
any warnings, i.e. valgrind clamscan /dev/null.

 
 I notice that it's not always the same database or line number that it
 is failing on, and it's now just happened again, so it's now more
 frequent.
 
 I suppose it could be a hardware problem, but it's a kvm virtual
 machine running on new x86_64 Xeon hardware that was stress tested
 before putting into production. It ran without any difficulties for
 probably a week prior to the first occurrence of the problem.

The next time this happens (or if you can still reproduce the problem)
take a backup of the database directory (cp -a), upload it somewhere,
open a bug and put the link there; I will take a look to see if there's anything 
wrong with the parsing code.

Best regards,
--Edwin


Re: [clamav-users] clamd exits with libclamav error

2011-10-10 Thread Török Edwin
On 2011-10-10 19:29, Alex wrote:
 Hi,
 
 Is there a way to have it automatically restarted when something like
 this happens or be more tolerant of database problems, with
 notifications of those problems, in the future?

 If bug 2727 is any indication, don't bet on it.
 
 I don't think it's that bug, since I have a version greater than
 0.97.0.2, and this bug was resolved in April.
 
 Restarting won't help if the database is corrupted, or is there is some 
 problem parsing the database.

 Correct, if you mess up a sig DB on a system, you've messed up the
 ClamAV on the system.
 And most of the time it doesn't log a thing, it just dies.
 Lots of fun. :-)
 
 In my case, restarting does fix the problem.
 
 Is there anything I should watch for, or do when it happens again? How
 can I manually check the integrity of all the databases when it fails?

Run clamscan /dev/null (or any file), and it will print an error if any 
database is wrong.
Official databases have digital signatures, and clamscan (and freshclam) check 
them.

Best regards,
--Edwin


Re: [clamav-users] NetBSD with 97.2

2011-09-30 Thread Török Edwin
On 09/30/2011 03:59 PM, Phil Schilling wrote:
 
 On Sep 29, 2011, at 9:01 AM, Török Edwin wrote:
 
 On 09/29/2011 04:32 PM, Phil Schilling wrote:
 I just installed 0.97.2 on a NetBSD 5.1 x86 box.  When running freshclam it 
 hangs after Downloading daily-13703.cdiff [100%].  It can sit there forever 
 and not give the console back.  There are two
 running freshclam processes while this happens.  It also does the same 
 thing with clamd when starting the process.  It will give you the Bytecode: 
 Security mode set to TrustSigned and then not give
 the console back.  If you CTRL-C it will give you the console and the clamd 
 process continues to run as normal.

 This may be due to a change in configuration that I have been unable to 
 find, if so a good hit with the clue bat would be appreciated.  I have not 
 seen this problem on any other box.  Thanks


 Shouldn't hang, that's a bug. Doesn't freshclam time out after a while though?
 If you run  clamscan --debug, what are the last lines that it prints?

 
 Torok,
 I gave freshclam one half hour and it did not time out.  Here are the 
 last lines from the console and it hangs there, no return to console prompt.
 
 LibClamAV debug: emax_reached: marked parents as non cacheable
 LibClamAV debug: cli_magic_scandesc: returning 0  at line 1981
 LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
 LibClamAV debug: cache_check: 5b19bc7252468a9a6c21fc9c0c768b6d is negative
 LibClamAV debug: Recognized ASCII text
 LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
 LibClamAV debug: in cli_scanscript()
 LibClamAV debug: cache_add: 5b19bc7252468a9a6c21fc9c0c768b6d (level 0)
 LibClamAV debug: cli_magic_scandesc: returning 0  at line 2388
 LibClamAV debug: Cleaning up phishcheck
 LibClamAV debug: Freeing phishcheck struct
 LibClamAV debug: Phishcheck cleaned up
 LibClamAV debug: entconv: Destroying iconv pool:0x8287f40
 LibClamAV debug: entconv: closing iconv:0x81de9a0

At that point it should just exit.

Can you open clamscan in gdb, and hit Ctrl-C where it hangs and then take a 
stacktrace?
(See clamav.net/bugs). Then open a bug and attach the stacktrace.

Best regards,
--Edwin


Re: [clamav-users] NetBSD with 97.2

2011-09-29 Thread Török Edwin
On 09/29/2011 04:32 PM, Phil Schilling wrote:
 I just installed 0.97.2 on a NetBSD 5.1 x86 box.  When running freshclam it 
 hangs after Downloading daily-13703.cdiff [100%].  It can sit there forever 
 and not give the console back.  There are two
 running freshclam processes while this happens.  It also does the same thing 
 with clamd when starting the process.  It will give you the Bytecode: 
 Security mode set to TrustSigned and then not give
 the console back.  If you CTRL-C it will give you the console and the clamd 
 process continues to run as normal.
 
 This may be due to a change in configuration that I have been unable to find, 
 if so a good hit with the clue bat would be appreciated.  I have not seen 
 this problem on any other box.  Thanks
 

Shouldn't hang, that's a bug. Doesn't freshclam time out after a while though?
If you run  clamscan --debug, what are the last lines that it prints?

Best regards,
--Edwin


Re: [clamav-users] Encrypted Documents

2011-09-28 Thread Török Edwin
On 2011-09-28 17:57, Bryan Blackwell wrote:
 I don't see how that's possible on incoming attachments unless you get all 
 your senders to use a known key, or some cracking technology built into 
 ClamAV.  
 Am I missing something?

I assume he just wants to block any encrypted attachments, as opposed to 
scanning for malicious content inside them.

 
 --Bryan
 
 On Sep 28, 2011, at 6:20 AM, Pedro Gomez wrote:
 
 I wanted to know if ClamAV detects Microsoft Office or OpenOffice encrypted
 documents. And in the next version?

Only Zip, RAR and PDF for now.

Please open an enhancement request on bugs.clamav.net and attach some encrypted
file samples.
For example take one file, encrypt it and save it in the various formats supported
by MSOffice and OpenOffice, with different versions of the above programs, and in
different file formats.

Best regards,
--Edwin


Re: [clamav-users] Configuring LogFacility

2011-09-27 Thread Török Edwin
On 2011-09-27 13:13, Forlani M. wrote:
 
 Hi all, I'm new here, please excuse my limited English.
 I have a centralized syslog server and I've configured clamd to send logs as 
 LogFacility local1.
 It's working fine, but this is what I'm obtaining:
 files/folders clamd can't access as local1.warning
 files infected local1.info
 
 Is there a way to set local1.critical or alert for infected files?

No you can't configure it from clamd.conf, please open an enhancement request 
on bugs.clamav.net:

You could write a virusevent script, put VirusEvent /path/to/yourscript in 
clamd.conf, and in yourscript:
#!/bin/sh
# clamd exports the file name and signature name in these environment variables
/usr/bin/logger -t clamd -p local1.alert "$CLAM_VIRUSEVENT_FILENAME: $CLAM_VIRUSEVENT_VIRUSNAME FOUND"

 It's simpler to find a critical/alert message in syslog, and in this way I 
 can refine logs and reports.
 
 I'm using clamav on centos 5.5, installed from rpmforge repository: ClamAV 
 0.97.2/13679
 Thanks
 

If you're using rsyslogd it should be possible to match on msg content FOUND 
and send the output to a different place,
or override the loglevel.

Best regards,
--Edwin


Re: [clamav-users] Configuring LogFacility

2011-09-27 Thread Török Edwin
On 2011-09-27 15:56, Forlani M. wrote:
 Thanks for the answer, yes I'm using rsyslogd, could you point me to docs on 
 how to match on msg?

man rsyslog.conf, look for Property based filters, and Property replacer.
They allow to filter on any property, like HOSTNAME, syslogtag and msg.

Best regards,
--Edwin


Re: [clamav-users] ClamAV Virus Database Search

2011-09-25 Thread Török Edwin
On 09/25/2011 03:52 AM, Al Varnell wrote:
 When I go to http://clamav-du.securesites.net/cgi-bin/clamgrok and enter
 OSX I get a list of 34 hits for Mac OS signatures, but at least one is
 missing.
 
 When I open my daily.cld I can find the following:
 
 MacOSX.Revir-1;Engine:51-255,Target:9;(012);string;string
 
 which was added late yesterday but is not in the above list.
 
 Any idea why it wouldn't show up?

That is a logical signature (.ldb).
Just a guess but maybe the site is using an old version
of ClamAV's sigtool that doesn't support that (0.95.3?),
or they unpack the CVD but don't search in .ldb files.

Best regards,
--Edwin


Re: [clamav-users] Obfuscated IP address.

2011-09-19 Thread Török Edwin
On Sep 19, 2011, at 19:04, Bowie Bailey bowie_bai...@buc.com wrote:

 On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
 A hostname cannot be all digits and except when the IP is used there
 will be a TLD, so if you see a pattern such as
 
  http:// 123456789/ cgi-bin/innocent_code.pl
 
 (Ignore the spaces they are there to let this post slip by most antispam
 detection) then you can surmise it is an attempt at obfuscation.
 I don't get it, what's the pattern we're looking for? An IP address is a
 number. Any way you specify it is fine. 123456789 is no more obfuscated
 than whatever it would be if you converted it to dotted quad. They both
 represent the same number.
 
 If you're trying to match a text pattern against an integer, you're
 doing it wrong.
 
 He is not trying to match the IP address.  He is trying to match an
 unusual way of presenting the IP address that seems to occur primarily
 in spam.
 
 Whether this is something that should be done in ClamAV or would be
 better done by something like SpamAssassin is another question altogether.


 
Try adding this to a local.pdb file in your dbdir (untested):
R:[0-9]{1,10}(\.[0-9]{1,10}){0,2}:.+

Of course you can improve the regex to detect hexadecimal encoded numbers, etc.

Best regards,
--Edwin
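As an added illustration (not code from this thread or from ClamAV), the check below canonicalises numeric URL hosts with the inet_aton parsing rules and flags the forms the suggested pdb regex targets, extended to the hexadecimal case mentioned above; the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Host part of the suggested local.pdb line: one to three decimal components,
# i.e. a numeric host that is not spelled out as a full dotted quad.
PDB_HOST_RE = re.compile(r"[0-9]{1,10}(\.[0-9]{1,10}){0,2}")

# One address component in the classic inet_aton grammar:
# 0x-prefixed hex, leading-zero octal, or plain decimal.
COMPONENT_RE = re.compile(r"0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*", re.IGNORECASE)


def parse_component(text):
    """Return the integer value of one component, or None if it is not numeric."""
    if not COMPONENT_RE.fullmatch(text):
        return None
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host):
    """Dotted-quad form of a numeric host under inet_aton rules, else None.

    With fewer than four components the last one fills the remaining bytes,
    so "123456789" is 7.91.205.21 and "7.6016277" is the same address.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [parse_component(p) for p in parts]
    if any(v is None for v in values):
        return None
    tail_bytes = 4 - (len(values) - 1)
    if any(v > 255 for v in values[:-1]) or values[-1] >= 256 ** tail_bytes:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_url(url):
    """Classify the URL's host and report whether the pdb regex would match it.

    Returns (verdict, canonical_ip, pdb_regex_hits) where verdict is one of
    "hostname", "dotted-quad" or "obfuscated-ip".
    """
    host = urlsplit(url).hostname or ""
    ip = canonical_ipv4(host)
    pdb_hits = PDB_HOST_RE.fullmatch(host) is not None
    if ip is None:
        return "hostname", None, pdb_hits
    if host == ip:
        return "dotted-quad", ip, pdb_hits
    return "obfuscated-ip", ip, pdb_hits


if __name__ == "__main__":
    # Constructed sample URLs; the first mirrors the one quoted in the thread.
    for sample in (
        "http://123456789/cgi-bin/innocent_code.pl",
        "http://0x075BCD15/cgi-bin/innocent_code.pl",
        "http://7.6016277/cgi-bin/innocent_code.pl",
        "http://7.91.205.21/cgi-bin/innocent_code.pl",
        "http://www.example.com/cgi-bin/innocent_code.pl",
    ):
        print(sample, "->", classify_url(sample))
```

The third value shows where the decimal-only regex falls short: the hex spelling of the same address is classified as obfuscated but is not matched by the pdb pattern.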


Re: [clamav-users] Yet Another US Mirror Issue

2011-09-12 Thread Török Edwin
On 09/12/2011 10:54 PM, Dan wrote:
 Is there a way to make freshclam grab and verify database files from a local 
 directory?


Yes, but they don't work for fetching incremental updates from local dir 
(DatabaseCustomURL, PrivateMirror).
What you could try is set DatabaseMirror to a local webserver, which fetches 
CDIFFs/CVDs from torrents on demand.

FWIW fetching small cdiffs (1kb) via torrents is probably a bad idea as it'll 
take a lot more
for you to find peers than to download from a mirror.

Best regards,
--Edwin



Re: [clamav-users] Source RPM for RHEL?

2011-08-23 Thread Török Edwin
On 2011-08-23 21:48, C. Bensend wrote:
 
 Hey folks,
 
So, I can't seem to find an SRPM for RHEL that actually matches
 its checksum, which makes me a bit .. uneasy, given the nature
 of the software.
 
The RPMforge one fails its MD5 sum check.  The second site listed
 on clamav.net doesn't even have it that I could find.

You have to import the repository's key, and then it works:

$ wget http://pkgs.repoforge.org/clamav/clamav-0.97.2-1.rf.src.rpm
$ wget http://apt.sw.be/RPM-GPG-KEY.dag.txt
$ rpm --import RPM-GPG-KEY.dag.txt
$ rpm -K clamav-0.97.2-1.rf.src.rpm
clamav-0.97.2-1.rf.src.rpm: (sha1) dsa sha1 md5 gpg OK

If you get something else maybe your download got corrupted.

Best regards,
--Edwin


Re: [clamav-users] Source RPM for RHEL?

2011-08-23 Thread Török Edwin
On 2011-08-23 22:27, C. Bensend wrote:
 
 On 2011-08-23 21:48, C. Bensend wrote:

 Hey folks,

So, I can't seem to find an SRPM for RHEL that actually matches
 its checksum, which makes me a bit .. uneasy, given the nature
 of the software.

The RPMforge one fails its MD5 sum check.  The second site listed
 on clamav.net doesn't even have it that I could find.

 You have to import the repository's key, and then it works:

 $ wget http://pkgs.repoforge.org/clamav/clamav-0.97.2-1.rf.src.rpm
 $ wget http://apt.sw.be/RPM-GPG-KEY.dag.txt
 $ rpm --import RPM-GPG-KEY.dag.txt
 $ rpm -K clamav-0.97.2-1.rf.src.rpm
 clamav-0.97.2-1.rf.src.rpm: (sha1) dsa sha1 md5 gpg OK

 If you get something else maybe your download got corrupted.
 
 Thanks for that...  However, I still get the same problem:
 
 rpm -ivh clamav-0.97.2-1.rf.src.rpm
1:clamavwarning: user dag does not exist - using root
 warning: group dag does not exist - using root
 ### [100%]
 error: unpacking of archive failed on file
 /home/rpm/SOURCES/clamav-0.97.2.tar.gz;4e53fe2c: cpio: MD5 sum mismatch
 
 (I hand-transcribed that but I think it's accurate)

I think this is because your RPM lacks SHA256 support, and the .src.rpm
uses SHA256:
https://bugzilla.redhat.com/show_bug.cgi?id=490613

If I try your rpm -ihv command on a RHEL 5.x box I indeed get the same error as you;
if I try it on something modern like Fedora 14 it's all OK.

Just use rpm --no-md5 -ihv for now, you verified the digital signature with -K
so it should be fine.

Best regards,
--Edwin


Re: [clamav-users] make check....

2011-08-21 Thread Török Edwin
On 08/22/2011 12:12 AM, Frans de Boer wrote:
 Hello, I see the next results listing every time when I do a make check:
 
 git-clamav-devel/unit_tests'
 PASS: check_clamav
 PASS: check_freshclam.sh
 PASS: check_sigtool.sh
 SKIP: check_unit_vg.sh
 PASS: check1_clamscan.sh
 PASS: check2_clamd.sh
 PASS: check3_clamd.sh
 PASS: check4_clamd.sh
 SKIP: check5_clamd_vg.sh
 SKIP: check6_clamd_vg.sh
 SKIP: check7_clamd_hg.sh
 SKIP: check8_clamd_hg.sh
 SKIP: check9_clamscan_vg.sh
 ==
 All 7 tests passed
 (6 tests were not run)
 ==
 
 Wat are the suffixes _vg and _hg meaning? Am I missing something?

_vg stands for valgrind, _hg stands for helgrind. These tests are disabled by 
default.
You can run them with 'make check VG=1' for example, but you need a recent 
version
of valgrind, system libs, etc.

Best regards,
--Edwin


Re: [clamav-users] How to disable / ignore Heuristics.Encrypted.PDF ?

2011-08-19 Thread Török Edwin
On 2011-08-19 20:33, Paul Enlund wrote:
 Hi
 
 Still having problems with some PDF's being flagged as 
 Heuristics.Encrypted.PDF
 even with version 0.97.2. Version 0.97 does not have this problem.
 
 Example PDF which is not encrypted available if required.

Please open a bug and attach it (attachments are private by default).

Best regards,
--Edwin


Re: [clamav-users] The error log message milter=clmilter, tempfail

2011-08-18 Thread Török Edwin
On 08/18/2011 01:05 PM, Michael Wu wrote:
 Hello,
 
 In the /var/log/maillog, sometimes we will see the log message
 milter=clmilter, tempfail. Is there anything that we should notice? The
 Clamd service is still running and quarantines the suspicious mails
 normally. We compile the clamav from the source ( the latest stable release
 0.97.2 ) and use sendmail ( 8.13.8 ) as the mail server.
 

Is there anything in the clamav milter's logs?
(note that those logs are separate from clamd's, unless you use SysLog of 
course).

Best regards,
--Edwin


Re: [clamav-users] clamav dies unexpectly

2011-08-11 Thread Török Edwin
On 2011-08-11 21:12, ulises gonzalez wrote:
 Hello everybody:
 
 I've been using Clamav since 2005 on Ubuntu and Debian systems; for one 
 year I've been compiling it with the clamuko module (versions 0.96.2 to 
 0.97.2, excluding 0.97.1), and together with this I've been compiling dazukofs. 
 With all these versions of clamav, clamav dies suddenly

How? Is it a SIGSEGV/SIGBUS/something else?
Grep your dmesg for messages about clamd (segfaults are usually logged there).
Also see if clamd created a core file.

See here for instructions on how to get a stacktrace:
http://www.clamav.net/lang/en/bugs/

Then open a bug on bugs.clamav.net.

Also does this happen only if you enable Clamuko in clamd.conf,
or does it happen if you disable it too?

 when the 
 selfcheck time arrives (clamd.conf setting); if I restart it, it starts without 
 complaints
 
 I've been using 2 workarounds:
 
 1 - On PCs that don't run 24 hours I set a high SelfCheck, higher than their 
 normal uptime. This way SelfCheck never happens
 2 - With versions 0.96.x I used to run safe_clamd, but in versions 0.97.x it 
 does not work; it complains with the following error
 
 host@ligero1:/etc/exec.mfp$ ./safe_clamd
 trap: 119: SIGHUP: bad trap

Please open a separate bug for this.

Best regards,
--Edwin


Re: [clamav-users] clamav dies unexpectly

2011-08-11 Thread Török Edwin
On 2011-08-11 22:02, ulises gonzalez wrote:
 On Thursday 11 August 2011 02:29:17 pm Török Edwin wrote:
 How? Is it a SIGSEGV/SIGBUS/something else?
 
 
 Excuse me, how can I do this?

Following the instructions on the clamav website on how to attach gdb to clamd,
then wait for the selfcheck (or trigger it with clamdscan --reload).
Then instead of crashing completely it should stop in gdb and tell you _why_ it 
stopped.

 
 Grep your dmesg for messages about clamd (segfaults are usually logged
 there). Also see if clamd created a core file.
 
 There is nothing in dmesg
 
 servergrupo:~/clamv-clamuko-squeeze# dmesg | grep clamav
 servergrupo:~/clamv-clamuko-squeeze# dmesg | grep clamd
 servergrupo:~/clamv-clamuko-squeeze#
 
 See here for instructions on how to get a stacktrace:
 http://www.clamav.net/lang/en/bugs/

 
 I'll do this
 
 Then open a bug on bugs.clamav.net.

 Also does this happen only if you enable Clamuko in clamd.conf,
 or does it happen if you disable it too?
 
 No, if I don't enable clamuko it selfchecks correctly
 
 Thu Aug 11 14:55:59 2011 - PDF support enabled.
 Thu Aug 11 14:55:59 2011 - HTML support enabled.
 Thu Aug 11 14:55:59 2011 - Self checking every 72 seconds.
 Thu Aug 11 14:57:11 2011 - No stats for Database check - forcing reload
 Thu Aug 11 14:57:12 2011 - Reading databases from /var/lib/clamav
 Thu Aug 11 14:57:18 2011 - Database correctly reloaded (1018481 signatures)
  
 It only happens with clamuko enabled
 



Re: [clamav-users] Phishing.Heuristics.Email.SpoofedDomain

2011-08-02 Thread Török Edwin
On 2011-08-02 02:56, Al Varnell wrote:
 On Jul 26, 2011, at 2:06 PM, Török Edwin ed...@clamav.net wrote:
 
 On 07/26/2011 11:59 PM, Al Varnell wrote:
 Is there something going on with subject infections?  I see that it's listed
 on the clamav home page as a Current Threat.  We got several users asking
 about this in the ClamXav Forum (including a Linux user?) and I can't seem
 to find it in the signature database any more.


 It is an engine detection (actually it is 
 Heuristics.Phishing.Email.SpoofedDomain).
 All engine detections are prefixed with 'Heuristics.'.

 This detection is for phishing emails, you can look in daily.pdb to see a 
 list of 'protected' domains
 (i.e. if a phishing email targets one of those domains we should detect it).
 
 Thanks for that explanation, that helps a lot.
 
 Is there any reason why clamscan would be making such detections and clamd 
 not?

Maybe someone edited clamd.conf and turned off phishing detection? 
(PhishingScanURLs no).
clamscan uses the default settings that can be overridden by command-line flags, 
it doesn't use the clamd.conf settings.

Best regards,
--Edwin

Re: [clamav-users] [Clamav-announce] announcing ClamAV 0.97.2

2011-07-29 Thread Török Edwin
On 07/29/2011 06:36 PM, Nathan Gibbs wrote:
 On 7/29/2011 11:03 AM, polloxx wrote:

 When will the package be available in Debian Squeeze?


 When the package maintainer gets around to putting it there

It just got packaged for unstable:
http://packages.qa.debian.org/c/clamav/news/20110729T152659Z.html

, and then of
 course it needs to come down from testing.
 Stable is still at 0.97

Isn't stable at 0.97.1? (via stable-updates):
http://packages.qa.debian.org/c/clamav/news/20110704T135601Z.html

Candidate: 0.97.1+dfsg-1~squeeze1
  Version table:
 0.97.1+dfsg-1~squeeze1 0
500 http://cdn.debian.net/debian/ squeeze-updates/main amd64 Packages
 0.97+dfsg-2~squeeze1 0
500 http://cdn.debian.net/debian/ squeeze/main amd64 Packages

Best regards,
--Edwin


Re: [clamav-users] [Clamav-announce] announcing ClamAV 0.97.2

2011-07-29 Thread Török Edwin
On 07/29/2011 07:30 PM, Nathan Gibbs wrote:
 On 7/29/2011 11:41 AM, Török Edwin wrote:
 On 07/29/2011 06:36 PM, Nathan Gibbs wrote:
 Stable is still at 0.97

 Isn't stable at 0.97.1? (via stable-updates):
 http://packages.qa.debian.org/c/clamav/news/20110704T135601Z.html

 Candidate: 0.97.1+dfsg-1~squeeze1
   Version table:
  0.97.1+dfsg-1~squeeze1 0
 500 http://cdn.debian.net/debian/ squeeze-updates/main amd64 Packages
  0.97+dfsg-2~squeeze1 0
 500 http://cdn.debian.net/debian/ squeeze/main amd64 Packages

 
 maybe it hasn't come over to i686 land yet.
 Here is what I am seeing on my hosts.
 0.97+dfsg-2~squeeze1
 
 It will get here eventually.
 :-)

Do you have squeeze/updates and squeeze-updates in your /etc/apt/sources.list?

--Edwin


Re: [clamav-users] Phishing.Heuristics.Email.SpoofedDomain

2011-07-26 Thread Török Edwin
On 07/26/2011 11:59 PM, Al Varnell wrote:
 Is there something going on with subject infections?  I see that it's listed
 on the clamav home page as a Current Threat.  We got several users asking
 about this in the ClamXav Forum (including a Linux user?) and I can't seem
 to find it in the signature database any more.
 

It is an engine detection (actually it is 
Heuristics.Phishing.Email.SpoofedDomain).
All engine detections are prefixed with 'Heuristics.'.

This detection is for phishing emails, you can look in daily.pdb to see a list 
of 'protected' domains
(i.e. if a phishing email targets one of those domains we should detect it).

Best regards,
--Edwin


Re: [clamav-users] Clamd network access control

2011-07-23 Thread Török Edwin
On 07/23/2011 07:03 AM, Nathan Gibbs wrote:
 Does clamd support tcpwrappers?

 It looks like clamav-milter does, but not clamd itself.
 
 H'mm, for now it looks like firewalls are the only defense when you bind
 clamd to an IP address.

I think that a very simple way of limiting which machines have access to clamd 
is via an SSH tunnel.
You bind clamd to localhost on the server, and each client does SSH port 
forwarding to get access:
autossh -fN -M 4 -L localhost:3310:localhost:3310 youruser@clamdserverip

And if you don't trust the users on either of the machines you can forward the 
Unix sockets [*]
CLAMD_FORWARDED_SOCKET=/var/run/clamd-forwarded.socket
REMOTE_CLAMD_SOCKET=/var/run/clamd.socket
umask 007
socat UNIX-LISTEN:$CLAMD_FORWARDED_SOCKET,unlink-early,su=clamav,fork EXEC:"ssh youruser@clamdserverip socat STDIO UNIX-CONNECT\:$REMOTE_CLAMD_SOCKET"

And then use Unix permissions to control access to the CLAMD_FORWARDED_SOCKET 
(i.e. clamav group).
You should also probably use ssh-agent, otherwise this'll prompt for the ssh key 
password every time someone connects

[*] Idea based on http://www.debian-administration.org/users/dkg/weblog/68

Best regards,
--Edwin


Re: [clamav-users] CLAMAV-MILTER, sighup

2011-07-23 Thread Török Edwin
On 07/23/2011 05:40 AM, Steve Fatula wrote:
 It would appear that sighup, in clamav 0.97.1, should re-open the log files 
 when it receives a sighup. In our case, it simply ends clamav-milter, no 
 message logged anywhere I can find.
 
 Do I read this correctly, that is what SHOULD happen (reload)?
  

There's no signal handling done in clamav-milter, it is done by libmilter.

Looking at libmilter sources it intercepts SIGHUP, SIGTERM, SIGINT in its own 
thread, and blocks the signals in all other threads,
so clamav-milter can't intercept SIGHUP even if it wanted to.
If you want a signal to reopen log files it has to be a different one from the 
above three, but can't you just restart the milter process?
Restarting should be very fast, it doesn't need to load the database or 
anything that takes time.

Best regards,
--Edwin


Re: [clamav-users] daily.cvd update issue.

2011-07-19 Thread Török Edwin
On 07/19/2011 08:57 PM, Dan wrote:
 At 5:20 PM +0200 7/19/2011, Luca Gibelli wrote:
   Anyone else seeing this issue?

 There is a cache in front of the website, which is causing the lag
 between the website and the actual daily.cvd release. I lowered the
 expire timeout to 1h.

 I suggest that you rely on our twitter feed for real time info
 (twitter.com/clamav)
 
 The feed saying 13334 is available is an hour+ old.
 
 But I'm getting this:
 
 ClamAV update process started at Tue Jul 19 13:40:36 2011
 main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
 WARNING: getfile: daily-13332.cdiff not found on remote server (IP: 
 69.163.100.14)
 WARNING: getpatch: Can't download daily-13332.cdiff from database.clamav.net
 Downloading daily-13332.cdiff [100%]
 Downloading daily-1.cdiff [100%]
 daily.cld updated (version: 1, sigs: 159245, f-level: 60, builder: 
 ccordes)

What does 'host -t TXT current.cvd.clamav.net' output? Does it say :13334: or 
:1:?
Also what's the TTL on it? Should be something like 15m; if larger, your DNS 
server might be caching these entries longer than it's supposed to.

 bytecode.cld is up to date (version: 144, sigs: 41, f-level: 60, builder: 
 edwin)
 Database updated (1005500 signatures) from database.clamav.net (IP: 
 194.47.250.218)
 Clamd successfully notified about the update.
 --
 ClamAV update process started at Tue Jul 19 13:55:26 2011
 main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
 daily.cld is up to date (version: 1, sigs: 159245, f-level: 60, builder: 
 ccordes)
 bytecode.cld is up to date (version: 144, sigs: 41, f-level: 60, builder: 
 edwin)
 
 fwiw,
 - Dan.


