Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Reio Remma

Thanks!

fd's holding steady now.

Maybe I should go clean some logs now before nightly Logwatch kicks in.

Good luck!
Reio

On 26.01.2018 19:38, Joel Esler (jesler) wrote:

Reio,

Thanks, I was just about to send this out.  A new daily.cvd is now shipping.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 12:35 PM, Reio Remma wrote:

Hello!

News from the front:

daily.cld updated (version: 24258, sigs: 1836466, f-level: 63, builder: neo)

Good luck!
Reio



___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Reio Remma

Hello!

News from the front:

daily.cld updated (version: 24258, sigs: 1836466, f-level: 63, builder: neo)

Good luck!
Reio


On 26.01.2018 19:29, Joel Esler (jesler) wrote:

Steve Morgan, a developer here at Cisco that worked on ClamAV for about the 
past five years or so, decided to retire.  Monday was his last day.  On top of 
that, one of our other developers (Micah) was out of the office today for a
holiday, and so that only left, essentially myself and a couple other people to 
see this action on the list.

So while we regret the issue that this signature caused (and we will fix, not 
only the signature, but the code itself in an upcoming release), I am super 
proud of the community that came together and solved the problem.



--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 10:02 AM, Dianne Skoll wrote:

On Fri, 26 Jan 2018 06:44:30 -0800
"Jason J. W. Williams" wrote:

We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet
(as of 24257), or am I wrong?

Not only has it not been fixed, there hasn't been a peep out of the
developers.

This is NOT the way to deal with issues like this, especially in
security-sensitive software.

Regards,

Dianne.


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Joel Esler (jesler)
Steve Morgan, a developer here at Cisco that worked on ClamAV for about the 
past five years or so, decided to retire.  Monday was his last day.  On top of 
that, one of our other developers (Micah) was out of the office today for a
holiday, and so that only left, essentially myself and a couple other people to 
see this action on the list.

So while we regret the issue that this signature caused (and we will fix, not 
only the signature, but the code itself in an upcoming release), I am super 
proud of the community that came together and solved the problem.



--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 10:02 AM, Dianne Skoll wrote:

On Fri, 26 Jan 2018 06:44:30 -0800
"Jason J. W. Williams" wrote:

We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet
(as of 24257), or am I wrong?

Not only has it not been fixed, there hasn't been a peep out of the
developers.

This is NOT the way to deal with issues like this, especially in
security-sensitive software.

Regards,

Dianne.


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
Hi Marcus,

Any chance you'd be willing to share your copy of 24255?

-J

On Fri, Jan 26, 2018 at 7:07 AM, Marcus Schopen wrote:

> On Friday, 26.01.2018, at 07:02 -0800, Jason J. W. Williams wrote:
> > How does one manually download an old daily.cld?
>
> Good question. workaround: got the old version from my backup.
>
> Ciao!
>
>


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, at 07:02 -0800, Jason J. W. Williams wrote:
> How does one manually download an old daily.cld?

Good question. workaround: got the old version from my backup.

Ciao!



Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
How does one manually download an old daily.cld?

-J

On Fri, Jan 26, 2018 at 7:00 AM, Paul wrote:

> On 26/01/2018 14:56, Marcus Schopen wrote:
>
> On Friday, 26.01.2018, at 07:48 -0700, Rafael Ferreira wrote:
>>
>>> Nope, latest is still
>>>
>>> File: daily.cvd
>>> Build time: 26 Jan 2018 04:24 -0500
>>> Version: 24257
>>> Signatures: 1835982
>>> Functionality level: 63
>>> Builder: neo
>>> MD5: 3b3092994fdf9aa39aae480c38fb31ab
>>> Digital signature:
>>> D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
>>> cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
>>> 7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg
>>>
>>> which appears to have the issue, we, scanii.com,
>>> are having quite a bit of run today because of it.
>>>
>> What about replacing the current daily.cld with an older one, e.g. with
>> 24255? Disable freshclam, stop clamd, replace daily.cld by old one
>> (24255) and start clamd again. Wouldn't that work until a fixed
>> daily.cld is provided?
>>
>> Ciao!
>>
>> This has worked for me all day


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Dianne Skoll
On Fri, 26 Jan 2018 06:44:30 -0800
"Jason J. W. Williams" wrote:

> We started seeing this problem last night as well. Reading through the
> thread, it doesn't appear that ClamAV has fixed the signatures yet
> (as of 24257), or am I wrong?

Not only has it not been fixed, there hasn't been a peep out of the
developers.

This is NOT the way to deal with issues like this, especially in
security-sensitive software.

Regards,

Dianne.


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Paul

On 26/01/2018 14:56, Marcus Schopen wrote:


On Friday, 26.01.2018, at 07:48 -0700, Rafael Ferreira wrote:

Nope, latest is still

File: daily.cvd
Build time: 26 Jan 2018 04:24 -0500
Version: 24257
Signatures: 1835982
Functionality level: 63
Builder: neo
MD5: 3b3092994fdf9aa39aae480c38fb31ab
Digital signature:
D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg

which appears to have the issue, we, scanii.com,
are having quite a bit of run today because of it.

What about replacing the current daily.cld with an older one, e.g. with
24255? Disable freshclam, stop clamd, replace daily.cld by old one
(24255) and start clamd again. Wouldn't that work until a fixed
daily.cld is provided?

Ciao!

This has worked for me all day




Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, at 07:48 -0700, Rafael Ferreira wrote:
> Nope, latest is still 
> 
> File: daily.cvd
> Build time: 26 Jan 2018 04:24 -0500
> Version: 24257
> Signatures: 1835982
> Functionality level: 63
> Builder: neo
> MD5: 3b3092994fdf9aa39aae480c38fb31ab
> Digital signature:
> D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
> cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
> 7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg
> 
> which appears to have the issue, we, scanii.com,
> are having quite a bit of run today because of it. 

What about replacing the current daily.cld with an older one, e.g. with
24255? Disable freshclam, stop clamd, replace daily.cld by old one
(24255) and start clamd again. Wouldn't that work until a fixed
daily.cld is provided?

Ciao!



Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Rafael Ferreira
Nope, latest is still 

File: daily.cvd
Build time: 26 Jan 2018 04:24 -0500
Version: 24257
Signatures: 1835982
Functionality level: 63
Builder: neo
MD5: 3b3092994fdf9aa39aae480c38fb31ab
Digital signature: 
D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg

which appears to have the issue, we, scanii.com, are
having quite a bit of run today because of it. 


> On Jan 26, 2018, at 7:44 AM, Jason J. W. Williams  
> wrote:
> 
> We started seeing this problem last night as well. Reading through the
> thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
> 24257), or am I wrong?
> 
> -J
> 
> On Fri, Jan 26, 2018 at 6:24 AM, Dianne Skoll 
> wrote:
> 
>> On Fri, 26 Jan 2018 13:50:27 +0100
>> Ralf Hildebrandt wrote:
>> 
>>> If I had to guess: they used the beta for testing, but the release
>>> versions (both 0.99.2 and 0.99.3!) fail to operate properly...
>> 
>> No, I bet that's not what happened.  A file descriptor leak doesn't show
>> up right away.  They probably tested the signatures on a lightly-loaded
>> server and didn't notice any problems.
>> 
>> ClamAV QA team: In future, please run new signatures against a clamd
>> process a few thousand times to check for possible resource leakage.
>> 
>> Regards,
>> 
>> Dianne.
>> 


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
24257), or am I wrong?

-J

On Fri, Jan 26, 2018 at 6:24 AM, Dianne Skoll 
wrote:

> On Fri, 26 Jan 2018 13:50:27 +0100
> Ralf Hildebrandt wrote:
>
> > If I had to guess: they used the beta for testing, but the release
> > versions (both 0.99.2 and 0.99.3!) fail to operate properly...
>
> No, I bet that's not what happened.  A file descriptor leak doesn't show
> up right away.  They probably tested the signatures on a lightly-loaded
> server and didn't notice any problems.
>
> ClamAV QA team: In future, please run new signatures against a clamd
> process a few thousand times to check for possible resource leakage.
>
> Regards,
>
> Dianne.
>


[clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Dianne Skoll
On Fri, 26 Jan 2018 13:50:27 +0100
Ralf Hildebrandt wrote:

> If I had to guess: they used the beta for testing, but the release
> versions (both 0.99.2 and 0.99.3!) fail to operate properly...

No, I bet that's not what happened.  A file descriptor leak doesn't show
up right away.  They probably tested the signatures on a lightly-loaded
server and didn't notice any problems.

ClamAV QA team: In future, please run new signatures against a clamd
process a few thousand times to check for possible resource leakage.

Regards,

Dianne.
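
An added example, not part of the original thread and not ClamAV's own test code: a minimal soak check of the kind suggested above, which samples a process's open file descriptor count (Linux `/proc`) while a scan is repeated thousands of times. `LeakyScanner` is a constructed stand-in for a scanner that leaks one descriptor every 50 scans; `leak_check`, its parameters and the use of `clamdscan` mentioned in the comment are assumptions.

```python
import os


def fd_count(pid):
    """Open file descriptors of a process, read from Linux /proc."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def leak_check(pid, scan_once, iterations=2000, sample_every=100, tolerance=5):
    """Call scan_once() repeatedly and track the fd count of `pid`.

    For a real daemon, `pid` would be the clamd PID and scan_once() would
    submit one file to it (assumption: e.g. by invoking clamdscan).
    """
    samples = [fd_count(pid)]
    for i in range(1, iterations + 1):
        scan_once()
        if i % sample_every == 0:
            samples.append(fd_count(pid))
    growth = samples[-1] - samples[0]
    return {"samples": samples, "growth": growth, "leaking": growth > tolerance}


class LeakyScanner:
    """Constructed stand-in: forgets to close one descriptor every N scans."""

    def __init__(self, leak_every=50):
        self.leak_every = leak_every
        self.calls = 0
        self.leaked = []

    def __call__(self):
        self.calls += 1
        fd = os.open(os.devnull, os.O_RDONLY)
        if self.calls % self.leak_every == 0:
            self.leaked.append(fd)  # simulated bug: never closed
        else:
            os.close(fd)

    def cleanup(self):
        for fd in self.leaked:
            os.close(fd)
        self.leaked.clear()


if __name__ == "__main__":
    me = os.getpid()
    light = leak_check(me, LeakyScanner(), iterations=20, sample_every=10)
    heavy = leak_check(me, LeakyScanner(), iterations=2000)
    print("20 scans:  ", light["growth"], "fds, leaking =", light["leaking"])
    print("2000 scans:", heavy["growth"], "fds, leaking =", heavy["leaking"])
```

With 20 scans the simulated leak never triggers and the check passes; only the 2000-scan run shows the growth.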
