Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-16 Thread Micah Snyder (micasnyd) via clamav-users
We are primarily creating the large archive scanning to support the use case of 
scanning bundled collections of software, VM images, etc.

Large MP4/MOV/AVI/etc media files are not traditional archives even if they do 
technically archive media streams. But media streams are not a significant 
threat concern. As you mentioned, the biggest concern is probably a malicious 
media file exploiting a vulnerable application to get code execution. Media 
streams would not otherwise be executable.

Someone may later add support to extract and scan media streams, but without 
signature content or special logic coded in a custom media-stream parser 
written to detect exploits, the scanning of such files is pointless. We have 
some of that kind of logic to inspect some picture formats (JPEG, PNG, etc) for 
correctness, but don't have any support for H265, AAC, or other video or audio 
file formats.

Respectfully,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: clamav-users  on behalf of Paul 
Kosinski via clamav-users 
Sent: Monday, November 13, 2023 7:28 PM
To: Micah Snyder (micasnyd) via clamav-users 
Cc: Paul Kosinski 
Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool

Large archive files may be the most obvious case, especially if things like 
disk images and installation images are included, but make sure that large 
multimedia files are also handled.

In today's Internet environment, there are probably far, far more large video 
files floating around than traditional archives. And in some sense multimedia 
"container" files (like MP4, MOV, AVI etc.) are archives of their media streams 
(like H.264/5, AAC, etc.) -- but these archives are, of course, interleaved for 
real-time playback.

I might add that there have been recent reports of malformed (perhaps 
malicious) multimedia files causing crashes or unwanted code execution in 
software such as FFMPEG.


On Mon, 13 Nov 2023 20:32:38 +
"Micah Snyder \(micasnyd\) via clamav-users"  
wrote:

> In case anyone else is looking into this, I wanted to share some news.
>
> We have been getting some help to create a tool to recursively unpack (or 
> mount) and scan large archives (greater than 2000MB).
>
> This effort has progressed to the point where we've started code review and 
> writing documentation. I'm not entirely sure how we will package it for 
> people to use.  I'll share more when we go to open source it. I wanted to 
> share the news now in case anyone else was going to work on it and so they're 
> not as frustrated when it turns out we've done the same.
>
> I don't have a specific release date in mind.  It likely won't be until early 
> next year.  While we've started code review and testing, the developer that 
> has built the tool for us is now working on adding the allmatch-mode feature 
> support.
>
> Best regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
> 
> From: Andrew C Aitchison 
> Sent: Thursday, June 8, 2023 6:25 PM
> To: Micah Snyder (micasnyd) 
> Cc: ClamAV users ML 
> Subject: Re: [clamav-users] Question About MaxFileSize
>
> On Thu, 8 Jun 2023, Micah Snyder (micasnyd) wrote:
>
> > I agree with you.  I suspect the majority of cases today is when
> > people have a large archive of files to scan.
> >
> > I think best case scenario for people with a need to scan files
> > larger than the present internal 2GB limit is that archives larger
> > than 2GB are decompressed and then the files inside are scanned, but
> > without actually scanning the very large outer archive.
> >
> > The way to do this as things work today is to script something
> > around clamscan or clamdscan that if the file is too large, handle
> > some assorted file types:
> >
> >  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
> >  2.  if file is a zip, un-zip it and then scan the files within.
> >  3.  etc.
> >
> > I think everyone would like if clamav could do this automatically
> > for select archive types. And I think the advantage would be that we
> > would perhaps keep the extracted files in memory, or else at least
> > delete the temp files as we go without extracting all of it to disk
> > before starting to scan.
> >
> > However, it would be far easier to make a shell script or a python
> > script that wraps clamscan/clamdscan and uses native tools like
> > "tar", "unzip", etc.
>
> Good idea.
>
> Simply untarring or unzipping into a pipe does not separate the packed files.
> However at least tar does have an option which allows us to write a one-liner:

Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-16 Thread Micah Snyder (micasnyd) via clamav-users
Hi,

It's going to be a python script that depends on having clamav installed and 
has a few other dependencies for working with zip's, tar's, iso's, and a few 
other archive formats. At this time, I'm expecting that we will publish it in a 
separate git repo and not bundle it directly with ClamAV.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Vu, 
Hong-Duc V. via clamav-users 
Sent: Tuesday, November 14, 2023 10:49 AM
Cc: Vu, Hong-Duc V. ; ClamAV users ML 

Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool


Hi Micah,

Is it going to be part of clamav or a different application entirely?

Hong-Duc Vu


From: Micah Snyder (micasnyd) 
Sent: Monday, November 13, 2023 3:33 PM
To: Andrew C Aitchison 
Cc: ClamAV users ML 
Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool

In case anyone else is looking into this, I wanted to share some news.

We have been getting some help to create a tool to recursively unpack (or 
mount) and scan large archives (greater than 2000MB).

This effort has progressed to the point where we've started code review and 
writing documentation. I'm not entirely sure how we will package it for people 
to use.  I'll share more when we go to open source it. I wanted to share the 
news now in case anyone else was going to work on it and so they're not as 
frustrated when it turns out we've done the same.

I don't have a specific release date in mind.  It likely won't be until early 
next year.  While we've started code review and testing, the developer that has 
built the tool for us is now working on adding the allmatch-mode feature 
support.

Best regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-14 Thread Vu, Hong-Duc V. via clamav-users
Hi Micah,

Is it going to be part of clamav or a different application entirely?

Hong-Duc Vu


From: Micah Snyder (micasnyd) 
Sent: Monday, November 13, 2023 3:33 PM
To: Andrew C Aitchison 
Cc: ClamAV users ML 
Subject: Re: [clamav-users] Question About MaxFileSize / news of upcoming Large 
Archive Scanner tool

In case anyone else is looking into this, I wanted to share some news.

We have been getting some help to create a tool to recursively unpack (or 
mount) and scan large archives (greater than 2000MB).

This effort has progressed to the point where we've started code review and 
writing documentation. I'm not entirely sure how we will package it for people 
to use.  I'll share more when we go to open source it. I wanted to share the 
news now in case anyone else was going to work on it and so they're not as 
frustrated when it turns out we've done the same.

I don't have a specific release date in mind.  It likely won't be until early 
next year.  While we've started code review and testing, the developer that has 
built the tool for us is now working on adding the allmatch-mode feature 
support.

Best regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.



Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-13 Thread Paul Kosinski via clamav-users
Large archive files may be the most obvious case, especially if things like 
disk images and installation images are included, but make sure that large 
multimedia files are also handled.

In today's Internet environment, there are probably far, far more large video 
files floating around than traditional archives. And in some sense multimedia 
"container" files (like MP4, MOV, AVI etc.) are archives of their media streams 
(like H.264/5, AAC, etc.) -- but these archives are, of course, interleaved for 
real-time playback.

I might add that there have been recent reports of malformed (perhaps 
malicious) multimedia files causing crashes or unwanted code execution in 
software such as FFMPEG.


On Mon, 13 Nov 2023 20:32:38 +
"Micah Snyder \(micasnyd\) via clamav-users"  
wrote:

> In case anyone else is looking into this, I wanted to share some news.
> 
> We have been getting some help to create a tool to recursively unpack (or 
> mount) and scan large archives (greater than 2000MB).
> 
> This effort has progressed to the point where we've started code review and 
> writing documentation. I'm not entirely sure how we will package it for 
> people to use.  I'll share more when we go to open source it. I wanted to 
> share the news now in case anyone else was going to work on it and so they're 
> not as frustrated when it turns out we've done the same.
> 
> I don't have a specific release date in mind.  It likely won't be until early 
> next year.  While we've started code review and testing, the developer that 
> has built the tool for us is now working on adding the allmatch-mode feature 
> support.
> 
> Best regards,
> Micah
> 
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
> From: Andrew C Aitchison 
> Sent: Thursday, June 8, 2023 6:25 PM
> To: Micah Snyder (micasnyd) 
> Cc: ClamAV users ML 
> Subject: Re: [clamav-users] Question About MaxFileSize
> 
> On Thu, 8 Jun 2023, Micah Snyder (micasnyd) wrote:
> 
> > I agree with you.  I suspect the majority of cases today is when
> > people have a large archive of files to scan.
> >
> > I think best case scenario for people with a need to scan files
> > larger than the present internal 2GB limit is that archives larger
> > than 2GB are decompressed and then the files inside are scanned, but
> > without actually scanning the very large outer archive.
> >
> > The way to do this as things work today is to script something
> > around clamscan or clamdscan that if the file is too large, handle
> > some assorted file types:
> >
> >  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
> >  2.  if file is a zip, un-zip it and then scan the files within.
> >  3.  etc.
> >
> > I think everyone would like if clamav could do this automatically
> > for select archive types. And I think the advantage would be that we
> > would perhaps keep the extracted files in memory, or else at least
> > delete the temp files as we go without extracting all of it to disk
> > before starting to scan.
> >
> > However, it would be far easier to make a shell script or a python
> > script that wraps clamscan/clamdscan and uses native tools like
> > "tar", "unzip", etc.  
> 
> Good idea.
> 
> Simply untarring or unzipping into a pipe does not separate the packed files.
> However at least tar does have an option which allows us to write a one-liner:
> (tar xf ~/viruses.tar --to-command='clamdscan -v - || echo "  found in 
> $TAR_REALNAME\n\n---"' ) |& egrep -i found
> stream: Eicar-Signature FOUND
>found in viruses/EICAR.COM.TAR
> stream: Eicar-Signature FOUND
>found in viruses/eicar.com.txt
> stream: Eicar-Signature FOUND
>found in viruses/URLEICAR.COM.TAR
> stream: Eicar-Signature FOUND
>found in viruses/4DOSBOX/EICAR.COM
> stream: Eicar-Signature FOUND
>found in viruses/EICAR.COM
> 
> The echo is needed to show the name of the file inside the archive.
> 
> This appears not to write the unpacked files to disk.
> 
> --
> Andrew C. Aitchison  Kendal, UK
> and...@aitchison.me.uk


Re: [clamav-users] Question About MaxFileSize / news of upcoming Large Archive Scanner tool

2023-11-13 Thread Micah Snyder (micasnyd) via clamav-users
In case anyone else is looking into this, I wanted to share some news.

We have been getting some help to create a tool to recursively unpack (or 
mount) and scan large archives (greater than 2000MB).

This effort has progressed to the point where we've started code review and 
writing documentation. I'm not entirely sure how we will package it for people 
to use.  I'll share more when we go to open source it. I wanted to share the 
news now in case anyone else was going to work on it and so they're not as 
frustrated when it turns out we've done the same.

I don't have a specific release date in mind.  It likely won't be until early 
next year.  While we've started code review and testing, the developer that has 
built the tool for us is now working on adding the allmatch-mode feature 
support.

Best regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


From: Andrew C Aitchison 
Sent: Thursday, June 8, 2023 6:25 PM
To: Micah Snyder (micasnyd) 
Cc: ClamAV users ML 
Subject: Re: [clamav-users] Question About MaxFileSize

On Thu, 8 Jun 2023, Micah Snyder (micasnyd) wrote:

> I agree with you.  I suspect the majority of cases today is when
> people have a large archive of files to scan.
>
> I think best case scenario for people with a need to scan files
> larger than the present internal 2GB limit is that archives larger
> than 2GB are decompressed and then the files inside are scanned, but
> without actually scanning the very large outer archive.
>
> The way to do this as things work today is to script something
> around clamscan or clamdscan that if the file is too large, handle
> some assorted file types:
>
>  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
>  2.  if file is a zip, un-zip it and then scan the files within.
>  3.  etc.
>
> I think everyone would like if clamav could do this automatically
> for select archive types. And I think the advantage would be that we
> would perhaps keep the extracted files in memory, or else at least
> delete the temp files as we go without extracting all of it to disk
> before starting to scan.
>
> However, it would be far easier to make a shell script or a python
> script that wraps clamscan/clamdscan and uses native tools like
> "tar", "unzip", etc.

Good idea.

Simply untarring or unzipping into a pipe does not separate the packed files.
However at least tar does have an option which allows us to write a one-liner:
(tar xf ~/viruses.tar --to-command='clamdscan -v - || echo "  found in 
$TAR_REALNAME\n\n---"' ) |& egrep -i found
stream: Eicar-Signature FOUND
   found in viruses/EICAR.COM.TAR
stream: Eicar-Signature FOUND
   found in viruses/eicar.com.txt
stream: Eicar-Signature FOUND
   found in viruses/URLEICAR.COM.TAR
stream: Eicar-Signature FOUND
   found in viruses/4DOSBOX/EICAR.COM
stream: Eicar-Signature FOUND
   found in viruses/EICAR.COM

The echo is needed to show the name of the file inside the archive.

This appears not to write the unpacked files to disk.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk


Re: [clamav-users] Question on Restriction of Clamscan Privileges

2023-10-17 Thread Michael Orlitzky via clamav-users
On Tue, 2023-10-17 at 19:53 +0200, Michael via clamav-users wrote:
> Dear ladies and gentlemen,
> 
> I have a question about the linux clamscan permissions.
> 
> 

Use clamdscan (NOT clamscan) with the --fdpass option. That will scan
under the privileges of the clamd daemon by passing it a reference to
the file rather than requiring that the daemon be able to read the file
itself. As a result the daemon can run with few privileges.



Re: [clamav-users] Question About MaxFileSize

2023-06-09 Thread Paul Kosinski via clamav-users
You are right. But more than that, merely *reading* a file will exercise such 
code. I wonder if anybody has devised a file which exploits such a kernel bug? 
(Shudder.)

After I wrote my objection, I realized that to be even more safe, one should 
scan removable disks at the block level before mounting them. But given the 
capacity these days of even USB thumb drives, this approach is pretty much 
impractical. Besides, what looks like a USB thumb drive might actually act as a 
USB keyboard! (In fact, I think somebody built a prototype.)


On Fri, 09 Jun 2023 18:15:39 -0700
Kenneth Porter  wrote:

> Filesystems are also files, interpreted by kernel-level filesystem drivers. 
> Some filesystems have a compression feature. Scanning ANY file exercises 
> such code.


Re: [clamav-users] Question About MaxFileSize

2023-06-09 Thread Kenneth Porter
--On Friday, June 09, 2023 6:40 PM -0400 Paul Kosinski via clamav-users 
 wrote:



> I have on occasion heard of vulnerabilities in some archiving software,
> where the mere act of decompressing and extracting an archive can result
> in malicious code execution due to a bug in the archiving software. After
> all, such software can itself have the all too common lack of bounds
> checking (etc.) that could be exploited by a maliciously malformed
> archive.
>
> It could also be that lower level archive-like files such as ISOs and
> disk images could, by means of malicious structuring, trigger a total
> system compromise, because it might well involve the kernel. The way an
> ISO or disk image is typically used (on Linux, at least) is to create a
> "loop" device from the file, and then *mount* it as block device -- a
> clear kernel involvement.

Filesystems are also files, interpreted by kernel-level filesystem drivers. 
Some filesystems have a compression feature. Scanning ANY file exercises 
such code.

> Of course, scanning any file might conceivably trigger a ClamAV bug, and
> thus a compromise, but that is no reason to add another layer of
> vulnerability to things. (But it is a good reason not to run ClamAV as
> root.)

This is also a good reason to run it as a service in a sandbox with minimal 
capabilities. The client application (like a mail server) can feed the file 
to scan through a socket and rely on the service's sandbox to protect the 
client application.




Re: [clamav-users] Question About MaxFileSize

2023-06-09 Thread Paul Kosinski via clamav-users
I must say I strongly disagree with the approach of feeding files contained in 
a big archive file one at a time to ClamAV. That's because an archive is 
*itself* a file.

I have on occasion heard of vulnerabilities in some archiving software, where 
the mere act of decompressing and extracting an archive can result in malicious 
code execution due to a bug in the archiving software. After all, such software 
can itself have the all too common lack of bounds checking (etc.) that could be 
exploited by a maliciously malformed archive.

It could also be that lower level archive-like files such as ISOs and disk 
images could, by means of malicious structuring, trigger a total system 
compromise, because it might well involve the kernel. The way an ISO or disk 
image is typically used (on Linux, at least) is to create a "loop" device from 
the file, and then *mount* it as block device -- a clear kernel involvement.

Of course, scanning any file might conceivably trigger a ClamAV bug, and thus a 
compromise, but that is no reason to add another layer of vulnerability to 
things. (But it is a good reason not to run ClamAV as root.)

Paul Kosinski



On Thu, 8 Jun 2023 20:55:25 +
"Micah Snyder \(micasnyd\) via clamav-users"  
wrote:

> I agree with you.  I suspect the majority of cases today is when people have 
> a large archive of files to scan.
> 
> I think best case scenario for people with a need to scan files larger than 
> the present internal 2GB limit is that archives larger than 2GB are 
> decompressed and then the files inside are scanned, but without actually 
> scanning the very large outer archive.
> 
> The way to do this as things work today is to script something around 
> clamscan or clamdscan that if the file is too large, handle some assorted 
> file types:
> 
>   1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
>   2.  if file is a zip, un-zip it and then scan the files within.
>   3.  etc.
> 
> I think everyone would like if clamav could do this automatically for select 
> archive types. And I think the advantage would be that we would perhaps keep 
> the extracted files in memory, or else at least delete the temp files as we 
> go without extracting all of it to disk before starting to scan.
> 
> However, it would be far easier to make a shell script or a python script 
> that wraps clamscan/clamdscan and uses native tools like "tar", "unzip", etc.
> 
> Regards,
> Micah
> 
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.


Re: [clamav-users] Question About MaxFileSize

2023-06-08 Thread Andrew C Aitchison via clamav-users

On Thu, 8 Jun 2023, Micah Snyder (micasnyd) wrote:


> I agree with you.  I suspect the majority of cases today is when
> people have a large archive of files to scan.
>
> I think best case scenario for people with a need to scan files
> larger than the present internal 2GB limit is that archives larger
> than 2GB are decompressed and then the files inside are scanned, but
> without actually scanning the very large outer archive.
>
> The way to do this as things work today is to script something
> around clamscan or clamdscan that if the file is too large, handle
> some assorted file types:
>
>  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
>  2.  if file is a zip, un-zip it and then scan the files within.
>  3.  etc.
>
> I think everyone would like if clamav could do this automatically
> for select archive types. And I think the advantage would be that we
> would perhaps keep the extracted files in memory, or else at least
> delete the temp files as we go without extracting all of it to disk
> before starting to scan.
>
> However, it would be far easier to make a shell script or a python
> script that wraps clamscan/clamdscan and uses native tools like
> "tar", "unzip", etc.


Good idea.

Simply untarring or unzipping into a pipe does not separate the packed files.
However at least tar does have an option which allows us to write a one-liner:
(tar xf ~/viruses.tar --to-command='clamdscan -v - || echo "  found in 
$TAR_REALNAME\n\n---"' ) |& egrep -i found
stream: Eicar-Signature FOUND
  found in viruses/EICAR.COM.TAR
stream: Eicar-Signature FOUND
  found in viruses/eicar.com.txt
stream: Eicar-Signature FOUND
  found in viruses/URLEICAR.COM.TAR
stream: Eicar-Signature FOUND
  found in viruses/4DOSBOX/EICAR.COM
stream: Eicar-Signature FOUND
  found in viruses/EICAR.COM

The echo is needed to show the name of the file inside the archive.

This appears not to write the unpacked files to disk.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [clamav-users] Question About MaxFileSize

2023-06-08 Thread Micah Snyder (micasnyd) via clamav-users
I agree with you.  I suspect the majority of cases today is when people have a 
large archive of files to scan.

I think best case scenario for people with a need to scan files larger than the 
present internal 2GB limit is that archives larger than 2GB are decompressed 
and then the files inside are scanned, but without actually scanning the very 
large outer archive.

The way to do this as things work today is to script something around clamscan 
or clamdscan that if the file is too large, handle some assorted file types:

  1.  if file is a tar.gz, un-tar.gz it and then scan the files within.
  2.  if file is a zip, un-zip it and then scan the files within.
  3.  etc.

I think everyone would like if clamav could do this automatically for select 
archive types. And I think the advantage would be that we would perhaps keep 
the extracted files in memory, or else at least delete the temp files as we go 
without extracting all of it to disk before starting to scan.

However, it would be far easier to make a shell script or a python script that 
wraps clamscan/clamdscan and uses native tools like "tar", "unzip", etc.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Andrew 
C Aitchison via clamav-users 
Sent: Wednesday, May 24, 2023 1:34 AM
To: ClamAV users ML 
Cc: Andrew C Aitchison 
Subject: Re: [clamav-users] Question About MaxFileSize

On Wed, 24 May 2023, Tachibanaki Nozomi (橘木 希美) wrote:

> Dear Sir or Madam,
>
> Thank you for your help always.
> I am contacting you to ask about MaxFileSize in clamd.conf.
>
> The following description is found in the configuration of
> /usr/local/etc/clamd.conf.
>
> MaxFileSize
> # Technical design limitations prevent ClamAV from scanning files greater than
> # 2 GB at this time.
>
> Is there any plan or possibility to change the technical design
> limitation that prevents scanning files larger than 2 GB in the
> future?

I believe that the intention is to remove this limit at some point.

I wonder whether the technical limitations are less severe for
archive formats such as tar and zip.
Could "small" files inside "large" archives be scanned
without the work necessary for full "large" file support?

Apart from vulnerabilities caused by 2GB and 4GB limits themselves,
I think scanning inside large archives might solve many of the
reasons for scanning large files.

--
Andrew C. Aitchison  Kendal, UK
and...@aitchison.me.uk
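The wrapper Micah sketches above (dispatch on tar.gz or zip and scan the files inside, never the oversized outer archive) and the tar --to-command one-liner in Andrew's reply above, worked out as an added example in Python. This is not the ClamAV project's tool and not code from either poster. Instead of spawning clamdscan per member it speaks clamd's INSTREAM command over the local socket, so nothing is extracted to disk. Assumptions: clamd listens on a UNIX socket (the /var/run/clamav/clamd.ctl path is a placeholder; use the LocalSocket value from your clamd.conf); the sample archive, its members and the EICAR-TEST-MARKER string are constructed stand-ins, as is fake_scanner, which lets the code run without a clamd.

```python
"""Stream the members of a large tar/zip archive to clamd one at a time (added example,
not the ClamAV project's tool).  Each member is read in turn and fed to clamd's INSTREAM
command over its socket, so nothing is extracted to disk.  CLAMD_SOCKET is a placeholder;
take LocalSocket from your clamd.conf."""
import io
import socket
import struct
import tarfile
import zipfile
from typing import BinaryIO, Callable, Iterator, List, Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption, see docstring
CHUNK = 64 * 1024  # bytes per INSTREAM chunk; clamd's StreamMaxLength caps the total per member

def archive_kind(name: str) -> Optional[str]:
    """Dispatch on the filename as Micah sketches; None means 'not handled here'."""
    lower = name.lower()
    if lower.endswith((".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")):
        return "tar"
    return "zip" if lower.endswith(".zip") else None

def iter_members(fileobj: BinaryIO, kind: str) -> Iterator[Tuple[str, BinaryIO]]:
    """Yield (name, readable stream) for each regular file, one member at a time."""
    if kind == "tar":
        # 'r|*': read the tar as a stream with transparent decompression; the outer archive is never held whole.
        with tarfile.open(fileobj=fileobj, mode="r|*") as tf:
            for member in tf:
                stream = tf.extractfile(member) if member.isfile() else None
                if stream is not None:
                    yield member.name, stream
    elif kind == "zip":
        # Zip needs its central directory, so it is opened normally, but members are still read one by one.
        with zipfile.ZipFile(fileobj) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as stream:
                        yield info.filename, stream
    else:
        raise ValueError(f"unsupported archive kind: {kind}")

def instream_frames(stream: BinaryIO, chunk: int = CHUNK) -> Iterator[bytes]:
    """INSTREAM framing: 4-byte big-endian length + data per chunk, then a zero-length chunk."""
    while True:
        data = stream.read(chunk)
        if not data:
            break
        yield struct.pack("!I", len(data)) + data
    yield struct.pack("!I", 0)

def parse_reply(reply: bytes) -> Tuple[str, str]:
    """b'stream: Eicar-Signature FOUND\\0' -> ('FOUND', 'Eicar-Signature'); OK and ERROR replies likewise."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    head, sep, tail = text.partition(": ")
    body = tail if sep else head  # e.g. 'INSTREAM size limit exceeded. ERROR' has no 'stream: ' prefix
    if body.endswith(" FOUND"):
        return "FOUND", body[: -len(" FOUND")]
    return ("OK", "") if body == "OK" else ("ERROR", body)

def scan_stream(stream: BinaryIO, sock_path: str = CLAMD_SOCKET) -> Tuple[str, str]:
    """Send one member over INSTREAM and return clamd's verdict for it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(b"zINSTREAM\0")  # 'z' prefix: NUL-terminated command and reply
        for frame in instream_frames(stream):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)

def scan_archive(fileobj: BinaryIO, kind: str,
                 scanner: Callable[[BinaryIO], Tuple[str, str]] = scan_stream) -> List[Tuple[str, str, str]]:
    """Scan every member but never the outer archive; one (member, status, detail) row each."""
    return [(name, *scanner(stream)) for name, stream in iter_members(fileobj, kind)]

# Constructed sample; the marker is a made-up string standing in for the EICAR test file.
SAMPLE_MEMBERS = [("docs/readme.txt", b"release notes"), ("bin/eicar.com", b"EICAR-TEST-MARKER")]

def fake_scanner(stream: BinaryIO) -> Tuple[str, str]:
    """Offline stand-in for scan_stream so the example runs without a clamd."""
    return ("FOUND", "Eicar-Signature") if b"EICAR-TEST-MARKER" in stream.read() else ("OK", "")

def build_sample(kind: str) -> io.BytesIO:
    """Constructed in-memory tar.gz or zip holding SAMPLE_MEMBERS (the zip also gets a directory entry)."""
    buf = io.BytesIO()
    if kind == "tar":
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, data in SAMPLE_MEMBERS:
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    else:
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("docs/", b"")
            for name, data in SAMPLE_MEMBERS:
                zf.writestr(name, data)
    buf.seek(0)
    return buf
```

Against a real archive with clamd available, `scan_archive(open(path, "rb"), archive_kind(path))` returns one row per member, which is the same bookkeeping as the `found in $TAR_REALNAME` echo in the one-liner. A member larger than clamd's StreamMaxLength comes back as an ERROR row rather than aborting the run; that is the case to watch for, since the per-file limits discussed in this thread still apply to each member even though the outer archive is no longer the thing being scanned.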


Re: [clamav-users] Question About MaxFileSize

2023-05-24 Thread Andrew C Aitchison via clamav-users

On Wed, 24 May 2023, Tachibanaki Nozomi (橘木 希美) wrote:


> Dear Sir or Madam,
>
> Thank you for your help always.
> I am contacting you to ask about MaxFileSize in clamd.conf.
>
> The following description is found in the configuration of
> /usr/local/etc/clamd.conf.
>
> MaxFileSize
> # Technical design limitations prevent ClamAV from scanning files greater than
> # 2 GB at this time.
>
> Is there any plan or possibility to change the technical design
> limitation that prevents scanning files larger than 2 GB in the
> future?


I believe that the intention is to remove this limit at some point.

I wonder whether the technical limitations are less severe for
archive formats such as tar and zip.
Could "small" files inside "large" archives be scanned
without the work necessary for full "large" file support?

Apart from vulnerabilities caused by 2GB and 4GB limits themselves,
I think scanning inside large archives might solve many of the
reasons for scanning large files.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [clamav-users] Question Exception Rule

2022-12-29 Thread Al Varnell via clamav-users
I'm sure one of us could, but you need to tell us what the display and actual 
urls you want whitelisted first.

Sent from my iPad

-Al-

On Dec 29, 2022, at 08:06, newcomer01 via clamav-users 
 wrote:
> Is it possible, that you assist me in this process?


Re: [clamav-users] Question Exception Rule

2022-12-29 Thread newcomer01 via clamav-users

Hi Eric,

I know about this support page, but I don't understand what I should do.
How can I create such a daily.pdb file and what should I write in it ... the 
problem is, what is the displayed URL, e.g.?
Is it possible that you assist me in this process?

kind regards
Marc


Von / From: Clamav User Mailinglist <mailto:clamav-users@lists.clamav.net>
An / To: Newcomer01 <mailto:newcome...@posteo.de>
CC / CC: Eric Tykwinski <mailto:eric-l...@truenet.com>
Gesendet / Sent: Thursday, December 29, 2022 at 16:17 (04:17 PM) +0100
Betreff / Subject: Re: [clamav-users] Question Exception Rule

Marc,


> -Original Message-
> From: clamav-users  On Behalf Of
> newcomer01 via clamav-users
> Sent: Thursday, December 29, 2022 10:05 AM
> To: ClamAV User Mailinglist 
> Cc: newcomer01 
> Subject: [clamav-users] Question Exception Rule
>
> Hi @ all,
>
> who can I contact to get an exemption for ClamAV
> ("Heuristics.Phishing.Email.SpoofedDomain")?
> This in my case is an absolutely legitimate sender (my Bank).

It's in the documentation:
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

> Regards
> Marc

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300






Re: [clamav-users] Question Exception Rule

2022-12-29 Thread Eric Tykwinski via clamav-users
Marc,

> -Original Message-
> From: clamav-users  On Behalf Of
> newcomer01 via clamav-users
> Sent: Thursday, December 29, 2022 10:05 AM
> To: ClamAV User Mailinglist 
> Cc: newcomer01 
> Subject: [clamav-users] Question Exception Rule
>
> Hi @ all,
>
> Who can I contact to get an exemption for ClamAV
> ("Heuristics.Phishing.Email.SpoofedDomain")?
> This in my case is an absolutely legitimate sender (my bank).

It's in the documentation:
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

> Regards
> Marc

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




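To make concrete what this thread means by the "display" and "actual" URL of a link, here is an added Python sketch of the spoofed-domain idea. It is not ClamAV's code and not from any poster: it pulls `<a href=...>` pairs out of a constructed HTML mail body, reports links whose visible text reads as a URL on a different host from the real target, and exempts pairs that match a whitelist line written in the `X:RealURL:DisplayedURL` form documented on the PhishSigs page Eric links to. The hostnames are invented, the two regexes are matched with Python's `re.fullmatch` against the whole URL string, and ClamAV's own URL normalisation and matching are not reproduced.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed whitelist entry in the .wdb "X:RealURL:DisplayedURL" form described
# on the PhishSigs documentation page. The hostname is made up for this example.
WDB_LINES = [
    r"X:.+\.bank-example\.test([/?].*)?:.+\.bank-example\.test([/?].*)?",
]

# Constructed HTML mail body: the second link shows the bank's hostname but points
# at a third-party tracker, which is the kind of pair the spoofed-domain check is about.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<a href="https://secure.bank-example.test/login">www.bank-example.test</a>
<a href="https://tracking.mailer-example.test/r/42">https://www.bank-example.test/statements</a>
<a href="https://secure.bank-example.test/help">Help centre</a>
<a href="https://www.bank-example.test/contact">bank-example.test/contact</a>
"""


class LinkCollector(HTMLParser):
    """Collects (real_url, displayed_text) pairs from <a href="real">displayed</a>."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL (or URL-looking text), lower-cased, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """True when the visible link text itself reads as a URL or hostname."""
    return " " not in text and "." in text and host_of(text) != ""


def parse_wdb(lines):
    """Parse X:RealURL:DisplayedURL[:FuncLevelSpec] lines into (real_re, displayed_re)."""
    entries = []
    for line in lines:
        if not line.startswith("X:"):
            continue  # only the X: (URL pair) form is modelled here
        fields = line.split(":")  # the regexes used in this example contain no ':'
        entries.append((fields[1], fields[2]))
    return entries


def whitelisted(real, displayed, entries):
    """A pair is exempt only when both the real and the displayed regex match."""
    return any(re.fullmatch(r, real) and re.fullmatch(d, displayed) for r, d in entries)


def check_email(html, wdb_lines=WDB_LINES):
    """Return the (real, displayed) link pairs this model reports as a spoofed domain."""
    collector = LinkCollector()
    collector.feed(html)
    entries = parse_wdb(wdb_lines)
    flagged = []
    for real, displayed in collector.pairs:
        if not looks_like_url(displayed):
            continue  # plain link text such as "Help centre" is not a spoof candidate
        if host_of(real) == host_of(displayed):
            continue  # the displayed host agrees with the real one
        if whitelisted(real, displayed, entries):
            continue  # exempted by a whitelist entry
        flagged.append((real, displayed))
    return flagged


if __name__ == "__main__":
    for real, displayed in check_email(SAMPLE_EMAIL):
        print(f"spoofed domain: shows {displayed!r} but links to {real!r}")
```

In this model a pair is exempt only when both regexes match, which is why the entry names both sides: an exemption keyed on the displayed hostname alone would also cover a link that shows the bank's name but really points somewhere else, and that is exactly the case the heuristic exists to catch.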


Re: [clamav-users] question about a malware submission

2021-06-28 Thread vze1amckv--- via clamav-users

Hello.

I submitted it over a week ago, and got a response saying that "Our 
initial assessment has verified the sample as a threat & we will be 
publishing signatures for ClamAV," but neither the ClamAV scanner in 
Jotti nor the one in Virus Total detects it.


You can verify for yourself; the SHA-1 hash is: 
d2058d5fdd9c4551f7c888d6673a6dbc780b095d.  Shall I resubmit?


Thanks,
Jonathan

On 6/23/21 7:24 AM, Joel Esler (jesler) wrote:


You should submit the suspected malware here:

https://www.clamav.net/reports/malware 



—
Sent from my  iPhone

On Jun 22, 2021, at 22:01, vze1amckv--- via clamav-users 
 wrote:


Hello,

I recently submitted a suspicious file via the ClamAV website 
submission form, and got a response back saying that "Our initial 
assessment has verified the sample as a threat & we will be publishing 
signatures for ClamAV."  But when I re-submit the file to 
virusscan.jotti.org or VirusTotal it still does not show that ClamAV 
detects the file.


Is there a way to check the status of a particular submission? (I can 
e-mail the hash privately.)  Or, how long is the usual turnaround time 
between when a submission is accepted and when a signature is made for it?


Thank you.


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] question about a malware submission

2021-06-23 Thread Joel Esler (jesler) via clamav-users

You should submit the suspected malware here:

https://www.clamav.net/reports/malware

—
Sent from my  iPhone

On Jun 22, 2021, at 22:01, vze1amckv--- via clamav-users 
 wrote:

Hello,

I recently submitted a suspicious file via the ClamAV website submission form, 
and got a response back saying that "Our initial assessment has verified the 
sample as a threat & we will be publishing signatures for ClamAV."  But when I 
re-submit the file to virusscan.jotti.org or VirusTotal it still does not show 
that ClamAV detects the file.

Is there a way to check the status of a particular submission? (I can e-mail 
the hash privately.)  Or, how long is the usual turnaround time between when a 
submission is accepted and when a signature is made for it?

Thank you.



Re: [clamav-users] Question regarding the 0.103.1 PNG bug fix

2021-03-03 Thread Micah Snyder (micasnyd) via clamav-users
Hello!

File type detection is performed primarily with file type magic (FTM) 
signatures loaded from daily.cvd.  If you unpack daily.cvd, you’ll find them in 
daily.ftm.  The signature format is documented here: 
https://www.clamav.net/documents/file-type-magic
By adjusting these signatures, we disabled detecting PNG files as “CL_TYPE_PNG” 
for 0.103.0 and prior, instead detecting PNG files as “CL_TYPE_GRAPHICS” as it 
had been before.

If you look at daily.ftm now, the PNG related signatures are:
0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_GRAPHICS::121
0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_PNG:122

For 0.103.1+, PNG files will detect as CL_TYPE_PNG which will enable the 
(fixed) PNG parser.  Because we’re able to effectively mitigate the issue by 
disabling PNG file type detection, which wasn’t working correctly in other ways 
from an efficacy standpoint due to other bugs anyway, we didn’t request a CVE 
or publish an advisory.

-Micah


From: clamav-users  On Behalf Of Pierre 
Olivier KAPLAN
Sent: Wednesday, March 3, 2021 5:12 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Question regarding the 0.103.1 PNG bug fix

Hello,


I have two questions regarding the 0.103.1 Release Notes.
In the bug fixes, an issue is mentioned with some PNG file parsing causing a 
stack exhaustion. Why isn't this categorized as a vulnerability, as it allows 
DoS attacks?

It is also mentioned that a signature exists to avoid the parsing. But I 
couldn't find it in the database. Do you know which one we shall use?

Thanks in advance for your help

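As an added illustration (not ClamAV code and not from the thread), the following Python parses the two daily.ftm lines Micah quotes and applies them the way his reply describes: the same PNG magic at offset 0 yields CL_TYPE_GRAPHICS when the engine's functionality level is at most 121 and CL_TYPE_PNG from 122 on. The field layout `magictype:offset:magic:name:required_type:detected_type[:min_flevel[:max_flevel]]` follows the file-type-magic page linked above; only magictype 0 (a direct byte comparison at a fixed offset) is handled, and the PNG and GIF sample bytes are constructed.

```python
# The two daily.ftm lines quoted in the thread. Field layout (per the linked docs):
# magictype:offset:magic:name:required_type:detected_type[:min_flevel[:max_flevel]]
FTM_LINES = [
    "0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_GRAPHICS::121",
    "0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_PNG:122",
]

# Constructed samples: the PNG file signature, and a GIF header, each with filler bytes.
PNG_SAMPLE = bytes.fromhex("89504e470d0a1a0a") + b"\x00" * 16
GIF_SAMPLE = b"GIF89a" + b"\x00" * 16


def _optional_int(fields, index):
    """Read an optional numeric field; empty or absent means 'no bound'."""
    if len(fields) > index and fields[index] != "":
        return int(fields[index])
    return None


def parse_ftm(line):
    """Split one FTM signature line into its named fields."""
    fields = line.split(":")
    if len(fields) < 6:
        raise ValueError(f"FTM line has fewer than six fields: {line!r}")
    return {
        "magictype": int(fields[0]),
        "offset": fields[1],
        "magic": bytes.fromhex(fields[2]),
        "name": fields[3],
        "required_type": fields[4],
        "detected_type": fields[5],
        "min_flevel": _optional_int(fields, 6),
        "max_flevel": _optional_int(fields, 7),
    }


def flevel_allows(sig, flevel):
    """True when the engine functionality level lies inside the signature's window."""
    lo, hi = sig["min_flevel"], sig["max_flevel"]
    return (lo is None or flevel >= lo) and (hi is None or flevel <= hi)


def detect_type(data, flevel, ftm_lines=FTM_LINES, current_type="CL_TYPE_ANY"):
    """Return the detected type of the first applicable signature whose magic matches.

    Only magictype 0 (direct byte comparison at a fixed offset) is modelled; any
    other magictype is skipped. Returns None when nothing matches.
    """
    for line in ftm_lines:
        sig = parse_ftm(line)
        if sig["magictype"] != 0:
            continue
        if not flevel_allows(sig, flevel):
            continue  # the engine is outside this signature's FLEVEL window
        if sig["required_type"] not in ("CL_TYPE_ANY", current_type):
            continue  # the signature only refines a specific prior type
        offset = int(sig["offset"])
        if data[offset:offset + len(sig["magic"])] == sig["magic"]:
            return sig["detected_type"]
    return None


if __name__ == "__main__":
    for flevel in (121, 122):
        print(f"FLEVEL {flevel}: PNG sample -> {detect_type(PNG_SAMPLE, flevel)}")
    print(f"FLEVEL 122: GIF sample -> {detect_type(GIF_SAMPLE, 122)}")
```

Capping the old line at 121 and starting the new one at 122, rather than deleting or rewriting a single line, is what let a database update rather than an engine upgrade keep 0.103.0 and earlier away from the affected parser: an engine at FLEVEL 121 never applies the CL_TYPE_PNG line, so it falls back to the generic graphics handling it had used before.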


Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-02-08 Thread Lilia Gonzalez Medina
Hi Orion,

Apologies for taking too long to respond. After some tests I was able to
reproduce the FPs and target type 3 LDB signatures for Urlhaus have been
updated and published and should not alert on legitimate files anymore.
Please update your ClamAV database and if you still have some issues please
let me know.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos



On Tue, Jan 12, 2021 at 12:54 PM Orion Poplawski  wrote:

> Lilia -
>
>   Odd, I see it:
>
> # https_proxy= curl -o ublock_origin-1.32.4-an+fx.xpi
> '
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> '
> # clamscan ublock_origin-1.32.4-an+fx.xpi
> ublock_origin-1.32.4-an+fx.xpi: Urlhaus.Malware.364328-9787819-0 FOUND
>
> # clamscan --version
> ClamAV 0.103.0/26046/Mon Jan 11 05:34:14 2021
>
> # clamscan urlhaus-filter-online.txt
> urlhaus-filter-online.txt: Urlhaus.Malware.364328-9787819-0 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 8799521
> Engine version: 0.103.0
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.29 MB
> Data read: 0.14 MB (ratio 2.11:1)
> Time: 21.911 sec (0 m 21 s)
> Start Date: 2021:01:12 10:37:52
> End Date:   2021:01:12 10:38:14
>
> Other URLs:
>
> Virus Urlhaus.Malware.364328-9787819-0:
>https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt:
> 2
> Time(s)
>
>
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> :
> 2 Time(s)
>
>
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt
> :
> 1 Time(s)
>
>
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> :
> 1 Time(s)
>
>
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> :
> 1 Time(s)
>
>
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> :
> 1 Time(s)
>
>
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/14db9cf6ad7bfff32779d68d12b869e6f7e8ec1a/urlhaus-filter-online.txt
> :
> 1 Time(s)
>
>
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> :
> 1 Time(s)
>
> I've attached copies.
>
>   Orion
>
> On 1/8/21 9:18 PM, Lilia Gonzalez Medina wrote:
> > Orion, I haven't been able to reproduce the FP with
> >
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> .
> >
> > <
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> >
> >
> > If you could send me the file that alerts with
> > Urlhaus.Malware.364328-9787819-0 I could look into it.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Thu, Jan 7, 2021 at 12:00 PM Orion Poplawski  > > wrote:
> >
> > Lilia -
> >
> >   Virus database is updated daily and updated last night.  Still
> seeing one
> > this morning:
> >
> > Virus Urlhaus.Malware.364328-9787819-0:
> >
> >
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> > <
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> >:
> > 1 Time(s)
> >
> > Though that is a different signature.
> >
> > Orion
> >
> > On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> > > Hi Orion!
> > >
> > > Those NBD signatures were updated at the beginning of the week and
> > should not
> > > FP anymore. Please update your ClamAV db and let us know if the
> issue
> > persists.
> > >
> > > Best regards,
> > >
> > > Lilia Gonzalez
> > >  Malware Research Team
> > >  Cisco Talos
> > >
> > >
> > > On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski  > 
> > > >> wrote:
> > >
> > > Lilia -
> > >
> > >   Thanks for the response.   We're seeing some others getting
> > triggered as
> > > well:
> > >
> > > Virus Urlhaus.Malware.490516-9766015-0:
> > >10.21.2.5
> > >
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > 
> > > <
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > >:
> 2
> > Time(s)
> > >10.21.2.5
> > >
> >
> 

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-08 Thread Lilia Gonzalez Medina
Orion, I haven't been able to reproduce the FP with
https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc.



If you could send me the file that alerts with
Urlhaus.Malware.364328-9787819-0 I could look into it.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Thu, Jan 7, 2021 at 12:00 PM Orion Poplawski  wrote:

> Lilia -
>
>   Virus database is updated daily and updated last night.  Still seeing one
> this morning:
>
> Virus Urlhaus.Malware.364328-9787819-0:
>
>
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> :
> 1 Time(s)
>
> Though that is a different signature.
>
> Orion
>
> On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Those NBD signatures were updated at the beginning of the week and
> should not
> > FP anymore. Please update your ClamAV db and let us know if the issue
> persists.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> >  Malware Research Team
> >  Cisco Talos
> >
> >
> > On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski  > > wrote:
> >
> > Lilia -
> >
> >   Thanks for the response.   We're seeing some others getting
> triggered as
> > well:
> >
> > Virus Urlhaus.Malware.490516-9766015-0:
> >10.21.2.5
> > https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > :
> 2 Time(s)
> >10.21.2.5
> >
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> > <
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> >:
> > 2 Time(s)
> >10.21.2.5
> >
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> > <
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> >:
> > 1 Time(s)
> >10.21.2.5
> >
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> > <
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> >:
> > 1 Time(s)
> >10.21.2.5
> >
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt
> > <
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt
> >:
> > 1 Time(s)
> >
> > Virus Urlhaus.Malware.161756-8797115-0:
> >10.10.20.7
> >
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> > <
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> >:
> > 1 Time(s)
> >10.11.1.3
> >
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> > <
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> >:
> > 1 Time(s)
> >
> >
> > Orion
> >
> > On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > > Hi Orion!
> > >
> > > Thank you for reporting this. URLhaus is a partner that generates
> a list of
> > > ClamAV signatures to target malicious URLs. Signature
> > > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside
> HTML
> > > files, which is why it is alerting on the URLs you mentioned. We
> found these
> > > FPs some weeks ago and added an extra check on new ClamAV
> signatures to
> > > prevent them from alerting on legitimate URLhaus content. We are
> currently
> > > updating older ClamAV signatures to ensure they don't FP on
> non-malicious
> > > HTML files.
> > >
> > > Best regards,
> > >
> > > Lilia Gonzalez
> > > Malware Research Team
> > > Cisco Talos
> > >
> > > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski  > 
> > > >> wrote:
> > >
> > > Can anyone give me some details about the
> > Urlhaus.Malware.452652-9766253-0
> > > signature?  We're seeing the following URLs trigger it:
> > >
> > >
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > 

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-07 Thread Orion Poplawski
Lilia -

  Virus database is updated daily and updated last night.  Still seeing one
this morning:

Virus Urlhaus.Malware.364328-9787819-0:

https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc:
1 Time(s)

Though that is a different signature.

Orion

On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
> 
> Those NBD signatures were updated at the beginning of the week and should not
> FP anymore. Please update your ClamAV db and let us know if the issue 
> persists.
> 
> Best regards,
> 
> Lilia Gonzalez
>  Malware Research Team
>  Cisco Talos
> 
> 
> On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski  > wrote:
> 
> Lilia -
> 
>   Thanks for the response.   We're seeing some others getting triggered as
> well:
> 
>     Virus Urlhaus.Malware.490516-9766015-0:
>    10.21.2.5
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> : 2 
> Time(s)
>    10.21.2.5
> 
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> 
> :
> 2 Time(s)
>    10.21.2.5
> 
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> 
> :
> 1 Time(s)
>    10.21.2.5
> 
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> 
> :
> 1 Time(s)
>    10.21.2.5
> 
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt
> 
> :
> 1 Time(s)
> 
>     Virus Urlhaus.Malware.161756-8797115-0:
>        10.10.20.7
> 
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> 
> :
> 1 Time(s)
>        10.11.1.3
> 
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc
> 
> :
> 1 Time(s)
> 
> 
> Orion
> 
> On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Thank you for reporting this. URLhaus is a partner that generates a 
> list of
> > ClamAV signatures to target malicious URLs. Signature
> > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > files, which is why it is alerting on the URLs you mentioned. We found 
> these
> > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > prevent them from alerting on legitimate URLhaus content. We are 
> currently
> > updating older ClamAV signatures to ensure they don't FP on 
> non-malicious
> > HTML files.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski  
> > >> wrote:
> >
> >     Can anyone give me some details about the
> Urlhaus.Malware.452652-9766253-0
> >     signature?  We're seeing the following URLs trigger it:
> >
> >     https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> 
> >      >
> >   
>  
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> 
> 
> >   
>  
>  
> >
> >   
>  
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> 
> 

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-07 Thread Lilia Gonzalez Medina
Hi Orion!

Those NBD signatures were updated at the beginning of the week and should
not FP anymore. Please update your ClamAV db and let us know if the issue
persists.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski  wrote:

> Lilia -
>
>   Thanks for the response.   We're seeing some others getting triggered as
> well:
>
> Virus Urlhaus.Malware.490516-9766015-0:
>10.21.2.5
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2
> Time(s)
>10.21.2.5
>
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> :
> 2 Time(s)
>10.21.2.5
>
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> :
> 1 Time(s)
>10.21.2.5
>
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> :
> 1 Time(s)
>10.21.2.5
>
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt
> :
> 1 Time(s)
>
> Virus Urlhaus.Malware.161756-8797115-0:
>10.10.20.7
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc:
> 1 Time(s)
>10.11.1.3
> https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc:
> 1 Time(s)
>
>
> Orion
>
> On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Thank you for reporting this. URLhaus is a partner that generates a list
> of
> > ClamAV signatures to target malicious URLs. Signature
> > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > files, which is why it is alerting on the URLs you mentioned. We found
> these
> > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > prevent them from alerting on legitimate URLhaus content. We are
> currently
> > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > HTML files.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski  > > wrote:
> >
> > Can anyone give me some details about the
> Urlhaus.Malware.452652-9766253-0
> > signature?  We're seeing the following URLs trigger it:
> >
> > https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > 
> >
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> > <
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> >
> >
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> > <
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> >
> >
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> > <
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> >
> >
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> > <
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> >
> >
> > Which seems to be the online update URLs for the urlhaus filter.
> Does
> > ClamAV
> > deem urlhaus a bad actor?
> >
> > Thanks,
> >   Orion
> >
> > --
> > Orion Poplawski
> > Manager of NWRA Technical Systems  720-772-5637
> > NWRA, Boulder/CoRA Office FAX: 303-415-9702
> > 3380 Mitchell Lane   or...@nwra.com
> > 
> > Boulder, CO 80301 https://www.nwra.com/
> > 
> >
>
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 

Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-06 Thread Orion Poplawski
Lilia -

  Thanks for the response.   We're seeing some others getting triggered as well:

    Virus Urlhaus.Malware.490516-9766015-0:
   10.21.2.5
https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
   10.21.2.5
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt:
2 Time(s)
   10.21.2.5
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt:
1 Time(s)
   10.21.2.5
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt:
1 Time(s)
   10.21.2.5
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt:
1 Time(s)

Virus Urlhaus.Malware.161756-8797115-0:
   10.10.20.7 
https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc:
 1 Time(s)
   10.11.1.3 
https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc:
 1 Time(s)


Orion

On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
>
> Thank you for reporting this. URLhaus is a partner that generates a list of
> ClamAV signatures to target malicious URLs. Signature
> Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> files, which is why it is alerting on the URLs you mentioned. We found these
> FPs some weeks ago and added an extra check on new ClamAV signatures to
> prevent them from alerting on legitimate URLhaus content. We are currently
> updating older ClamAV signatures to ensure they don't FP on non-malicious
> HTML files.
>
> Best regards,
>
> Lilia Gonzalez
> Malware Research Team
> Cisco Talos
>
> On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski  > wrote:
>
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature?  We're seeing the following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> 
> 
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> 
> 
> 
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> 
> 
> 
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> 
> 
> 
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> 
> 
>
> Which seems to be the online update URLs for the urlhaus filter.  Does
> ClamAV
> deem urlhaus a bad actor?
>
> Thanks,
>   Orion
>
> -- 
> Orion Poplawski
> Manager of NWRA Technical Systems          720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       or...@nwra.com
> 
> Boulder, CO 80301                 https://www.nwra.com/
> 
>


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/






Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-04 Thread Lilia Gonzalez Medina
Hi Orion!

Thank you for reporting this. URLhaus is a partner that generates a list of
ClamAV signatures to target malicious URLs. Signature
Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
files, which is why it is alerting on the URLs you mentioned. We found
these FPs some weeks ago and added an extra check on new ClamAV signatures
to prevent them from alerting on legitimate URLhaus content. We are
currently updating older ClamAV signatures to ensure they don't FP on
non-malicious HTML files.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski  wrote:

> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature?  We're seeing the following URLs trigger it:
>
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
>
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
>
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
>
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
>
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
>
> Which seems to be the online update URLs for the urlhaus filter.  Does
> ClamAV
> deem urlhaus a bad actor?
>
> Thanks,
>   Orion
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/
>



Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2020-12-30 Thread Orion Poplawski
So that is apparently a malicious site as determined by Urlhaus and is on
their filter list.  But how is it useful as a ClamAV signature?  You are not
going to be filtering URLs with ClamAV, right?  And now it's blocking these
emails because they contain this string.

Orion

On 12/23/20 11:26 AM, eric-l...@truenet.com wrote:
> Here's the signature decoded:
> # sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
> VIRUS NAME: Urlhaus.Malware.452652-9766253-0
> FUNCTIONALITY LEVEL: >=48
> TARGET TYPE: HTML
> OFFSET: *
> DECODED SIGNATURE:
> aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> 
> -Original Message-
> From: clamav-users  On Behalf Of
> Orion Poplawski
> Sent: Wednesday, December 23, 2020 1:11 PM
> To: ClamAV users ML 
> Subject: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0
> 
> Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> signature?  We're seeing the following URLs trigger it:
> 
> https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-fil
> ter-online.txt
> https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d
> 5d2e877e120/urlhaus-filter-online.txt
> https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-onl
> ine.txt
> https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.tx
> t
> 
> Which seems to be the online update URLs for the urlhaus filter.  Does
> ClamAV deem urlhaus a bad actor?
> 
> Thanks,
>   Orion
> 
> --
> Orion Poplawski
> Manager of NWRA Technical Systems  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301 https://www.nwra.com/
> 


-- 
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2020-12-23 Thread Kris Deugau

Orion Poplawski wrote:

Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature?  We're seeing the following URLs trigger it:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt

Which seem to be the online update URLs for the urlhaus filter.  Does ClamAV
deem urlhaus a bad actor?


No, but that signature matches a line in that file.  Which should be 
expected since the Clam signature is presumably derived from the 
original source for that file.


-kgd



Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2020-12-23 Thread eric-list
Here's the signature decoded:
# sigtool --find-sig Urlhaus.Malware.452652-9766253-0 | sigtool --decode-sig
VIRUS NAME: Urlhaus.Malware.452652-9766253-0
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-Original Message-
From: clamav-users  On Behalf Of
Orion Poplawski
Sent: Wednesday, December 23, 2020 1:11 PM
To: ClamAV users ML 
Subject: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature?  We're seeing the following URLs trigger it:

https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt

Which seem to be the online update URLs for the urlhaus filter.  Does
ClamAV deem urlhaus a bad actor?

Thanks,
  Orion

--
Orion Poplawski
Manager of NWRA Technical Systems  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301 https://www.nwra.com/





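A triage script for this kind of hit, added here as an example and not code from the ClamAV project or from either poster: it parses the `sigtool --decode-sig` output Eric posted and searches a constructed stand-in for the urlhaus filter list for the decoded pattern, which confirms Kris's point that the signature matches a line of the blocklist itself. The wildcard translation assumes sigtool prints body-signature wildcards in .ndb syntax; the filter contents are constructed, not the real file.

```python
"""Triage a ClamAV URL-signature hit against a URL blocklist file.

Added example, not ClamAV project code.  Parses `sigtool --decode-sig`
output, then reports which blocklist lines carry the decoded pattern: a
blocklist derived from the same URLhaus source will match itself.
"""
import re

# The sigtool output as posted in the thread (page content, not constructed).
SIGTOOL_OUTPUT = """\
VIRUS NAME: Urlhaus.Malware.452652-9766253-0
FUNCTIONALITY LEVEL: >=48
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/
"""

# Constructed stand-in for urlhaus-filter-online.txt; only the third line is
# taken from the decoded signature above, the other entries are invented.
CONSTRUCTED_FILTER = """\
! Title: Malicious URL Blocklist (constructed sample)
||example.invalid/somewhere/^
||aboveandbelow.com.au/cgi-bin/http:/sites/b4q7eajmmm2moxgkq/^
||another.example.invalid/path/^
"""

_GAP = re.compile(r"\{(\d*)(-?)(\d*)\}")


def parse_decoded_sig(text: str) -> dict:
    """Split `sigtool --decode-sig` output into header fields and body."""
    fields, body, in_body = {}, [], False
    for line in text.splitlines():
        if in_body:
            if line.strip():
                body.append(line.strip())
        elif line.startswith("DECODED SIGNATURE:"):
            in_body = True
        else:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    fields["DECODED SIGNATURE"] = "\n".join(body)
    return fields


def clam_body_to_regex(pattern: str) -> re.Pattern:
    """Translate a decoded ClamAV body pattern into a compiled regex.

    Assumption: sigtool prints wildcards in .ndb body syntax: `*` (any bytes),
    `??` (one byte), `{n}`, `{n-}`, `{-m}`, `{n-m}` (byte gaps) and `(a|b)`
    alternation; everything else is literal.  The HTML target is matched on
    ClamAV's lower-cased normalised HTML, hence case-insensitive.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*?")
            i += 1
        elif pattern.startswith("??", i):
            out.append(".")
            i += 2
        elif c == "{":
            m = _GAP.match(pattern, i)
            if not m or not (m.group(1) or m.group(3)):
                raise ValueError(f"unsupported gap at offset {i}: {pattern[i:]}")
            lo, dash, hi = m.groups()
            out.append(f".{{{lo}}}" if not dash else f".{{{lo or 0},{hi}}}")
            i = m.end()
        elif c == "(":
            j = pattern.index(")", i)
            alts = pattern[i + 1:j].split("|")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def find_matching_lines(pattern: str, blocklist_text: str) -> list:
    """Return (line number, line) pairs of the blocklist the pattern hits."""
    regex = clam_body_to_regex(pattern)
    return [(n, line) for n, line in enumerate(blocklist_text.splitlines(), 1)
            if regex.search(line)]


def triage(sigtool_output: str, blocklist_text: str) -> dict:
    """Explain a signature hit on a blocklist: which lines carry the pattern."""
    sig = parse_decoded_sig(sigtool_output)
    return {
        "name": sig["VIRUS NAME"],
        "target": sig.get("TARGET TYPE", "?"),
        "hits": find_matching_lines(sig["DECODED SIGNATURE"], blocklist_text),
    }


if __name__ == "__main__":
    result = triage(SIGTOOL_OUTPUT, CONSTRUCTED_FILTER)
    print(f"{result['name']} (target {result['target']}) matched "
          f"{len(result['hits'])} line(s) of the blocklist:")
    for lineno, line in result["hits"]:
        print(f"  line {lineno}: {line}")
    if result["hits"]:
        # A blocklist legitimately carries the URLs it blocks.  To keep
        # fetching it without alerts, list the signature name, one per line,
        # in a .ign2 file in the ClamAV database directory.
        print(f"\nlocal.ign2 entry to ignore this signature:\n{result['name']}")
```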

Re: [clamav-users] Question about clamAV dependencies

2020-12-10 Thread Ttito Concha, Darwin via clamav-users
Sorry, I forgot to mention that we run ClamAV in a container, so I think it 
makes sense that it doesn't have systemd installed, as it is a single process.

Thanks so much for the replies.

On 10/12/20 08:45, "G.W. Haywood via clamav-users" wrote:

Hi there,

On Wed, 9 Dec 2020, Ttito Concha, Darwin via clamav-users wrote:
> On 09/12/20 18:53, "Andrew C Aitchison"  wrote:
>On Wed, 9 Dec 2020, Ttito Concha, Darwin via clamav-users wrote:
>
> > ...openSUSE...zypper install clamav, which asks to install 27
> > dependencies.
> > I would like to know if all these dependencies are needed, since I
> > tried to install clamAV only by installing two of these
> > dependencies: libclammspack0, libclamav7; and it seems to work
> > without problems. Do you know if it is safe to do this?
> > The following 27 NEW packages are going to be installed:
> >  ... clamav ... systemd ...
>
>They look reasonable packages to have on a linux system ...
>What are you using clamav to do ?
> 
> I am using it to scan any type of file that is uploaded to our server.

If you can script the scans, rather than using on-access scanning, I
think you should be fine.  If the ClamAV binaries run OK I don't think
there are any concerns about the safety of your system (at least that
were not already concerns before you installed them. :)

Mr. Aitchison and I differ at least in one respect about what might be
a reasonable package to install on a Linux system - if you don't have
systemd installed, then my feeling is that you've been very lucky. :)
It's a little odd that you don't have it on an OpenSUSE system though,
as I thought they started using it some years ago.  Did you remove it?

Amongst (many) other things, with systemd the ways that things like
daemons are started at boot and are controlled at runtime are *very*
different from the (g)olden days.  If you have many startup scripts it
may take some time to massage them after installing systemd.  If you
use old filesystems - which take longer than about 90 seconds to check
at boot, for example a large ext3 filesystem using fsck - then you may
need to prevent systemd from trashing it after they reach their maximal
mount counts the next time the boot scripts run fsck (by killing the
"start job", which unfortunately systemd will NOT tell you is 'fsck').
There are quite a few other wrinkles too, like it will probably change
the names of all your network interfaces - and you may have to get on a
'plane to recover from that one.

Unfortunately you'll see the horrendous bloat more and more, and quite
a lot of packages are starting to include systemd in the dependencies
so for example if you have any Hewlett-Packard laser printers, one day
without warning they'll all suddenly stop working.

Don't ask me how I know all this.  Rant over.

-- 

73,
Ged.



Re: [clamav-users] Question about clamAV dependencies

2020-12-10 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 9 Dec 2020, Ttito Concha, Darwin via clamav-users wrote:

On 09/12/20 18:53, "Andrew C Aitchison"  wrote:
   On Wed, 9 Dec 2020, Ttito Concha, Darwin via clamav-users wrote:

> ...openSUSE...zypper install clamav, which asks to install 27 dependencies.
> I would like to know if all these dependencies are needed, since I
> tried to install clamAV only by installing two of these
> dependencies: libclammspack0, libclamav7; and it seems to work
> without problems. Do you know if it is safe to do this?
> The following 27 NEW packages are going to be installed:
>  ... clamav ... systemd ...

   They look reasonable packages to have on a linux system ...
   What are you using clamav to do ?

I am using it to scan any type of file that is uploaded to our server.


If you can script the scans, rather than using on-access scanning, I
think you should be fine.  If the ClamAV binaries run OK I don't think
there are any concerns about the safety of your system (at least that
were not already concerns before you installed them. :)

Mr. Aitchison and I differ at least in one respect about what might be
a reasonable package to install on a Linux system - if you don't have
systemd installed, then my feeling is that you've been very lucky. :)
It's a little odd that you don't have it on an OpenSUSE system though,
as I thought they started using it some years ago.  Did you remove it?

Amongst (many) other things, with systemd the ways that things like
daemons are started at boot and are controlled at runtime are *very*
different from the (g)olden days.  If you have many startup scripts it
may take some time to massage them after installing systemd.  If you
use old filesystems - which take longer than about 90 seconds to check
at boot, for example a large ext3 filesystem using fsck - then you may
need to prevent systemd from trashing it after they reach their maximal
mount counts the next time the boot scripts run fsck (by killing the
"start job", which unfortunately systemd will NOT tell you is 'fsck').
There are quite a few other wrinkles too, like it will probably change
the names of all your network interfaces - and you may have to get on a
'plane to recover from that one.

Unfortunately you'll see the horrendous bloat more and more, and quite
a lot of packages are starting to include systemd in the dependencies
so for example if you have any Hewlett-Packard laser printers, one day
without warning they'll all suddenly stop working.

Don't ask me how I know all this.  Rant over.

--

73,
Ged.



Re: [clamav-users] Question about clamAV dependencies

2020-12-09 Thread Ttito Concha, Darwin via clamav-users
Hi Andrew, thanks for the quick reply.

I am using it to scan any type of file that is uploaded to our server.

Regards,
Darwin

On 09/12/20 18:53, "Andrew C Aitchison"  wrote:

On Wed, 9 Dec 2020, Ttito Concha, Darwin via clamav-users wrote:

> Hi Team,
>
> Currently I am using ClamAV in openSUSE. So to install it I run
> zypper install clamav, which asks to install 27 dependencies.
> I would like to know if all these dependencies are needed, since I
> tried to install clamAV only by installing two of these
> dependencies: libclammspack0, libclamav7; and it seems to work
> without problems. Do you know if it is safe to do this?
>
> I noticed that the two packages mentioned above are the minimum
> requirements of clamAV since without them the clamd process does not
> start.
>
> $zypper install clamav
> Resolving dependencies...
> Resolving package dependencies...
>
> The following 27 NEW packages are going to be installed:
>  blog clamav dbus-1 gawk kbd kbd-legacy kmod libapparmor1
>  libargon2-1 libclamav7 libclammspack0 libcryptsetup12 libdbus-1-3
>  libdevmapper1_03 libexpat1 libjson-c3 libkmod2 libltdl7
>  libqrencode4 libseccomp2 pam-config pkg-config systemd
>  systemd-presets-branding-SLE sysvinit-tools udev
>  update-alternatives

They look reasonable packages to have on a linux system
- I am surprised that you are running with so few of them already installed.

You will have problems with some features of clamav without some of
those packages. For example I suspect that on-access scanning will
fail without kmod.

What are you using clamav to do ?

-- 
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk




Re: [clamav-users] Question

2020-01-12 Thread Al Varnell via clamav-users
Sent from my iPad

On Jan 12, 2020, at 16:49, Mason, Aj via clamav-users wrote:
> I have to update definitions on my offline Linux file and I needed assistance 
> with how to copy the files to my Linux system. I have already downloaded all 
> three files already. Is there a repository to
> 
> this? Thanks
> 
You don’t say what flavor of Linux you have installed and that may make a 
difference here, but the “repository” should be /share/clamav/.

-Al-


Re: [clamav-users] Question

2019-10-05 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 5 Oct 2019, Matus UHLAR - fantomas wrote:

On 05.10.19 15:57, alex mc via clamav-users wrote:

On Sat, 5 Oct 2019 at 15:14, J.R. via clamav-users [...] wrote:


I had already seen all this, but the code itself does not know where it is


Are you talking about the virus definitions? Those are also available
on the clamav download page. Once downloaded you can use sigtool to
extract all the raw files into something you can read.


I'm talking about the source code of the antivirus, but thanks.


your question has been answered then already:
https://lists.clamav.net/pipermail/clamav-users/2019-October/008635.html
https://lists.clamav.net/pipermail/clamav-users/2019-October/008636.html
https://lists.clamav.net/pipermail/clamav-users/2019-October/008637.html


And the most relevant answer, which is most important to the OP:

https://lists.clamav.net/pipermail/clamav-users/2019-October/008642.html

Because our OP has not yet asked the question which he means to ask,
and until he does he will continue to waste everyone's time here and
also probably won't get an answer to the question.

--

73,
Ged.



Re: [clamav-users] Question

2019-10-05 Thread Matus UHLAR - fantomas

On 05.10.19 15:57, alex mc via clamav-users wrote:

I'm talking about the source code of the antivirus, but thanks.


your question has been answered then already:
https://lists.clamav.net/pipermail/clamav-users/2019-October/008635.html
https://lists.clamav.net/pipermail/clamav-users/2019-October/008636.html
https://lists.clamav.net/pipermail/clamav-users/2019-October/008637.html



On Sat, 5 Oct 2019 at 15:14, J.R. via clamav-users (<clamav-users@lists.clamav.net>) wrote:


> I had already seen all this, but the code itself does not know where it
is

Are you talking about the virus definitions? Those are also available
on the clamav download page. Once downloaded you can use sigtool to
extract all the raw files into something you can read.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Where do you want to go to die?" [Microsoft]



Re: [clamav-users] Question

2019-10-05 Thread alex mc via clamav-users
I'm talking about the source code of the antivirus, but thanks.

On Sat, 5 Oct 2019 at 15:14, J.R. via clamav-users (<clamav-users@lists.clamav.net>) wrote:

> > I had already seen all this, but the code itself does not know where it
> is
>
> Are you talking about the virus definitions? Those are also available
> on the clamav download page. Once downloaded you can use sigtool to
> extract all the raw files into something you can read.
>


Re: [clamav-users] Question

2019-10-05 Thread J.R. via clamav-users
> I had already seen all this, but the code itself does not know where it is

Are you talking about the virus definitions? Those are also available
on the clamav download page. Once downloaded you can use sigtool to
extract all the raw files into something you can read.



Re: [clamav-users] Question

2019-10-04 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 3 Oct 2019, alex mc via clamav-users wrote:


... lately I've been looking for the clamav antivirus code but I don't know
why I can't find it, could you send it to me or tell me where to find it?
...


http://catb.org/~esr/faqs/smart-questions.html

--

73,
Ged.



Re: [clamav-users] Question

2019-10-04 Thread alex mc via clamav-users
I had already seen all this, but the code itself does not know where it is

On Thu, 3 Oct 2019 at 19:16, Eric Tykwinski () wrote:

> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Wagde Zabit via clamav-users
> > Sent: Thursday, October 03, 2019 1:09 PM
> > To: ClamAV users ML
> > Cc: Wagde Zabit
> > Subject: Re: [clamav-users] Question
> >
> > https://www.clamav.net/downloads/production/clamav-0.102.0.tar.gz
> >
>
> Or my preference: https://github.com/Cisco-Talos/clamav-devel
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
>
>
>
>


Re: [clamav-users] Question

2019-10-03 Thread Eric Tykwinski
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
Behalf Of Wagde Zabit via clamav-users
> Sent: Thursday, October 03, 2019 1:09 PM
> To: ClamAV users ML
> Cc: Wagde Zabit
> Subject: Re: [clamav-users] Question
>
> https://www.clamav.net/downloads/production/clamav-0.102.0.tar.gz
>

Or my preference: https://github.com/Cisco-Talos/clamav-devel

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300







Re: [clamav-users] Question

2019-10-03 Thread Wagde Zabit via clamav-users
https://www.clamav.net/downloads/production/clamav-0.102.0.tar.gz 



> On 3 Oct 2019, at 19:13, alex mc via clamav-users wrote:
> 
> Hi, lately I've been looking for the clamav antivirus code but I don't know 
> why I can't find it, could you send it to me or tell me where to find it?
> Thank you so much
> 


Re: [clamav-users] Question

2019-10-03 Thread Joel Esler (jesler) via clamav-users
You mean on clamav.net/downloads?

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

From: clamav-users  on behalf of alex mc 
via clamav-users 
Reply-To: ClamAV users ML 
Date: Thursday, October 3, 2019 at 12:31 PM
To: "clamav-users@lists.clamav.net" 
Cc: alex mc 
Subject: [clamav-users] Question

Hi, lately I've been looking for the clamav antivirus code but I don't know why 
I can't find it, could you send it to me or tell me where to find it?
Thank you so much





Re: [clamav-users] Question regarding Metasploit signatures

2019-08-31 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 31 Aug 2019, J.R. via clamav-users wrote:


If the virus pattern is in one of the database files, then you are
alerted... If it's not, then no alert... That's how every antivirus
works...


There's a bit more to it than that.  Some detection is based on other
characteristics, such as behaviour.  But I think it's true to say that
the mainstay of detection by ClamAV is through the signature databases.
That's how I use it - there are a few excellent third-party databases.

--

73,
Ged.



Re: [clamav-users] Question regarding Metasploit signatures

2019-08-31 Thread J.R. via clamav-users
> Hence, my question or curiosity over how ClamAV determines
> the *true* threat level of a malicious file.

If the virus pattern is in one of the database files, then you are
alerted... If it's not, then no alert... That's how every antivirus
works...

You are more than welcome to report files for the clamav team to check
out and add to the db:

https://www.clamav.net/reports/malware



Re: [clamav-users] Question regarding Metasploit signatures

2019-08-31 Thread Manna, Mohammed via clamav-users
Hi There,

> -Original Message-
> From: clamav-users  On Behalf Of
> G.W. Haywood via clamav-users
> Sent: 31 August 2019 08:39
> To: Manna, Mohammed via clamav-users 
> Cc: G.W. Haywood 
> Subject: Re: [clamav-users] Question regarding Metasploit signatures
> 
> Hi there,
> 
> On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:
> 
> > What I can see that ClamAV cannot always successfully detect reverse
> > shell type of files (built using Metasploit msfvenom). And also, if
> > the file is covered using a pseudo extension e.g. test.exe.txt
> >
> > When I was comparing this on virustotal.com ClamAV seems to be
> > missing quite a lot of them. Is there any reason why ClamAV doesn't
> > do a more extensive search?
> 
> ClamAV is by no means perfect, but you haven't told us how you have
> configured it, nor how you are using it, so it's difficult to make any
> particular observations.
> 
> There is a system for reporting failed detections which you can use,
> but to avoid wasted effort it will be as well for you first to check
> that your issue is not simply the expected result of how you have
> configured your ClamAV installation.
> 
> > Reverse shell or bind shell both are sensitive files and I was
> > expecting ClamAV to be detecting them somehow.
> 
> In network security, expecting things to work as intended is sure to
> lead to eventual disappointment.  If instead you expect things to
> fail, and base your behaviour on that expectation, you will likely be
> surprised less often - and suffer fewer system compromises.
> 
> For example, although I scan all mail using ClamAV, I never expect it
> to find anything; but I also block all mail from more than a hundred
> and sixty ISO 3166 country codes, which is partly why ClamAV hasn't
> reported anything malicious in our mail since last September.  That
> doesn't mean that ClamAV wouldn't have found anything if it had been
> given the opportunity to scan it, but it *does* mean that there is a
> much reduced probability of something nasty reaching one of my users.
> Of course, even if it did, it's unlikely to have any serious effect
> because (a) the users are educated and (b) they're using Linux boxes
> which are immune from the vast majority of malicious software.  This
> is called "defence in depth".  There's more, which I won't reveal in
> a public forum.
> 
> > Could someone clarify? Also, if this is mentioned anywhere in the
> > docs, I would be grateful if you please point me to that.
> 
> The 'man' pages for clamscan, clamd.conf and clamsubmit might be good
> places to start.
> 
[[MM]] What you have said here makes sense. As for my test, I unzipped 
portable ClamAV on Linux, then generated a reverse shell file using Metasploit 
to scan it with ClamAV. I used the latest virus DB and engine from ClamAV.net. 
It missed detection for any tcp/http reverse shell generation. As a comparison, 
we ran the same test with a different AV provider on Windows OS. The detection 
was successful. Hence, my question or curiosity over how ClamAV determines the 
*true* threat level of a malicious file.
I do agree with your statement on user education and operating system. However, 
the global userbase cannot be fully educated/converted to mitigate this. My 
intention was just to understand why this is constantly being missed.
> --
> 
> 73,
> Ged.
> 


Re: [clamav-users] Question regarding Metasploit signatures

2019-08-31 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:


What I can see that ClamAV cannot always successfully detect reverse
shell type of files (built using Metasploit msfvenom). And also, if
the file is covered using a pseudo extension e.g. test.exe.txt

When I was comparing this on virustotal.com ClamAV seems to be
missing quite a lot of them. Is there any reason why ClamAV doesn't
do a more extensive search?


ClamAV is by no means perfect, but you haven't told us how you have
configured it, nor how you are using it, so it's difficult to make any
particular observations.

There is a system for reporting failed detections which you can use,
but to avoid wasted effort it will be as well for you first to check
that your issue is not simply the expected result of how you have
configured your ClamAV installation.


Reverse shell or bind shell both are sensitive files and I was
expecting ClamAV to be detecting them somehow.


In network security, expecting things to work as intended is sure to
lead to eventual disappointment.  If instead you expect things to
fail, and base your behaviour on that expectation, you will likely be
surprised less often - and suffer fewer system compromises.

For example, although I scan all mail using ClamAV, I never expect it
to find anything; but I also block all mail from more than a hundred
and sixty ISO 3166 country codes, which is partly why ClamAV hasn't
reported anything malicious in our mail since last September.  That
doesn't mean that ClamAV wouldn't have found anything if it had been
given the opportunity to scan it, but it *does* mean that there is a
much reduced probability of something nasty reaching one of my users.
Of course, even if it did, it's unlikely to have any serious effect
because (a) the users are educated and (b) they're using Linux boxes
which are immune from the vast majority of malicious software.  This
is called "defence in depth".  There's more, which I won't reveal in
a public forum.


Could someone clarify? Also, if this is mentioned anywhere in the
docs, I would be grateful if you please point me to that.


The 'man' pages for clamscan, clamd.conf and clamsubmit might be good
places to start.

--

73,
Ged.



Re: [clamav-users] Question about LLVM...

2018-12-12 Thread J.R.
> So I would like to ask, does bytecode have access to its environment
> (like ActiveX unfortunately did) and, how well is bytecode sandboxed?

Well, first of all, only bytecode signatures published by Cisco/Talos
are considered "trusted" and will run by default. You would have to
manually specify if you wanted to run unsigned bytecode signatures.

From what I've read, the bytecode is C-like, but it is limited in that
it can't access system calls or memory, can only access the file to be
scanned, it does have an internal timeout, and other security measures
to prevent it from arbitrarily doing what it wants.

You can always look through the source code if you want.

It doesn't seem like the bytecode database gets updated very often. I
suppose it is reserved for complex scanning when the pattern matching
of the regular databases just won't cut it...


Re: [clamav-users] Question about LLVM...

2018-12-12 Thread Paul Kosinski
I've always been leery of executable code that gets downloaded "behind
the scenes" and then executed for whatever purpose. In the "old days",
people were warned against downloading random software and then
executing it. Now that's become at least half of what we do on a daily
basis -- in our browsers!

The most obvious current example of this is Javascript, now that Java,
Flash and ActiveX (but not PDF), have been almost killed off in
browsers. (And this is why I'm also a big fan of NoScript!)

So I would like to ask, does bytecode have access to its environment
(like ActiveX unfortunately did) and, how well is bytecode sandboxed? 

P.S. One of the main reasons I moved to Open Source ClamAV was that 
traditional commercial solutions (like Symantec) were not only opaque
but also stuck their fingers into various parts of the underlying OS
(which ClamAV doesn't do).



On Tue, 11 Dec 2018 13:30:12 -0500
Scott Kitterman  wrote:

> On Tuesday, December 11, 2018 05:59:05 PM Micah Snyder wrote:
> > Sorry about the broken links on the website and in the clamav-faq
> > manual pages.  Our web dev team is actively working on integrating
> > the newly remodeled user manual into the website.
> > 
> > The bytecode interpreter was nonfunctional for a long time but was
> > fixed a few years ago. This is why LLVM was prioritized over the
> > bytecode compiler.
> > 
> > Functionally, from an outside perspective, the feature set of using
> > bytecode interpreter vs LLVM is the same. The cost/benefit analysis
> > of LLVM-JIT vs Interpreter hinges on whether or not executing
> > native code is sufficiently faster than interpreting the bytecodes
> > to outweigh the cost of JIT compilation. Our bytecode signatures
> > themselves are relatively small and are relatively few, so the
> > advantage of executing native code vs the time lost JIT compiling
> > the bytecode is, I'm told, negligible. The developers who did the
> > initial benchmarking on the subject have since left the team and
> > while I've been told that the performance is "about the same", I
> > don't have any figures to back that up. If anyone out there
> > decides to do additional research on the subject, do note that
> > bytecode functions are only executed for certain file types, so
> > benchmark findings will vary by file type.
> > 
> > The TL;DR is that we're not aware of any significant advantage of
> > using LLVM over the bytecode interpreter at this time.
> > 
> > Regarding the reason for only supporting older versions of LLVM:
> > It takes time to update to use newer APIs.  The LLVM project has
> > been moving pretty fast and we simply haven't prioritized dev and
> > test time towards updating our LLVM support.  In fact, Debian
> > provides a patch to ClamAV to support LLVM 3.7-3.9, but we haven't
> > had the time to properly integrate and test it.  Because the
> > bytecode interpreter is working so well, we're focusing our efforts
> > on other tasks.
> 
> And unfortunately the developer who was doing that work in Debian has
> moved on to other things, so we won't be providing patches for later
> versions.
> 
> Might it make sense in the next feature release to just kill off LLVM
> and move on?  That would certainly help with clarity and focus.
> 
> Scott K



Re: [clamav-users] Question about LLVM...

2018-12-11 Thread J.R.
Micah & Scott,

Thank you for the replies, you answered exactly what I was thinking
too based on posts referring to the built-in improvements and hush on
llvm.


Re: [clamav-users] Question about LLVM...

2018-12-11 Thread Scott Kitterman
On Tuesday, December 11, 2018 05:59:05 PM Micah Snyder wrote:
> Sorry about the broken links on the website and in the clamav-faq manual
> pages.  Our web dev team is actively working on integrating the newly
> remodeled user manual into the website.
> 
> The bytecode interpreter was nonfunctional for a long time but was fixed a
> few years ago. This is why LLVM was prioritized over the bytecode compiler.
> 
> Functionally, from an outside perspective, the feature set of using bytecode
> interpreter vs LLVM is the same. The cost/benefit analysis of LLVM-JIT vs
> Interpreter hinges on whether or not executing native code is sufficiently
> faster than interpreting the bytecodes to outweigh the cost of JIT
> compilation. Our bytecode signatures themselves are relatively small and
> are relatively few, so the advantage of executing native code vs the time
> lost JIT compiling the bytecode is, I'm told, negligible. The developers
> who did the initial benchmarking on the subject have since left the team
> and while I've been told that the performance is "about the same", I don't
> have any figures to back that up. If anyone out there decides to do
> additional research on the subject, do note that bytecode functions are
> only executed for certain file types, so benchmark findings will vary by
> file type.
> 
> The TL;DR is that we're not aware of any significant advantage of using LLVM
> over the bytecode interpreter at this time.
> 
> Regarding the reason for only supporting older versions of LLVM:  It takes
> time to update to use newer APIs.  The LLVM project has been moving pretty
> fast and we simply haven't prioritized dev and test time towards updating
> our LLVM support.  In fact, Debian provides a patch to ClamAV to support
> LLVM 3.7-3.9, but we haven't had the time to properly integrate and test
> it.  Because the bytecode interpreter is working so well, we're focusing
> our efforts on other tasks.

And unfortunately the developer who was doing that work in Debian has moved on 
to other things, so we won't be providing patches for later versions.

Might it make sense in the next feature release to just kill off LLVM and move 
on?  That would certainly help with clarity and focus.

Scott K


Re: [clamav-users] Question about LLVM...

2018-12-11 Thread Micah Snyder (micasnyd)
Sorry about the broken links on the website and in the clamav-faq manual pages. 
 Our web dev team is actively working on integrating the newly remodeled user 
manual into the website.

The bytecode interpreter was nonfunctional for a long time but was fixed a few 
years ago. This is why LLVM was prioritized over the bytecode compiler.

Functionally, from an outside perspective, the feature set of using bytecode 
interpreter vs LLVM is the same. The cost/benefit analysis of LLVM-JIT vs 
Interpreter hinges on whether or not executing native code is sufficiently 
faster than interpreting the bytecodes to outweigh the cost of JIT compilation. 
Our bytecode signatures themselves are relatively small and are relatively few, 
so the advantage of executing native code vs the time lost JIT compiling the 
bytecode is, I'm told, negligible. The developers who did the initial 
benchmarking on the subject have since left the team and while I've been told 
that the performance is "about the same", I don't have any figures to back 
that up. If anyone out there decides to do additional research on the subject, 
do note that bytecode functions are only executed for certain file types, so 
benchmark findings will vary by file type.

The TL;DR is that we're not aware of any significant advantage of using LLVM 
over the bytecode interpreter at this time.

Regarding the reason for only supporting older versions of LLVM:  It takes time 
to update to use newer APIs.  The LLVM project has been moving pretty fast and 
we simply haven't prioritized dev and test time towards updating our LLVM 
support.  In fact, Debian provides a patch to ClamAV to support LLVM 3.7-3.9, 
but we haven't had the time to properly integrate and test it.  Because the 
bytecode interpreter is working so well, we're focusing our efforts on other 
tasks.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 11, 2018, at 10:05 AM, J.R. wrote:

I've googled to no end, but haven't been able to come up with anything
except a few snips mentioning LLVM and bytecode here and there...

I'm curious exactly what the benefit would be to use LLVM, is there
much of a performance gain over the built-in (non-llvm) bytecode
interpreter? Is it an expanded feature set? Why the limitation of
using only such old versions of LLVM?

The last time I looked at the manual it only mentioned compilation
options, and that's it... The current link to the ClamAV manual is
broken on the website too, fyi... :(

Not complaining, just curious...


Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Micah Snyder (micasnyd)
Thanks Luca for investigating the false negative reports and submitting them to 
our malware research team.  These reports really help, even if you don't 
necessarily get feedback on the reports.

Kind regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Nov 6, 2018, at 11:10 AM, Luca Moscato wrote:


Thanks to everyone, by adding some extra signatures the found rate has 
increased, only a little, but it has increased and this is good news.

Luca

On 06/11/18 15:27, Joel Esler (jesler) wrote:


On Nov 6, 2018, at 4:46 AM, Luca Moscato wrote:

Question 1 - Is this process correct to send samples?


Please update the version of clamsubmit you are using.  You are several 
versions behind.





Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Luca Moscato
Thanks to everyone, by adding some extra signatures the found rate has 
increased, only a little, but it has increased and this is good news.


Luca

On 06/11/18 15:27, Joel Esler (jesler) wrote:



On Nov 6, 2018, at 4:46 AM, Luca Moscato wrote:


Question 1 - Is this process correct to send samples?



Please update the version of clamsubmit you are using.  You are 
several versions behind.




Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Al Varnell
Luca

It's possible that some of the failure to detect is due to your using an 
outdated version of ClamAV. Some signatures only work with more recent versions. 
You should probably focus on upgrading before submitting any undetected samples.

-Al-
ClamXAV User

On Tue, Nov 06, 2018 at 01:46 AM, Luca Moscato wrote:
> Hi everyone, one of our customers notified us that the AV we use (clamav of 
> course) does not detect some of the malware downloadable from das malwerk used 
> for testing.
> 
> Pretty strange situation, so we decided to download all malwares from that 
> site and send as a sample using command line interface
> 
> [luca@amazon-ami:~]$ clamsubmit -n 
> /home/luca/malware/d77aca7d-f9f1-11e7-b482-80e65024849a.file -N luca -e 
> l...@funambol.com 
> 
> 
> 302 Found
> 
> Found
> The document has moved to http://www.clamav.net/sendmalware.cgi
> 
> [luca@amazon-ami:~]$
> 
> Question 1 - Is this process correct to send samples?
> 
> Question 2 - How much time is required to validate a sample and get the A/V 
> db updated? Days? Months?
> 
> Some notes:
> 
> - I'm using Amazon linux and clamav version available in amz linux repo, db 
> should be updated with freshclam
> 
> [luca@amazon-ami:~]$ sudo freshclam
> ClamAV update process started at Tue Nov  6 09:36:41 2018
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99.4 Recommended version: 0.100.2
> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav 
> 
> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: 
> sigmgr)
> daily.cld is up to date (version: 25095, sigs: 2143057, f-level: 63, builder: 
> neo)
> bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
> 
> - I have all links and script (see attach) to quick download all stuff from 
> das_malwerk
> 
> - Actually a scan of all the stuff retrieved from that website has these 
> results while I expect to have 100%
> 
> --- SCAN SUMMARY ---
> Known viruses: 6702413
> Engine version: 0.99.4
> Scanned directories: 1
> Scanned files: 1488
> Infected files: 964
> Data scanned: 1125.26 MB
> Data read: 1195.11 MB (ratio 0.94:1)
> Time: 361.283 sec (6 m 1 s)
> 
> 
> Thanks and have a nice day
> 
> Luca


Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Arnaud Jacques

Hello Luca,

If I remember well, clamsubmit only works since versions 0.100.x of 
ClamAV. It seems you are still using version 0.99.4.



Question 1 - Is this process correct to send samples?


Yes it is.

Question 2 - How much time is required to validate a sample and get 
the A/V db updated? Days? Months?


Depending on many things on the ClamAV team's side, it can take just a few 
hours, or days, or ... never.


- Actually a scan of all the stuff retrieved from that website has 
these results while I expect to have 100%


If you expect 100% detection, please use at least the last version of 
ClamAV.

And some 3rd party signatures can help to get full detection :
https://sanesecurity.com
http://ow.ly/LqfdL

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois



Re: [clamav-users] Question regarding freshclam.conf SafeBrowsing option

2018-06-04 Thread J Doe

> On Jun 4, 2018, at 11:08 AM, Micah Snyder (micasnyd) wrote:
> 
> J,
> 
> It appears that the info in freshclam.conf is out of date; both the Google 
> safebrowsing API and our practices for publishing safebrowsing signature 
> databases have changed since it was written.  
> 
> I'm told that it's not necessary to run freshclam multiple times an hour 
> anymore.  We will have to re-evaluate the advice provided in freshclam.conf 
> for safebrowsing.  
> 
>  
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
>> On May 31, 2018, at 4:48 PM, J Doe wrote:
>> 
>> Hi,
>> 
>> I had a question regarding the SafeBrowsing option in freshclam.conf for 
>> clamav version 0.99.4.
>> 
>> According to man freshclam.conf, if this option is enabled, freshclam “…must 
>> update every 30 minutes…”.  
>> 
>> Am I correct that this means that the Checks option must be set to 48 or 
>> higher ?  I don’t see any other options to specify a freshclam update check 
>> every 30 minutes.
>> 
>> Thanks,
>> 
>> - J

Hi Micah,

Ok, thank you for the clarification.

- J


Re: [clamav-users] Question regarding freshclam.conf SafeBrowsing option

2018-06-04 Thread Micah Snyder (micasnyd)
J,

It appears that the info in freshclam.conf is out of date; both the Google 
safebrowsing API and our practices for publishing safebrowsing signature 
databases have changed since it was written.

I'm told that it's not necessary to run freshclam multiple times an hour 
anymore.  We will have to re-evaluate the advice provided in freshclam.conf for 
safebrowsing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On May 31, 2018, at 4:48 PM, J Doe wrote:

Hi,

I had a question regarding the SafeBrowsing option in freshclam.conf for clamav 
version 0.99.4.

According to man freshclam.conf, if this option is enabled, freshclam “…must 
update every 30 minutes…”.

Am I correct that this means that the Checks option must be set to 48 or higher 
?  I don’t see any other options to specify a freshclam update check every 30 
minutes.

Thanks,

- J


Re: [clamav-users] Question regarding SIGUSR2 and clamd

2018-03-22 Thread Maarten Broekman
You might be able to open the socket that clamd is listening on and attempt
to ping it. I forget if it replies with PONG while it's in the middle of
reloading. It's been a while since I tried to do that.



On Thu, Mar 22, 2018 at 6:40 AM, Ralf Hildebrandt wrote:

> One can send SIGUSR2 to a running clamd instance to reload the
> signatures.
>
> But how can I (from a script) determine, if the signatures
> have been reloaded? I can of course try "sleep 30" which will suffice
> in most cases (from my experience) but is there a script based approach
> apart from trying to parse the logfile?
>
> --
> Ralf Hildebrandt              Charite Universitätsmedizin Berlin
> ralf.hildebra...@charite.de   Campus Benjamin Franklin
> https://www.charite.de        Hindenburgdamm 30, 12203 Berlin
> IT Division, Network Dept.    phone: +49-30-450.570.155
>
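A script-based version of the socket approach Maarten suggests, added here as an example and not taken from the thread or from the ClamAV project: it uses clamd's real PING and VERSION commands (VERSION answers with the engine version, database version and database date separated by slashes) and polls until the database version reported after SIGUSR2 differs from the one recorded before the signal was sent. The socket path is an assumption for your install, and the polling loop takes its query function as a parameter so it can be exercised without a running daemon.

```python
"""Detect when clamd has finished reloading its signature databases.

Added example, not code from the ClamAV project or from any post in this
thread. It uses two real clamd socket commands: PING (answered with PONG)
and VERSION (answered with "ClamAV <engine>/<db version>/<db date>").
Instead of parsing the log, record the database version before sending
SIGUSR2, then wait until VERSION reports a different database version or
a timeout expires. CLAMD_SOCKET is an assumed, Debian-style path.
"""
import os
import signal
import socket
import time
from typing import Callable, Optional

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumption: adjust for your install


def clamd_query(command: str, sock_path: str = CLAMD_SOCKET,
                timeout: float = 5.0) -> str:
    """Send one command to clamd over its UNIX socket and return the reply.

    The "z" prefix plus NUL terminator selects clamd's NUL-delimited
    protocol, so the reply is complete once a NUL (or EOF) arrives.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(b"z" + command.encode("ascii") + b"\0")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if data.endswith(b"\0"):
                break
    return b"".join(chunks).rstrip(b"\0").decode("utf-8", "replace")


def parse_version_reply(reply: str) -> Optional[str]:
    """Extract the database version from a VERSION reply.

    A constructed reply looks like "ClamAV 0.100.2/25095/Tue Nov  6 ...".
    Returns None for anything else (e.g. an error string mid-reload).
    """
    parts = reply.strip().split("/", 2)
    if len(parts) < 2 or not parts[0].startswith("ClamAV "):
        return None
    return parts[1]


def wait_for_reload(baseline_db: Optional[str],
                    query: Callable[[str], str],
                    timeout: float = 120.0,
                    interval: float = 1.0,
                    clock: Callable[[], float] = time.monotonic,
                    sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until VERSION reports a database version other than baseline_db.

    `query` is anything that behaves like clamd_query; injecting it keeps
    the logic testable without a live daemon. Returns True on a confirmed
    reload, False on timeout. While clamd is mid-reload the connection or
    the PING may fail; that is treated as "not yet" rather than an error.
    """
    deadline = clock() + timeout
    while clock() < deadline:
        try:
            if query("PING").strip() == "PONG":
                current = parse_version_reply(query("VERSION"))
                if current is not None and current != baseline_db:
                    return True
        except OSError:
            pass   # socket not accepting connections yet; keep polling
        sleep(interval)
    return False


def reload_and_wait(pid: int, sock_path: str = CLAMD_SOCKET) -> bool:
    """Record the current db version, send SIGUSR2, then wait for it to change."""
    def query(cmd: str) -> str:
        return clamd_query(cmd, sock_path)
    baseline = parse_version_reply(query("VERSION"))
    os.kill(pid, signal.SIGUSR2)
    return wait_for_reload(baseline, query)
```

If the database files on disk have not changed, a reload leaves the VERSION reply as it was, so a False result means no newer database was loaded, not that the reload failed.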


Re: [clamav-users] Question about the clamdscan

2018-03-21 Thread Dave Warren
This still has value as it can help catch things in action. It doesn't replace 
periodic scans either to catch malware discovered since the initial scan.

There are a variety of ways of doing this if scanning everything in one shot 
isn't feasible. One option would be to split files up using a hashtable based 
on their name. This has the advantage of not needing to track any state, nor do 
you need to read every file (to hash the content) to determine whether the file 
has been scanned recently. On top of this, you could track hashes of scanned 
files so that you can tell how recently a duplicate copy of a file was scanned, 
avoiding the need to rescan duplicates, even across buckets.

You would still want to use tripwire to scan new/modified files immediately.

You might also consider scanning older files less frequently as it is less 
likely that an older file will contain an 8-month-old 0-day that was just 
discovered. It all depends on your tolerance for risk of malware vs available 
resources. Lucky for me, the volume of data under my responsibility can be 
scanned both at creation and nightly without further stress.


On Wed, Mar 21, 2018, at 18:41, Paul Kosinski wrote:
> A few years ago, when Tripwire was no longer free, I set up a "scan
> once" environment for ClamAV, identifying files using SHA1 hashing
> (with a few 'stat' results like inode and timestamp for good measure).
> 
> I gave up when I realized that even if a file had already been scanned,
> it might have contained "0-day" malware when it was scanned. This could
> make it quite nasty, especially if ClamAV is behind in 0-day detection.
> 
> 
> On Wed, 21 Mar 2018 16:56:06 -0700
> Dennis Peterson wrote:
> 
> > It is possible to integrate ClamAV and Tripwire to get to a scan-once 
> > environment. Include puppet or CFEngine for a more complete tool.
> > 
> > dp
> > 
> > On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote:
> > > Good morning Tsutomu,
> > >
> > > Al is quite correct.  clamd and clamdscan maintain no memory of
> > > what has been scanned before.
> > >
> > > In your ordinary use case, you simply run clamdscan over whatever
> > > you want to scan.  You can exclude specific directories in your
> > > configuration if you want to point clamdscan at a high level
> > > directory to scan many items.
> > >
> > > In truth, I've never tried accessing the files as they were
> > > scanned, but I do not believe that there is any reason why the files
> > > would be locked by ClamAV except in the following case.
> > >
> > > On newer versions of Linux that have been built with
> > > CONFIG_FANOTIFY=y enabled, you can configure clamd to monitor
> > > directories.  An additional option that we call
> > > "OnAccessPrevention" may be enabled to intentionally block access to
> > > the file until it has been scanned, and to deny access if the file is
> > > flagged.  OnAccessPrevention requires that your kernel has been built
> > > with CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're interested in
> > > trying this out, please read
> > > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
> > >
> > > Sadly, OnAccess scanning and prevention only exist for Linux at
> > > this time.
> > >
> > >
> > > Micah Snyder
> > > ClamAV Development
> > > Talos
> > > Cisco Systems, Inc.
> > >
> 
> > 
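The bucket-by-name scheme and the duplicate-hash ledger described above, written out as an added example rather than the poster's own tooling. The paths, bucket count and file ages are constructed; the ledger additionally stores the database version that was current at scan time, so a clean result obtained against older signatures does not suppress a rescan, which is the gap Paul raised.

```python
"""Spread a large scan across N nightly runs without persisted scan state.

Added example, not code from ClamAV or from the thread. Each path is
assigned to one of N buckets by hashing its name, so night k scans bucket
k and every file is covered once per N nights with no "already scanned"
list to maintain and no file content read for files that are not due.
Files past an age threshold are scanned only every few rounds. A separate
ledger records the content hash of each scanned file together with the
signature database version in effect, so an exact duplicate is skipped
only when it was already scanned against the same databases.
"""
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


def bucket_for(path: str, n_buckets: int) -> int:
    """Stable bucket index for a path; depends only on the name, not content."""
    digest = hashlib.sha256(path.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % n_buckets


def due_tonight(paths: Iterable[str], night: int, n_buckets: int,
                ages_days: Optional[Dict[str, float]] = None,
                old_after_days: float = 30.0,
                old_every_n_rounds: int = 4) -> List[str]:
    """Select the paths to scan on a given night (night 0, 1, 2, ...).

    Files in tonight's bucket are due. Files older than old_after_days are
    only due every old_every_n_rounds full passes over the buckets, following
    the suggestion to scan old files less often. ages_days maps a path to
    its age in days; paths missing from it are treated as new.
    """
    due = []
    round_no = night // n_buckets
    for p in paths:
        if bucket_for(p, n_buckets) != night % n_buckets:
            continue
        age = (ages_days or {}).get(p, 0.0)
        if age > old_after_days and round_no % old_every_n_rounds != 0:
            continue
        due.append(p)
    return sorted(due)


@dataclass
class ScanRecord:
    db_version: str     # clamd database version when the content was scanned
    scanned_at: float   # epoch seconds


class ScanLedger:
    """Remember which content hashes were scanned against which databases.

    Only files that are already being read for a scan get hashed here, so
    the bucketing above still avoids reading files that are not due.
    """

    def __init__(self) -> None:
        self._seen: Dict[str, ScanRecord] = {}

    @staticmethod
    def content_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def needs_scan(self, data: bytes, db_version: str) -> bool:
        """True unless this exact content was already scanned with db_version."""
        rec = self._seen.get(self.content_hash(data))
        return rec is None or rec.db_version != db_version

    def record(self, data: bytes, db_version: str,
               now: Optional[float] = None) -> None:
        when = time.time() if now is None else now
        self._seen[self.content_hash(data)] = ScanRecord(db_version, when)
```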


Re: [clamav-users] Question about the clamdscan

2018-03-21 Thread Dennis Peterson
Tripwire presumes a golden fileset at the outset, that is, scanned to the degree 
possible before enabling Tripwire. The fear of zero-day loop is infinite.


dp

On 3/21/18 6:41 PM, Paul Kosinski wrote:

A few years ago, when Tripwire was no longer free, I set up a "scan
once" environment for ClamAV, identifying files using SHA1 hashing
(with a few 'stat' results like inode and timestamp for good measure).

I gave up when I realized that even if a file had already been scanned,
it might have contained "0-day" malware when it was scanned. This could
make it quite nasty, especially if ClamAV is behind in 0-day detection.


On Wed, 21 Mar 2018 16:56:06 -0700
Dennis Peterson wrote:


It is possible to integrate ClamAV and Tripwire to get to a scan-once
environment. Include puppet or CFEngine for a more complete tool.

dp





Re: [clamav-users] Question about the clamdscan

2018-03-21 Thread Paul Kosinski
A few years ago, when Tripwire was no longer free, I set up a "scan
once" environment for ClamAV, identifying files using SHA1 hashing
(with a few 'stat' results like inode and timestamp for good measure).

I gave up when I realized that even if a file had already been scanned,
it might have contained "0-day" malware when it was scanned. This could
make it quite nasty, especially if ClamAV is behind in 0-day detection.


On Wed, 21 Mar 2018 16:56:06 -0700
Dennis Peterson wrote:

> It is possible to integrate ClamAV and Tripwire to get to a scan-once 
> environment. Include puppet or CFEngine for a more complete tool.
> 
> dp
> 
> On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote:
> > Good morning Tsutomu,
> >
> > Al is quite correct.  clamd and clamdscan maintain no memory of
> > what has been scanned before.
> >
> > In your ordinary use case, you simply run clamdscan over whatever
> > you want to scan.  You can exclude specific directories in your
> > configuration if you want to point clamdscan at a high level
> > directory to scan many items.
> >
> > In truth, I've never tried accessing the files as they were
> > scanned, but I do not believe that there is any reason why the files
> > would be locked by ClamAV except in the following case.
> >
> > On newer versions of Linux that have been built with
> > CONFIG_FANOTIFY=y enabled, you can configure clamd to monitor
> > directories.  An additional option that we call
> > "OnAccessPrevention" may be enabled to intentionally block access to
> > the file until it has been scanned, and to deny access if the file is
> > flagged.  OnAccessPrevention requires that your kernel has been built
> > with CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're interested in
> > trying this out, please read
> > http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html
> >
> > Sadly, OnAccess scanning and prevention only exist for Linux at
> > this time.
> >
> >
> > Micah Snyder
> > ClamAV Development
> > Talos
> > Cisco Systems, Inc.
> >



Re: [clamav-users] Question about the clamdscan

2018-03-21 Thread Dennis Peterson
It is possible to integrate ClamAV and Tripwire to get to a scan-once 
environment. Include puppet or CFEngine for a more complete tool.


dp

On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote:

Good morning Tsutomu,

Al is quite correct.  clamd and clamdscan maintain no memory of what has been 
scanned before.

In your ordinary use case, you simply run clamdscan over whatever you want to 
scan.  You can exclude specific directories in your configuration if you want 
to point clamdscan at a high level directory to scan many items.

In truth, I've never tried accessing the files as they were scanned, but I do 
not believe that there is any reason why the files would be locked by ClamAV 
except in the following case.

On newer versions of Linux that have been built with CONFIG_FANOTIFY=y enabled, 
you can configure clamd to monitor directories.  An additional option that we 
call "OnAccessPrevention" may be enabled to intentionally block access to the 
file until it has been scanned, and to deny access if the file is flagged.  
OnAccessPrevention requires that your kernel has been built with 
CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're 
interested in trying this out, please read 
http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Sadly, OnAccess scanning and prevention only exist for Linux at this time.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.





Re: [clamav-users] Question about the clamdscan

2018-03-20 Thread Micah Snyder (micasnyd)
Good morning Tsutomu,

Al is quite correct.  clamd and clamdscan maintain no memory of what has been 
scanned before.

In your ordinary use case, you simply run clamdscan over whatever you want to 
scan.  You can exclude specific directories in your configuration if you want 
to point clamdscan at a high level directory to scan many items.

In truth, I've never tried accessing the files as they were scanned, but I do 
not believe that there is any reason why the files would be locked by ClamAV 
except in the following case.

On newer versions of Linux that have been built with CONFIG_FANOTIFY=y enabled, 
you can configure clamd to monitor directories.  An additional option that we 
call "OnAccessPrevention" may be enabled to intentionally block access to the 
file until it has been scanned, and to deny access if the file is flagged.  
OnAccessPrevention requires that your kernel has been built with 
CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're interested in trying this out, 
please read 
http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Sadly, OnAccess scanning and prevention only exist for Linux at this time.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Mar 19, 2018, at 10:47 AM, Tsutomu Oyamada wrote:

Thank you so much.
Your advice was very helpful.
I would also like to wait for a message from the developer.

On Thu, 15 Mar 2018 23:13:09 -0700
Al Varnell wrote:

I believe the developers are hard at work planning for the future this week, so 
they can probably give you better answers than I later on.

I suspect some of this may be platform specific, so my answers are based on my 
macOS experience.

clamd scans every file that clamdscan tells it to, so something else needs to 
keep track of what's new or changed and notify clamdscan to tell clamd to scan 
them. So that requires tapping into the file system to determine changes in the 
area of interest.

I've never had an issue with using a file while it's being processed by ClamAV, 
but scans normally take place very rapidly, so I may not have noticed it being 
locked.

Sent from my iPad

-Al-

On Mar 15, 2018, at 1:12 AM, Tsutomu Oyamada wrote:

I have two questions about the clamdscan;

1) Does the clamd skip scanning the files which were scanned before?
I want to know if the clamd remembers which files were scanned, and skips them 
when the scan is performed again.

2) Is there any case where a file is locked by the clamd (user cannot use that 
file) while it is being scanned?

T.O


Re: [clamav-users] Question about the clamdscan

2018-03-19 Thread Tsutomu Oyamada
Thank you so much.
Your advice was very helpful.
I would also like to wait for a message from the developer.

On Thu, 15 Mar 2018 23:13:09 -0700
Al Varnell  wrote:

> I believe the developers are hard at work planning for the future this week, 
> so they can probably give you better answers than I later on.
> 
> I suspect some of this may be platform specific, so my answers are based on 
> my macOS experience.
> 
> clamd scans every file that clamdscan tells it to, so something else needs to 
> keep track of what's new or changed and notify clamdscan to tell clamd to 
> scan them. So that requires tapping into the file system to determine changes 
> in the area of interest.
> 
> I've never had an issue with using a file while it's being processed by 
> ClamAV, but scans normally take place very rapidly, so I may not have noticed 
> it being locked.
> 
> Sent from my iPad
> 
> -Al-
> 
> > On Mar 15, 2018, at 1:12 AM, Tsutomu Oyamada  
> > wrote:
> > 
> > I have two questions about clamdscan:
> > 
> > 1) Does clamd skip scanning files which were scanned before?
> > I want to know if clamd remembers which files have been scanned, and skips 
> > them when the scan is performed again.
> > 
> > 2) Is there any case where a file is locked by clamd (the user cannot use 
> > that file) while it is being scanned?
> > 
> > T.O


Re: [clamav-users] Question about the clamdscan

2018-03-16 Thread Al Varnell
I believe the developers are hard at work planning for the future this week, so 
they can probably give you better answers than I later on.

I suspect some of this may be platform specific, so my answers are based on my 
macOS experience.

clamd scans every file that clamdscan tells it to, so something else needs to 
keep track of what's new or changed and notify clamdscan to tell clamd to scan 
them. So that requires tapping into the file system to determine changes in the 
area of interest.

I've never had an issue with using a file while it's being processed by ClamAV, 
but scans normally take place very rapidly, so I may not have noticed it being 
locked.

Sent from my iPad

-Al-

> On Mar 15, 2018, at 1:12 AM, Tsutomu Oyamada  wrote:
> 
> I have two questions about clamdscan:
> 
> 1) Does clamd skip scanning files which were scanned before?
> I want to know if clamd remembers which files have been scanned, and skips 
> them when the scan is performed again.
> 
> 2) Is there any case where a file is locked by clamd (the user cannot use 
> that file) while it is being scanned?
> 
> T.O
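Al's point above is that clamd has no memory of what it has already scanned, so something outside it must track new or changed files and feed them to clamdscan. The script below is an added example written for this page, not code from the thread or from the ClamAV project, showing the usual way to do that from cron: a stamp file marks the previous run, find lists files whose inode changed after it, and clamdscan scans only those. The stamp path and directory in the usage line are placeholders; clamdscan's --fdpass and --file-list options are real, but how the stamp is advanced and the choice of ctime over mtime are this script's design decisions.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): clamd keeps no record of
# what it has scanned, so the bookkeeping lives here, around clamdscan.
# STAMP is a file whose timestamp marks the previous run; keep it outside DIR
# so that it and its scratch files are never part of the scan set.

# List, one path per line, the regular files under DIR whose inode changed
# after STAMP was last written. ctime (-cnewer) rather than mtime (-newer) is
# used because files restored or rsync'd with a preserved old mtime would
# otherwise be skipped. With no STAMP yet (first run) every file is listed.
changed_since() {  # changed_since STAMP DIR
    if [ -e "$1" ]; then
        find "$2" -type f -cnewer "$1"
    else
        find "$2" -type f
    fi
}

# Count the lines on stdin (one per listed file).
count_lines() {
    wc -l | tr -d ' '
}

# Scan what changed and advance STAMP only if clamdscan actually ran.
# The new stamp is taken before the scan starts, so files modified during a
# long scan are caught next time rather than lost in the gap. clamdscan exits
# 0 (clean), 1 (something detected) or 2 (error); on 2, or if clamdscan is
# missing, the old stamp is kept so the same files are retried next run.
# --fdpass hands open descriptors to clamd, so clamd itself needs no read
# permission on the files.
scan_changed() {  # scan_changed STAMP DIR
    stamp=$1 dir=$2 next="$1.next" list="$1.list"
    : > "$next"
    changed_since "$stamp" "$dir" > "$list"
    if [ -s "$list" ]; then
        # file-list mode is newline-separated, so file names containing a
        # newline are not supported by this script
        clamdscan --fdpass --infected --no-summary --file-list="$list"
        rc=$?
    else
        rc=0    # nothing changed since the previous run
    fi
    rm -f "$list"
    if [ "$rc" -le 1 ]; then
        mv -f "$next" "$stamp"
    else
        rm -f "$next"
    fi
    return "$rc"
}

# Usage (placeholder paths): incremental-scan.sh /var/lib/clamav/last-scan.stamp /srv/share
if [ "$#" -eq 2 ]; then
    scan_changed "$1" "$2"
fi
```

This answers the first question only for batch runs; it cannot see a file that is written and read again between two cron runs. For that, clamd's own on-access scanning (the ScanOnAccess setup mentioned elsewhere in this archive) does the file-system tapping itself.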


Re: [clamav-users] Question regarding freshclam log entry

2018-02-23 Thread Kris Deugau

J Doe wrote:

I note though that man 5 freshclam.conf states that clamd is *NOT* set to 
update by default, however when I installed the package on Ubuntu 16.04.03 LTS, 
it has put in 3600 for an update frequency.


Between freshclam and clamd there are three options here that operate 
independently:


NotifyClamd -> freshclam configuration, tells freshclam where to find 
the clamd configuration file to look for the clamd socket


Checks -> freshclam configuration, tells freshclam how often to check 
for new signatures


SelfCheck -> clamd configuration, tells clamd how often to check and see 
if the signature files have been updated



That said, if freshclam does not notify clamd by default, does that mean if I 
don’t get the socket problem sorted out that clamd (and more importantly 
clamav-milter), will still use the most recently downloaded signatures when 
scanning ?  Or does clamd and clamav-milter have to receive an update message 
via the socket to use the most recent signatures?


No;  the notification is just a way to get clamd aware of the new 
signatures faster.  Otherwise it will pick them up on its own refresh 
(SelfCheck).


-kgd


Re: [clamav-users] Question regarding freshclam log entry

2018-02-22 Thread J Doe
Hi Noel,

> On Feb 22, 2018, at 10:23 AM, Noel Jones  wrote:
> 
>> On 2/22/2018 8:29 AM, J Doe wrote:
>> 
>>> Hello,
>>> 
>>> I recently installed ClamAV 0.99.3 on a Ubuntu 16.04.03 LTS server and 
>>> utilize it as a milter for Postfix v. 3.1.0.
>>> 
>>> When freshclam runs according to its cron job and successfully downloads 
>>> an update, it leaves the following note in the freshclam log:
>>> 
>>> WARNING: clamd was NOT notified:  Can’t connect to clamd through 
>>> /var/spool/postfix/var/run/clamav/clamd.sock
>>> 
>>> My initial thought was a simple permissions error, so I checked the 
>>> permissions to the clamd.sock socket:
>>> 
>>> drwxr-xr-x clamav clamav /var/spool/postfix/var/run/clamav
>>> srw-rw-rw  clamav clamav /var/spool/postfix/var/run/clamd.sock 
> 
> This path doesn't match the error message above.
> 
>>> 
>>> $ sudo -u clamav namei -m /var/spool/postfix/var/run/clamav/clamd.sock
> 
> Yet this path does.
> 
>>> I’m pretty sure this is a minor mistake on my part; can anyone suggest a 
>>> solution ?
> 
> Check your paths in clamd.conf and freshclam.conf carefully. It's
> likely they don't match.
> 
>  -- Noel Jones

Oops.  You’re right - those paths did not match.

/etc/clamav/freshclam.conf is set to read clamd’s configuration file when a 
update is successfully downloaded for the signature database.

When I check the path in /etc/clamav/clamd.conf it points to the correct path 
to the socket:

/var/spool/postfix/var/run/clamav/clamd.sock

I verified that freshclam runs as clamav via ps aux, so performing the namei 
test again works:

$ sudo -u clamav namei -m /var/spool/postfix/var/run/clamav/clamd.sock

The file permissions on the socket are:

drwxr-xr-xclamav clamav /var/spool/postfix/var/run/clamav/
srw-rw-rwclamav clamav /var/spool/postfix/var/run/clamav/clamd.sock

I note though that man 5 freshclam.conf states that clamd is *NOT* set to 
update by default, however when I installed the package on Ubuntu 16.04.03 LTS, 
it has put in 3600 for an update frequency.

That said, if freshclam does not notify clamd by default, does that mean if I 
don’t get the socket problem sorted out that clamd (and more importantly 
clamav-milter), will still use the most recently downloaded signatures when 
scanning ?  Or does clamd and clamav-milter have to receive an update message 
via the socket to use the most recent signatures ?

Thanks,

- J


Re: [clamav-users] Question regarding freshclam log entry

2018-02-22 Thread Noel Jones
On 2/22/2018 8:29 AM, J Doe wrote:
> 
>> Hello,
>>
>> I recently installed ClamAV 0.99.3 on a Ubuntu 16.04.03 LTS server and 
>> utilize it as a milter for Postfix v. 3.1.0.
>>
>> When freshclam runs according to its cron job and successfully downloads an 
>> update, it leaves the following note in the freshclam log:
>>
>> WARNING: clamd was NOT notified:  Can’t connect to clamd through 
>> /var/spool/postfix/var/run/clamav/clamd.sock
>>
>> My initial thought was a simple permissions error, so I checked the 
>> permissions to the clamd.sock socket:
>>
>> drwxr-xr-x clamav clamav /var/spool/postfix/var/run/clamav
>> srw-rw-rw  clamav clamav /var/spool/postfix/var/run/clamd.sock 

This path doesn't match the error message above.

>>
>> $ sudo -u clamav namei -m /var/spool/postfix/var/run/clamav/clamd.sock

Yet this path does.

>> I’m pretty sure this is a minor mistake on my part; can anyone suggest a 
>> solution ?

Check your paths in clamd.conf and freshclam.conf carefully. It's
likely they don't match.




  -- Noel Jones
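Kris Deugau's breakdown (NotifyClamd in freshclam.conf names the clamd.conf whose LocalSocket freshclam will connect to; Checks and SelfCheck are independent intervals) and Noel's advice to compare the two files suggest a mechanical check. The script below is an added example for this page, not code from the thread or from ClamAV: it reads directives the way the daemons' configuration files are laid out (an uncommented directive name followed by its value), follows NotifyClamd to the socket path clamd should be listening on, and reports why notification would fail. The configuration files it builds under a temporary directory are constructed for the demonstration, using the socket path from this thread; taking the last occurrence of a repeated directive is this script's choice, not a documented ClamAV rule.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): verify that the socket
# freshclam will use to notify clamd, reached via NotifyClamd -> clamd.conf ->
# LocalSocket, is actually present on the host.

# Print the value of DIRECTIVE in FILE, skipping commented-out lines and
# trailing whitespace. If the directive appears more than once, the last
# occurrence is taken (this script's choice).
conf_value() {  # conf_value FILE DIRECTIVE
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Result codes for check_notify_path:
#   0 NotifyClamd -> clamd.conf -> LocalSocket resolves and the socket file exists
#   1 NotifyClamd is not set: freshclam never notifies, clamd relies on SelfCheck
#   2 the clamd.conf named by NotifyClamd does not exist
#   3 that clamd.conf has no LocalSocket (clamd may be TCP-only)
#   4 LocalSocket is configured but no socket file is present at that path
#     (path typo between the two files, or clamd not running)
check_notify_path() {  # check_notify_path FRESHCLAM_CONF
    clamd_conf=$(conf_value "$1" NotifyClamd)
    [ -n "$clamd_conf" ] || return 1
    [ -f "$clamd_conf" ] || return 2
    sock=$(conf_value "$clamd_conf" LocalSocket)
    [ -n "$sock" ] || return 3
    [ -S "$sock" ] || return 4
    return 0
}

# Human-readable summary of a check_notify_path result code.
describe() {  # describe CODE
    case $1 in
        0) echo "ok: freshclam can reach clamd's socket" ;;
        1) echo "NotifyClamd unset: clamd will only notice new signatures on SelfCheck" ;;
        2) echo "NotifyClamd points at a clamd.conf that does not exist" ;;
        3) echo "clamd.conf has no LocalSocket; freshclam has no Unix socket to use" ;;
        4) echo "LocalSocket is configured but no socket file exists at that path" ;;
        *) echo "unknown result $1" ;;
    esac
}

# Demonstration on constructed files, not a real installation.
demo() {
    t=$(mktemp -d)
    cat > "$t/clamd.conf" <<EOF
# LocalSocket /var/run/clamav/clamd.sock    (commented out, must be ignored)
LocalSocket /var/spool/postfix/var/run/clamav/clamd.sock
SelfCheck 3600
EOF
    cat > "$t/freshclam.conf" <<EOF
NotifyClamd $t/clamd.conf
Checks 24
EOF
    echo "freshclam Checks:  $(conf_value "$t/freshclam.conf" Checks) per day"
    echo "clamd SelfCheck:   $(conf_value "$t/clamd.conf" SelfCheck) seconds"
    echo "socket to notify:  $(conf_value "$(conf_value "$t/freshclam.conf" NotifyClamd)" LocalSocket)"
    rc=0; check_notify_path "$t/freshclam.conf" || rc=$?
    describe "$rc"
    rm -rf "$t"
}
demo
```

On a real host, call check_notify_path /etc/clamav/freshclam.conf as the user freshclam runs as (sudo -u clamav, as J Doe did with namei), since a result of 0 only shows the socket file exists; whether that user may connect to it is still a permissions question on the socket and every directory above it.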


Re: [clamav-users] Question regarding freshclam log entry

2018-02-22 Thread J Doe

> Hello,
> 
> I recently installed ClamAV 0.99.3 on a Ubuntu 16.04.03 LTS server and 
> utilize it as a milter for Postfix v. 3.1.0.
> 
> When freshclam runs according to its cron job and successfully downloads an 
> update, it leaves the following note in the freshclam log:
> 
> WARNING: clamd was NOT notified:  Can’t connect to clamd through 
> /var/spool/postfix/var/run/clamav/clamd.sock
> 
> My initial thought was a simple permissions error, so I checked the 
> permissions to the clamd.sock socket:
> 
> drwxr-xr-x clamav clamav /var/spool/postfix/var/run/clamav
> srw-rw-rw  clamav clamav /var/spool/postfix/var/run/clamd.sock 
> 
> $ sudo -u clamav namei -m /var/spool/postfix/var/run/clamav/clamd.sock
> 
> ...which successfully accesses the socket.
> 
> Some Googling showed some results but mostly related to older versions of 
> clamd (a couple of years back).
> 
> I’m pretty sure this is a minor mistake on my part; can anyone suggest a 
> solution ?
> 
> Thanks,
> 
> - J

Hello,

Just wondering if anyone has any advice regarding this issue.

Thanks,

- J


Re: [clamav-users] Question about Clamav compressed file support

2018-01-11 Thread botnec

Hello,

Thank you all very much for explanation and thoughts. I almost expected 
these answers.

Thanks again for your help and best regards

Rob




Re: [clamav-users] Question about Clamav compressed file support

2018-01-11 Thread Noel Jones
Clamav has no support for unpacking and scanning inside the Acronis
.tib backup images.  I wouldn't bother scanning it.




  -- Noel Jones


On 1/11/2018 9:41 AM, botnec wrote:
> Hello,
> 
> I'm using a QNAP NAS server as destination for Acronis True Image
> backup files.
> The extension of these files is .tib. I did not find anything in the
> clam doc file about it.
> 
> Now my question is, how does ClamAV deal with these files? Will they be
> uncompressed and the contents checked anyway? I hope so, because it takes
> some hours if ClamAV checks the whole backup folder (2.5 TB). If this is
> not the case, I possibly do not need to start the virus check procedure
> at all.
> (btw. I'm using another virus checker on my PC anyway, I just thought to
> use ClamAV additionally)
> 
> Can anybody answer please ?
> 
> Thank you.
> Regards
> 
> Rob
> 


Re: [clamav-users] Question about Clamav compressed file support

2018-01-11 Thread Micah Snyder (micasnyd)
Hi Rob,

At this time, ClamAV does not have the means to decompress and parse the 
proprietary Acronis .tib format.  I only took a brief peek at Wikipedia 
(https://en.wikipedia.org/wiki/Acronis_True_Image#File_format) to learn more 
about Acronis image files.

Unless someone in the community writes a parser to add support to identify 
these file types, parse, decompress, etc and submits a pull request to add the 
feature to the Git repository, I doubt you’ll ever see support in ClamAV for 
this file type.

Regards,

Micah


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 11, 2018, at 10:41 AM, botnec wrote:

Hello,

I'm using a QNAP NAS server as destination for Acronis True Image backup files.
The extension of these files is .tib. I did not find anything in the clam doc 
file about it.

Now my question is, how does ClamAV deal with these files? Will they be 
uncompressed and the contents checked anyway? I hope so, because it takes some 
hours if ClamAV checks the whole backup folder (2.5 TB). If this is not the 
case, I possibly do not need to start the virus check procedure at all.
(btw. I'm using another virus checker on my PC anyway, I just thought to use 
ClamAV additionally)

Can anybody answer please ?

Thank you.
Regards

Rob



Re: [clamav-users] Question regarding libclamunrar6

2017-12-01 Thread Jonathan Sélea



On 11/30/2017 06:31 PM, Scott Kitterman wrote:

On Thursday, November 30, 2017 05:02:11 PM Jonathan Sélea wrote:

On 11/30/2017 01:41 PM, Matus UHLAR - fantomas wrote:

On 29.11.17 17:31, Jonathan Sélea wrote:

Is there any alternative to the package "libclamunrar6"? For example a
package that have the GPLv3 license?

I doubt so - afaik, rar uses its own proprietary file format

Thanks for the answer.

The packages "unrar-free" in the Debian repository do have GPLvx
version, so I thought there should be an alternative to "libclamunrar6"
but with a proper license instead.

unrar-free is unrelated to clamav.  Clamav uses its own unrar implementation
that in Debian we split off into the libclamunrar binary due to code usage
restrictions that make it unsuitable for Debian main.  Note that these
restrictions are not imposed by the clamav developers, but by the original
developers upon whose work the clamav implementation is based.

Someone would need to write code to make clamav work with a different unrar
implementation.

Scott K

Thanks Scott for making this crystal clear!





Re: [clamav-users] Question regarding libclamunrar6

2017-11-30 Thread Scott Kitterman
On Thursday, November 30, 2017 05:02:11 PM Jonathan Sélea wrote:
> On 11/30/2017 01:41 PM, Matus UHLAR - fantomas wrote:
> > On 29.11.17 17:31, Jonathan Sélea wrote:
> >> Is there any alternative to the package "libclamunrar6"? For example a
> >> package that have the GPLv3 license?
> > 
> > I doubt so - afaik, rar uses its own proprietary file format
> 
> Thanks for the answer.
> 
> The packages "unrar-free" in the Debian repository do have GPLvx
> version, so I thought there should be an alternative to "libclamunrar6"
> but with a proper license instead.

unrar-free is unrelated to clamav.  Clamav uses its own unrar implementation 
that in Debian we split off into the libclamunrar binary due to code usage 
restrictions that make it unsuitable for Debian main.  Note that these 
restrictions are not imposed by the clamav developers, but by the original 
developers upon whose work the clamav implementation is based.

Someone would need to write code to make clamav work with a different unrar 
implementation.

Scott K


Re: [clamav-users] Question regarding libclamunrar6

2017-11-30 Thread Jonathan Sélea

On 11/30/2017 01:41 PM, Matus UHLAR - fantomas wrote:

On 29.11.17 17:31, Jonathan Sélea wrote:

Is there any alternative to the package "libclamunrar6"? For example a
package that have the GPLv3 license?


I doubt so - afaik, rar uses its own proprietary file format 


Thanks for the answer.

The packages "unrar-free" in the Debian repository do have GPLvx 
version, so I thought there should be an alternative to "libclamunrar6" 
but with a proper license instead.





Re: [clamav-users] Question regarding libclamunrar6

2017-11-30 Thread Matus UHLAR - fantomas

On 29.11.17 17:31, Jonathan Sélea wrote:

Is there any alternative to the package "libclamunrar6"? For example a
package that have the GPLv3 license?


I doubt so - afaik, rar uses its own proprietary file format 
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


Re: [clamav-users] question about false positives

2017-09-30 Thread Joel Esler (jesler)
Correct.  Although we are currently working on a confirmation system for 
receipt of and resolution of, false positives.

Sent from my iPhone

On Sep 30, 2017, at 4:22 PM, Al Varnell wrote:

You won't receive a response unless you subscribe to the clamav-virusdb email 
list and even then you will probably just have to wait to see if it shows up as 
dropped.

If it's a very serious FP then post a hash value of the file you uploaded here 
and they can check its status.

-Al-

On Sat, Sep 30, 2017 at 01:05 PM, Robert O'Brien wrote:
I submitted a possible false positive via the clamav.net site on Wednesday.  I 
have not heard anything back, not even a confirmation that the submission was 
received.  What is the timeframe that I should expect to get some sort of 
response?  Is there any way to get contact information to email or follow up?


Re: [clamav-users] question about false positives

2017-09-30 Thread Al Varnell
You won't receive a response unless you subscribe to the clamav-virusdb email 
list and even then you will probably just have to wait to see if it shows up as 
dropped.

If it's a very serious FP then post a hash value of the file you uploaded here 
and they can check its status.

-Al-

On Sat, Sep 30, 2017 at 01:05 PM, Robert O'Brien wrote:
> I submitted a possible false positive via the clamav.net site on Wednesday.  
> I have not heard anything back, not even a confirmation that the submission 
> was received.  What is the timeframe that I should expect to get some sort 
> of response?  Is there any way to get contact information to email or follow 
> up?



Re: [clamav-users] Question on GUI notifications of virus detection

2017-06-20 Thread Bryan Everly
On Mon, 2017-06-19 at 20:44 +0200, Michael D. wrote:
> 
Hi Bryan,
> 
> The problem isn't with ClamAV, it's the difference in sessions between a 
> daemon and a user.
> 
> A user that is logged in is in a shell with lots of environment 
> variables set, whereas a daemon is running in a bare-minimum environment.
> 
> You probably need to set the variable DBUS_SESSION_BUS_ADDRESS in your 
> script as described here:
> 
> https://askubuntu.com/questions/298608/notify-send-doesnt-work-from-crontab
> 
> Best regards
>Michael


Michael,

Thanks for your help.  I ended up with the following for my script. 
Thought I would put it in this thread in case some future person was
searching for a solution to this as well:

#!/usr/bin/bash
# clamd VirusEvent handler. clamd sets CLAM_VIRUSEVENT_FILENAME and
# CLAM_VIRUSEVENT_VIRUSNAME in the environment before running this script.

USER=your_user_name

# clamd runs outside the desktop session, so notify-send has no D-Bus address.
# Borrow it from the user's gnome-session process (-n: newest, if several);
# grep -z reads the NUL-separated environ, tr drops the trailing NUL.
eval "export $(grep -z DBUS_SESSION_BUS_ADDRESS \
    "/proc/$(pgrep -n -u "$USER" gnome-session)/environ" | tr -d '\0')"

# Run notify-send as the logged-in user; the CLAM_* variables are inherited.
su "$USER" -c '/usr/bin/notify-send -u critical "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been removed"'

echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
rm -- "$CLAM_VIRUSEVENT_FILENAME"


Re: [clamav-users] Question on GUI notifications of virus detection

2017-06-19 Thread Michael D.

On 06/19/2017 07:49 PM, Bryan C. Everly wrote:

Hi all,

I am running Arch Linux with ClamAV 0.99.2 on a Thinkpad X1 Carbon
(Skylake) using xorg and Gnome3.  Anyhow, I have the ScanOnAccess
stuff configured to where the system will detect any activity on my
EICAR test file.

My /opt/clamav-utils/clamd-response file is where I'm running into
trouble.  I'd like to use it to trigger a GUI alert on my screen;

Hi Bryan,

The problem isn't with ClamAV, it's the difference in sessions between a 
daemon and a user.


A user that is logged in is in a shell with lots of environment 
variables set, whereas a daemon is running in a bare-minimum environment.


You probably need to set the variable DBUS_SESSION_BUS_ADDRESS in your 
script as described here:


https://askubuntu.com/questions/298608/notify-send-doesnt-work-from-crontab

Best regards
  Michael


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Reindl Harald



On 12.05.2017 at 19:19, crazy thinker wrote:

@Maarten

I am mailing to both ClamAV Developers and Users. Hope you understand this.


no, we don't understand crossposting at all


The ClamAV Developers mailing list seems inactive. They are not responding.


no wonder looking at the type of your questions since you lack *basics* 
at all



On 12 May 2017 at 22:29, Maarten Broekman 
wrote:


Crazy,
the 'users' mailing list is what you are sending these questions to.  You
keep addressing this list as 'developers'. There is a separate mailing list
where developers who write the internals of ClamAV talk. That is the
appropriate forum for ALL of your questions. You really haven't had a
single question about the use of ClamAV in months. Almost all of your
questions surround the internal workings of ClamAV which, from a user
perspective, is pretty irrelevant




Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Steven Morgan
Hello,

Not strictly single threaded, there is a timer thread for bytecode for
example.

You can search over the source code to see pthread_* function calls. You
will see that the ClamAV engine also contains pthread resource
serialization calls.

Hope this helps,
Steve


On Fri, May 12, 2017 at 1:29 AM, crazy thinker 
wrote:

> Hi ClamAV Developers, Users
>
> I think clamscan is a single-threaded application. Am I right? I inspected
> this for a little bit. It doesn't read any config file before it
> starts.
>
>
> Thanks,
> Crazy Thinker, Inc


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Joel Esler (jesler)
It’s not that at all.  They are working on ClamAV 99.3.  I’ll call their 
attention to the devel list.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On May 12, 2017, at 2:47 PM, Dennis Peterson wrote:

On 5/12/17 10:19 AM, crazy thinker wrote:
@Maarten

I am mailing to both ClamAV Developers and Users. Hope you understand this.
The ClamAV Developers mailing list seems inactive. They are not responding.

Given that your crazyplan is to develop a new fork of ClamAV they can hardly be 
blamed for not helping. You should download the source and start your own 
developer/user group mail lists and register your CrazyClam on one of the 
software developer sites. And you should stop bothering non-developers here 
with your developer issues. It is the polite thing to do.

dp

Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Dennis Peterson

On 5/12/17 10:19 AM, crazy thinker wrote:

@Maarten

I am mailing to both ClamAV Developers and Users. Hope you understand this.
The ClamAV Developers mailing list seems inactive. They are not responding.

Given that your crazyplan is to develop a new fork of ClamAV they can hardly be 
blamed for not helping. You should download the source and start your own 
developer/user group mail lists and register your CrazyClam on one of the 
software developer sites. And you should stop bothering non-developers here with 
your developer issues. It is the polite thing to do.


dp


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Dominguez, Roland
You are the wind beneath my wings!

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
SCOTT PACKARD
Sent: Friday, May 12, 2017 7:37 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Question about ClamScan

Hi Crazy -
Could you please stop asking your questions to the clamav-users list?  Just 
stop.

Thanks.

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On 
> Behalf Of crazy thinker
> Sent: Thursday, May 11, 2017 10:29 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>; ClamAV 
> Development <clamav-de...@lists.clamav.net>
> Subject: [clamav-users] Question about ClamScan
> 
> Hi ClamAV Developers, Users
> 
> I think clamscan is a single-threaded application. Am I right? I 
> inspected this for a little bit. It doesn't read any config 
> file before it starts.
> 
> 
> Thanks,
> Crazy Thinker, Inc


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread crazy thinker
@Maarten

I am mailing to both ClamAV Developers and Users. Hope you understand this.
The ClamAV Developers mailing list seems inactive. They are not responding.

On 12 May 2017 at 22:29, Maarten Broekman 
wrote:

> Crazy,
>    the 'users' mailing list is what you are sending these questions to.  You
> keep addressing this list as 'developers'. There is a separate mailing list
> where developers who write the internals of ClamAV talk. That is the
> appropriate forum for ALL of your questions. You really haven't had a
> single question about the use of ClamAV in months. Almost all of your
> questions surround the internal workings of ClamAV which, from a user
> perspective, is pretty irrelevant.
>
>   "User" => Does it work? Yes/No.  => clamav-users
>   "Developer" => Does it work? How? Why?  => clamav-devel
>
>   You keep sending "Developer" type questions to the list for "User"
> questions. You would probably get a less irritated response from the
> clamav-devel list.
>
>
>
> On Fri, May 12, 2017 at 12:41 PM, crazy thinker 
> wrote:
>
> > It would be better to keep calm for some one who are not  interested to
> > learn ClamAV Internals.
> >
> > On 12 May 2017 at 21:43, Sierk Bornemann  wrote:
> >
> > >
> > > > Am 12.05.2017 um 18:07 schrieb Reindl Harald  >:
> > > >
> > > >
> > > >
> > > > On 12.05.2017 at 14:37, SCOTT PACKARD wrote:
> > > >> Hi Crazy -
> > > >> Could you please stop asking your questions to the clamav-users list?
> > > >> Just stop.
> > > >
> > > > +1
> > >
> > > +1


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Maarten Broekman
Crazy,
   the 'users' mailing list is what you are sending these questions to.  You
keep addressing this list as 'developers'. There is a separate mailing list
where developers who write the internals of ClamAV talk. That is the
appropriate forum for ALL of your questions. You really haven't had a
single question about the use of ClamAV in months. Almost all of your
questions surround the internal workings of ClamAV which, from a user
perspective, is pretty irrelevant.

  "User" => Does it work? Yes/No.  => clamav-users
  "Developer" => Does it work? How? Why?  => clamav-devel

  You keep sending "Developer" type questions to the list for "User"
questions. You would probably get a less irritated response from the
clamav-devel list.



On Fri, May 12, 2017 at 12:41 PM, crazy thinker 
wrote:

> It would be better to keep calm for someone who is not interested in
> learning ClamAV Internals.
>
> On 12 May 2017 at 21:43, Sierk Bornemann  wrote:
>
> >
> > > On 12.05.2017 at 18:07, Reindl Harald wrote:
> > >
> > >
> > >
> > > On 12.05.2017 at 14:37, SCOTT PACKARD wrote:
> > >> Hi Crazy -
> > >> Could you please stop asking your questions to the clamav-users list?
> > >> Just stop.
> > >
> > > +1
> >
> > +1


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread crazy thinker
It would be better to keep calm for someone who is not interested in
learning ClamAV Internals.

On 12 May 2017 at 21:43, Sierk Bornemann  wrote:

>
> > On 12.05.2017 at 18:07, Reindl Harald wrote:
> >
> >
> >
> > On 12.05.2017 at 14:37, SCOTT PACKARD wrote:
> >> Hi Crazy -
> >> Could you please stop asking your questions to the clamav-users list?
> >> Just stop.
> >
> > +1
>
> +1


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Sierk Bornemann

> On 12.05.2017 at 18:07, Reindl Harald wrote:
> 
> 
> 
> On 12.05.2017 at 14:37, SCOTT PACKARD wrote:
>> Hi Crazy -
>> Could you please stop asking your questions to the clamav-users list?  Just 
>> stop.
> 
> +1

+1


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Reindl Harald



On 12.05.2017 at 14:37, SCOTT PACKARD wrote:

> Hi Crazy -
> Could you please stop asking your questions to the clamav-users list?  Just
> stop.


+1


-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
crazy thinker
Sent: Thursday, May 11, 2017 10:29 PM
To: ClamAV users ML ; ClamAV Development 

Subject: [clamav-users] Question about ClamScan

Hi ClamAV Developers, Users

I think Clamscan is a single-threaded application. Am I right? I inspected
this for a little bit of time. It doesn't read any config file to read
something before it is about to start.



Re: [clamav-users] Question about ClamScan

2017-05-12 Thread SCOTT PACKARD
Hi Crazy -
Could you please stop asking your questions to the clamav-users list?  Just 
stop.

Thanks.

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
> Of crazy thinker
> Sent: Thursday, May 11, 2017 10:29 PM
> To: ClamAV users ML ; ClamAV Development 
> 
> Subject: [clamav-users] Question about ClamScan
> 
> Hi ClamAV Developers, Users
> 
> I think Clamscan is a single-threaded application. Am I right? I inspected
> this for a little bit of time. It doesn't read any config file to read
> something before it is about to start.
> 
> 
> Thanks,
> Crazy Thinker, Inc


Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Al Varnell
On Thu, May 11, 2017 at 03:03 AM, crazy thinker wrote:
> 
> @Al
> Maybe my question is a stupid one.. I still have a doubt, so I want to
> clarify myself.. Why does a Heuristics Scanner need a Signature Database when
> the Heuristics Scanning Technique detects malware based on behavior?

Sorry to sound exasperated but this is the third time I have explained this to 
you.

The database contains a list of the financial institutions that need to be 
checked by that engine for phishing attempts  (.pdb) along with a whitelist 
(.sfp) of combinations that are known to be acceptable.

> Can't a Heuristic Scanner detect Malware detected by a Signature Based
> Scanner? If yes, why don't we use a Heuristic Scanner alone in AV Software?

The Heuristic Scanner you are talking about is only used to detect financial 
institution phishing attempts in email messages. It does nothing at all to 
detect other types of email or non-email malware.

-Al-

> On 11 May 2017 at 14:58, Al Varnell  wrote:
> 
>> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
>>> 
>>> Hi ClamAV Developers, Users
>>> 
>>> SaneSecurity and SecuriteInfo provide better virus signature database
>>> feeds. With the help of this, we can increase the ClamAV Engine Detection
>>> Rate up to 80%-90%. I had already integrated the ClamAV Engine with the
>>> unofficial database (excluding the official database) in an experimental
>>> way. ClamAV Performance is better than earlier now. I want to rewrite the
>>> Engine first from scratch and I am looking for some guys who are willing
>>> to join to work with me
>> 
>> How is performance better for you?
>> 
>>> When I debugged the ClamAV CodeBase, I interestingly found that ClamAV
>>> creates 14 Engine Instances internally. Out of 14, only one is a
>>> Heuristic Engine
>> 
>> This is really a developer question, but what are the other engines for
>> and how can you say for certain that they are non-heuristic?
>> 
>>> ClamAV provides both a Signature Based Scanner and a Heuristic Based
>>> Scanner. As per my understanding, a Signature Based Scanner will never be
>>> involved in false positive/false negative results.
>> 
>> Not at all true. Signatures are being dropped daily due to reports of
>> False Positives.
>> 
>>> But a Heuristic scanner sometimes
>>> gives false positive/false negative results.
>> 
>> Heuristic determinations are by their nature warnings based on best guess
>> that something can be malware. It's then up to the user to check further to
>> determine whether they are or not. False positive/negative has little
>> meaning here.
>> 
>>> My Question is: are all AV Vendors including both a Signature Based
>>> Scanner and a Heuristic Based Scanner in their Software? For example, do
>>> the most popular AV Vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC
>>> do the same thing?
>> 
>> This is a ClamAV user forum, so it would be appropriate to ask that
>> question elsewhere.
>> 
>>> I had researched virus scanning techniques with the help of the Google
>>> engine.. I came to know that heuristic scanning techniques provide
>>> better results than traditional signature based scanning.. Then why has
>>> ClamAV not created a Scanner with the Heuristic Scanning Technique alone?
>>> Or is my thought wrong?
>> 
>> Define "better." I'd have to guess that signature based scanning results
>> in an order of magnitude more detections than any current AI technique
>> being used by any vendor, but fixed signatures only work when scanning for
>> known malware. AI techniques are most useful against so called zero-day
>> malware attacks, so both techniques are necessary for complete protection.
>> 
>> -Al-
>> 
>>> Thanks,
>>> Crazy Thinker , Inc
>> 

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Dennis Peterson
I would consider a malware author that does not pass his/her new product through 
several file scanners to be incompetent. There is little point in distributing 
such files if they are commonly detectable. Scanners are one of the best quality 
inspection tools a malware author has at their disposal. Conveniently, this can be 
done cheaply at VirusTotal and other sites that do live scans using multiple 
engines.


dp

On 5/11/17 8:21 AM, Matthew Molyett wrote:

> Crazy Thinker,
>
> > As per my understanding, a Signature Based Scanner will never be involved in
> > false positive/false negative results. But a Heuristic scanner sometimes
> > gives false positive/false negative results.
>
> Signature Based scanning can and will have false positive and false
> negative results. In fact, the high rate of False Negatives from Signature
> Based is the entire reason Heuristic scanning (and run-time scanning) is
> performed. A brand new, unknown threat, from a careful author, will be free
> of existing signatures. Similarly, a signature on a library only seen
> before in malicious software will cause a False Positive when a legitimate
> software begins using it.
>
> Large, exact signatures prevent False Positives, but can be trivially
> defeated. Flexible signatures with wildcards can identify larger blocks of
> malicious content, but at the price of potential False Positives.
>
> The response from Maarten Broekman does a great job discussing the issues
> we are facing.
>
> Thank you for choosing ClamAV. Helping protect you and your users is
> what keeps me happily getting to work each day.
>
> On Thu, May 11, 2017 at 9:54 AM, Arnaud Jacques / SecuriteInfo.com <
> webmas...@securiteinfo.com> wrote:
>
> > Hello,
> >
> > > is that a *technical* reason or do you *think* it's recommended for
> > > whatever reason
> >
> > It is technical: we avoid duplicate signatures in our databases. It means
> > every day we remove samples already detected by Clamav.
> >
> > > - as example sanesecurity works just fine without the
> > > official stuff and the difference is hundreds of MB useless wasted RAM
> > > while I have not seen any relevant hit on our inbound MX caught by the
> > > official signatures which would have slipped through sanesecurity
> >
> > In your example you are right. On mail filtering, sanesecurity and
> > spam_marketing.ndb from SecuriteInfo.com are good enough to protect
> > mailboxes, because Win32 malware is not spread by mail nowadays.
> >
> > In any other case (system protection, HTTP scanning, file hosting, etc...)
> > you have to get Clamav official + 3rd party signatures for maximum detection.
> >
> > --
> > Best regards,
> >
> > Arnaud Jacques
> > SecuriteInfo.com
> >
> > Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> > Twitter : @SecuriteInfoCom


Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Matthew Molyett
Crazy Thinker,

> As per my understanding, a Signature Based Scanner will never be involved in
> false positive/false negative results. But a Heuristic scanner sometimes
> gives false positive/false negative results.

Signature Based scanning can and will have false positive and false
negative results. In fact, the high rate of False Negatives from Signature
Based is the entire reason Heuristic scanning (and run-time scanning) is
performed. A brand new, unknown threat, from a careful author, will be free
of existing signatures. Similarly, a signature on a library only seen
before in malicious software will cause a False Positive when a legitimate
software begins using it.

Large, exact signatures prevent False Positives, but can be trivially
defeated. Flexible signatures with wildcards can identify larger blocks of
malicious content, but at the price of potential False Positives.

The response from Maarten Broekman does a great job discussing the issues
we are facing.

Thank you for choosing ClamAV. Helping protect you and your users is
what keeps me happily getting to work each day.


On Thu, May 11, 2017 at 9:54 AM, Arnaud Jacques / SecuriteInfo.com <
webmas...@securiteinfo.com> wrote:

> Hello,
>
> > is that a *technical* reason or do you *think* it's recommended for
> > whatever reason
>
> It is technical: we avoid duplicate signatures in our databases. It means
> every day we remove samples already detected by Clamav.
>
> > - as example sanesecurity works just fine without the
> > official stuff and the difference is hundreds of MB useless wasted RAM
> > while I have not seen any relevant hit on our inbound MX caught by the
> > official signatures which would have slipped through sanesecurity
>
> In your example you are right. On mail filtering, sanesecurity and
> spam_marketing.ndb from SecuriteInfo.com are good enough to protect
> mailboxes, because Win32 malware is not spread by mail nowadays.
>
> In any other case (system protection, HTTP scanning, file hosting, etc...)
> you have to get Clamav official + 3rd party signatures for maximum detection.
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
>



-- 

Matthew Molyett
Malware Researcher

mmoly...@cisco.com
Phone:  (410) 309-4834
Mobile: (410) 674-2049

Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html


Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Arnaud Jacques / SecuriteInfo.com
Hello,

> is that a *technical* reason or do you *think* it's recommended for
> whatever reason

It is technical: we avoid duplicate signatures in our databases. It means 
every day we remove samples already detected by Clamav.

> - as example sanesecurity works just fine without the
> official stuff and the difference is hundreds of MB useless wasted RAM
> while I have not seen any relevant hit on our inbound MX caught by the
> official signatures which would have slipped through sanesecurity

In your example you are right. On mail filtering, sanesecurity and 
spam_marketing.ndb from SecuriteInfo.com are good enough to protect mailboxes, 
because Win32 malware is not spread by mail nowadays.

In any other case (system protection, HTTP scanning, file hosting, etc...) you 
have to get Clamav official + 3rd party signatures for maximum detection.

-- 
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom


Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Maarten Broekman
Your understanding of scanning techniques is flawed at best (I believe this
has been pointed out multiple times). Both techniques have issues with
false positive and false negative matches. The only significant difference
is how they perform against unknown threats. In that regard, heuristic
scanning _may_ be able to detect the threat while it is unlikely that a
signature would be able to detect it.

All of the AV vendors you've named provide signature based scanning. Some
also have a behavior or heuristic based engine as well. As Al mentioned,
heuristic-based approaches are great for matching things that "might" be
malicious. However, they also tend to generate false positives depending on
how tight or loose their rules are. Tighter rules for what is considered
'malicious' means fewer false positives but also fewer matches.

Signature based approaches have similar issues but they only work against
known threats. But the more generic the signature, the more likely it is to
run into false positives. Also, what *you* consider to be malware might be
"just another tool" for someone else.

Having multiple engines performing behavior based analysis (heuristics) is
pointless as they would need to share everything they "detect" in order to
perform the analysis correctly. On the other hand, having multiple engines
for signatures makes sense as you can have separate engines looking at
different types of signatures or files.

Your claim regarding the detection rate is just the statistics against
your collection of malware. The official databases don't seem to be aimed
at the kinds of samples you're running against while Sanesecurity and
SecuriteInfo databases are more closely aimed at the malware population
you're testing against. If other databases work better for your workload,
great. Not everyone has the same experience you do. Also, you can help
improve the official databases by submitting samples that are not detected
by the official signatures.

I wish you all the best with writing your own engine, but I think you'll
find that it's not easy to get close to the performance that ClamAV has.
Also, then you still need to write signatures that your engine can
understand to look for.



On Thu, May 11, 2017 at 8:55 AM, crazy thinker 
wrote:

> @Al
>
> Any comments from your end on my question in the previous mail thread?
>
> On 11 May 2017 at 15:33, crazy thinker  wrote:
>
> > @Al
> > Maybe my question is a stupid one.. I still have a doubt, so I want to
> > clarify myself.. Why does a Heuristics Scanner need a Signature Database when
> > the Heuristics Scanning Technique detects malware based on behaviour?
> >
> > Can't a Heuristic Scanner detect Malware detected by a Signature Based
> > Scanner? If yes, why don't we use a Heuristic Scanner alone in AV
> > Software?
> >
> > On 11 May 2017 at 14:58, Al Varnell  wrote:
> >
> >> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
> >> >
> >> > Hi ClamAV Developers, Users
> >> >
> >> > SaneSecurity and SecuriteInfo provide better virus signature database
> >> > feeds. With the help of this, we can increase the ClamAV Engine Detection
> >> > Rate up to 80%-90%. I had already integrated the ClamAV Engine with the
> >> > unofficial database (excluding the official database) in an experimental
> >> > way. ClamAV Performance is better than earlier now. I want to rewrite the
> >> > Engine first from scratch and I am looking for some guys who are willing
> >> > to join to work with me
> >>
> >> How is performance better for you?
> >>
> >> > When I debugged the ClamAV CodeBase, I interestingly found that ClamAV
> >> > creates 14 Engine Instances internally. Out of 14, only one is a
> >> > Heuristic Engine
> >>
> >> This is really a developer question, but what are the other engines for
> >> and how can you say for certain that they are non-heuristic?
> >>
> >> > ClamAV provides both a Signature Based Scanner and a Heuristic Based
> >> > Scanner. As per my understanding, a Signature Based Scanner will never be
> >> > involved in false positive/false negative results.
> >>
> >> Not at all true. Signatures are being dropped daily due to reports of
> >> False Positives.
> >>
> >> > But a Heuristic scanner sometimes
> >> > gives false positive/false negative results.
> >>
> >> Heuristic determinations are by their nature warnings based on best
> guess
> >> that something can be malware. It's then up to the user to check
> further to
> >> determine whether they are or not. False positive/negative has little
> >> meaning here.
> >>
> >> > My Question is: are all AV Vendors including both a Signature Based
> >> > Scanner and a Heuristic Based Scanner in their Software? For example, do
> >> > the most popular AV Vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC
> >> > do the same thing?
> >>
> >> This is a ClamAV user forum, so it would be appropriate to ask that
> >> question elsewhere.
> >>
> >> > I had researched virus scanning techniques with the help 
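An added example (not ClamAV's code and not from any poster in this thread) that makes the trade-off Matthew Molyett and Maarten Broekman describe concrete: a small Python matcher for a subset of ClamAV's .ndb hex-signature syntax, run over three constructed byte strings so an exact signature, a wildcard signature and an alternation can be compared on the same corpus. The signature names, sample bytes and all helper functions are constructed for this illustration.

```python
"""
Toy matcher for a subset of ClamAV's .ndb body-signature syntax, used to
show the precision/recall trade-off discussed in the thread: an exact
signature misses a variant, a wildcard signature catches the variant but
also flags a benign file, and an alternation only covers the variants it
already enumerates.

Constructed example; this is not ClamAV's own matcher. Supported hex
wildcards: ?? (any byte), * (any run of bytes), {n} / {n-m} / {n-} / {-m}
(byte-count ranges) and (aa|bb) alternatives. Offsets are '*' or a
decimal absolute offset; the EP+n / EOF-n forms are not handled.
"""
import re
from dataclasses import dataclass

# .ndb line layout: MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
NDB_LINE = re.compile(r"^([^:]+):(\d+):(\*|\d+):([0-9a-fA-F?*{}\-()|]+)")


@dataclass
class NdbSignature:
    name: str
    target_type: int
    offset: str            # "*" = anywhere, otherwise a decimal byte offset
    hexsig: str
    pattern: re.Pattern


def hex_to_regex(hexsig: str) -> bytes:
    """Translate ClamAV hex-signature wildcards into a bytes regex."""
    out = []
    i = 0
    while i < len(hexsig):
        c = hexsig[i]
        if c == "*":                       # any number of bytes
            out.append(b".*?")
            i += 1
        elif hexsig.startswith("??", i):   # exactly one arbitrary byte
            out.append(b".")
            i += 2
        elif c == "{":                     # {n}, {n-m}, {n-}, {-m}
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            if not dash:
                hi = lo                    # {n} means exactly n bytes
            out.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
            i = j + 1
        elif c == "(":                     # (aa|bb) alternatives
            j = hexsig.index(")", i)
            alts = [hex_to_regex(a) for a in hexsig[i + 1:j].split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
            i = j + 1
        else:                              # a literal hex byte
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return b"".join(out)


def parse_ndb(line: str) -> NdbSignature:
    m = NDB_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an .ndb signature: {line!r}")
    name, ttype, offset, hexsig = m.groups()
    pattern = re.compile(hex_to_regex(hexsig), re.DOTALL)
    return NdbSignature(name, int(ttype), offset, hexsig, pattern)


def matches(sig: NdbSignature, data: bytes) -> bool:
    if sig.offset == "*":
        return sig.pattern.search(data) is not None
    return sig.pattern.match(data, int(sig.offset)) is not None


def scan_corpus(corpus: dict, sigs: list) -> dict:
    """Return {sample_name: [names of the signatures that fired]}."""
    return {name: [s.name for s in sigs if matches(s, data)]
            for name, data in corpus.items()}


# --- constructed samples (not real files) -----------------------------------
# Two "malicious" variants share a string-loading stub but differ in a
# hard-coded 4-byte key; the benign tool uses the same stub for a help text.
def _sample(key: bytes, body: bytes) -> bytes:
    return b"MZ" + b"\x90" * 8 + b"LOADSTR:" + key + b":" + body

CORPUS = {
    "malware_v1": _sample(bytes.fromhex("deadbeef"), b"cmd=fetch;target=x"),
    "malware_v2": _sample(bytes.fromhex("0badf00d"), b"cmd=fetch;target=x"),
    "benign_tool": _sample(b"\x00" * 4, b"cmd=help;usage=backup-tool"),
}

# Three constructed signatures for the same stub. Hex of "LOADSTR:" is
# 4c4f41445354523a, ":cmd=" is 3a636d643d, "fetch" is 6665746368, ";" is 3b.
SIGS = [parse_ndb(line) for line in [
    # exact: stub + key deadbeef + ":cmd=fetch" -> precise, misses variant 2
    "Test.Exact:0:*:4c4f41445354523adeadbeef3a636d643d6665746368",
    # wildcard: stub, any 4-byte key, ":cmd=", anything, ";" -> also hits benign
    "Test.Wild:0:*:4c4f41445354523a{4}3a636d643d*3b",
    # alternation: only the two keys seen so far -> no FP, but no variant 3
    "Test.Alt:0:*:4c4f41445354523a(deadbeef|0badf00d)3a636d643d6665746368",
]]

if __name__ == "__main__":
    for sample, hits in scan_corpus(CORPUS, SIGS).items():
        print(f"{sample:12s} -> {hits or ['clean']}")
```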

Re: [clamav-users] Question about ClamAV

2017-05-11 Thread crazy thinker
@Arnaud..

Yes, you are right dude.. but most of the clamav virus signatures look like
junk to me. To avoid more memory consumption,
I just removed them :)

On 11 May 2017 at 19:07, Arnaud Jacques / SecuriteInfo.com <
webmas...@securiteinfo.com> wrote:

> Hello,
>
> > SaneSecurity and SecuriteInfo provide better virus signature database
> > feeds. With the help of this, we can increase the ClamAV Engine Detection
> > Rate up to 80%-90%. I had already integrated the ClamAV Engine with the
> > unofficial database (excluding the official database) in an experimental
> > way. ClamAV Performance is better than earlier now.
>
> To be clear: The signature databases provided by SecuriteInfo.com have to
> be used *with* the official ones from Clamav.
>
> The aim of our signature databases is *not* to replace official ones from
> Clamav.
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom


Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Reindl Harald



On 11.05.2017 at 15:37, Arnaud Jacques / SecuriteInfo.com wrote:

> Hello,
>
> > SaneSecurity and SecuriteInfo provide better virus signature database
> > feeds. With the help of this, we can increase the ClamAV Engine Detection
> > Rate up to 80%-90%. I had already integrated the ClamAV Engine with the
> > unofficial database (excluding the official database) in an experimental
> > way. ClamAV Performance is better than earlier now.
>
> To be clear: The signature databases provided by SecuriteInfo.com have to be
> used *with* the official ones from Clamav.
>
> The aim of our signature databases is *not* to replace official ones from
> Clamav.


not really clear:

is that a *technical* reason or do you *think* it's recommended for 
whatever reason - as example sanesecurity works just fine without the 
official stuff and the difference is hundreds of MB useless wasted RAM 
while I have not seen any relevant hit on our inbound MX caught by the 
official signatures which would have slipped through sanesecurity



Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Arnaud Jacques / SecuriteInfo.com
Hello,

> SaneSecurity and SecuriteInfo provide better virus signature database
> feeds. With the help of this, we can increase the ClamAV Engine Detection
> Rate up to 80%-90%. I had already integrated the ClamAV Engine with the
> unofficial database (excluding the official database) in an experimental
> way. ClamAV Performance is better than earlier now.

To be clear: The signature databases provided by SecuriteInfo.com have to be 
used *with* the official ones from Clamav.

The aim of our signature databases is *not* to replace official ones from 
Clamav.

-- 
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom


Re: [clamav-users] Question about ClamAV

2017-05-11 Thread crazy thinker
@Al

Any comments from your end on my question in the previous mail thread?

On 11 May 2017 at 15:33, crazy thinker  wrote:

> @Al
> Maybe my question is a stupid one.. I still have a doubt, so I want to
> clarify myself.. Why does a Heuristics Scanner need a Signature Database when
> the Heuristics Scanning Technique detects malware based on behaviour?
>
> Can't a Heuristic Scanner detect Malware detected by a Signature Based
> Scanner? If yes, why don't we use a Heuristic Scanner alone in AV Software?
>
> On 11 May 2017 at 14:58, Al Varnell  wrote:
>
>> On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
>> >
>> > Hi ClamAV Developers, Users
>> >
>> > SaneSecurity and SecuriteInfo provide better virus signature database
>> > feeds. With the help of this, we can increase the ClamAV Engine Detection
>> > Rate up to 80%-90%. I had already integrated the ClamAV Engine with the
>> > unofficial database (excluding the official database) in an experimental
>> > way. ClamAV Performance is better than earlier now. I want to rewrite the
>> > Engine first from scratch and I am looking for some guys who are willing
>> > to join to work with me
>>
>> How is performance better for you?
>>
>> > When I debugged the ClamAV CodeBase, I interestingly found that ClamAV
>> > creates 14 Engine Instances internally. Out of 14, only one is a
>> > Heuristic Engine
>>
>> This is really a developer question, but what are the other engines for
>> and how can you say for certain that they are non-heuristic?
>>
>> > ClamAV provides both a Signature Based Scanner and a Heuristic Based
>> > Scanner. As per my understanding, a Signature Based Scanner will never be
>> > involved in false positive/false negative results.
>>
>> Not at all true. Signatures are being dropped daily due to reports of
>> False Positives.
>>
>> > But a Heuristic scanner sometimes
>> > gives false positive/false negative results.
>>
>> Heuristic determinations are by their nature warnings based on best guess
>> that something can be malware. It's then up to the user to check further to
>> determine whether they are or not. False positive/negative has little
>> meaning here.
>>
>> > My Question is: are all AV Vendors including both a Signature Based
>> > Scanner and a Heuristic Based Scanner in their Software? For example, do
>> > the most popular AV Vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC
>> > do the same thing?
>>
>> This is a ClamAV user forum, so it would be appropriate to ask that
>> question elsewhere.
>>
>> > I had researched virus scanning techniques with the help of the Google
>> > engine.. I came to know that heuristic scanning techniques provide
>> > better results than traditional signature based scanning.. Then why has
>> > ClamAV not created a Scanner with the Heuristic Scanning Technique alone?
>> > Or is my thought wrong?
>>
>> Define "better." I'd have to guess that signature based scanning results
>> in an order of magnitude more detections than any current AI technique
>> being used by any vendor, but fixed signatures only work when scanning for
>> known malware. AI techniques are most useful against so called zero-day
>> malware attacks, so both techniques are necessary for complete protection.
>>
>> -Al-
>>
>> > Thanks,
>> > Crazy Thinker , Inc
>>


Re: [clamav-users] Question about ClamAV

2017-05-11 Thread crazy thinker
@Al
Maybe my question is a stupid one. I still have a doubt, so I want to
clarify for myself. Why does a heuristic scanner need a signature database when
the heuristic scanning technique detects malware based on behaviour?

Can't a heuristic scanner detect the malware detected by a signature-based
scanner? If yes, why not use a heuristic scanner alone in AV software?



Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Al Varnell
On Thu, May 11, 2017 at 02:11 AM, crazy thinker wrote:
> 
> Hi ClamAV Developers, Users
> 
> Sanesecurity and SecuriteInfo provide better virus signature database
> feeds. With the help of these, we can increase the ClamAV engine detection rate
> up to 80%-90%. I had already integrated the ClamAV engine with the unofficial
> databases (excluding the official database) in an experimental way. ClamAV
> performance is better than earlier now. I want to rewrite the engine first
> from scratch and I am looking for some guys who are willing to join to work with
> me.

How is performance better for you?

> When I debugged the ClamAV code base, I interestingly found that ClamAV
> creates 14 engine instances internally. Out of 14, only one is a heuristic
> engine.

This is really a developer question, but what are the other engines for and how 
can you say for certain that they are non-heuristic?

> ClamAV provides both a signature-based scanner and a heuristic-based scanner.
> As per my understanding, a signature-based scanner will never be involved in
> false positive/false negative results.

Not at all true. Signatures are being dropped daily due to reports of False 
Positives.

> But a heuristic scanner sometimes
> gives false positive/false negative results.

Heuristic determinations are by their nature warnings based on best guess that 
something can be malware. It's then up to the user to check further to 
determine whether they are or not. False positive/negative has little meaning 
here.

> My question is: are all AV vendors including both a signature-based scanner
> and a heuristic-based scanner in their software? For example, do the most
> popular AV vendors like AVAST, KASPERSKY, AVG, NORTON, SYMANTEC do the same
> thing?

This is a ClamAV user forum, so it would be appropriate to ask that question 
elsewhere.

> I had researched virus scanning techniques with the help of the Google
> engine. I came to know that heuristic scanning techniques provide
> better results than traditional signature-based scanning. Then why has ClamAV
> not created a scanner with the heuristic scanning technique alone?
> Or is my thought wrong?

Define "better." I'd have to guess that signature based scanning results in an
order of magnitude more detections than any current AI technique being used by
any vendor, but fixed signatures only work when scanning for known malware. AI
techniques are most useful against so-called zero-day malware attacks, so both
techniques are necessary for complete protection.

-Al-

> Thanks,
> Crazy Thinker , Inc


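As an added illustration of the distinction Al draws above (a signature matches bytes the database already knows; a heuristic is a best-guess warning that still needs a human to follow up), and of the follow-up question of why a heuristic alone is not enough, here is a small Python toy written for this thread. It is not ClamAV's code. It reads a constructed database in a simplified form of ClamAV's .ndb body-based signature line, `MalwareName:TargetType:Offset:HexSignature` (the real format also allows wildcards and functionality-level fields, which this parser ignores), runs exact byte matching next to a byte-entropy heuristic over four constructed sample files, and shows the three outcomes discussed in the thread: the known sample hits only the signature, a one-byte variant of it slips past the signature, and a legitimate encrypted file trips the heuristic with no signature to back it. The signature names, the sample files, the PRNG seed and the 7.5-bit threshold are assumptions for the demonstration; the EICAR string is the standard public anti-virus test file, not malware.

```python
"""Toy signature-vs-heuristic scanner (added example, not ClamAV code).

Signature lines use a simplified reading of ClamAV's .ndb syntax:
    MalwareName:TargetType:Offset:HexSignature
Only plain hex at a fixed offset or '*' (anywhere) is supported here.
The database contents and the sample files below are constructed.
"""
import math
import random
import re
from collections import Counter

# The public EICAR anti-virus test string (a test file, not malware).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample database; the signature names are made up for the demo.
SAMPLE_NDB = (
    f"Example.EICAR.Test:0:*:{EICAR.encode().hex()}\n"
    "Example.MZ.Stub:1:0:4d5a90\n"  # bytes 'MZ\x90' required at offset 0
)

HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_ndb(text):
    """Parse simplified .ndb lines into (name, offset_or_None, pattern_bytes)."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected Name:Type:Offset:Hex")
        name, _target, offset, hexsig = fields[:4]
        if not HEX_RE.fullmatch(hexsig) or len(hexsig) % 2:
            raise ValueError(f"line {lineno}: bad hex in {name}")
        sigs.append((name, None if offset == "*" else int(offset), bytes.fromhex(hexsig)))
    return sigs


def signature_scan(data, sigs):
    """Exact byte matching: fires only on bytes the database already knows."""
    hits = []
    for name, offset, pattern in sigs:
        if offset is None:
            found = pattern in data
        else:
            found = data[offset:offset + len(pattern)] == pattern
        if found:
            hits.append(name)
    return hits


def shannon_entropy(data):
    """Bits per byte, from 0.0 (one repeated byte) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_scan(data, threshold=7.5):
    """Best-guess warning: a near-uniform byte distribution often means a packed
    or encrypted payload. Legitimate compressed or encrypted files trip it too,
    so the result is a hint to investigate, not a verdict."""
    ent = shannon_entropy(data)
    return f"Heuristics.HighEntropy({ent:.2f})" if ent > threshold else None


def scan_all():
    """Scan the constructed samples; returns {name: (signature_hits, heuristic)}."""
    sigs = parse_ndb(SAMPLE_NDB)
    rng = random.Random(2017)  # deterministic stand-in for packed/encrypted bytes
    samples = {
        "eicar.com": EICAR.encode(),                                   # known: signature hits
        "eicar_variant.com": EICAR.replace("H+H*", "H+H+").encode(),  # one byte changed: signature misses
        "packed_unknown.bin": b"MZ\x90" + rng.randbytes(4096),        # fixed-offset signature plus heuristic
        "backup.enc": rng.randbytes(4096),                             # legitimate encrypted data: heuristic only
    }
    return {name: (signature_scan(d, sigs), heuristic_scan(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (sig_hits, heur) in scan_all().items():
        print(f"{name:20s} signatures={sig_hits or '-'}  heuristic={heur or '-'}")
```

The `backup.enc` row is the case Al describes: the heuristic flags it, nothing in the database confirms it, and only a person (or a further, more specific check) can say whether it is packed malware or an innocent encrypted archive. The `eicar_variant.com` row is the other half of the argument: one changed byte defeats an exact signature, which is why the signature feed has to keep growing and why a heuristic layer is kept alongside it.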
