Re: [clamav-users] False Positive not being corrected
On Dec 11, 2013, at 6:12 AM, Al Varnell alvarn...@mac.com wrote:

On Wed, Dec 11, 2013 at 02:19 AM, Andrew Carter wrote:

I have submitted a file several times (email and Excel attachment) to be corrected at http://www.clamav.net/lang/en/sendvirus/submit-fp/ however this is still being marked as a virus. In testing it against other scanners Clam is the only one picking it up as a virus.

They will need the MD5 hash value of the file in order to easily find it in their database.

Yup. We’ll need the MD5! Thanks Al.

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Manager
Vulnerability Research Team
Jabber: jes...@cisco.com

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] lost
What is this “daily interruption of Console” that you are referring to? Can you give us a screenshot or something so we can reference?

Also, ClamXav is probably one of the best GUI clients for ClamAV that I’ve seen so far.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
Jabber: jes...@cisco.com

On Dec 17, 2013, at 6:38 PM, David Grant dgr...@thecommonlot.com wrote:

I can barely understand the home page. I don't know if I use Unix (I'm using an iMac). I was told that ClamAV was the best virus protection, so I signed up … or did I download? In any case, every day at the same time my work is interrupted by a report from Console. I think the upshot is that everything is OK.

QUESTIONS:
1) Is there a really simple explanation of ClamAV somewhere?
2) Can I stop that daily interruption of Console, but still keep the virus protection?

Thank you.
Re: [clamav-users] some questions about malware statistics
On Dec 23, 2013, at 10:58, 黄海涛 hht...@126.com wrote:

1. http://www.clamav.net/rss/clamsigs-top10.rss, what's the statistical duration? One month?

Not sure. This was left over from the old ClamAV team and we haven't redone it yet. Yes, we have plans to.

2. Can I get all rankings, not just the top 10?
3. Can I get statistics for the latest one year (or latest six months) rather than the last 7 days?
4. Can I get a list of statistics for every day (where I can get the history rankings, not only today's)?

Again, we are planning on completely overhauling the stats system.

5. Why can't I find some signatures from daily.cld or main.cld which are in the rankings (clamsigs-top10.rss), for example: Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net, Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.ne, Heuristics.Phishing.Email.SpoofedDomain, BC.Heuristic.Trojan.SusPacked.BF-6.A.

I think someone else answered this.

6. Can you tell me what is the relationship between Win.Trojan.Agent-595936 and Win.Trojan.Agent? main.cld contains 390906 signatures whose virus name contains Win.Trojan.Agent, what is the relationship between them? In addition, trojan.agent, trojan.downloader, trojan.spy, win.trojan.fakeav ...

The number is sequential. That means that there are that many viruses named that exact name in the system.
Re: [clamav-users] 0.98-exp / LibClamAV Warning
On Dec 23, 2013, at 11:23, gin(e) g...@riseup.net wrote:

But why doesn't the file program say that? I have pasted the output for that reason.

File only looks at certain parts of a file to determine the type of file. For flash it only has to look at the first three characters of the file.
Re: [clamav-users] Debian packaging
On Dec 17, 2013, at 5:28, Simon Hobson li...@thehobsons.co.uk wrote:

Well since no-one's come back with something like "the package maintainer's gone AWOL" or similar, I'll keep bumping that bug ticket. Does seem strange, I don't recall such a long delay in the past. Updating from source isn't really an option since I need to leave these systems maintainable by people who need the simplicity of apt-get upgrade.

I haven't had any contact with the package maintainer. That doesn't mean a thing though. I haven't gone through and collected the names of the package maintainers like I did for our other projects here at Sourcefire. I'll put that on my to-do list. In fact, if you want to help me out, if you are a package maintainer for ClamAV, write me an email off list, and I'll start collecting the names.

Joel
Re: [clamav-users] ClamAV v0.98.1
Thanks Steve. I was having an email issue yesterday and my announcement email was stuck in the queue.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team

On Jan 15, 2014, at 8:07 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:

Looks like 0.98.1 is out...

Change log: https://raw.github.com/vrtadmin/clamav-devel/0.98.1/ChangeLog
Sources: http://www.clamav.net/lang/en/download/sources/
Windows binaries (.msi format): http://sourceforge.net/projects/clamav/files/clamav/0.98.1/

Cheers,
Steve
Sanesecurity
Re: [clamav-users] Virus update notices from months ago.
Rick,

That was me. There were a bunch stuck in the queue, and I cleared it out. Sorry about that.

On Jan 15, 2014, at 1:31 PM, Rick Macdougall ri...@ummm-beer.com wrote:

Hi,

I'm getting all sorts of virus update notifications that are months old and huge in size.

Headers for one at http://pastebin.com/iMnkFiCk

Regards,
Rick
[clamav-users] Vote for ClamAV as the Sourceforge Project of the Month!
Sourceforge has fired up their monthly Project of the Month process again, and they were kind enough to choose ClamAV for this month's vote!

You can read more about the process on their blog post here: https://sourceforge.net/blog/revival-of-weekly-featured-projects-and-project-of-the-month-voting/

And you can cast your vote here: https://sourceforge.net/p/potm/discussion/vote/thread/7d522915/

Thanks to everyone who supports the ClamAV project, get out and vote!

(Note: You must be a member of Sourceforge, and must be logged in, to vote.)

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
Re: [clamav-users] request for feature
Because these are two separate systems. In two different parts of the network. We haven't consolidated everything that we took over when the original clam team left yet.

--
Joel Esler
Sent from my iPhone

On Jan 31, 2014, at 14:59, Gene Heskett ghesk...@wdtv.com wrote:

On Friday 31 January 2014 14:55:39 Shawn Webb did opine:

Hey Gene,

Thank you for giving us ideas for new features. Our bugzilla system at https://bugzilla.clamav.net/ is the right place to file feature requests.

Thanks,
Shawn

Yup, and another place to require a login, with a password I'll forget by 15:10 today if I don't paint it on the wall of my man cave. And there is no room left on the wall now!

Come on folks, if I am a subscriber to the mailing list, why is that not credentials for posting to your bugzilla? Boggles what little mind I have left.

On Fri, Jan 31, 2014 at 2:23 PM, Gene Heskett ghesk...@wdtv.com wrote:

Greetings;

I have trolled thru the man pages at length, and can find no option to make it just a little more verbose by outputting something that would serve to identify the originator of a compromised email. What we do get is hard to impossible to actually connect to a given email currently sitting in a kmail folder.

This is all I am getting in the /var/log/clamav/clamav.log:

Thu Jan 30 10:22:29 2014 - instream(local): Sanesecurity.Malware.20493.ZipHeur.UNOFFICIAL(75da5ae7bb694b4d03687026bb4d6ee4:2) FOUND

all on one long line of course. No FOUND yet today which seems odd.

Such a feature would appear to me to be handier than sliced bread or bottled beer. Am I missing something? If so, please point me at it.

Thanks.

Cheers, Gene
--
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Genes Web page http://geneslinuxbox.net:6309/gene
WTB: Will pay 100 USD for an HP-4815A defective but complete probe assembly.
Re: [clamav-users] request for feature
On Feb 2, 2014, at 9:39 AM, Gene Heskett ghesk...@wdtv.com wrote:

On Sunday 02 February 2014 09:37:59 Joel Esler (jesler) did opine:

Because these are two separate systems. In two different parts of the network. We haven't consolidated everything that we took over when the original clam team left yet.

I see Joel. Is this something that's sort of in the inbox? Or has it not been discussed?

To be honest I don’t think we’ve talked about consolidating the mailing lists and bugzilla into one auth structure. But it’s an idea I’ll bring up.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
[clamav-users] ClamAV®: ClamAV Mailing List Maintenance, Monday, February 10th, 2014
http://blog.clamav.net/2014/02/clamav-mailing-list-maintenance-monday.html

ClamAV Mailing List Maintenance, Monday, February 10th, 2014

This notice is for the members of the ClamAV mailing lists found here: http://lists.clamav.net/mailman/listinfo/clamav-users

On Monday, February 10th, 2014 starting at 10am EST, the ClamAV Mailing lists will be moving to new server hardware. We anticipate this outage to last approximately four (4) hours. We will be notifying everyone when the new server is up and operational.

Thank you for your patience.

Joel Esler
Threat Intelligence Team Lead
Open Source Manager
Vulnerability Research Team
Re: [clamav-users] [Clamav-announce] ClamAV®: ClamAV Mailing List Maintenance, Monday, February 10th, 2014
On Feb 6, 2014, at 8:19 PM, Dennis Peterson denni...@inetnw.com wrote:

On 2/6/14, 3:12:09PM, Joel Esler (jesler) wrote:

http://blog.clamav.net/2014/02/clamav-mailing-list-maintenance-monday.html

ClamAV Mailing List Maintenance, Monday, February 10th, 2014

This notice is for the members of the ClamAV mailing lists found here: http://lists.clamav.net/mailman/listinfo/clamav-users

On Monday, February 10th, 2014 starting at 10am EST, the ClamAV Mailing lists will be moving to new server hardware. We anticipate this outage to last approximately four (4) hours. We will be notifying everyone when the new server is up and operational.

Thank you for your patience.

Are any changes to the network going to happen that might affect our spam filters (ip, hostname, domain, outbound mailer), and will the sender ID change? I'm currently getting list mail from xs4all.nl, for example, and because NL lands on a lot of black lists it can be a bugger to whitelist for mail, squid, geoip, blah blah.

All of the new mail traffic is going to be originating from 198.148.79.53. Both the A and MX records will be updated for lists.clamav.net.

--
Joel Esler
Threat Intelligence Team Lead
Open Source Manager
Vulnerability Research Team
[clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Friday last week I put a blog post up about introducing OpenSSL into the ClamAV ecosystem. I wanted to make sure everyone saw it, so please have a look at the blog post here: http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Feb 28, 2014, at 7:34 AM, Shawn Webb sw...@sourcefire.com wrote:

On Fri, Feb 28, 2014 at 10:27 AM, Mark Allan markjal...@blueyonder.co.uk wrote:

As this is the first time ClamAV has had an external dependency, would it be worth making it an opt-out configure option for people who can't get it to compile or who have to rely on an older/incompatible version of OpenSSL?

Mark

Hey Mark,

I explored that option, but I found attempting to support both to be too kludgy. We would need to maintain two separate code paths, brought together with a shim. There would be a noticeable performance impact along with added complexity. I settled on outright replacing our current hashing functions with OpenSSL's in order to keep ClamAV's engine's performance top-notch and keep complexity at a minimum.

In addition here Mark, we’re going to be using OpenSSL in future features we have planned for ClamAV, so this is the best option.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
Re: [clamav-users] as unsubscribe from list ?
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Bottom of the page.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Mar 3, 2014, at 9:06 AM, Erwin Castillo erwincastil...@gmail.com wrote:

thanks
[clamav-users] Snort.org Blog: Open Source Community Webinar
http://blog.snort.org/2014/03/open-source-community-webinar.html

Open Source Community Webinar

Open Source community,

First off, we’d like to thank everyone for their continued use of our projects and products here at Sourcefire, now a part of Cisco. We love making great software, and we love for you to use it and contribute back.

It’s been a great transition so far into the Cisco community, and recently, we held an Open Source Community Meeting at RSA, and we’d like to provide the content out to our Open Source user base as well. The best way for us to do this is through a Webinar where we can present the current state of our projects, the future of the projects, how the projects are continuing to move forward inside of Cisco and of course, make ourselves available for Questions and Answers.

We are planning to hold the Webinar Thursday, March 13, 2014 12:00 PM EST.

Register Now: https://cisco.webex.com/ciscosales/k2/j.php?MTID=tc6ff6d5fd9a1eab5e6e5966b96c914ca for the webinar.

We look forward to seeing you and hearing from you then!

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
[clamav-users] ClamAV®: ClamAV 0.95 Engine End of Life Announcement
http://blog.clamav.net/2014/03/clamav-095-engine-end-of-life.html

ClamAV 0.95 Engine End of Life Announcement

ClamAV Community,

This notice is to inform you that effective immediately ClamAV 0.95 (and all minor versions) is no longer supported in accordance with ClamAV's EOL policy which can be found here: https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-eol.md

While the current CVD's being distributed will still work on ClamAV 0.95, and we are not enabling the functionality to actually make those versions be able to update, this does serve as notice that we are no longer going to be testing against that version in our regression tests. We will also be EOL'ing 0.96 in coming months, so if either of those versions is currently in use, it is highly suggested that you upgrade to the most current version.

Thank you for using ClamAV!
Re: [clamav-users] Mass sample submission
Bohdan,

I'd be glad to set you up with a submission method. I'll email you separately offlist.

--
Joel Esler
Sent from my iPhone

On Apr 5, 2014, at 5:53, Bohdan Turkynewych tb0h...@gmail.com wrote:

Hi everyone,

I have up to several thousand already detected malware samples each day that are not caught by ClamAV and would like to submit them automatically. Please let me know if/how that is possible.

Thanks.
Re: [clamav-users] git repository
On Apr 11, 2014, at 3:14 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:

Dear all,

In the past - before the latest takeover - I used the git repository to keep track of updates and/or other changes. I notice that since the latest takeover the git repository is only used when a new version has been released, thus defeating the practical use of the git repository.

Hi Frans,

+1

Must admit I miss seeing the changelog being updated quite a bit before the actual release comes into play, plus it gives a bit of a road-map.

Let us discuss this internally and I’ll get back to you all on this.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
[clamav-users] ClamAV®: ClamXAv in the top ten free Apps in the Mac OSX App Store!
http://blog.clamav.net/2014/04/clamxav-in-top-ten-free-apps-in-mac-osx.html

ClamXAv in the top ten free Apps in the Mac OSX App Store!

Congratulations to Mark Allan, developer of the ClamXav (http://www.clamxav.com/) project (the OSX GUI front-end to ClamAV) for making the top ten list in the free App section of the OSX App Store!

It's great to see a free tool and great contribution by the community being used by thousands of users and being recognized!

Great work Mark!

[image: http://4.bp.blogspot.com/-Qcv2azdUo3A/U1g1C7q-vGI/AsY/iu0AWPShT2U/s1600/clamxav.png]
[clamav-users] ClamAV®: ClamAV 0.98.2 has been released!
http://blog.clamav.net/2014/05/clamav-0982-has-been-released.html

ClamAV 0.98.2 has been released!

ClamAV 0.98.2 has been released, and is available here: http://sourceforge.net/projects/clamav/files/clamav/0.98.2/, below are the highlighted changes and fixes from this release!

0.98.2
--
Here are the new features and improvements in ClamAV 0.98.2:

- Support for common raw disk image formats using 512 byte sectors, specifically GPT, APM, and MBR partitioning.
- Experimental support of OpenIOC files. ClamAV will now extract file hashes from OpenIOC files residing in the signature database location, and generate ClamAV hash signatures. ClamAV uses no other OpenIOC features at this time. No OpenIOC files will be delivered through freshclam. See openioc.org and iocbucket.com for additional information about OpenIOC.
- All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop) now support IPV6 addresses and configuration parameters.
- Use OpenSSL file hash functions for improved performance. OpenSSL is now prerequisite software for ClamAV 0.98.2.
- Improved detection of malware scripts within image files. Issue reported by Maarten Broekman.
- Change to circumvent possible denial of service when processing icons within specially crafted PE files. Icon limits are now in place with corresponding clamd and clamscan configuration parameters. This issue was reported by Joxean Koret.
- Improvements to the fidelity of the ClamAV pattern matcher, an issue reported by Christian Blichmann.
- Opt-in collection of statistics. Statistics collected are: sizes and MD5 hashes of files, PE file section counts and section MD5 hashes, and names and counts of detected viruses. Enable statistics collection with the --enable-stats clamscan flag or StatsEnabled clamd configuration parameter.
- Improvements to ClamAV build process, unit tests, and platform support with assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman, and Dave Simonson.
- Patch by Arkadiusz Miskiewicz to improve error handling in freshclam.
- ClamAV 0.98.2 also includes miscellaneous bug fixes and documentation improvements.

Thanks to the following ClamAV community members for sending patches or reporting bugs and issues that are addressed in ClamAV 0.98.2:

Sebastian Andrzej Siewior
Scott Kitterman
Joxean Koret
Arkadiusz Miskiewicz
Dave Simonson
Maarten Broekman
Christian Blichmann

--
REGARDING OPENSSL

In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two.

You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here.
[clamav-users] ClamAV 0.98.2
ClamAV Community,

As some of you may have noticed, ClamAV 0.98.2 has been pulled down from the site temporarily due to unforeseen issues. More news will be forthcoming and it should be fixed soon.

Thanks for your patience in the meantime.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
[clamav-users] ClamAV®: ClamAV 0.98.3 has been released!
http://blog.clamav.net/2014/05/clamav-0983-has-been-released.html

ClamAV 0.98.3 has been released, and is available here: http://sourceforge.net/projects/clamav/files/clamav/0.98.3/, below are the highlighted changes and fixes from this release!

0.98.3
--
Here are the new features and improvements in ClamAV 0.98.3:

- Support for common raw disk image formats using 512 byte sectors, specifically GPT, APM, and MBR partitioning.
- Experimental support of OpenIOC files. ClamAV will now extract file hashes from OpenIOC files residing in the signature database location, and generate ClamAV hash signatures. ClamAV uses no other OpenIOC features at this time. No OpenIOC files will be delivered through freshclam. See openioc.org and iocbucket.com for additional information about OpenIOC.
- All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop) now support IPV6 addresses and configuration parameters.
- Use OpenSSL file hash functions for improved performance. OpenSSL is now prerequisite software for ClamAV 0.98.3.
- Improved detection of malware scripts within image files. Issue reported by Maarten Broekman.
- Change to circumvent possible denial of service when processing icons within specially crafted PE files. Icon limits are now in place with corresponding clamd and clamscan configuration parameters. This issue was reported by Joxean Koret.
- Improvements to the fidelity of the ClamAV pattern matcher, an issue reported by Christian Blichmann.
- Opt-in collection of statistics. Statistics collected are: sizes and MD5 hashes of files, PE file section counts and section MD5 hashes, and names and counts of detected viruses. Enable statistics collection with the --enable-stats clamscan flag or StatsEnabled clamd configuration parameter.
- Improvements to ClamAV build process, unit tests, and platform support with assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman, and Dave Simonson.
- Patch by Arkadiusz Miskiewicz to improve error handling in freshclam.
- ClamAV 0.98.3 also includes miscellaneous bug fixes and documentation improvements.

Thanks to the following ClamAV community members for sending patches or reporting bugs and issues that are addressed in ClamAV 0.98.3:

Sebastian Andrzej Siewior
Scott Kitterman
Joxean Koret
Arkadiusz Miskiewicz
Dave Simonson
Maarten Broekman
Christian Blichmann

--
REGARDING OPENSSL

In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two.

You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here.
Re: [clamav-users] Clamav is not finding any viruses
We exchange samples with many groups, companies, and people. Bringing in over 650,000 unique samples a day. Which highlights the understaffed issue.

--
Joel Esler
Sent from my iPhone

On May 9, 2014, at 4:59, Al Varnell alvarn...@mac.com wrote:

Thorvald,

Just another user here, but I don’t understand why you would be surprised by this. Are you under the impression that Kaspersky shares its samples with anybody else? As far as I know, the only way the ClamAV® team would have a sample is if one of us users submitted it to them or it was provided to them by VirusTotal. I looked on VirusTotal.com and was not able to locate a Kaspersky (or any other scanner) identification by that name.

I’m also under the impression that the ClamAV® signature team is overworked and understaffed, even though they have taken steps recently to improve that situation.

Any time I find a situation such as this, I submit the samples to VirusTotal to validate my findings and if confirmed to the ClamAV® submit a file site.

-Al-
--
Al Varnell
Mountain View, CA

On May 9, 2014, at 1:28 AM, Thorvald Hallvardsson thorvald.hallvards...@gmail.com wrote:

Hi,

The virus I'm looking at in particular is Trojan.Win32.Yakes.elfb. That's how Kaspersky finds it and calls it. It was submitted on the 20th July 2011 so it's quite old. After applying SaneSecurity databases the virus still cannot be found. I tried to scan a ZIP file - no virus found. I tried to scan the extracted file - no virus found. Tested that file with NOD32 and Kaspersky - they both shout there is a virus. So I'm quite surprised such old stuff is not found by clamav :(.

Regards,
TH

On 8 May 2014 19:20, Steve Basford steveb_cla...@sanesecurity.com wrote:

On Thu, May 8, 2014 5:47 pm, Kris Deugau wrote:

I have been adding MD5 signatures, and somewhat more recently, .zmd .zip-content-filename signatures (for doubled-extension files), but I do not have time to dig more deeply and create more general signatures.

-kgd

Hi,

You could add sanesecurity.com signatures:

phish.ndb: has some simple zip heuristics to block some of these
rogue.hdb: updated hourly for malware received

Foxhole can be added to block all double extensions in zips *or* all dangerous attachments in Zips/rar/7zip: sanesecurity.com/foxhole-databases/

Just in case it helps..

Cheers,
Steve
Sanesecurity
Re: [clamav-users] Version 0.98.3 fails on Solaris
On May 8, 2014, at 12:50 PM, Dennis Peterson denni...@inetnw.com wrote:

On 5/8/14, 9:00 AM, Dennis Peterson wrote:

On 5/8/14, 8:23 AM, Shawn Webb wrote:

Hey Martin,

Is there a way you can get to me main.cvd.broken? I'm wondering if the change to OpenSSL for hashing has somehow changed parsing CVDs and CLDs on big-endian machines running Solaris. I thoroughly tested the code on a sparc64 machine (an old SunFire 280r) running FreeBSD 9.2 successfully.

To help me debug the issue: what version of OpenSSL do you have installed? Can you give me the output of the clamdconf command (preferably to a pastebin service)? Can you give me (again, pastebin) the output of your config.log?

I can install Solaris on this sparc64 machine as early as next week.

Thanks,
Shawn

Are we to understand Sourcefire does not have a proper Solaris Sparc environment for testing ClamAV products?

dp

My point in asking is I have three Sparc systems (Ultra 10, Ultra 2 dual proc, and Netra X1) that are going to a landfill if I don't find a home for them. All are in perfect working condition. I'll split the shipping cost (US only) if you're interested. OS not included.

Understood. I’ll talk to the guys to see if we have a home for them in the lab. We’re currently planning on the expansion of our lab, so it’s a possibility.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
Re: [clamav-users] Support question.
On May 12, 2014, at 2:57 PM, Al Varnell alvarn...@mac.com wrote:

On Mon, May 12, 2014 at 11:41 AM, J MCN wrote:

Hello,

I am writing with a question about the EOL policy here: https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-eol.md

I have a few 0.97.7 instances still out there and the wording in the EOL has me wondering if they are technically unsupported. Is the 0.97 branch still supported? Maybe the question is better asked: Is 0.98 currently the only supported major branch?

There was an announcement made here on March 28th, “ClamAV 0.95 Engine End of Life Announcement” http://www.clamav.net/2014/03/28/. I would infer that 0.96 and above are still supported.

Don’t forget the last section of the above post: “We will also be EOL’ing 0.96 in coming months, so if either of those versions is currently in use, it is highly suggested that you upgrade to the most current version.”

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
Re: [clamav-users] Version 0.98.3 fails on Solaris
On May 13, 2014, at 4:24 AM, Al Varnell alvarn...@mac.com wrote:

On Tue, May 13, 2014 at 01:04 AM, James Lee wrote:

(Please don't top post.)

Please leave moderation functions to the moderators. There could possibly be a rule preventing it, but I’m unaware of any and there are examples in this thread of Sourcefire contributors top posting. For technical lists, it’s often preferred in order to retain all details.

There is no requirement to bottom post (even though I think it to be better). I say, if a thread is already in bottom-post mode, keep doing it. Otherwise, whatever. This is not something to argue about I guess.

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team
Re: [clamav-users] ClamAv updates not being published properly?
Thanks all. We'll take a look!

-- Joel Esler Sent from my iPhone

On May 28, 2014, at 6:34, Jim Popovitch jim...@gmail.com wrote:

On Wed, May 28, 2014 at 4:39 AM, Randal, Phil phil.ran...@hoopleltd.co.uk wrote:

Oops, left off the latest version of patterns - 19041, allegedly, yet we're stuck on 19037.

Same here. DNS says 19037 is the latest:

~$ dig +short txt current.cvd.clamav.net
0.98.3:55:19037:1401269340:1:63:41971:241

-Jim P.
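The TXT record quoted above is what freshclam consults before downloading anything, so the quickest way to tell whether a host is merely stuck on an old database or whether the advertised version itself is stale is to compare the local CVD header with that record. The following is an added example, not code from this thread or from the ClamAV project. It parses the TXT record exactly as quoted in the thread and a constructed daily.cvd header in the documented 512-byte layout (ClamAV-VDB:build date:version:signature count:functionality level:MD5:digital signature:builder:build time). Field positions 1 to 3 of the TXT record (engine version, main, daily) are the documented ones; the positions I use for safebrowsing and bytecode are an assumption taken from how freshclam reads the record.

```python
"""Compare local ClamAV database versions with the current.cvd.clamav.net TXT record."""
from dataclasses import dataclass

# `dig +short txt current.cvd.clamav.net` output as quoted in the thread.
SAMPLE_TXT = "0.98.3:55:19037:1401269340:1:63:41971:241"

# Constructed daily.cvd header (not a real file) carrying the version the
# posters were stuck on. Real headers are the first 512 bytes of the .cvd/.cld.
SAMPLE_DAILY_HEADER = (
    "ClamAV-VDB:28 May 2014 06-09 -0400:19037:1234567:78:"
    "d41d8cd98f00b204e9800998ecf8427e:not-a-real-signature:sample-builder:1401269340"
).ljust(512).encode("ascii")


@dataclass(frozen=True)
class Advertised:
    clamav: str
    main: int
    daily: int
    safebrowsing: int
    bytecode: int


def parse_txt_record(txt: str) -> Advertised:
    """Split the colon-separated TXT record into the versions it advertises."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError(f"unexpected TXT record layout: {txt!r}")
    return Advertised(
        clamav=fields[0],
        main=int(fields[1]),
        daily=int(fields[2]),
        safebrowsing=int(fields[6]),  # assumption: position used by freshclam
        bytecode=int(fields[7]),      # assumption: position used by freshclam
    )


def parse_cvd_header(header: bytes) -> dict:
    """Parse the 512-byte text header at the start of a .cvd/.cld file."""
    text = header[:512].decode("ascii", errors="replace").rstrip(" \x00")
    parts = text.split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 9:
        raise ValueError("not a ClamAV CVD/CLD header")
    return {
        "build_date": parts[1],
        "version": int(parts[2]),
        "signatures": int(parts[3]),
        "flevel": int(parts[4]),
        "md5": parts[5],
        "builder": parts[7],
    }


def database_lag(local_version: int, advertised_version: int) -> int:
    """How many releases the local database is behind (0 when current)."""
    return max(0, advertised_version - local_version)


def check_database(db_name: str, header: bytes, txt: str) -> dict:
    """Report local vs advertised version for 'main', 'daily' or 'bytecode'."""
    advertised = getattr(parse_txt_record(txt), db_name)
    local = parse_cvd_header(header)["version"]
    return {"db": db_name, "local": local, "advertised": advertised,
            "lag": database_lag(local, advertised)}


if __name__ == "__main__":
    import sys
    # Usage: python cvd_check.py [/var/lib/clamav/daily.cvd] ["<TXT record>"]
    hdr = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else SAMPLE_DAILY_HEADER
    rec = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_TXT
    print(check_database("daily", hdr, rec))
```

Run against the sample data it reports a lag of 0, which is exactly the situation in the thread: the host is not behind, the DNS record simply had not moved to 19041 yet. Feeding it a real header and a fresh dig result separates the two cases without guessing.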
Re: [clamav-users] Bitcoin : Chainstate : Virii
Thanks Ellan. What is your question here?

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team

On Jun 10, 2014, at 10:49 AM, ellanios82 ellanio...@gmail.com wrote:

Hello List i notice link : https://bitcointalk.org/index.php?topic=574691.0 notice remarks :

Just tell your antivirus program to ignore the folder /Users/username/Library/Application Support/Bitcoin

This is a huge mistake! Just imagine: an unknown virus downloads some viruses to this directory. The folder is ignored by the virus scanner, so _valid_ viruses are not recognized, they can do whatever they want to do. And you do not realize that your wallet is stolen. So the devs should somehow handle this! Elbandi

The 'devs' can't handle this as the signatures are part of the blockchain. And they're there to stay. .. regards Ellan
Re: [clamav-users] Bitcoin : Chainstate : Virii [SEC=UNOFFICIAL]
He’s been unsubscribed.

On Jun 10, 2014, at 6:57 PM, Alan Langley alan.lang...@naa.gov.au wrote:

UNOFFICIAL

Hi Joel, I've tried a couple of times to unsubscribe from the clamav-users list as it is no longer required - I'm still receiving the emails - I thought you might have the power to remove my address from the list. Cheers Alan Langley Systems Administrator, Storage, Backup and Recovery ICT Infrastructure Support and Systems Executive and Information Services Room 32 Mitchell

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net On Behalf Of Joel Esler (jesler)
Sent: Wednesday, 11 June 2014 8:52 AM
To: ClamAV users ML
Subject: Re: [clamav-users] Bitcoin : Chainstate : Virii
[clamav-users] ClamAV®: ClamAV 0.98.4 has been released!
http://blog.clamav.net/2014/06/clamav-0984-has-been-released.html

ClamAV 0.98.4 has been released! The ClamAV team is pleased to announce the release of ClamAV 0.98.4! Below are the release notes for 0.98.4:

0.98.4
--
ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:
- Various build problems on Solaris, OpenBSD, AIX.
- Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database.
- Infinite loop in clamdscan when clamd is not running.
- Freshclam failure on Solaris 10.
- Buffer underruns when handling multi-part MIME email attachments.
- Configuration of OpenSSL on various platforms.
- Name collisions on Ubuntu 14.04, Debian sid, and Slackware 14.1.
- Linking issues with libclamunrar

Thanks to the following individuals for testing, writing patches, and initiating quality improvements in this release: Tuomo Soini, Scott Kitterman, Jim Klimov, Curtis Smith, Steve Basford, Martin Preen, Lars Hecking, Stuart Henderson, Ismail Paruk, Larry Rosenbaum, Dave Simonson, Sebastian Andrzej Siewior

The newest release can be downloaded from the following link: http://www.clamav.net/download/sources

Please download this release, and provide us any feedback on our mailing lists: http://www.clamav.net/lang/en/ml/

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team
Re: [clamav-users] FN with unknown virus attachment
Thanks Alex, We'll have a look.

-- Joel Esler Sent from my iPhone

On Jun 21, 2014, at 9:00, Alex mysqlstud...@gmail.com wrote:

Hi, I'm using clamav-0.98.4 on fedora20 with the sanesecurity and safebrowsing sigs and still seeing an unknown virus pass through our systems. I've submitted it to the clamav false-negative upload, but haven't received a response, and 24hrs later it's still not being tagged. I was hoping someone could help me identify it and determine the risk. I'm in the process of building a win7 test vm, but haven't been able to otherwise safely open the Word doc attachment yet. It appears to contain a Word macro and an embedded link. Any ideas greatly appreciated. Please let me know if you want me to forward this to you directly or need more information. http://pastebin.com/5UuGrbXt Thanks, Alex
Re: [clamav-users] Bad detection rate
Always, as a reminder, we have the ClamAV Community sigs list, to which anyone in the world can submit signatures to us, which we’ll put through the system and they’ll go out in the official list. http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team

On Jun 23, 2014, at 2:00 PM, Dennis Peterson denni...@inetnw.com wrote:

Quick dump of found signature results: ClamAV vs Basford et al

Unofficial sigs, total:
grep UNOFFICIAL clam* |wc -l
174

Unofficial Sane Security sigs found:
grep Sanesecur.*FOUND clam* |wc -l
141

Official ClamAV sigs found:
grep FOUND clam* |grep -c -v UNOFFICIAL
10

Non-Sanesecurity unofficial sigs found:
grep UNOFFICIAL clam* |grep -v Sanesecurity |awk '{print $8}' |sort |uniq -c |sort -rn
7 winnow.spam.ts.stock.4.UNOFFICIAL
7 ScamNailer.Phish.info_AT_un.org.UNOFFICIAL
3 winnow.spam.ts.miscspam.843424.UNOFFICIAL
3 winnow.malware.m0.malware.863749.UNOFFICIAL
2 winnow.spam.ts.yahoo.1.UNOFFICIAL
2 winnow.spam.ts.miscspam.848859.UNOFFICIAL
2 ScamNailer.Phish.info_AT_uk-lotto.co.uk.UNOFFICIAL
1 winnow.spam.ts.photoeditting.12.UNOFFICIAL
1 winnow.spam.ts.miscspam.842244.UNOFFICIAL
1 ScamNailer.Phish.test_AT_test.com.UNOFFICIAL
1 ScamNailer.Phish.neyland_AT_gonzaga.edu.UNOFFICIAL
1 ScamNailer.Phish.info_AT_loan.com.UNOFFICIAL
1 ScamNailer.Phish.info_AT_it.org.UNOFFICIAL
1 ScamNailer.Phish.fedmail_AT_fedmail.prime-vendor.com.UNOFFICIAL
33

Good job, Steve.

On 6/23/14, 10:36 AM, Steve Basford wrote:

On Mon, June 23, 2014 4:47 pm, Walter Bürger wrote:

This morning I submitted the file Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe (MD5 ad690be247dda635781e20887fcac0e7) on virustotal.com. 4 out of 54 scanners detected a virus (NOD32 named it Win32/Kryptik.CFAE) but ClamAV did not detect it.

Hi Walter, This was added to phish.ndb: Sanesecurity.Malware.23787.ZipHeur Added: 23 Jun 2014 09:32:40 UT Cheers, Steve Sanesecurity.com
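The grep/awk pipeline above answers the question every admin running third-party databases eventually asks: of everything clamscan caught, how much came from the official set and how much from each unofficial feed? The following is an added example, not code from Dennis's post or from the ClamAV project. It does the same tally over clamscan/clamdscan `<path>: <signature> FOUND` lines, using the `.UNOFFICIAL` suffix that third-party databases carry and the first dotted component of the signature name (Sanesecurity, winnow, ScamNailer) as the feed. The log lines and the official-looking signature names in them are constructed for the example.

```python
"""Tally clamscan FOUND lines by signature source (official vs unofficial feeds)."""
import re
from collections import Counter

# Constructed clamscan output, modelled on the thread's signature names.
SAMPLE_LOG = """\
/var/mail/quarantine/msg001: Sanesecurity.Malware.23787.ZipHeur.UNOFFICIAL FOUND
/var/mail/quarantine/msg002: winnow.spam.ts.stock.4.UNOFFICIAL FOUND
/var/mail/quarantine/msg003: ScamNailer.Phish.info_AT_un.org.UNOFFICIAL FOUND
/var/mail/quarantine/msg004: Win.Trojan.Sample-1 FOUND
/var/mail/quarantine/msg005: winnow.spam.ts.stock.4.UNOFFICIAL FOUND
/var/mail/quarantine/msg006: OK
/var/mail/quarantine/msg007: Sanesecurity.Phishing.Cur.1.UNOFFICIAL FOUND
/var/mail/quarantine/msg008: PUA.Win.Packer.Sample-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 7
"""

# clamscan prints one "<path>: <signature> FOUND" line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found(log_text: str) -> list:
    """Return (path, signature) for every FOUND line; everything else is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def signature_source(sig: str) -> str:
    """'official' for ClamAV's own names, otherwise the feed prefix of an .UNOFFICIAL name."""
    if not sig.endswith(".UNOFFICIAL"):
        return "official"
    return sig.split(".", 1)[0]


def summarize(log_text: str) -> dict:
    """Counts equivalent to the grep | wc -l and awk | sort | uniq -c pipelines."""
    hits = parse_found(log_text)
    sigs = [sig for _, sig in hits]
    unofficial = [s for s in sigs if s.endswith(".UNOFFICIAL")]
    return {
        "total": len(sigs),
        "official": len(sigs) - len(unofficial),
        "unofficial": len(unofficial),
        "by_source": Counter(signature_source(s) for s in sigs),
        "by_sig": Counter(sigs),
        "non_sanesecurity_unofficial": Counter(
            s for s in unofficial if not s.startswith("Sanesecurity.")),
    }


def report(summary: dict) -> str:
    """Render the tally the way `uniq -c | sort -rn` would, highest count first."""
    lines = [f"Total FOUND: {summary['total']}",
             f"Official: {summary['official']}",
             f"Unofficial: {summary['unofficial']}",
             "Non-Sanesecurity unofficial, most frequent first:"]
    ranked = sorted(summary["non_sanesecurity_unofficial"].items(),
                    key=lambda kv: (-kv[1], kv[0]))
    lines += [f"{n:4d} {sig}" for sig, n in ranked]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Pointing `summarize` at real logs (`open("clamscan.log").read()`) gives the same breakdown Dennis posted, and the per-feed counter is the number to watch when deciding which unofficial databases are actually earning their false-positive risk.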
Re: [clamav-users] Bad detection rate
On Jun 24, 2014, at 11:01 AM, Bowie Bailey bowie_bai...@buc.com wrote:

On 6/24/2014 9:53 AM, Walter Bürger wrote:

Hi dear ClamAV team, I submitted the same file as yesterday to virustotal.com: Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe (MD5 ad690be247dda635781e20887fcac0e7) 30 out of 54 scanners detected a virus (NOD32 named it Win32/Emotet.AA) but ClamAV did not detect it. I am just curious why ClamAV still can't detect it.

AFAIK, virustotal only uses the official signatures. Your samples were detected by a Sanesecurity unofficial signature.

Correct. Steve, If SaneSecurity wants to push the sig into the official set, you can get in touch with us at any time, which we’ll give you and your team full credit for.

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team
Re: [clamav-users] Bad detection rate
On Jun 25, 2014, at 1:40, Dennis Peterson denni...@inetnw.com wrote:

On 6/24/14, 9:16 PM, Al Varnell wrote:

That’s certainly a valid question and deserves a ClamAV® answer, but I’ll throw this comment out. The signature team has always been overwhelmed by the number of new samples it receives every day and even though the team is bigger today, so is the input. They established a third party signature contribution system a few months ago and I’m sure part of the reason is to try to reduce what is apparently a growing backlog of samples which require manual signature writing. If those with the ability to write quality signatures and contribute them to this project can do so, we will all benefit from this. I don’t blame the team for trying to promote this new means of community contributions. It would appear that Steve is in a unique position here, in that he has his own UNOFFICIAL signature databases to contribute as well as the apparent skills to write them on his own. Obviously there is a much larger user base for official set so contributions there would be of broader benefit, yet he runs his own services to the community. Something he’ll need to consider and decide on his own. Just my two cents. -Al- Al Varnell Mountain View, CA

I don't blame them either but the arrangement is that of peers. Why set some of them up as unofficial? Why put a limit on the very resource (2 submissions per day) that people need to make the product useful? Run all the submitted signatures through the same QA process and stamp them official. Create a signature writer's certification test to help streamline the submission process so qualified people can include a sig with the submission. And they can answer the earlier question, How can we make the process better?

If people, Steve or others want to submit to the official list, they are more than welcome. We'll receive it, QA it like we do ours, and ship it in the official set, with attribution. It's not a problem.

There's an artificial limitation (not really a restriction on uploads) because we have people, all the time, that want to send us, say 100,000 samples. Well, submitting those all through the interface would be a bit tiresome :). So if people are going to submit a bunch of samples we ask them to get in touch with us and we can handle that differently.

The certification is not a bad idea. We do it internally, and I know we have discussed it internally for external people as well. Alain can probably comment better on this, but I know he's worked with a couple people to teach them the more advanced sigs, and those people generate content.

It wouldn't hurt to have a youtube video that shows admins how to generate simple day 0 check sum sigs that they can deploy locally while waiting for a Cisco/SourceFire signature. In fact the submission process generates a checksum that just needs to be captured to a file.

We're currently doing a major overhaul to several of the backend systems on ClamAV. One is ClamAV.net itself. We do have training somewhere on how to write signatures. I don't know if we have the recording anymore, maybe I can get Alain to re-teach it. But if there are people out there interested in writing sigs for ClamAV, by all means, let's do this. Steve, if you want to submit some, a few, all, (I know you have several feeds) whatever, to the official db, let's do this. Joel
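The "simple day 0 checksum sigs" Dennis describes are ClamAV hash signatures: one line of `HashString:FileSize:MalwareName` in a `.hdb` file (MD5) or, on ClamAV 0.98 and later, a `.hsb` file (SHA-1 or SHA-256). Dropping such a file into the database directory next to main.cvd makes clamd block that exact sample locally while an official signature is pending. The following is an added example, not ClamAV's own tooling (the project ships `sigtool --md5` and `sigtool --sha256` for this); it builds and verifies such lines and appends them to a local database file without duplicating entries. The sample bytes and the signature name are constructed, and the database path in the usage line is an assumed location.

```python
"""Build local ClamAV hash signatures (.hdb / .hsb lines) for a sample."""
import hashlib
import os
import re

# ClamAV signature names: keep to a conservative character set.
_SIGNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed stand-in for a submitted file; not real malware, just bytes
# with a PE-like prefix so the example has something to hash.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"constructed stand-in for a submitted sample\n"
)


def _check_name(name: str) -> None:
    if not _SIGNAME_RE.match(name):
        raise ValueError(f"invalid signature name: {name!r}")


def hdb_line(data: bytes, name: str) -> str:
    """MD5:size:name line for a .hdb file (whole-file MD5 signature)."""
    _check_name(name)
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hsb_line(data: bytes, name: str) -> str:
    """SHA-256:size:name line for a .hsb file (same layout, stronger hash)."""
    _check_name(name)
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


def verify_hash_line(line: str, data: bytes) -> bool:
    """Recompute the digest and size from `data` and compare with `line`."""
    digest, size, _name = line.strip().split(":", 2)
    algo = {32: hashlib.md5, 64: hashlib.sha256}.get(len(digest))
    if algo is None or not size.isdigit():
        return False
    return int(size) == len(data) and algo(data).hexdigest() == digest.lower()


def signature_lines_for_file(path: str, name: str) -> dict:
    """Both line flavours for a file on disk, keyed by database extension."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"hdb": hdb_line(data, name), "hsb": hsb_line(data, name)}


def append_signature(db_path: str, line: str) -> bool:
    """Append `line` to the local database unless it is already there.

    Returns True when the line was written. Deduplication matters because
    clamd refuses to load a database that contains malformed or repeated
    entries in some versions, so keep the file clean.
    """
    existing = set()
    if os.path.exists(db_path):
        with open(db_path, "r", encoding="ascii") as fh:
            existing = {l.strip() for l in fh if l.strip()}
    if line in existing:
        return False
    with open(db_path, "a", encoding="ascii") as fh:
        fh.write(line + "\n")
    return True


if __name__ == "__main__":
    # Usage: python localsig.py <sample file> <Signature.Name>
    import sys
    if len(sys.argv) == 3:
        lines = signature_lines_for_file(sys.argv[1], sys.argv[2])
        # assumed local database location; adjust to your DatabaseDirectory
        print("written:", append_signature("/var/lib/clamav/local.hsb", lines["hsb"]))
    else:
        print(hdb_line(CONSTRUCTED_SAMPLE, "Local.Day0.Sample-1"))
```

Prefer the `.hsb` form where the engine supports it; an MD5 whole-file hash still blocks the identical sample, but it is trivially evaded by a one-byte change either way, which is why these lines are a stopgap until a real signature ships. After adding a line, `clamscan -d /var/lib/clamav/local.hsb <sample>` confirms it loads and matches before clamd is reloaded.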
Re: [clamav-users] Bad detection rate
On Jun 25, 2014, at 2:34, Al Varnell alvarn...@mac.com wrote:

Tue, Jun 24, 2014 at 10:40 PM, Dennis Peterson wrote:

It wouldn't hurt to have a youtube video that shows admins how to generate simple day 0 check sum sigs that they can deploy locally while waiting for a Cisco/SourceFire signature. In fact the submission process generates a checksum that just needs to be captured to a file.

Good point and FYI Mark Allan has implemented exactly that process to provide such a quick-turnaround capability for all ClamXav users (currently 65 additional signatures). Unfortunately I haven’t noticed a single one of them replaced by an official signature yet.

Same goes for Mark. Mark, you want to submit them to official? Let's do this.
Re: [clamav-users] Bad detection rate
On Jun 25, 2014, at 0:17, Al Varnell alvarn...@mac.com wrote:

The signature team has always been overwhelmed by the number of new samples it receives every day and even though the team is bigger today, so is the input.

Right. We have several people working on malware full time. But we receive well over 650,000 samples a day. We build and ship all this stuff for free. We love it when the community contributes. It's for the benefit of all.

They established a third party signature contribution system a few months ago and I’m sure part of the reason is to try to reduce what is apparently a growing backlog of samples which require manual signature writing. If those with the ability to write quality signatures and contribute them to this project can do so, we will all benefit from this. I don’t blame the team for trying to promote this new means of community contributions.

Thank you Al. Building a community to solve a problem is important. That's what this whole open source thing is supposed to be about. It's not just that the software is free, it's so that everyone can participate.

It would appear that Steve is in a unique position here, in that he has his own UNOFFICIAL signature databases to contribute as well as the apparent skills to write them on his own. Obviously there is a much larger user base for official set so contributions there would be of broader benefit, yet he runs his own services to the community. Something he’ll need to consider and decide on his own.

We'd love it if Steve wanted to do it. I've never reached out to him individually, but I'd be glad to have the conversation! Joel
Re: [clamav-users] Malformed database?
On Jun 25, 2014, at 5:22, Steve Basford steveb_cla...@sanesecurity.com wrote:

On Wed, June 25, 2014 9:57 am, Paul Smith wrote:

Using ClamAV 0.97.2, since yesterday's update Freshclam gives this when trying to download a fresh database:

Hi Paul, Much newer binaries here (0.98.4), does it work ok with this version... http://sourceforge.net/projects/clamav/files/clamav/win32/0.98.4/

Agreed that version is EOL. We haven't supported that in a long time.
Re: [clamav-users] Malformed database?
On Jun 25, 2014, at 7:15 AM, Paul Smith p...@pscs.co.uk wrote:

Oh? The FAQ says that the latest two major versions (0.97 and 0.98 ?) are tested against the DB, so it should work as far as I can see.

You’re right. I’m sorry. My brain must have transposed “0.97.2” to “0.92.7”
Re: [clamav-users] Bad detection rate
On Jun 25, 2014, at 4:23 AM, Walter Bürger walter.buer...@arscons.de wrote:

bestellung_9AF6AAE4.exe (MD5 186a1745b54467fa168309da93960df4) 18 out of 54 scanners detected a trojan (F-Secure named it Trojan.Injector.AWD) but ClamAV did not detect it. I submitted both files to http://www.clamav.net/lang/en/sendvirus/submit-malware

And I submitted the same file as yesterday and the day before yesterday to virustotal.com: Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe (MD5 ad690be247dda635781e20887fcac0e7)

Are you sure you submitted these files? We don’t have them.

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team
Re: [clamav-users] Reporting false positives fails
Thank you for bringing it to our attention Michael, I’ll take a look.

On Jun 27, 2014, at 1:49 PM, Michael Graham mgra...@bloxx.com wrote:

I think google is linking to an old version of the page. I googled clamav report and clicked the top link: http://cgi.clamav.net/sendvirus.cgi But if I go to the website and follow the links I end up at: http://www.clamav.net/lang/en/sendvirus/submit-fp/ Perhaps someone maintaining the website can redirect the old link to the right place? http://www.clamav.net/lang/en/sendvirus/ ? Thanks,

On Fri, 2014-06-27 at 10:40 -0700, Al Varnell wrote:

You are right, it did just disappear, but your results are still strange. -Al-

On Fri, Jun 27, 2014 at 10:36 AM, Michael Graham wrote:

On Fri, 2014-06-27 at 13:30 -0400, Michael Graham wrote:

I'm trying to report a bunch of suspected false positives to HTML.Exploit.CVE_2014_0322 which are being detected but the website just rejects it because it's already detected as a Virus (which is kind of the point Mr buggy website!).

Seems like that signature has just been removed... so nevermind I guess ;) Cheers,

-- Michael Graham mgra...@bloxx.com
Re: [clamav-users] Win.Trojan.Zwangi-432 / Osx.Exploit.CVE_2006_0848 / PHP.Shell-29
On Jul 8, 2014, at 5:11, DUCARROZ Birgit birgit.ducar...@unifr.ch wrote:

Platform: You mean the platform where clamav is installed, not the platform the virus is for, just?

Yes. The platform where ClamAV is.

What do you mean I must attach with raw message? The output of the virus-scan? Or the file containing the virus (or false positive)?

If it's an email, please attach the whole thing. If it's a malware, attach the malware.
[clamav-users] ClamAV®: ClamAV 0.98.5 beta has been posted!
ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing! http://blog.clamav.net/2014/07/clamav-0985-beta-has-been-posted.html

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team
[clamav-users] ClamAV®: Compiling OpenSSL For Windows
Compiling OpenSSL For Windows

In order to support more advanced features planned in future releases, ClamAV has switched to using OpenSSL for hashing. The ClamAV Visual Studio project included with ClamAV's source code requires the OpenSSL distributables to be placed in a specific directory. This article will teach you how to compile OpenSSL on a Microsoft Windows system and how to link ClamAV against OpenSSL.

Read More here: http://blog.clamav.net/2014/07/compiling-openssl-for-windows.html

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team
[clamav-users] ClamAV®: ClamAV 0.96 Engine End of Life Announcement
http://blog.clamav.net/2014/07/clamav-096-engine-end-of-life.html

ClamAV 0.96 Engine End of Life Announcement

ClamAV Community, This notice is to inform you that effective immediately ClamAV 0.96 (and all minor versions) is no longer supported in accordance with ClamAV's EOL policy which can be found here: https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-eol.md

While the current CVDs being distributed will still work on ClamAV 0.96, we are enabling the functionality to actually make those versions no longer be able to update. There is detection that we have written that cannot be shipped to the 0.96 branch.

Thank you for using ClamAV!
Re: [clamav-users] false positive sample
On Aug 22, 2014, at 8:24 PM, Dan McDaniel d...@dm3.us wrote:

On Fri 22.Aug.14 15:36, Al Varnell wrote:

On Aug 22, 2014, at 3:26 PM, Dan McDaniel d...@dm3.us wrote:

I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?

Providing the MD5 of the submitted file will allow the team to locate it quickly.

md5sum: 04f34a0597ab21ce25f4fc6bc84cc5d4

I see this on the server side and the hash is assigned to an analyst to take a look.

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos
Re: [clamav-users] false positive sample
On Aug 22, 2014, at 6:44 PM, Daniel Quintiliani d...@runbox.com wrote:

On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel d...@dm3.us wrote:

I submitted a false positive awhile ago -- probably back in May. It hasn't been fixed yet. Should I submit it again? Also, on the web form when submitting false positives there is a check-box that says notify me. It would seem to imply that you might get some kind of notification when your sample had been processed, but I have never received any notification for any of the samples I've submitted. What is that check-box for?

I don't know what's going on. It seems that ever since the Cisco buyout the quality of ClamAV has disintegrated really fast. I am always submitting samples from my email and blog spam to VirusTotal, ClamAV, and CRDF. VirusTotal often shows tons of failures, often more than half of the major antivirus products but never ClamAV, and then I submit to CRDF, who do their own automated VirusTotal scans and mark them as malware right away. ClamAV, however, marks them clean for weeks (unless you use CRDF's signatures) and often they are never marked malware. In fact, I have a list of MD5s of 600 MB worth of malware from a game hack site spammed to my blogs. I sent e-mails to ClamAV saying I had the MD5s and files but received no response. I wound up deleting the files because only two were marked as malware, and by CRDF's signatures, not by ClamAV's. (I still have the MD5s list if anyone wants me to post it on the message board) Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.

I’d disagree here. In fact, we’ve only added to the team since the Cisco purchase.

We’re currently working on a better way to report false positives, so hopefully we’ll see some resolution to the issue soon, but by all means, if you have FP reports, please report them via the website and we’ll take a look at the issue. As far as reports of new malware, again, the website is the best place to send them, however, for bulk uploads, like the website says, it’s best to contact us.

Where did you send emails to us that we missed? Maybe we’re having a server problem that I haven’t seen yet and we need to get that fixed.

If people would like to contribute their own signatures to the ruleset, we’d be happy to take a look at that as well: http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

-- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos
[clamav-users] ClamAV®: The new ClamAV.net is here!
http://blog.clamav.net/2014/08/the-new-clamavnet-is-here.html

For the past several months we've been working diligently on a complete refresh of several Open Source websites, designs and logos. The first website we rolled out a refresh of was Snort.org back in June. At the same time, we've been working hard on ClamAV.net (http://www.clamav.net/). When the ClamAV project was acquired in 2003 by Sourcefire (now a part of Cisco), we retained the original website and hosting provider the website was built on, but we took this opportunity to start from scratch. As with Snort.org, this wasn't just a facelift for the website, this was a complete rewrite. Much of the content you are looking for is the same, for instance the virus submission forms are still on the site, but we've built some improvements:

* Simple Navigation: Much like we tried to do with Snort.org, almost all content on ClamAV.net is one or two clicks away.
* Faster: Not only is the site faster to load on the browser, but it is less load on the server side too.
* Documentation: We now dynamically load the ClamAV FAQ from Github onto the site. If someone would like to contribute to the FAQ, they may do so by submitting a pull request (at https://github.com/vrtadmin/clamav-faq), which, once accepted, will be rendered on the main clamav.net site for all to see.
* Elimination of dead links and pages

We really hope that you enjoy the new ClamAV.net, and are looking forward to hearing your feedback at vrt...@cisco.com! Please take a look at the new website over at: http://www.clamav.net
Re: [clamav-users] False positive for sure
That's a PUA alert. That's not on by default.

-- Joel Esler Sent from my iPhone

On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote:

Greetings; This report from last nights clamscan is absolutely a false positive:

/home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND

Cheers, Gene Heskett

-- There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Genes Web page http://geneslinuxbox.net:6309/gene US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
Re: [clamav-users] ClamAV®: The new ClamAV.net is here!
Ed, Thanks, we’ll have a look.

On Sep 2, 2014, at 2:18 PM, Ed Christiansen MS edwa...@ll.mit.edu wrote:

You might want to fix the website. When I click on the red text source code on the download page and then the big red download source button I still get the clamav-0.98.4-win32.msi which isn't very useful for any of my unix flavors.

On 8/31/2014 6:35 AM, Alessandro Vesely wrote:

On Tue 26/Aug/2014 20:56:27 +0200 Joel Esler (jesler) wrote:

http://blog.clamav.net/2014/08/the-new-clamavnet-is-here.html

Thanks for that web site refurbishing. But let me note a couple of points about the mailing list:

*No DKIM signature*. In some cases there is an author DKIM signature, which is broken by the mailing list massaging, as usual. Adding DKIM signatures might help deliverability, but watch out for senders with strong DMARC policies.

*Broken SPF record*. The relevant records are

lists.clamav.net. IN TXT v=spf1 mx a -all
                  IN A 198.148.79.53

There is no MX record, which causes SPF verifications to fail; given how the mx mechanism works, I'd suggest to just remove it from the SPF record. The A suffices if the list sends out from that address only. To tolerate relaying from different 198.148.79.53/32 addresses as well as some 3rd party forwarders, you may want to consider something like:

lists.clamav.net. IN TXT v=spf1 a ~exists:%{ir}.list.dnswl.org -all

Last and least, I understand your stance toward top-posting, Joel, but would appreciate if you can manage to configure your own mailer to apply Internet style quoting ('> ') so as to improve your replies' readability. Thank you for your commitment and dedication Ale
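When a list's SPF record is under discussion it helps to be able to walk the mechanisms by hand against the DNS data rather than reason about them in prose. The following is an added example, not code from Alessandro's post or from the ClamAV project: a small SPF evaluator in the spirit of RFC 7208 that takes its DNS answers from a dictionary so it runs offline. It implements only the mechanisms that appear in the records quoted above (`mx`, `a`, `ip4`, `all`) and reports `permerror` for anything else, including the `exists:` mechanism with macros, which it deliberately does not implement. The DNS data is constructed around the quoted records (TXT `v=spf1 mx a -all`, A 198.148.79.53, no MX); the second data set with an MX host is invented to show the `mx` path matching.

```python
"""Evaluate a simple SPF record (mx, a, ip4, all) against a sending IP, offline."""
import ipaddress

# Constructed DNS answers modelled on the records quoted in the thread.
SAMPLE_DNS = {
    "lists.clamav.net": {
        "TXT": ["v=spf1 mx a -all"],
        "A": ["198.148.79.53"],
        "MX": [],          # the post notes there is no MX record
    },
}

# Invented variant with an MX host, to exercise the mx mechanism.
SAMPLE_DNS_WITH_MX = {
    "lists.example.net": {"TXT": ["v=spf1 mx -all"], "MX": ["mx.example.net"]},
    "mx.example.net": {"A": ["192.0.2.25"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_records(dns: dict, name: str) -> list:
    return dns.get(name, {}).get("A", [])


def spf_record(dns: dict, domain: str):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in dns.get(domain, {}).get("TXT", []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def evaluate_spf(domain: str, sender_ip: str, dns: dict) -> str:
    """Walk the record left to right; the first matching mechanism decides."""
    record = spf_record(dns, domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            # a: sender IP equals an A record of the (optionally named) domain
            matched = any(ipaddress.ip_address(a) == ip
                          for a in _a_records(dns, arg or domain))
        elif mech == "mx":
            # mx: sender IP equals an A record of any MX host; with no MX
            # records the mechanism simply matches nothing
            hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(ipaddress.ip_address(a) == ip
                          for host in hosts for a in _a_records(dns, host))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            # include:, exists:, macros and CIDR suffixes are out of scope here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("198.148.79.53", "203.0.113.7"):
        print(ip, evaluate_spf("lists.clamav.net", ip, SAMPLE_DNS))
```

Against the quoted record, mail from 198.148.79.53 passes on the `a` mechanism and anything else hits `-all`; the evaluator makes that visible for any candidate relay address before a record change is published. For production checks use a full implementation such as pyspf, which handles `include:`, `exists:` and macro expansion that this example refuses with `permerror`.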
Re: [clamav-users] Where can I download the daily.cvd and main.cvd files
On Sep 9, 2014, at 1:44 PM, Leonardo Rodrigues leolis...@solutti.com.br wrote:

On 09/09/14 14:28, McCarthy, John D. wrote:

A million thanks. This is what I needed. Many of my systems do not connect to the internet. This should be noted in an obvious place on the webpage where users can get the files. I suspect this will be a hot issue for the users who have not been to the site in a month.

The links are there on the download section of the site !!!

http://www.clamav.net/download.html

"If this is not viable, you may use these direct download links: main.cvd | daily.cvd | bytecode.cvd" (and the filenames linked to the URLs)

yes, we have them there, but we do not want to keep them there. We’d much rather that people set up a local mirror (private mirror) to allow one machine that does have Internet access to download them from our mirror infrastructure, and you can distribute it from your machine. We don’t want people downloading them directly from our local mirror.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Warning in ClamAV update process
On Sep 11, 2014, at 5:10 AM, Tommy Berglund to...@fam-berglund.eu wrote:

On 2014-09-11 09:59, Al Varnell wrote:

On Thu, Sep 11, 2014 at 12:27 AM, Tommy Berglund wrote:

I always get these warnings and it is always ip 192.121.13.5. Any way to avoid these warnings?

That mirror appears to be located in Sweden. Depending on where in the world you are located, you _might_ see improvement by changing the following in freshclam.conf:

Yes I live in Sweden, have tried with Database Mirror db.se.clamav.net and it gets the same results. Always the same server that gives error, maybe not available anymore.

Question for ClamAV® team. Have you done away with the Mirror Status page? (was http://www.clamav.net/mirrors.html) I used it quite often to troubleshoot issues such as this one.

I get error 404 for this page http://www.clamav.net/mirrors.html perhaps also not available anymore.

The mirrors page and the stats page we’re working on (phase 2) for the site. We have a different way we’re going to be displaying the stats and mirrors, and it isn’t ready yet. Sorry for the inconvenience for anyone affected.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Warning in ClamAV update process
On Sep 11, 2014, at 7:15 AM, Gene Heskett ghesk...@wdtv.com wrote:

On Thursday 11 September 2014 05:10:52 Tommy Berglund did opine And Gene did reply:

On 2014-09-11 09:59, Al Varnell wrote:

On Thu, Sep 11, 2014 at 12:27 AM, Tommy Berglund wrote:

I always get these warnings and it is always ip 192.121.13.5. Any way to avoid these warnings?

That mirror appears to be located in Sweden. Depending on where in the world you are located, you _might_ see improvement by changing the following in freshclam.conf:

Yes I live in Sweden, have tried with Database Mirror db.se.clamav.net and it gets the same results. Always the same server that gives error, maybe not available anymore.

Question for ClamAV® team. Have you done away with the Mirror Status page? (was http://www.clamav.net/mirrors.html) I used it quite often to troubleshoot issues such as this one.

I get error 404 for this page http://www.clamav.net/mirrors.html perhaps also not available anymore.

Thanks Al for your answers!

I also am getting a 404, but the rotating red devils head graphic is a new image to me. Since it's a giant version of the same image at http://www.clamav.net/contact.html#ml, I have to assume that the mirrors.html file is missing from the clamav.net server.

Well, it doesn’t exist on the new server. I just answered this in another thread as well, but this page (and the stats page) weren’t ready for the new site yet. We’re still working on it.

It looks to me as if the left hand is not communicating with the right hand, and is systematically trying to destroy clamav. We expect that from M$, but your new management does not seem to be on the same page as its users have been for years.

I don’t think there is anyone “systematically trying to destroy clamav”, and take issue with that statement. What can I do better to communicate to you? My statistics on usage and downloads don’t illustrate what you are complaining about, so what can I do to make it better for you?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Warning in ClamAV update process
On Sep 11, 2014, at 4:36 PM, Bowie Bailey bowie_bai...@buc.com wrote:

On 9/11/2014 4:25 PM, Joel Esler (jesler) wrote:

On Sep 11, 2014, at 7:15 AM, Gene Heskett ghesk...@wdtv.com wrote:

On Thursday 11 September 2014 05:10:52 Tommy Berglund did opine And Gene did reply:

On 2014-09-11 09:59, Al Varnell wrote:

On Thu, Sep 11, 2014 at 12:27 AM, Tommy Berglund wrote:

I always get these warnings and it is always ip 192.121.13.5. Any way to avoid these warnings?

That mirror appears to be located in Sweden. Depending on where in the world you are located, you _might_ see improvement by changing the following in freshclam.conf:

Yes I live in Sweden, have tried with Database Mirror db.se.clamav.net and it gets the same results. Always the same server that gives error, maybe not available anymore.

Question for ClamAV® team. Have you done away with the Mirror Status page? (was http://www.clamav.net/mirrors.html) I used it quite often to troubleshoot issues such as this one.

I get error 404 for this page http://www.clamav.net/mirrors.html perhaps also not available anymore.

Thanks Al for your answers!

I also am getting a 404, but the rotating red devils head graphic is a new image to me. Since it's a giant version of the same image at http://www.clamav.net/contact.html#ml, I have to assume that the mirrors.html file is missing from the clamav.net server.

Well, it doesn’t exist on the new server. I just answered this in another thread as well, but this page (and the stats page) weren’t ready for the new site yet. We’re still working on it.

It looks to me as if the left hand is not communicating with the right hand, and is systematically trying to destroy clamav. We expect that from M$, but your new management does not seem to be on the same page as its users have been for years.

I don’t think there is anyone “systematically trying to destroy clamav”, and take issue with that statement. What can I do better to communicate to you? My statistics on usage and downloads don’t illustrate what you are complaining about, so what can I do to make it better for you?

Step one would be fixing your email program so that it properly marks quoted text. Your replies are getting mixed in with the quoted text so that we can't tell where the quote ends and your response begins. Take a look above. There are comments from Gene Heskett, Tommy Berglund, Al Varnell, and yourself. Can you tell who is saying what?

Yeah, beta email client. :)
Re: [clamav-users] daily.cvd file.
Georges, You should be using the freshclam tool provided with ClamAV to download updates from our mirror infrastructure.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 15, 2014, at 2:03 PM, Volcy, Georges georges.vo...@pseg.com wrote:

I've been unable to find and download daily.cvd files on the clamav.net site. I wanted to know if clamav is no longer providing the daily.cvd files. I'm still running clamav version 0.97.

Thanks,
Georges Volcy
SCADA Engineer - EMS
PSEG Long Island
CNI - EMS Provisioning Support
(516) 545-4481 (Desk)
(516) 492-9773 (Cell)
(516) 545-4064 (Office)

Note: As of January 1, 2014, my email address is now georges.vo...@pseg.com

The information contained in this e-mail, including any attachment(s), is intended solely for use by the named addressee(s). If you are not the intended recipient, or a person designated as responsible for delivering such messages to the intended recipient, you are not authorized to disclose, copy, distribute or retain this message, in whole or in part, without written authorization from PSEG. This e-mail may contain proprietary, confidential or privileged information. If you have received this message in error, please notify the sender immediately. This notice is included in all e-mail messages leaving PSEG. Thank you for your cooperation.
Re: [clamav-users] daily.cvd file.
Correct. We plan on removing these after teaching people how to set up their own private mirror.

On Sep 15, 2014, at 2:07 PM, Ed Christiansen MS edwa...@ll.mit.edu wrote:

They hide them really really well - like they don't want you to know they are there.

http://www.clamav.net/index.html - Download

Under the text that loudly proclaims "Set Up Freshclam" there is, in very light unassuming grey text: main.cvd | daily.cvd | bytecode.cvd

On 9/15/2014 2:03 PM, Volcy, Georges wrote:

I've been unable to find and download daily.cvd files on the clamav.net site. I wanted to know if clamav is no longer providing the daily.cvd files. I'm still running clamav version 0.97.

Thanks,
Georges Volcy
Re: [clamav-users] daily.cvd file.
The CVD is updated roughly every four hours. Chances are, you are getting a new one ;)

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 16, 2014, at 3:10 PM, Volcy, Georges georges.vo...@pseg.com wrote:

Thank you so much for your help! Very much appreciated!

Thanks!
Georges Volcy

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Ed Christiansen LX
Sent: Tuesday, September 16, 2014 1:28
To: ClamAV users ML
Subject: Re: [clamav-users] daily.cvd file.

here you go. These extract the info from the files. You will have to unwrap them however.

    head -1 main.cvd | cut -c1-100 | awk -F: '{split($2,d," "); printf "ClamAV main.cvd %s %s %s, version %s, total %s\n", d[1], d[2], d[3], $3, $4}'
    head -1 daily.cvd | cut -c1-100 | awk -F: '{split($2,d," "); printf "ClamAV daily.cvd %s %s %s, version %s, total %s\n", d[1], d[2], d[3], $3, $4}'

The output looks like this:

    ClamAV main.cvd 17 Sep 2013, version 55, total 2424225
    ClamAV daily.cvd 15 Sep 2014, version 19367, total 1099036

On 9/16/2014 1:07 PM, Volcy, Georges wrote:

I did notice the daily.cvd, however it no longer says what day it was released. I'm also installing the daily.cvd file to a server that is on an isolated system with no access to the internet. Also, I'm uploading the daily.cvd, bytecode.cvd, and main.cvd to a server with a hardened firmware and can only obtain new clamav engine version through that company's firmware update. I guess my main question is how can I tell if I'm downloading a new .cvd file.

Thanks,
Georges Volcy

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Joel Esler (jesler)
Sent: Monday, September 15, 2014 4:10
To: ClamAV users ML
Subject: Re: [clamav-users] daily.cvd file.

Correct. We plan on removing these after teaching people how to set up their own private mirror.

On Sep 15, 2014, at 2:07 PM, Ed Christiansen MS edwa...@ll.mit.edu wrote:

They hide them really really well - like they don't want you to know they are there.

http://www.clamav.net/index.html - Download

Under the text that loudly proclaims "Set Up Freshclam" there is, in very light unassuming grey text: main.cvd | daily.cvd | bytecode.cvd

On 9/15/2014 2:03 PM, Volcy, Georges wrote:

I've been unable to find and download daily.cvd files on the clamav.net site. I wanted to know if clamav is no longer providing the daily.cvd files. I'm still running clamav version 0.97.

Thanks,
Georges Volcy
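Ed's awk pipeline reads the same fields a program can parse directly. The following is an added example, not code from the thread or from ClamAV: it parses the 512-byte text header at the start of a .cvd/.cld file (magic, build date, version, signature count, required functionality level, MD5, digital signature, builder, build time) and answers Georges's question by comparing the version of a downloaded file with the installed one, plus the functionality-level check that matters when the engine on the isolated host cannot be upgraded. The sample headers are constructed from the two output lines in Ed's message; their functionality levels, MD5, signature, builder and build-time fields are placeholders, and the digital signature is not verified here.

```python
"""Read the text header of a ClamAV .cvd/.cld file and compare versions.

Added example, not code from the mailing-list thread or from ClamAV. The
first 512 bytes of a .cvd are one colon-separated ASCII line:
  ClamAV-VDB:<build date>:<version>:<signatures>:<functionality level>
            :<md5>:<dsig>:<builder>:<build time>
The digital signature field is extracted but NOT verified here; freshclam
does that when it installs a database.
"""
from collections import namedtuple
from datetime import datetime

HEADER_LEN = 512  # the header is padded to exactly 512 bytes

CvdHeader = namedtuple(
    "CvdHeader",
    "build_date version signatures functionality_level md5 dsig builder build_time",
)


def parse_cvd_header(data):
    """Parse the 512-byte header; raise ValueError if it is not a CVD header."""
    raw = bytes(data[:HEADER_LEN])
    if not raw.startswith(b"ClamAV-VDB:"):
        raise ValueError("not a ClamAV-VDB header")
    fields = raw.rstrip(b"\0 \r\n").decode("ascii", "replace").split(":")
    if len(fields) < 9:
        raise ValueError("expected 9 header fields, got %d" % len(fields))
    # The date looks like "17 Sep 2013 10-14 -0400" (hour-minute joined by a dash).
    build_date = datetime.strptime(fields[1], "%d %b %Y %H-%M %z")
    return CvdHeader(
        build_date=build_date,
        version=int(fields[2]),
        signatures=int(fields[3]),
        functionality_level=int(fields[4]),
        md5=fields[5],
        dsig=fields[6],
        builder=fields[7],
        build_time=int(fields[8]),
    )


def read_cvd_header(path):
    """Parse the header of a .cvd/.cld file on disk."""
    with open(path, "rb") as fh:
        return parse_cvd_header(fh.read(HEADER_LEN))


def describe(name, hdr):
    """Produce the same one-line summary the awk pipeline in the thread prints."""
    return "ClamAV %s %s, version %d, total %d" % (
        name, hdr.build_date.strftime("%d %b %Y"), hdr.version, hdr.signatures)


def is_newer(candidate, installed):
    """True if the downloaded database supersedes the installed one (by version)."""
    return candidate.version > installed.version


def needs_newer_engine(hdr, engine_flevel):
    """True if the engine's functionality level is too low to load this database."""
    return hdr.functionality_level > engine_flevel


# Constructed sample headers: dates, versions and totals match the two
# output lines shown in the thread; every other field is a placeholder.
MAIN_HDR = (b"ClamAV-VDB:17 Sep 2013 10-14 -0400:55:2424225:60:"
            b"PLACEHOLDER_MD5:PLACEHOLDER_DSIG:builder:1379427240").ljust(HEADER_LEN, b"\0")
DAILY_HDR = (b"ClamAV-VDB:15 Sep 2014 11-22 -0400:19367:1099036:63:"
             b"PLACEHOLDER_MD5:PLACEHOLDER_DSIG:builder:1410794520").ljust(HEADER_LEN, b"\0")
# A constructed older daily, standing in for what is already installed
# on the isolated host.
OLD_DAILY_HDR = (b"ClamAV-VDB:10 Sep 2014 09-05 -0400:19356:1098800:63:"
                 b"PLACEHOLDER_MD5:PLACEHOLDER_DSIG:builder:1410354300").ljust(HEADER_LEN, b"\0")

if __name__ == "__main__":
    main_hdr = parse_cvd_header(MAIN_HDR)
    new_daily = parse_cvd_header(DAILY_HDR)
    old_daily = parse_cvd_header(OLD_DAILY_HDR)
    print(describe("main.cvd", main_hdr))
    print(describe("daily.cvd", new_daily))
    print("downloaded daily.cvd is newer than installed:", is_newer(new_daily, old_daily))
    print("daily.cvd needs an engine above flevel 60:", needs_newer_engine(new_daily, 60))
```

Replace the constructed headers with read_cvd_header("daily.cvd") on the download host and on the isolated host to make the same comparison against real files.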
Re: [clamav-users] Daily.cvd file
On Sep 18, 2014, at 1:39 AM, Al Varnell alvarn...@mac.com wrote:

On Sep 17, 2014, at 9:59 PM, Paul Kosinski cla...@iment.com wrote:

I'm running ClamAV 0.98.4, yet when I built it the main.cvd file was from 17 Sep 2013 (now a year old!), and the daily.cvd files have been about 28 MB each. Even though I have been running a local mirror on our LAN for years now, it's really annoying that the daily.cvd files are so big. When ClamAV was independent, every new release had an updated main.cvd, and the daily.cvd files were of modest size. Now the whole 0.98.x series has the same main.cvd, and the daily.cvds keep getting bigger. The immediately previous main.cvd, in the 0.97.x series, was shipped with 0.97.3 and was dated Oct 2011.

You are not remembering correctly. That may have been true a decade ago, but for the last half dozen years or so the main stayed the same for every new release and was only updated when it was more efficient to update it than to continue downloading large daily’s. I seem to recall that the last update was late and that there was approximately a year between updates in earlier days, but even that varied.

You may be correct in that it’s time for another update, but since it mostly impacts the load on network servers and not you and other clients, that’s something the team will need to analyze and decide.

All is correct here. I’ll check with the team of when the “rollover” will take place, as this has a substantial impact on the mirror infrastructure, we have to let the mirrors know before we do it. As you can imagine, the 7M+ users of ClamAV all downloading a main.cvd from a mirror is quite heavy on bandwidth if you aren’t expecting it.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] daily.cvd vs main.cvd
We use rsync to move the cvd’s out to the mirrors. Using freshclam to get it from the mirrors is the preferred method. Unless you want to donate the time and resources (and bandwidth) to become a mirror.

On Sep 18, 2014, at 6:28 PM, Al Varnell alvarn...@mac.com wrote:

OK, so I’m a bit confused by this. I realize that many of us have different approaches to updating the database, due to different circumstances in network access, etc., but why are you downloading daily.cvd five times a day instead of using freshclam to incrementally update as recommended to all users, if bandwidth is such an important resource to you? It certainly has a negative impact to the mirror network if many users are doing this routinely. When the main.cvd is updated it will be an incremental update resulting in a significantly larger main.cld in the database for most users. In a separate thread we were told this week that at some point the daily.cvd would not be routinely available to end users. How is the freshclam approach any different from using rsync to you?

-Al-

On Thu, Sep 18, 2014 at 02:53 PM, Paul Kosinski wrote:

On Thu, 18 Sep 2014 12:00:00 -0400 Joel Esler wrote:

You are not remembering correctly. That may have been true a decade ago, but for the last half dozen years or so the main stayed the same for every new release and was only updated when it was more efficient to update it than to continue downloading large daily’s. I seem to recall that the last update was late and that there was approximately a year between updates in earlier days, but even that varied.

According to our backup records (see below), in the 2 year period from April 2008 to April 2010, there were *7* different main.cvd files (at least), or more often than one every two releases (see below).

You may be correct in that it's time for another update, but since it mostly impacts the load on network servers and not you and other clients, that’s something the team will need to analyze and decide.

All is correct here. I'll check with the team of when the 'rollover' will take place, as this has a substantial impact on the mirror infrastructure, we have to let the mirrors know before we do it. As you can imagine, the 7M+ users of ClamAV all downloading a main.cvd from a mirror is quite heavy on bandwidth if you aren’t expecting it.

I don't know exactly how big a new main.cvd file would be, but even if it were as big as the current main.cvd (62 MB) *plus* the current daily.cvd (28 MB) taken together, it would still be only 90 MB, which is significantly less than the 140 MB for the 5 updates to the daily.cvd file downloaded in one 24 hour period this week.

Paul Kosinski

P.S. Maybe it's time for an 'rsync' or 'drpm' approach for daily.cvd?

From our records of CLAMAV files backed up:

    0.93    -rw-r--r-- 1 clamav clamav 13050207 Apr 15  2008 main.cvd
    0.93.1  -rw-r--r-- 1 clamav clamav 13050207 Jun 10  2008 main.cvd.080610-2315
    0.93.2  -rw-r--r-- 1 clamav clamav 15200793 Jul 12  2008 main.cvd.080712-1625
    0.94    -rw-r--r-- 1 clamav clamav 15200793 Sep  6  2008 main.cvd.orig
            -rw-r--r-- 1 clamav clamav 17457430 Sep  4  2008 main.cvd.080904-1709
    0.94.1  -rw-r--r-- 1 clamav clamav 18462921 Nov  7  2008 main.cvd
    0.94.2  -rw-r--r-- 1 clamav clamav 18462921 Nov 28  2008 main.cvd.081128-2131
    0.95    -rw-r--r-- 1 clamav clamav 20091559 Mar 26  2009 main.cvd
    0.95.1  -rw-r--r-- 1 clamav clamav 20091559 Apr 10  2009 main.cvd.090410-2321
    0.95.2  -rw-r--r-- 1 clamav clamav 21253696 May 14  2009 main.cvd
    0.95.3  -rw-r--r-- 1 clamav clamav 21253696 May 14  2009 main.cvd.090514-1231
    0.96    -rw-r--r-- 1 clamav clamav 22906487 Apr  3  2010 main.cvd
    0.96.1  -rw-r--r-- 1 clamav clamav 22906487 Apr  3  2010 main.cvd
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 7:19 AM, Tim Smith randomd...@gmail.com wrote:

Hi,

Over the last 24-48 hours, I submitted a number of email attachments. RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them ! All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . Looking forward to hearing the reasons why !

Tim, I know someone contacted you offlist, however, for the sake of the community — We receive about 1.1M samples a day here. If you submit something, and is more than just a casual submission, maybe you need something covered right away. We are always open to a little poke with the md5/sha256 so we can look at what you submitted. We love the feedback from our users, and always look forward to a constructive dialog.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 5:12 PM, Dennis Peterson denni...@inetnw.com wrote:

On 10/3/14 8:10:24AM, Mark Allan wrote:

On 3 Oct 2014, at 03:39 pm, Gene Heskett ghesk...@wdtv.com wrote:

On Friday 03 October 2014 07:19:13 Tim Smith did opine

Over the last 24-48 hours, I submitted a number of email attachments. RAR files that contained viruses. Running one or two of them through VirusTotal today, I see ClamAV have *STILL* not managed to produce virus definitions for them ! All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor . Looking forward to hearing the reasons why !

Perhaps you should consider submitting them in a compressed file format that is NOT proprietary to apple and which carries a per seat license fee?

Cheers, Gene Heskett

I'll admit that Tim's email rather reeked of entitlement, but Gene's response is just confusing and wrong. Yes, the RAR file format is proprietary, but not to Apple - it was a Russian named Eugene Roshal (Roshal ARchive hence RAR) who came up with it and the licence is only required for creating files of that format; software to extract RAR files is free. Also, ClamAV already contains code to unRAR these archives.

Anyway, I digress from the original question. The reason it takes time to generate signatures from files/samples which are contributed by users is that the signatures are still generated manually by humans, most of whom have other jobs and unless I'm mistaken are therefore giving their time voluntarily. I've always found the turnaround time to be pretty good actually, especially for free software.

Mark

From http://www.unrarlib.org/faq.html

Q: Do you know that the license for the unrar sources from RARLab is not compatible with the GNU Public license?

A: Yes, this is true. But we have the permission from Eugene Roshal to release unrarlib 0.4.0 under GPL and unrarlib-license. Note: this doesn't mean that RAR is free now or you can use the unrar source from RARlabs under GPL. You are just allowed to use UniquE RAR File Library version 0.4.0 (unrarlib 0.4.0) under GPL.

A lot of people avoid RAR as a result.

We have issues with some distributions, as they don’t want to build that feature in (because of the license) or don’t build Clam into the distribution at all because of this exclusion.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 3, 2014, at 5:16 PM, Dennis Peterson denni...@inetnw.com wrote:

On 10/3/14 2:11:15PM, Charles Swiger wrote:

On Oct 3, 2014, at 1:54 PM, Leonardo Rodrigues leolis...@solutti.com.br wrote:

On 03/10/14 08:19, Tim Smith wrote:

All of the commercial vendors I submitted the samples to had analysed and created samples in timeframes ranging from hours to one day. At this rate I'm going to be dumping ClamAV from my systems and subscribing to a service from a commercial vendor .

are you really trying to compare response times from PAID solutions to the free/community maintained ones

Assuming this wasn't a rhetorical question, the answer is pretty clearly: yes. So what? I would expect that an expensive A/V solution should do better than ClamAV does for free. Frankly, it's a credit to the ClamAV team that their offering provides significant value for the price

Regards,

ClamAV also gives each of us tools to provide a Day Zero response to a threat. Our responsibility to our users (for those of us who have them) is to take advantage of that tool set.

Well said Dennis. The other part of the equation is that we are always open to accepting the signatures and protection generated by our users for the greater good via our community signatures mailing list. http://www.clamav.net/contact.html#ml

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On Oct 6, 2014, at 10:21 AM, Tim Smith randomd...@gmail.com wrote:

but call paid prebuilt software always better is not correct, but mostly just marketing

What rubbish... ClamAV always lags behind the commercial vendors in any comparative you wish to mention. The majority of well established vendors will also do a better job of detecting and pushing out definitions as it seems that ClamAV is reactive, not proactive on the definitions front ….

Incorrect. For instance, just one of our signatures may catch tens of thousands of samples. We can malware when it arrives, and if we catch the “new” piece of malware with an already present signature, we assign the new piece of malware to the already present signature. For instance, I just went into our internal interface, and picked the first “prior detect” on my list, and it has 94 pieces of malware assigned to it. You can actually see some of the de-duplicated ones if you subscribe to the clamav-virusdb mailing list. We don’t list them all in there, because frankly it’d be too large of an email to send out. So only particular malware “Senders” are there. Just because we don’t detect the piece of malware that you found, doesn’t mean we aren’t proactive.

What other av product can you make your own virus signatures with, not useful, hmm

You don't need to when they've got a decent set of analysts who are on the ball and push out new definitions quickly ! F-Secure, Sophos, Kaspersky and others all had coverage already of this virus.

Those companies also have hundreds of analysts dedicated to the problem. We don’t have hundreds.

Seriously, why should I mess around with creating virus signatures, it's a waste of my time.

That’s kind of the point of a community open-source project.

Evangelising over how wonderful open-source anti-virus is is great but if you're severely lagging on pushing out virus definitions then it very quickly removes the attractiveness of the product. 80% of people using your open-source project won't have the knowledge, time or inclination to hack together their own virus definitions ….

We try to make it very simple for people to do it, in fact, we include tools for people to be able to do it.

I'm off to sign up with one of the well established software vendors.

We’re sorry to see you go. We try to offer a good service, for free, to the community in order to make the internet, just a little bit safer. We’ll understand if you’d like a refund. ;)

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On 6 October 2014 14:55, Benny Pedersen m...@junc.eu wrote:

On October 6, 2014 3:37:34 PM Tim Smith randomd...@gmail.com wrote:

are you really trying to compare response times from PAID solutions to the free/community maintained ones ?

Of course not, the paid solutions will always be better.

Dream on, my commodore 64 is the best 8bit computer ever not needing antivirus at all, restarting it cleans any virus for free, sorry could not resist

But three days to get some definitions pushed out for a zero-day is a bit on the slow side, you must agree !

You are free to define opensource as you wish, but call paid prebuilt software always better is not correct, but mostly just marketing

What other av product can you make your own virus signatures with, not useful, hmm
[clamav-users] ClamAV® blog: ClamAV 0.95.5rc1 is now available for download!
http://blog.clamav.net/2014/10/clamav-0955rc1-is-now-available-for.html

ClamAV 0.95.5rc1 is now available for download!

ClamAV 0.95.5rc1 is now available for download. Shown below are the notes for this release:

ClamAV 0.98.5 also includes these new features:

- Support for the XDP file format and extracting, decoding, and scanning PDF files within XDP files.
- Addition of shared library support for LLVM versions 3.1 - 3.4 for the purpose of just-in-time (JIT) compilation of ClamAV bytecode signatures. Andreas Cadhalpun submitted the patch implementing this support.
- Enhancements to the clambc command line utility to assist ClamAV bytecode signature authors by providing introspection into compiled bytecode programs.
- Resolution of many of the warning messages from ClamAV compilation.
- Bug fixes and other feature enhancements. See Changelog or git log for details.

Thanks to the following ClamAV community members for code submissions and bug reporting included in ClamAV 0.98.5:

Andreas Cadhalpun
Sebastian Andrzej Siewior

The RC is available for download from: http://www.clamav.net/download.html under the Development Releases section.

Please download, test, and provide feedback to the team here: http://lists.clamav.net/mailman/listinfo/clamav-users

--
The ClamAV team (http://www.clamav.net/about.html#credits)
Re: [clamav-users] ClamAV® blog: ClamAV 0.98.5rc1 is now available for download!
An error on my part.. This should read 0.98.5-rc1, not 95.5-rc1. Corrected:

ClamAV 0.98.5-rc1 is now available for download!

ClamAV 0.98.5-rc1 is now available for download. Shown below are the notes for this release:

ClamAV 0.98.5 also includes these new features:

- Support for the XDP file format and extracting, decoding, and scanning PDF files within XDP files.
- Addition of shared library support for LLVM versions 3.1 - 3.4 for the purpose of just-in-time (JIT) compilation of ClamAV bytecode signatures. Andreas Cadhalpun submitted the patch implementing this support.
- Enhancements to the clambc command line utility to assist ClamAV bytecode signature authors by providing introspection into compiled bytecode programs.
- Resolution of many of the warning messages from ClamAV compilation.
- Bug fixes and other feature enhancements. See Changelog or git log for details.

Thanks to the following ClamAV community members for code submissions and bug reporting included in ClamAV 0.98.5:

Andreas Cadhalpun
Sebastian Andrzej Siewior

The RC is available for download from: http://www.clamav.net/download.html under the Development Releases section.

Please download, test, and provide feedback to the team here: http://lists.clamav.net/mailman/listinfo/clamav-users

-- 
The ClamAV team (http://www.clamav.net/about.html#credits)
Re: [clamav-users] ClamAV® blog: ClamAV 0.98.5 has been released!
Dennis,

Haha. Yes at some point. We have a roadmap for a 1.0 release.

-- 
Joel Esler
Sent from my iPhone

On Nov 19, 2014, at 2:44 AM, Dennis Peterson denni...@inetnw.com wrote:
> On 11/18/14 2:11 PM, Joel Esler (jesler) wrote:
>> http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html
>> ClamAV 0.98.5 has been released!
> Will there be a Clamav 1.0 in my lifetime? I'm pushing 70 :)
> dp
[clamav-users] Bytecode Blog Posts
We have three blog posts concerning bytecode that will be posted to the ClamAV blog over the next week. Today was the first one:

http://blog.clamav.net/2014/11/brief-re-introduction-to-clamav.html

Please take a minute to read the blog posts if bytecode is something you are interested in or use. If you have any interest in future blog posts you’d like us to produce, please feel free to email me.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] detection of really old viruses?
Al is correct here.

-- 
Joel Esler
Sent from my iPhone

On Nov 22, 2014, at 9:54 PM, Al Varnell alvarn...@mac.com wrote:
> On Sat, Nov 22, 2014 at 06:42PM, Marcel Giannelia wrote:
>> Most of the virus definitions in the cvd files don't seem to have dates associated with them (at least that I could see with sigtool), so I can't tell -- are older definitions ever dropped? That is, will clamav always be able to detect viruses from, e.g., the 1990s, or are definitions for viruses that old eventually removed from the database?
>
> AFAIK, definitions exist forever unless they have been found to cause False Positives. You can normally find the date a definition was added by searching the clamav-virusdb archive: http://lurker.clamav.net/list/clamav-virusdb.en.html
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
Re: [clamav-users] cannot find clamav-devel-latest.tar.gz anymore...
Well I imagine this probably happened when we switched from the old website to the new website. I wasn’t aware that we were producing daily builds. I’ll talk it over with the team and see if this is something we want to include on the new site.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Nov 26, 2014, at 7:42 AM, Heino Backhaus heino.backh...@fink-computer.de wrote:
> Hello List,
>
> I'm using http://www.clamav.net/snapshot/clamav-devel-latest.tar.gz as source for an automated daily upgrade script since about 10 years on 15 +x MailScanner machines and it worked perfectly (thanks for that). My problem is that this file just doesn't exist since version: ClamAV devel-20140826/19682/Wed Nov 26 06:40:34 2014. Haven't I searched hard enough?
>
> --
> With kind regards
> H. Backhaus
> Fink-Computer Systeme
> Heggrabenstr. 9, 35435 Wettenberg
> Email: heino.backh...@fink-computer.de
> Web: www.fink-computer.de
> Fax: +49-641-98444638
> Phone: +49-641-98444640
> VAT ID: DE151040770
> Commercial register: HRB 2143 Gießen
> Managing director: Fredi Fink
> “I was gratified to be able to answer promptly, and I did. I said I didn’t know.” -Mark Twain
Re: [clamav-users] cannot find clamav-devel-latest.tar.gz anymore...
I'll take a look, probably won't happen before Thanksgiving here in the US though. Most of the critical people are on vacation.

From: clamav-users [clamav-users-boun...@lists.clamav.net] on behalf of Heino Backhaus [heino.backh...@fink-computer.de]
Sent: Wednesday, November 26, 2014 9:38 AM
To: ClamAV users ML
Subject: Re: [clamav-users] cannot find clamav-devel-latest.tar.gz anymore...

I would really appreciate that ;-) Thanks for your effort.

With kind regards
H. Backhaus
Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backh...@fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Phone: +49-641-98444640
VAT ID: DE151040770
Commercial register: HRB 2143 Gießen
Managing director: Fredi Fink
"I was gratified to be able to answer promptly, and I did. I said I didn't know." -Mark Twain

On 26.11.2014 15:26, Joel Esler (jesler) wrote:
> Well I imagine this probably happened when we switched from the old website to the new website. I wasn't aware that we were producing daily builds. I'll talk it over with the team and see if this is something we want to include on the new site.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
> On Nov 26, 2014, at 7:42 AM, Heino Backhaus heino.backh...@fink-computer.de wrote:
>> Hello List,
>>
>> I'm using http://www.clamav.net/snapshot/clamav-devel-latest.tar.gz as source for an automated daily upgrade script since about 10 years on 15 +x MailScanner machines and it worked perfectly (thanks for that). My problem is that this file just doesn't exist since version: ClamAV devel-20140826/19682/Wed Nov 26 06:40:34 2014. Haven't I searched hard enough?
>>
>> --
>> With kind regards
>> H. Backhaus
>> Fink-Computer Systeme
>> Heggrabenstr. 9, 35435 Wettenberg
>> Email: heino.backh...@fink-computer.de
>> Web: www.fink-computer.de
>> Fax: +49-641-98444638
>> Phone: +49-641-98444640
>> VAT ID: DE151040770
>> Commercial register: HRB 2143 Gießen
>> Managing director: Fredi Fink
>> "I was gratified to be able to answer promptly, and I did. I said I didn't know." -Mark Twain
Re: [clamav-users] I will be out of the office starting 12-19-2014 through 12-29-2014.
I’ve disabled your email to clamav-users until you get back from vacation to keep you from sending email to the list subscribers.

Joel

On Dec 22, 2014, at 10:57 AM, Christopher Checca christopher.che...@packardtransport.com wrote:
> I will be out of the office starting 12-19-2014 through 12-29-2014. I will respond to your emails as soon as possible upon my return.
>
> Christopher Checca
> Packard Transport, Inc
> A network of U.S. and Canada owner-operators with flatbed, stepdeck, drop deck and van equipment.
> 24021 South Municipal Dr, PO Box 380, Channahon, IL. 60410
> 800 467 9260 Ext 1704
> 815 467 9260 Ext 1704
> 815 467 7433 Fax
> christopher.che...@packardtransport.com
> www.packardtransport.com
> eMail paperwork to sh...@packardtransport.com
> Need remote support? http://helpme.packardtransport.com/
> --
> Packard Logistics, Inc
> A leader in providing quality brokerage services in the U.S., Certified as Woman Business Enterprise (WBE) by California Public Utility Commission.
> 24020 S Northern Illinois Dr Unit B, PO Box 340, Channahon, IL 60410
> 800 799 9008 ext 1704
> 815 467 6768 ext 1704
> 815 467 7359 Fax
> christopher.che...@packardlogistics.com
> www.packardlogistics.com
> --
> Packard Specialized Carriers, Inc
> A nationwide network of owner-operators with RGN, flatbed and stepdeck equipment.
> 24021 South Municipal Dr, PO Box 840, Channahon, IL. 60410
> 800 369 1373 Ext 1704
> 815 467 7433 Fax
> christopher.che...@packardspecialized.com
> www.packardspecialized.com
> eMail paperwork to sh...@packardspecialized.com
> --
> Elwood Cartage
> Midwest Regional Intermodal Services
> 24441 W Eames St Suite 100, Channahon, IL. 60410
> 815 255 2219
> 815 828 5233 Fax
> christopher.che...@elwoodcartage.com
> www.elwoodcartage.com
Re: [clamav-users] detection of really old viruses?
Naresh,

Please do not reply to every thread on the ClamAV list asking for help. Have you looked at the documentation page on ClamAV.net http://clamav.net/?

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Dec 31, 2014, at 12:36 AM, naresh hcu nareshhc...@gmail.com wrote:
> Respected Sir/Madam,
>
> Could you tell me step-wise how to install stable version 0.98.5 from source code in ubuntu???
>
> ---
> Naresh
>
> On Sun, Nov 23, 2014 at 10:02 AM, Marcel Giannelia i...@skeena.net wrote:
>> On Sat, 22 Nov 2014 18:53:58 -0800 Al Varnell alvarn...@mac.com wrote:
>>> AFAIK, definitions exist forever unless they have been found to cause False Positives. You can normally find the date a definition was added by searching the clamav-virusdb archive: http://lurker.clamav.net/list/clamav-virusdb.en.html
>>
>> Confirmed; e.g. searching that list for CIH (a.k.a. Chernobyl, from about 1998 or 99) shows W95.CIH-II.882 and some variants were added to the defs in about 2003. sigtool -l of the current main.cvd shows that these definitions are still present in current.
>>
>> Thanks,
>> ~Felix.
Re: [clamav-users] Which anti-virus do you prefer on Linux desktop?
I think the answer you are going to get from the ClamAV list is ClamAV.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Jan 1, 2015, at 2:22 AM, Franklin Wang franklin2...@y7mail.com wrote:
> I've tried nod32, Dr. Web, AVG, clamav (the only open source one?), comodo, F-prot on the desktop (x86_64). Why can't I find reviews for them? There're many reviews for Windows platform, but few for Linux desktop, not server. Any suggestions? I'm using openSUSE now, with rkhunter, AIDE, gpg installed.
>
> Regards,
> Franklin Wang
> --
> Skype: touch21st, Gtalk: touch21st, Yahoo/MSN: franklinwan...@yahoo.com
> Xing/Linkedin: Franklin Wang
Re: [clamav-users] clamav-virusdb on lurker
OH, I see what you are saying. Sorry about that. Let me look into this.

On Jan 26, 2015, at 6:41 AM, Walter Bürger walter.buer...@arscons.de wrote:
> Remarkable, I can see my last mail to the list on https://www.mail-archive.com/clamav-users@lists.clamav.net/msg40573.html but not on http://lurker.clamav.net/list/clamav-users.html
>
> Best regards,
> Walter.
>
> On 01/26/15 11:54, Walter Bürger wrote:
>> Hi all,
>>
>> same here: From http://lurker.clamav.net/list/clamav-virusdb.en.html I am missing: 19953 19955 19957-19961 19963-19965 19969-19970 19973 19976
>>
>> Best regards,
>> Walter.
Re: [clamav-users] clamav-virusdb on lurker
Alright, so after our awesome ops team looked into this for me, looks like we are archiving email in two places. So our current plan is to eliminate this redundancy. We are looking at what we need to fix (in terms of links, templates, etc) to move all the communication over to the mailing list archives and eliminate the separate need for “lurker”. It’s a rough sketch at this point, and it’ll take some time to find all the links that track back to lurker, so if you manage to find one, please let me know and we’ll get it taken care of.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Jan 26, 2015, at 9:19 AM, Joel Esler (jesler) jes...@cisco.com wrote:
> OH, I see what you are saying. Sorry about that. Let me look into this.
>
> On Jan 26, 2015, at 6:41 AM, Walter Bürger walter.buer...@arscons.de wrote:
>> Remarkable, I can see my last mail to the list on https://www.mail-archive.com/clamav-users@lists.clamav.net/msg40573.html but not on http://lurker.clamav.net/list/clamav-users.html
>>
>> Best regards,
>> Walter.
>>
>> On 01/26/15 11:54, Walter Bürger wrote:
>>> Hi all,
>>>
>>> same here: From http://lurker.clamav.net/list/clamav-virusdb.en.html I am missing: 19953 19955 19957-19961 19963-19965 19969-19970 19973 19976
>>>
>>> Best regards,
>>> Walter.
Re: [clamav-users] About new samples at clamav website.
Can you give me a 256 of a couple samples?

On Jan 26, 2015, at 1:08 PM, Wagner De Queiroz wagnerdequei...@gmail.com wrote:
> Dear users.
>
> I receive new viruses (Brazilian malware trojans) all day, and I submit them to clamav, but my submissions never appear in the virus list. I'd like to suggest, at the clamav page to submit files, a kind of check of the uploaded sha256 or md5sum, like the virustotal website does, to know if the submission is a new one or not, to stop the rising high number of new submissions all day and maybe better our beloved anti-virus. Maybe put an option in clamav anti-virus to check before sending new samples. When I receive a new malware sample, when it came in a .zip or .rar file, I open the .zip or .rar to expose the .exe trojan before sending it to virustotal, to check if the last clamav saw anything, before sending it to the website of clamav. My english is not good, and maybe my message can't be understood, but I have hope this email can make a difference.
>
> The links that I use to send new samples are:
> http://www.clamav.net/report/report-malware.html
> http://cgi.clamav.net/sendvirus.cgi
Re: [clamav-users] Configure Options For Minimal Install
I’ll let someone from the team chime in here, but it’s always better to come to the mailing lists than to go to Github. We’ll see it either way, but more people are here.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Jan 21, 2015, at 4:26 PM, E R ears@gmail.com wrote:
> Hi to all,
>
> I made this post over at Github, my assumption is that this is Clamav's Github? https://github.com/vrtadmin/clamav-devel/issues/14
>
> I'm trying to figure out how to compile clamav as only a stand alone scanner when needed... Any help would be appreciated.
>
> thank you
> Mii
Re: [clamav-users] Mirrors 65.19.179.67
On Feb 12, 2015, at 4:51 AM, Al Varnell alvarn...@mac.com wrote:
> I believe this has come up a few times before, but it has never been resolved. The mirror status page vanished when the new web site rolled out. It wasn’t always accurate, but at least there were some clues there. Is there any chance of its returning some day?

Yes, we have plans to do it, just differently.

> My current issue is the 65.19.179.67 mirror which has failed 18 out of 18 times over the past several months:
>
> Mirror #5
> IP: 65.19.179.67
> Successes: 0
> Failures: 18
> Last access: Wed Feb 11 18:04:23 2015
> Ignore: Yes
>
> Looks to belong to Hurricane Electric in Fremont, CA. This mirror is clearly dead and needs to be taken out of service, yet it continues to be periodically rotated in from the db.us.big.clamav.net A record list.
>
> Not a huge deal, but it still wastes time unnecessarily when updating definitions.

Thanks Al.

> -Al-
> --
> Al Varnell
> Mountain View, CA
Re: [clamav-users] I have some queries about ClamAV
I believe I emailed this privately to you. ClamAV can have the ability to quarantine an infected file if it finds one. We don’t know what you mean by the word “cure”. Can you elaborate what you mean there for the group?

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Jan 27, 2015, at 7:10 PM, Jihyun-Chang jhyun_ch...@naver.com wrote:
> Is there no one to answer me?
>
> ===
> Dear ClamAV Team,
>
> Hi~ I am a student interested in security. I found ClamAV as an Anti-virus program and it looks good to me while looking through the User-manual. I have a few questions about ClamAV. Can it be used as a cure (meaning ClamAV can fix the scanned files) or is it just a virus-scanner (meaning ClamAV cannot fix the scanned files)? It seems not mentioned in the User-manual and http://www.clamav.net/index.html. It may not have seen my eyes only :) Could you explain my request? I will be looking forward to your reply. Thanks in advance for any help.
>
> ~Chang~
>
> -----Original Message-----
> From: Jihyun-Chang jhyun_ch...@naver.com
> To: Joel Esler (jesler) jes...@cisco.com
> Cc: clamav-devel-ow...@lists.clamav.net; clamav-users-ow...@lists.clamav.net
> Sent: 2015-01-27 (Tue) 11:29:01
> Subject: Re: I have some queries about ClamAV
>
> I wrote the user list already but nobody answered my question for two weeks. I don't know why it is taking so long. Even though my question is not difficult. thanks. Best regards.
>
> -----Original Message-----
> From: Joel Esler (jesler) jes...@cisco.com
> To: Jihyun-Chang jhyun_ch...@naver.com
> Cc: clamav-devel-ow...@lists.clamav.net
> Sent: 2015. 1. 27. 11:20:20 AM
> Subject: Re: I have some queries about ClamAV
>
> You are writing the development list. You should be writing the users list unless you are contributing development code.
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Jan 26, 2015, at 9:07 PM, Jihyun-Chang jhyun_ch...@naver.com wrote:
>> can you hear me? I'm waiting for an answer from the ClamAV team since a long time ago..
>>
>> -----Original Message-----
>> From: Jihyun-Chang jhyun_ch...@naver.com
>> To: clamav-de...@lists.clamav.net
>> Cc:
>> Sent: 2015-01-22 (Thu) 17:19:18
>> Subject: I have some queries about ClamAV
>>
>> Dear ClamAV Team,
>>
>> Hi~ I am a student interested in security. I found ClamAV as an Anti-virus program and it looks good to me while looking through the User-manual. I have a few questions about ClamAV. Can it be used as a cure (meaning ClamAV can fix the scanned files) or is it just a virus-scanner (meaning ClamAV cannot fix the scanned files)? It seems not mentioned in the User-manual and http://www.clamav.net/index.html. It may not have seen my eyes only :) Could you explain my request? I will be looking forward to your reply. Thanks in advance for any help.
>>
>> ~Chang~
[clamav-users] ClamAV® blog: ClamAV 0.98.6 has been released!
http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html

ClamAV 0.98.6 is a bug fix release correcting the following:

* library shared object revisions.
* installation issues on some Mac OS X and FreeBSD platforms.
* includes a patch from Sebastian Andrzej Siewior making ClamAV pid files compatible with systemd.
* Fix a heap out of bounds condition with crafted Yoda's crypter files. This issue was discovered by Felix Groebert of the Google Security Team.
* Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team.
* Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab.
* Fix a heap out of bounds condition with crafted upack packer files. This issue was discovered by Sebastian Andrzej Siewior. CVE-2014-9328.
* Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior.

Thanks to the following ClamAV community members for code submissions and bug reporting included in ClamAV 0.98.6:

Sebastian Andrzej Siewior
Felix Groebert
Kevin Szkudlapski
Mark Pizzolato
Daniel J. Luke

Please download the latest release of ClamAV, 0.98.6, from our download page http://www.clamav.net/download.html.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] About new samples at clamav website.
Walter,

Thanks. The issue is that we receive over a million new samples a day. We prioritize those samples for analysis and detection in a number of ways, one of the ways, of course, being number of submitters. So, for example if we see 13 different places giving us the same sample, obviously the file is pretty widespread.

One of the best ways to help us is to generate your own signatures and submit those to us on the Community-sigs list. http://www.clamav.net/contact.html That way we can take the coverage, FP test it, and ship it out faster.

I'll even return in kind, after 20 submissions, I'll send you a brand new (just had them made) ClamAV Tshirt. How does that sound?

-- 
Joel Esler
Sent from my iPhone

On Jan 28, 2015, at 6:23 AM, Walter Bürger walter.buer...@arscons.de wrote:
> Hi all,
>
> I can confirm that. My samples never make it into daily. I am very frustrated about that. I use the same link to upload as Wagner, http://www.clamav.net/report/report-malware.html, enter my full name, my email, check notify me, check share this sample with other AV vendors, upload the malware file and submit the malware report. The submit procedure is successful every time as I get the http://www.clamav.net/report/success.html page every time. In the last three days I uploaded a sample, I don't know how often I uploaded it. Every day I checked if clamav could detect the virus in the sample after a new daily arrived. And every day clamav couldn't detect it. I checked on three different machines, linux, windows and openbsd.
>
> Virustotal.com says about my sample:
> SHA256: bb1e635aa88a6906473713bd49368553f49c21e885c1586742542b3fee4b405c
> Dateiname: ccp.exe
> Erkennungsrate: 42 / 57
> Analyse-Datum: 2015-01-28 09:32:11 UTC ( vor 0 Minuten )
>
> If I imagine how often this possibly happens and how many samples never make it into daily, then this could be one of the main reasons why clamav has such a terribly bad detection rate. So, what can we do to remedy the problem and make the detection rate of clamav better?
>
> Best regards,
> Walter.
>
> On 01/26/15 19:08, Wagner De Queiroz wrote:
>> Dear users.
>>
>> I receive new viruses (Brazilian malware trojans) all day, and I submit them to clamav, but my submissions never appear in the virus list. I'd like to suggest, at the clamav page to submit files, a kind of check of the uploaded sha256 or md5sum, like the virustotal website does, to know if the submission is a new one or not, to stop the rising high number of new submissions all day and maybe better our beloved anti-virus. Maybe put an option in clamav anti-virus to check before sending new samples. When I receive a new malware sample, when it came in a .zip or .rar file, I open the .zip or .rar to expose the .exe trojan before sending it to virustotal, to check if the last clamav saw anything, before sending it to the website of clamav. My english is not good, and maybe my message can't be understood, but I have hope this email can make a difference.
>>
>> The links that I use to send new samples are:
>> http://www.clamav.net/report/report-malware.html
>> http://cgi.clamav.net/sendvirus.cgi
Re: [clamav-users] Offline updates
The VirusDB files are listed on that page. However, it is highly recommended that you use freshclam to update.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Dec 3, 2014, at 1:57 AM, Pascal patate...@gmail.com wrote:
> Hi,
>
> I found this on http://www.clamav.net/doc/cvd.html :
>> * Can I download the virusdb manually?
>> Yes, the virusdb can be downloaded from the Latest releases section on our home page.
>
> But I didn't find the link on http://www.clamav.net/download.html :-( Where can I find virusdb?
>
> Thanks,
> lacsaP.
Re: [clamav-users] Which anti-virus do you prefer on Linux desktop?
On Jan 1, 2015, at 4:16 PM, andreisa...@live.ie wrote:
>> Date: Thu, 1 Jan 2015 18:27:00 +
>> From: cla...@jubileegroup.co.uk
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Which anti-virus do you prefer on Linux desktop?
>>
>> If you find any useful statistics on Linux viruses, do share them.
>
> Here are some stats. Not exactly Linux viruses, but Linux AVs.
> https://www.virusbtn.com/vb100/archive/platforms#linux

The VB100 certification is the standard for most of the AV products. Except you have to pay to submit your engine to the test. Which is why our engine is not on there. We prefer to spend our money in different areas. Not saying we’d be number one, either.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] Which anti-virus do you prefer on Linux desktop?
On Jan 1, 2015, at 1:27 PM, G.W. Haywood cla...@jubileegroup.co.uk wrote:
>> I copied a result of 'Day0 Summary' from shadowserver.org
>
> ... and unqualified statistics are worthless.

Another thing to remember is that shadowserver’s feed is not 100% malicious. So keep that in mind.

-- 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] daily.cvd out of date?
David,

I forwarded this on to the ops team for a look.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On Mar 16, 2015, at 8:51 AM, Smith, David <drsm...@fsu.edu> wrote:

> Jason,
>
> Can you PLEASE pull mirror 150.214.142.197 out of your lists??? Note the modify date on the daily.cvd
>
>     [root@rhn cron]# wget http://150.214.142.197/daily.cvd
>     --2015-03-16 08:47:15--  http://150.214.142.197/daily.cvd
>     Connecting to 150.214.142.197:80... connected.
>     HTTP request sent, awaiting response... 200 OK
>     Length: 27596102 (26M) [text/plain]
>     Saving to: `daily.cvd'
>     100%[==] 27,596,102  2.35M/s  in 13s
>     2015-03-16 08:47:29 (2.05 MB/s) - `daily.cvd' saved [27596102/27596102]
>
>     [root@rhn cron]# stat daily.cvd
>       File: `daily.cvd'
>       Size: 27596102   Blocks: 53976   IO Block: 4096   regular file
>     Device: fd00h/64768d   Inode: 1310864   Links: 1
>     Access: (0644/-rw-r--r--)  Uid: (0/root)  Gid: (0/root)
>     Access: 2015-03-16 08:47:29.0 -0400
>     Modify: 2014-08-28 13:26:00.0 -0400
>     Change: 2015-03-16 08:47:29.0 -0400
>
> WITH the Pragma: No-cache
>
>     [root@rhn cron]# wget --header="Pragma: no-cache" http://150.214.142.197/daily.cvd
>     --2015-03-16 08:49:37--  http://150.214.142.197/daily.cvd
>     Connecting to 150.214.142.197:80... connected.
>     HTTP request sent, awaiting response... 200 OK
>     Length: 27596102 (26M) [text/plain]
>     Saving to: `daily.cvd.1'
>     100%[==] 27,596,102  4.41M/s  in 7.0s
>     2015-03-16 08:49:44 (3.75 MB/s) - `daily.cvd.1' saved [27596102/27596102]
>
>     [root@rhn cron]# stat daily.cvd.1
>       File: `daily.cvd.1'
>       Size: 27596102   Blocks: 53976   IO Block: 4096   regular file
>     Device: fd00h/64768d   Inode: 1310865   Links: 1
>     Access: (0644/-rw-r--r--)  Uid: (0/root)  Gid: (0/root)
>     Access: 2015-03-16 08:49:44.0 -0400
>     Modify: 2014-08-28 13:26:00.0 -0400
>     Change: 2015-03-16 08:49:44.0 -0400
>
> Thanks!
>
> Dave Smith <drsm...@fsu.edu> (850)645-8024
> Linux Administrators <its-unixadm...@fsu.edu> (850)644-2591
> Information Technology Services
> Florida State University
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Jason Haar
> Sent: Sunday, March 1, 2015 6:29 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] daily.cvd out of date?
>
> On 27/02/15 08:49, Smith, David wrote:
> > Nope .. not yet! :)
>
> Try wget --header="Pragma: no-cache" http://database.clamav.net/daily.cvd
>
> I say that because I'm wondering if you have a transparent proxy in between you and the server, so that extra Pragma header should force the proxy to re-download it instead of feeding out of cache. If the file ends up with a newer date, then that confirms there's a proxy in between (and as a side effect should have replaced the stale cached entry - so freshclam will be happy again - at least for a short while)
>
> --
> Cheers
>
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [clamav-users] daily.cvd out of date?
Just as a follow up — After some troubleshooting, we've removed this one from the mirror pool. Thanks David.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On Mar 16, 2015, at 9:14 AM, Joel Esler (jesler) <jes...@cisco.com> wrote:

> David,
>
> I forwarded this on to the ops team for a look.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos Group
Re: [clamav-users] Unsubscribing From Update List?
I assume by update list he means the virusdb list. Which Doug linked to.

--
Joel Esler
Sent from my iPhone

On Mar 8, 2015, at 10:35 PM, Al Varnell <alvarn...@mac.com> wrote:

> That's the database list. The user list is: http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users.
>
> Sent from Janet's iPad
>
> -Al-
> --
> Al Varnell
>
> On Mar 8, 2015, at 7:32 PM, Douglas Goddard <dgodd...@sourcefire.com> wrote:
>
> > Try this page: http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-virusdb
> >
> > On Sun, Mar 8, 2015 at 10:16 PM, Shawn Reynolds <sadisticinsan...@gmx.com> wrote:
> >
> > > How do I unsubscribe from the ClamAV update list? I currently have about 80 emails of it in my inbox, and it is keeping me from important e-mails.
Re: [clamav-users] ClamXav and Compressed Files
On Mar 29, 2015, at 7:57 AM, Dennis Peterson <denni...@inetnw.com> wrote:

> On 3/29/15 4:55 AM, TR Shaw wrote:
> > On Mar 29, 2015, at 1:45 AM, Dennis Peterson <denni...@inetnw.com> wrote:
> > > On 3/28/15 10:43 PM, Jinwon Lee wrote:
> > > > Thanks for that. I guess 'Hash Value' refers to the ClamAV identifying the .dmg as a known file that contains virus/es.
> > > > Jinwon
> > >
> > > That was the case too for password protected zip files. If you can't burst the contents you condemn the wrapper.
> >
> > Not entirely complete as you can tell ClamAV to mark encrypted zip and rar's as viruses without having a sig.
>
> Many milters will do the same without invoking clamav, so that's of limited value.

A feature is a feature to someone. Not everyone finds it useful, but for the 10 people that do, it's the most important thing to them.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
Re: [clamav-users] ClamXav and Compressed Files
Dmg scanning was added a couple of versions back.

--
Joel Esler
Sent from my iPhone

On Mar 27, 2015, at 3:11 AM, Al Varnell <alvarn...@mac.com> wrote:

> On Thu, Mar 26, 2015 at 11:17PM, Dennis Peterson wrote:
> > Forgot to include dmg files are as described when mounted - else they are disk images (cpio). I don't know what the clam product does with unmounted disk images.
> >
> > dp
>
> That's correct. There have been a handful (nine) .dmg hash signatures quite awhile ago and I've handled a couple of false positives, but there is no attempt to check the image contents which would almost certainly require mounting. I believe they are simply scanned as a generic file.
>
> -Al-
>
> > On 3/26/15 11:09 PM, Dennis Peterson wrote:
> > > The dmg files are logical structures. They are comprised of Unix directories and files and clam doesn't need to treat them differently than any other directory tree. If you have support compiled in for zip, RAR, TAR, and several other archiving formats it should decompose them and scan each of the contents. You should be able to explore the log to see what clamXav did while scanning.
> > >
> > > dp
> > >
> > > On 3/26/15 10:44 PM, Jinwon Lee wrote:
> > > > Hi
> > > >
> > > > I am a new member. I am a Mac user and so I use ClamXav to scan my files. My question is: 'Does ClamXav scan what's inside Compressed files like .RAR, .zip.... and Package files like .dmg?' Because I feel ClamXav takes considerably longer to scan the extracted file/s compared to the compressed versions and wonder if it really scans them.
> > > >
> > > > Kind Regards
> > > > Jinwon
Re: [clamav-users] daily.cvd out of date?
I just did the same operation and pulled this morning's. Can you try again?

On Feb 26, 2015, at 10:50 AM, Smith, David <drsm...@fsu.edu> wrote:

> Just did a wget http://database.clamav.net/daily.cvd and am getting a daily.cvd dated Aug 28 is there something going on with the servers???
>
>     [root@SOMESERVER freshclam]# ls -la
>     total 90288
>     drwxr-xr-x 2 root root     4096 Feb 26 10:43 .
>     drwxr-xr-x 4 root root     4096 Feb 23 15:01 ..
>     -rw-r--r-- 1 root root 27596102 Aug 28 13:26 daily.cvd
>
> Thanks!
>
> Dave Smith <drsm...@fsu.edu> (850)645-8024
> Linux Administrators <its-unixadm...@fsu.edu> (850)644-2591
> Information Technology Services
> Florida State University
Re: [clamav-users] daily.cvd out of date?
Who says we don't? :) But you may be seeing different results than what we see. It's the internet.

On Feb 26, 2015, at 12:41 PM, G.W. Haywood <cla...@jubileegroup.co.uk> wrote:

> Hi there,
>
> On Thu, 26 Feb 2015, Joel Esler wrote:
> > Which mirror(s) do you suspect to be out of sync?
>
> I can't believe you haven't got an nmap script that will tell you that with a single command.
>
> --
> 73,
> Ged.
Re: [clamav-users] daily.cvd out of date?
Believe the problem has been rectified. Thank you for pointing it out.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Security Intelligence and Research Group

On Feb 26, 2015, at 12:23 PM, Smith, David <drsm...@fsu.edu> wrote:

> Looks to be database.clamav.net|150.214.142.197|:80
>
>     [root@SERVERNAME]# nslookup 150.214.142.197
>     Non-authoritative answer:
>     197.142.214.150.in-addr.arpa    name = clamav.us.es.
>
> Thanks!
>
> Dave Smith <drsm...@fsu.edu> (850)645-8024
> Linux Administrators <its-unixadm...@fsu.edu> (850)644-2591
> Information Technology Services
> Florida State University
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Anssi Johansson
> Sent: Thursday, February 26, 2015 12:22 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] daily.cvd out of date?
>
> If you do know the IP addresses of the outdated mirrors, I think that information might be very very useful in diagnosing this problem. For what it's worth, works fine here.
>
> On 26.2.2015, 18.14, Smith, David wrote:
> > Interestingly I just ran it on one more server and got the correct date... Could it be that the Mirrors at Clamav.net are out of sync?
> >
> > Thanks!
> >
> > Dave Smith <drsm...@fsu.edu> (850)645-8024
> > Linux Administrators <its-unixadm...@fsu.edu> (850)644-2591
> > Information Technology Services
> > Florida State University
> >
> > -----Original Message-----
> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Smith, David
> > Sent: Thursday, February 26, 2015 11:03 AM
> > To: ClamAV users ML
> > Subject: Re: [clamav-users] daily.cvd out of date?
> >
> > Yep, same results from three different servers
> >
> > Thanks!
> >
> > Dave Smith <drsm...@fsu.edu> (850)645-8024
> > Linux Administrators <its-unixadm...@fsu.edu> (850)644-2591
> > Information Technology Services
> > Florida State University
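The two daily.cvd threads above (this one and the March 16 follow-up) both diagnose a stale mirror from the file's modification time, which a proxy or a mirror can preserve or rewrite. A sturdier check reads the version and build time out of the CVD header itself. The following is an added example, not ClamAV project code; it assumes the layout ClamAV's .cvd files use (a 512-byte colon-separated ASCII header), and the sample headers, version numbers and signature counts are constructed. The reference version a real caller would compare against is the one freshclam learns from the current.cvd.clamav.net DNS TXT record, which the example does not fetch.

```python
"""Stale-mirror check for daily.cvd based on the CVD header, not the mtime.

Added example, not ClamAV project code.  Assumed layout (ClamAV .cvd files):
the first 512 bytes are a space-padded ASCII header of colon-separated fields
  ClamAV-VDB:<build time>:<version>:<sigs>:<func level>:<md5>:<dsig>:<builder>:<epoch>
with the build time written like "28 Aug 2014 13-26 -0400".
"""
import datetime as dt
from dataclasses import dataclass

CVD_HEADER_LEN = 512
CVD_MAGIC = "ClamAV-VDB"
CVD_TIME_FMT = "%d %b %Y %H-%M %z"


@dataclass(frozen=True)
class CvdHeader:
    build_time: dt.datetime  # timezone-aware
    version: int             # the daily.cvd version number freshclam logs
    signatures: int
    functionality_level: int
    builder: str


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the 512-byte header; raise ValueError on anything malformed."""
    if len(raw) < CVD_HEADER_LEN:
        raise ValueError(f"short header: {len(raw)} bytes, need {CVD_HEADER_LEN}")
    # Non-ASCII bytes raise UnicodeDecodeError, a ValueError subclass.
    text = raw[:CVD_HEADER_LEN].decode("ascii").rstrip(" \x00")
    fields = text.split(":")
    if len(fields) < 8 or fields[0] != CVD_MAGIC:
        raise ValueError("not a CVD header (bad magic or field count)")
    try:
        return CvdHeader(
            build_time=dt.datetime.strptime(fields[1], CVD_TIME_FMT),
            version=int(fields[2]),
            signatures=int(fields[3]),
            functionality_level=int(fields[4]),
            builder=fields[7],
        )
    except ValueError as exc:
        raise ValueError(f"malformed CVD header field: {exc}") from exc


def build_age(header: CvdHeader, now: dt.datetime) -> dt.timedelta:
    """How old the database build is at 'now' (both timezone-aware)."""
    return now - header.build_time


def is_stale(mirror_header: bytes, reference_version: int) -> bool:
    """True when the mirror's copy is older than the version freshclam expects.

    freshclam learns the current daily version from the DNS TXT record
    current.cvd.clamav.net; to keep this example offline the caller passes it.
    """
    return parse_cvd_header(mirror_header).version < reference_version


def make_cvd_header(build_time: str, version: int, signatures: int) -> bytes:
    """Constructed header for testing; the md5 and dsig fields are dummies."""
    epoch = int(dt.datetime.strptime(build_time, CVD_TIME_FMT).timestamp())
    body = ":".join([CVD_MAGIC, build_time, str(version), str(signatures), "63",
                     "0" * 32, "DUMMYSIG", "constructed-example", str(epoch)])
    return body.ljust(CVD_HEADER_LEN).encode("ascii")


# Constructed samples modelled on the thread: the Aug 28 2014 file the bad
# mirror kept serving, and a current build.  Version/sig counts are made up.
STALE_SAMPLE = make_cvd_header("28 Aug 2014 13-26 -0400", 19370, 3400000)
CURRENT_SAMPLE = make_cvd_header("16 Mar 2015 08-29 -0400", 20220, 3780000)

if __name__ == "__main__":
    import sys
    # Usage: python cvdcheck.py [/path/to/daily.cvd]; defaults to the stale sample.
    raw = open(sys.argv[1], "rb").read(CVD_HEADER_LEN) if len(sys.argv) > 1 else STALE_SAMPLE
    h = parse_cvd_header(raw)
    age = build_age(h, dt.datetime.now(dt.timezone.utc))
    print(f"daily.cvd version {h.version}, built {h.build_time:%Y-%m-%d %H:%M %z}, "
          f"{h.signatures} signatures, {age.days} days old")
    print("stale" if is_stale(raw, 20220) else "not older than reference 20220")
```

Point it at a daily.cvd fetched from a single mirror (for instance with the Pragma: no-cache wget from the thread) and a version lower than the one a known-good mirror or freshclam reports identifies the stale host without trusting timestamps.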
Re: [clamav-users] clamav-virusdb on lurker
Al,

Not sure what the issue is here. The archives are all here though: http://lists.clamav.net/pipermail/clamav-virusdb/2015-January/thread.html

There is nothing stuck in the queues, so all the emails have pushed.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Jan 22, 2015, at 10:09 PM, Al Varnell <alvarn...@mac.com> wrote:

> Looks like there is an issue with clamav-virusdb mail list updates to lurker.clamav.net. 19953 and 19955 are missing and nothing since 19956 on 1/20/2015 even though I've received all of them directly on the mail list.
>
> Footer still says to contact Luca about issues, but I know that isn't correct.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
Re: [clamav-users] Clamav jar file
What are you referring to when you say "ClamAV Jar file"?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On Apr 20, 2015, at 5:06 PM, Senthil Kumar M <reachsen...@gmail.com> wrote:

> Hi,
>
> I want to know how to get the Clamav jar file through Maven POM file. Please help me.
>
> --
> Thanks & Regards,
> Senthil Kumar Mahalingam.
[clamav-users] ClamAV® blog: ClamAV 0.98.7 has been released!
http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html

ClamAV 0.98.7 is here! This release contains new scanning features and bug fixes.

- Improvements to PDF processing: decryption, escape sequence handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-.
- Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong.
- Fix a couple of crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted xz archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by Kai Risku.
- Improve detections within xar/pkg files.

As always, we appreciate contributions of bug reports, code fixes, and sample submissions from the ClamAV community members:

Sebastian Andrzej Siewior
Minzhaun Gong
Dimitri Kirchner
Goulven Guiheux
John E. Krokes
Kai Risku

ClamAV 0.98.7 is always available from ClamAV.net on the downloads page.

--
The ClamAV Team
Re: [clamav-users] ClamAV on XP
You may also want to use a version of Windows that has support.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On May 6, 2015, at 3:20 AM, Al Varnell <alvarn...@mac.com> wrote:

> You might find ClamWin easier to use http://www.clamwin.com
>
> -Al-
>
> On Wed, May 06, 2015 at 12:16AM, Pod wrote:
> > Hi,
> >
> > I've installed ClamAV on XP. There is no icon on the desktop, and nothing in start menu. In the folder of ClamAV there are 7 exe-files: clambc, clamconf, clamd, clamdscan, clamscan, freshclam and sigtool. Which file should I use? I guess that clamdoc.pdf is for Linux users, is there something for Windows users?
> >
> > Thank you.
Re: [clamav-users] http://www.stats.clamav.net
That server is working off of old data. We haven't built an interface for the new system yet. We actually need to take this old system down, and will when people transition to the newer versions of ClamAV.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On May 6, 2015, at 4:23 PM, TR Shaw <ts...@oitc.com> wrote:

> I originally signed on using gmail. However gmail no longer supports OpenID 2. Per Google, OpenID 2.0 was replaced by OpenID Connect, and since April 20, 2015, no longer works for Google Accounts. OpenID 2.0 support was shut down in order to focus on the newer open standard OpenID Connect, which provides greater security.
>
> Any idea how I can get into my account?
>
> Tom
[clamav-users] Fwd: [Community-sigs] Create your own ClamAV signatures with CASC
Sending this over to the users list as well:

Begin forwarded message:

From: Alain Zidouemba <azidoue...@sourcefire.com>
Subject: [Community-sigs] Create your own ClamAV signatures with CASC
Date: May 14, 2015 at 9:57:00 AM PDT
To: ClamAV Community Signatures Submission List <community-s...@lists.clamav.net>
Reply-To: ClamAV Community Signatures Submission List <community-s...@lists.clamav.net>

http://blog.clamav.net/2015/05/create-your-own-clamav-signatures-with.html

The ClamAV community is growing and we are receiving more user-generated ClamAV signatures through our community signatures mailing list (http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html). Thanks to all who have contributed!

For those who find the task of writing your own signatures (https://github.com/vrtadmin/clamav-devel/raw/master/docs/signatures.pdf) daunting, we have created something you may be interested in. To aid users in developing better ClamAV signatures faster, Angel Villegas created the ClamAV Signature Creator (CASC), an IDA Pro plug-in. A quick and easy installation into IDA Pro 6.7 or higher (reduced feature set for IDA Pro 6.6) will have you creating basic ClamAV ndb and ldb signatures in no time.

CASC allows users to select aspects of a sample's disassembly, a function block, or a set of strings to create a sub-signature. Each sub-signature can contain user-defined notes to keep track of information contained within the sub-signature. Once you've selected enough sub-signatures to get the job done, or until your heart's content, a ClamAV signature can be created from one or more sub-signatures.

Check out this IDA Pro plug-in on Github (https://github.com/vrtadmin/CASC) and its wiki for documentation (https://github.com/vrtadmin/CASC/wiki).

- Alain

___
Community-sigs mailing list
community-s...@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
http://www.clamav.net/contact.html#ml
[clamav-users] ClamAV® blog: Lurker is going End of Life
http://blog.clamav.net/2015/05/lurker-is-going-end-of-life.html

Lurker is going End of Life

For years, we've had a system named Lurker that displayed the archives for our mailing lists. Well, we are actually keeping the archives for the mailing lists in two places: on Lurker, and on mailman itself. So, we've decided to End of Life the lurker machine, in favor of the mailman system.

The most common place that links to lurker directly is inside of the notification emails that are sent to malware submitters when coverage is written, as well as the clamav-virusdb list when the db updates are pushed.

We plan on bringing lurker down and changing the links in the alert emails on Friday, May 22, 2015. Please be patient with us as we remove this system from the ClamAV network.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
Re: [clamav-users] Clamscan infection that is not infected
Oh, sorry, didn't see that Alain wrote this. Apologies.

On Apr 15, 2015, at 9:52 AM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:

> Can you provide a checksum for your sample?
>
> Thanks,
> - Alain
>
> On Wed, Apr 15, 2015 at 9:50 AM, sanes <z...@wrzanes.com> wrote:
>
> > Why does clamscan show this file infection, but a scan with VirusTotal.com shows file is safe? Which source should I trust?
> >
> >     c:\Windows\System32\mobsync.exe: Win.Trojan.Agent-863936 FOUND