Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND

2019-03-13 Thread Dennis Peterson
That does not appear to be a well anchored regex. dp On 3/12/19 9:15 PM, Al Varnell via clamav-users wrote: All I can add is some technical information about the signature. I have no idea what kind of infection it causes and on what platform. The signature was added to the database by daily

Re: [clamav-users] after installation in an RHEL7, clamd not there

2019-02-23 Thread Dennis Peterson
https://fedoraproject.org/wiki/EPEL On 2/22/19 9:38 PM, Sunhux G via clamav-users wrote: Heard from an ex-colleague that using latest Clam packages from the latest epel will solve this. Anyone know the link/url for this latest epel ? Sun

Re: [clamav-users] Using clamav to test for bad links in incoming emails

2019-02-14 Thread Dennis Peterson
Does SA scan attachments now? dp On 2/14/19 8:07 AM, Alessandro Vesely wrote: On Sat 09/Feb/2019 00:07:28 +0100 Gene Heskett wrote: Has anyone rigged clamd to check what looks like questionable links contained in incoming emails? It seems over the last 2 weeks my spam has tripled, and I

Re: [clamav-users] Using clamav to test for bad links in incoming emails

2019-02-10 Thread Dennis Peterson
Best practice has always been least-expensive first and incrementally more expensive to follow. This begins with iptables (essential regardless of expense), tcpwrappers, DenyHosts, Fail2Ban, grey listing, country-code tables, access tables (sendmail and Postfix), multilayer milters, finally, AV

Re: [clamav-users] How to use clamav-unofficial-sigs with clamd

2019-02-10 Thread Dennis Peterson
Highly configurable scripts exist to handle the third-party signatures and it is all very well documented at the Sane Security web site ( https://sanesecurity.com ). These same scripts are available at multiple repos as installable packages for many operating systems as well. dp On 2/10/19

Re: [clamav-users] Input Stream Scanning for very large files

2019-02-06 Thread Dennis Peterson
is first and foremost an acceptable real-time email scanner with limited ability to do file system and stream scanning. dp On 2/3/19 2:37 PM, Ángel wrote: On 2019-01-25 at 18:43 -0800, Dennis Peterson wrote: You can easily use the unix split command and cat to scan files of any size. Or use

Re: [clamav-users] Input Stream Scanning for very large files

2019-01-25 Thread Dennis Peterson
Sometimes it is a management or compliance requirement. dp On 1/25/19 11:38 AM, G.W. Haywood wrote: Hi there, On Fri, 25 Jan 2019, Kushal Kumar wrote: Re: Input Stream Scanning for very large files ... how do you propose I should scan an archive of 100GB ( let's say) size. I wouldn't

Re: [clamav-users] Input Stream Scanning for very large files

2019-01-25 Thread Dennis Peterson
You can easily use the unix split command and cat to scan files of any size. Or use perl to break stream file segments to the stream. The first file in a split or segment contains the file time and will need to be concatenated to the beginning of each split or segment so clamav knows what it

Re: [clamav-users] Can't reached server update

2018-12-25 Thread Dennis Peterson
Try it without the space after the "-". host -t txt current.cvd.clamav.net dp On 12/25/18 1:22 AM, Dorian ROSSE wrote: Hello clamav worker, I still have this error when I launch "host - t txt current.cvd.clamav.net " without

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Dennis Peterson
On 12/20/18 10:56 AM, Dennis Peterson wrote: This can be calculated by counting the number of ClamAV hits in the clamd log using ClamAV signatures and the time period between the first and last hits. In my case I have clamd logs back to April (252 days) and 58 hits on ClamAV signatures

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread Dennis Peterson
This can be calculated by counting the number of ClamAV hits in the clamd log using ClamAV signatures and the time period between the first and last hits. In my case I have clamd logs back to April (252 days) and 58 hits on ClamAV signatures or about 4 per day. Total hits from all signature

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread Dennis Peterson
The TTL of the TXT record is 30 minutes so unless you are directly polling one of the clamav.net dns servers you are going to get whatever is in your local NSCD cache. dp On 12/19/18 12:26 PM, Paul Kosinski wrote: snip They all do DNS TXT queries 3-5 times per hour, and *only* if that

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-17 Thread Dennis Peterson
On 12/17/18 11:57 AM, Joel Esler (jesler) wrote: Inline: On Dec 15, 2018, at 6:23 PM, Paul Kosinski wrote: I don't know if flushing the daily.cvd cache would be adequate, since there are probably some downstream caches that wouldn't follow suit. Actually I had someone correct me after I

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Dennis Peterson
Ignoring latency which is probably nowhere near the problem it was with the volunteer network of mirrors. dp On 12/15/18 2:43 PM, Alain Zidouemba wrote: When a new cdiff is released, is a new daily.cvd also released at the same time? Yes. -Alain On Dec 15, 2018, at 4:26 PM, J.R. wrote:

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Dennis Peterson
This raises another point which is and has been the DNS version does not and has not meant there was an update to the daily CVD file - just that the cdiffs exist to update the users' local copy of the CLD to the current version using a reliable and efficient signed process. This only ever

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread Dennis Peterson
Things have changed a lot since Thomasz and Lucia were bearing the brunt of support, but other things change slowly. https://lists.gt.net/clamav/users/115 dp On 12/15/18 10:32 AM, Gene Heskett wrote: On Saturday 15 December 2018 10:58:12 Micah Snyder (micasnyd) wrote: I was actually

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-14 Thread Dennis Peterson
From a best practices perspective it is best to use freshclam when talking to ClamAV resources. Once you have what you need from them you can do anything you like internally. You don't have to be nice to them at this point. I had a couple hundred RedHat servers to manage and they all required

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-12 Thread Dennis Peterson
I wonder if the file size changed when Joel regenerated the daily.cvd file (or I had an unexplainable file size error). I still use all the technology but no longer for big dot coms. The patched files are larger because they have a lot of unneeded bits in them. dp On 12/12/18 7:43 AM, Paul

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-11 Thread Dennis Peterson
8 20:34:45 -0800 Dennis Peterson wrote: You were using curl (I did remember that after I posted as I'd helped you sort out curl options to do what you wanted) to explore what was available on the servers compared to what was on the DNS TXT record, and that was outside process. It also ignored c

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Dennis Peterson
sts before it sends the messages to Clamd. dp On 12/11/18 3:54 AM, Sunny Marwah wrote: I can see below files in /var/lib/clamav/ directory : main.cvd bytecode.cvd safebrowsing.cld daily.cld mirrors.dat But it is 'safebrowsing.cld', not 'safebrowsing.cvd'. Is it Ok ?? On Tue, Dec 11, 2018 at 1:47

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Dennis Peterson
In your ClamAV signature folder does there exist a safebrowsing.cvd file? dp On 12/10/18 9:46 PM, Sunny Marwah wrote: Same question again : Chrome don't open malicious links due to labeling them dangerous as per "Safebrowsing". Then why ClamAV is not able to identify such malicious links

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Dennis Peterson
.) On Mon, 10 Dec 2018 16:46:42 -0800 Dennis Peterson wrote: Exactly right. We can't be blaming the ClamAV process when we don't use the ClamAV process. People that don't use freshclam should have no expectation of high reliability. In fact any expectations are baseless when the wrong tools

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Dennis Peterson
Helps too to read the entire thread and the thread that preceded this one. The OP has used combinations of dig and wget in diagnosing his problems. dp On 12/10/18 5:22 PM, Gary R. Schmidt wrote: On 11/12/2018 11:46, Dennis Peterson wrote: Exactly right. We can't be blaming the ClamAV process

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Dennis Peterson
Exactly right. We can't be blaming the ClamAV process when we don't use the ClamAV process. People that don't use freshclam should have no expectation of high reliability. In fact any expectations are baseless when the wrong tools are employed. dp On 12/9/18 5:44 AM, Joel Esler (jesler)

Re: [clamav-users] Installation problem.

2018-12-07 Thread Dennis Peterson
The missing tools are either not in your path or not installed. You could run yum info */g++ to see if it is installed, and if it is run locate g++ and compare locations to your path with echo $PATH. dp On 12/6/18 11:28 PM, nikos wrote: Hello list. I'm trying to install the now version of

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-06 Thread Dennis Peterson
My most effective blocks are tcpwrappers and DNS-based IP blacklists and URI blacklists. Low returns on effort go to pattern matching regular expressions in message bodies. It isn't possible to measure the effectiveness of ipset blocklists when using NNN.0.0.0/8 IP blocks but there are a lot of

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-06 Thread Dennis Peterson
You should probably look at http://uribl.com/ for this problem. ClamAV is targeted toward viruses and malware in email. The uribl process uses DNS just like DNS blacklists, is fairly light weight, and well maintained. dp On 12/5/18 11:33 PM, Sunny Marwah wrote: Hello Team, We are using

Re: [clamav-users] [OT] is clamav.securiteinfo.com no more?

2018-12-05 Thread Dennis Peterson
It is implemented here as a DNS URLBL and used by a milter. dp On 12/5/18 9:21 AM, Benny Pedersen wrote: G.W. Haywood wrote on 2018-12-05 18:16: On Wed, 5 Dec 2018, Dennis Peterson wrote: All the "tiny" url hosts are blacklisted here ... A list of them could be useful. D

Re: [clamav-users] is clamav.securiteinfo.com no more?

2018-12-04 Thread Dennis Peterson
All the "tiny" url hosts are blacklisted here because I don't need the grief they disguise. But he did answer my question. I haven't subscribed to those BL's in a very long time and was surprised to see them pop up in my log file. dp On 12/4/18 9:38 PM, Al Varnell wrote: Not official, but

Re: [clamav-users] is clamav.securiteinfo.com no more?

2018-12-04 Thread Dennis Peterson
at 04:09, Dennis Peterson wrote: I don't see a dns response for that site and logs show no recent connection. dp ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us

[clamav-users] is clamav.securiteinfo.com no more?

2018-12-04 Thread Dennis Peterson
I don't see a dns response for that site and logs show no recent connection. dp

Re: [clamav-users] Disable MaxFileSize and MaxFileSize to scan the whole system

2018-12-03 Thread Dennis Peterson
e? >> MaxFileSize 3M >> MaxFileSize 3999M >> Is this syntax correct? >> >> On Mon, Dec 3, 2018, 00:06 Dennis Peterson >> <denni...@inetnw.com>

Re: [clamav-users] Disable MaxFileSize and MaxFileSize to scan the whole system

2018-12-02 Thread Dennis Peterson
I wonder how many signature writers bother to match content at the end of files. Hopefully, none, in which case full file scanning is pointless. dp On 12/2/18 3:02 PM, Al Varnell wrote: Trial and error, depending on your setup. Must not exceed the amount of RAM you have installed less what

Re: [clamav-users] ClamAV mirrors have gotten worse!

2018-11-26 Thread Dennis Peterson
I think these reports don't tell you what you think they mean. In fact they're pretty much meaningless. The two different servers have different versions of the signature. That is perfectly normal - there is simply zero chance and it is naive to think they will always be fully synced in the

Re: [clamav-users] ClamAV mirrors have gotten worse!

2018-11-23 Thread Dennis Peterson
On 11/22/18 8:51 PM, Paul Kosinski wrote: I wonder how many users of ClamAV actually log their freshclam updates. Those who don't likely won't notice freshclam temporary failures due to an out-of-sync condition. I just checked logs on two systems dating from July 1 and see no failures. I

Re: [clamav-users] ClamAV® blog: The ClamAV 0.101.0 release candidate is here!

2018-11-22 Thread Dennis Peterson
Does this change how socket-connected clients (milters, for example) communicate? On 11/19/18 11:40 AM, Joel Esler (jesler) wrote: # Changes to the libclamav API: * Those who build applications around our shared library will need to change how they declare and pass scanning options to

Re: [clamav-users] ClamAV mirrors have gotten worse!

2018-11-15 Thread Dennis Peterson
On 11/13/18 12:04 PM, Paul Kosinski wrote: "Why are you looking at October reports?" It was the first one. And it also shows that the problem began *before* 0.100.1 was deemed OUTDATED. So, here's one from this morning. I also have 4 from yesterday, 3 from Sunday Nov 11 etc. Posting them all

Re: [clamav-users] ClamAV mirrors have gotten worse!

2018-11-13 Thread Dennis Peterson
On 11/12/18 6:28 PM, Paul Kosinski wrote: As some of you may remember, I "solved" the problems of the Cloudflare mirrors being out of sync by not relying on what version the DNS TXT record reports, but double checking it by retrieving the head of the CVD file via curl. Why are you looking at

Re: [clamav-users] request of support for flagging fraud domain

2018-10-22 Thread Dennis Peterson
If you have no reason for accepting mail from the .su top level domain then just block that and be done with it. Sometimes it's reasonable to take a broad brush response to these problematic domains. dp On 10/21/18 6:09 AM, Darius Baumann wrote: I want to submit the following fraud domain for

Re: [clamav-users] Latest report on update "delays"

2018-10-21 Thread Dennis Peterson
ar mirrors?). On Sat, 20 Oct 2018 06:57:55 -0700 Dennis Peterson wrote: Caching file systems do validate the requested file against a master file to see if there has been a change. De-dupe caches do the same. It isn't instantaneous but they also don't have to wait for the cache to refresh as they c

Re: [clamav-users] Latest report on update "delays"

2018-10-20 Thread Dennis Peterson
Caching file systems do validate the requested file against a master file to see if there has been a change. De-dupe caches do the same. It isn't instantaneous but they also don't have to wait for the cache to refresh as they can deliver a pass through request at the same time they're updating

Re: [clamav-users] ClamAV 0.100.2 has been released!

2018-10-04 Thread Dennis Peterson
On 10/3/18 10:37 AM, Joel Esler (jesler) wrote: https://blog.clamav.net/2018/10/clamav-01002-has-been-released.html Are you sure 1.0 is going to happen in my lifetime? I'm not a kid anymore. dp

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-04 Thread Dennis Peterson
It would be a mistake to think everyone is using freshclam to dl signatures. The system needs to accommodate that. dp On 7/4/18 10:08 AM, G.W. Haywood wrote: Hi Joel, FWIW I believe we've had no problems at all with mirrors since March 2018, when I responded to a post on 23rd March by Orion

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-04 Thread Dennis Peterson
What do you see if you run freshclam --list-mirrors, and are you running freshclam in daemon mode? The reason I ask is if you deleted mirrors.dat then freshclam should have no knowledge of any previous errors. dp On 7/4/18 1:18 AM, Michael Da Cova wrote: Hi still getting issues, (I have

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-03 Thread Dennis Peterson
't honored though, when fetching externally. I get the whole daily.cvd. (I swear this doesn't work at 6am Monday morning though. :) ) Thanks, Scott -Original Message- From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Dennis Peterson Sent: Tuesday, July 03, 201

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-03 Thread Dennis Peterson
Does your wget not support the -e args to access a proxy? Example: wget http://someurl.com/filename.html -e use_proxy=yes -e http_proxy=xxx.xxx.xxx.xxx:3128 The proxy IP or hostname can be used. dp On 7/3/18 11:11 AM, SCOTT PACKARD wrote: The current DNS TXT does not work within my

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-03 Thread Dennis Peterson
Well damn - they say memory is the first thing to go... curl -s -r 35-39 http://db.us.clamav.net/daily.cvd |strings The -s (silent) inhibits stats. dp On 7/3/18 12:02 AM, Dennis Peterson wrote: I had completely forgotten about freshclam grabbing the entire file to determine currency. I

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-03 Thread Dennis Peterson
I had completely forgotten about freshclam grabbing the entire file to determine currency. I recall knocking off a quick script to avoid that which included: curl -q -r 35-39 http://db.us.clamav.net/daily.cvd |strings It returns the ID of whatever version is on the mirror. I've added strings

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-02 Thread Dennis Peterson
On 7/2/18 3:39 PM, Joel Esler (jesler) wrote: I’m not at a large keyboard right now. But with Cloudflare currently acting as our mirror network, none of the current assumptions about how the mirror network works is accurate. We have not changed the donated mirror network, as our discussions

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-02 Thread Dennis Peterson
are ready. P.S. The client's mirrors.dat file is updated in 18 different places in manager.c, which is in the freshclam subsystem. On Sun, 1 Jul 2018 21:11:29 -0700 Dennis Peterson wrote: What makes it a problem? You can never dl it until it is available, so the problem is you become aware of i

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-01 Thread Dennis Peterson
, Dennis Peterson wrote: On 7/1/18 8:24 PM, Paul Kosinski wrote: My conclusion is that the cause of this is a typical race condition: the DNS TXT record is updated before Cloudflare has propagated the new cvd file to all the mirrors. Is this a problem? dp

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-01 Thread Dennis Peterson
of time between the DNS update and the mirror updates. I don't have a good feel for how long that is from the postings so far, but it does sound like it may have increased as a result of the move from ClamAV mirrors to the ClamAV CDN. Sent from my iPad -Al- On Jul 1, 2018, at 20:38, Dennis Peterson

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-01 Thread Dennis Peterson
On 7/1/18 8:24 PM, Paul Kosinski wrote: My conclusion is that the cause of this is a typical race condition: the DNS TXT record is updated before Cloudflare has propagated the new cvd file to all the mirrors. Is this a problem? dp

Re: [clamav-users] Errors connecting to mirrors

2018-04-05 Thread Dennis Peterson
Since db.us.clamav.net is a round robin resolving to db.us.big.clamav.net, another round robin, try the actual server hostname to dl a known file. The specific diff files come and go and may not be on a particular mirror server. The following worked for me - I send the output to /dev/null to

Re: [clamav-users] ping database.clamav.net

2018-03-30 Thread Dennis Peterson
Ping is not a good test of DNS. You should use dig, nslookup, host, or other DNS tool. dp On 3/29/18 5:10 AM, Régis Houssin wrote: yes but for this IP this not a clamav website ! dev.lepartidegauche.fr (178.33.105.132) thank you

Re: [clamav-users] Errors connecting to mirrors

2018-03-28 Thread Dennis Peterson
If your proxy ignores the TTL for the mirrors then quite likely things will grind to a halt for you. All the mirrors are in round-robin dns pools. dp On 3/27/18 4:32 PM, Orion Poplawski wrote: On 03/27/2018 05:21 PM, Al Varnell wrote: Using the same IP each time with failure will also cause

Re: [clamav-users] Question about the clamdscan

2018-03-21 Thread Dennis Peterson
especially if ClamAV is behind in 0-day detection. On Wed, 21 Mar 2018 16:56:06 -0700 Dennis Peterson <denni...@inetnw.com> wrote: It is possible to integrate ClamAV and Tripwire to get to a scan-once environment. Include puppet or CFEngine for

Re: [clamav-users] Question about the clamdscan

2018-03-21 Thread Dennis Peterson
It is possible to integrate ClamAV and Tripwire to get to a scan-once environment. Include puppet or CFEngine for a more complete tool. dp On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote: Good morning Tsutomu, Al is quite correct. clamd and clamdscan maintain no memory of what has been

Re: [clamav-users] ClamAV performance overhead on RHEL & Solaris

2018-03-17 Thread Dennis Peterson
I ran it on dozens of enterprise systems, real and virtual, under RHEL and Oracle Linux. As a mail scanner running on demand it was never a great issue regarding performance as they were dedicated servers. But we found that when scanning file systems for compliance it would thrash the disk

Re: [clamav-users] ERROR: NotifyClamd: Can't connect to clamd on 127.0.0.1:3310: Connection refused

2018-02-01 Thread Dennis Peterson
If you can successfully run nc -l 3310 then clamd is not using the port. Check lsof -i |grep clam and examine the clamd.conf file. Something you're sure of is wrong. dp On 2/1/18 9:23 AM, Chris wrote: On Thu, 2018-02-01 at 07:51 -0800, Dennis Peterson wrote: Use the nc tool to connect

Re: [clamav-users] ERROR: NotifyClamd: Can't connect to clamd on 127.0.0.1:3310: Connection refused

2018-02-01 Thread Dennis Peterson
Use the nc tool to connect to that port. If you get a connection then type PING. It should return PONG and disconnect. If that doesn't happen you have a config misunderstanding. dp On 2/1/18 6:49 AM, Chris wrote: First of all regarding my previous post - "Cannot connect to unix socket

Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-27 Thread Dennis Peterson
On 1/26/18 2:39 PM, Scott Kitterman wrote: Couldn't (old) 0.99.3 beta users just have ignored (new) 0.99.3? As far as I can tell, the beta had all the fixes. Assuming that is correct, I think better advice for beta users would be to do nothing now and update to 0.100 beta when it is

[clamav-users] mirrors, again

2018-01-26 Thread Dennis Peterson
While working the problems this morning I note that freshclam --list-mirrors shows 7 mirrors for db.us.clamav.net and 6 of them are being ignored. And that is after I removed mirrors.dat. In your spare time... dp

Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Dennis Peterson
If I were debugging this I'd want to know if all the vm's run on the same or different hosts, what the allocation of resources to each vm is, if different hosts then what each host's base loads are for cpu, memory, and disk caching. If you don't own the hosts this can be difficult. Then I'd

Re: [clamav-users] How to download and update main.cvd and daily.cvd manually AND update mirrors

2017-12-14 Thread Dennis Peterson
Did you make sure permissions are set so that the clam user can read them? On 12/14/17 8:49 AM, George wrote: Hi, I mistakenly copied this twice in the email. But I did it as in your reply. that's not the problem. Thanks, George 2017-12-14 18:39 GMT+02:00 Dennis Peterson <de

Re: [clamav-users] How to download and update main.cvd and daily.cvd manually AND update mirrors

2017-12-14 Thread Dennis Peterson
You are downloading main.cvd twice. Change one of the wget commands to download daily.cvd. Example:
wget database.clamav.net/main.cvd
sudo cp main.cvd /var/lib/clamav
wget database.clamav.net/daily.cvd
sudo cp daily.cvd /var/lib/clamav
dp On 12/14/17 8:28 AM, George wrote: Dear All, I am

Re: [clamav-users] Trouble getting cvd files from private local mirror

2017-12-10 Thread Dennis Peterson
Consider using tcpdump or the network sniffer of your choice on the server to see what the connection dialog is between your freshclam client and the httpd server. Or to learn if there is even a connection attempted. dp On 12/8/17 9:16 PM, John Kennedy wrote: Were you to read my original

Re: [clamav-users] Trouble getting cvd files from private local mirror

2017-12-08 Thread Dennis Peterson
The client is ignoring your servers because they are listed in mirrors.dat as broken. Remove the mirrors.dat file and try again. You have not mentioned DNS or host tables but the natural assumption is all your clients and servers have the host tables or dns information needed to find each

Re: [clamav-users] Local Mirror error "Can't download daily.cvd"

2017-12-07 Thread Dennis Peterson
Do you have a host table entry for clamav.clamavsrv.tk ? On 12/7/17 3:27 AM, Emanuel wrote: Hello, Here the config: # client server DatabaseDirectory /var/lib/clamav snip

Re: [clamav-users] Freshclam Fails

2017-11-10 Thread Dennis Peterson
I'm wondering why it is trying to dl main-58.cdiff. dp On 11/9/17 9:32 PM, Krishnakumar Nair wrote: Is there any possible cause from clamav end ?? it was working fine. Thanks & Regards, kk

Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-10 Thread Dennis Peterson
I've never had a successful download from that ip. dp On 11/9/17 11:36 PM, Al Varnell wrote: As you probably already know, in past discussions of the US round robin it was revealed that there weren't enough US mirrors to support the demand and that was the primary reason for including low

Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-09 Thread Dennis Peterson
Any chance you can remove 128.199.133.36 from the US round robin? It's a long way from Kansas. dp On 11/8/17 7:50 AM, Joel Esler (jesler) wrote: The team working on these issues is seeing these emails, so it’s good that you are writing in, if you are still experiencing issues.

Re: [clamav-users] fail updates

2017-11-06 Thread Dennis Peterson
Come to think of it, 130.59.10.36 shouldn't even still be in mirrors.dat and that is part of the systemic problems in the system. Nothing cleans up stale entries in mirrors.dat except rm -f mirrors.dat. dp On 11/6/17 9:02 AM, Benny Pedersen wrote: freshclam --list-mirrors Mirror #1 IP:

Re: [clamav-users] fail updates

2017-11-06 Thread Dennis Peterson
Your report includes mirrors that should be ignored based on last access. I built a list of current mirrors from freshclam logs that go back only to August. grep -h Ignoring freshclam* |grep -v Reading |awk '{print $9}' |sort |uniq -c |sort -rn The result is an easy to understand (if not jaw

Re: [clamav-users] update mirror trouble?

2017-11-06 Thread Dennis Peterson
There are still a lot of broken mirrors out there aside from this problem. dp On 11/6/17 8:05 AM, Joel Esler (jesler) wrote: This should be resolving itself as we speak. -- Joel Esler | Talos: Manager | jes...@cisco.com

Re: [clamav-users] Mirror issues and what we are doing to fix it

2017-08-30 Thread Dennis Peterson
Aug 30, 2017, at 1:11 PM, Dennis Peterson <denni...@inetnw.com> wrote: I had the same thing happen and I also got successful dl's of the daily.cld file multiple times and I'm sure it would have continued looping forever if I'd not stopped it after obse

Re: [clamav-users] Mirror issues and what we are doing to fix it

2017-08-30 Thread Dennis Peterson
I had the same thing happen and I also got successful dl's of the daily.cld file multiple times and I'm sure it would have continued looping forever if I'd not stopped it after observing it was stuck in a loop. Same symptoms on two separate systems. Couldn't find the cdiff file and the

Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-27 Thread Dennis Peterson
It will fall through to db.local.clamav.net. dp On 8/27/17 1:07 AM, Andreas Schulze wrote: On 25.08.2017 at 22:44 Joel Esler (jesler) wrote: We are working on ways to not only fix the on going mirror issues, but prevent them in the future, as well as bring back the Mirror page on

Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-26 Thread Dennis Peterson
On 8/26/17 10:49 AM, Dennis Peterson wrote: I grabbed a tld file to use to locate (best effort) all ClamAV mirrors using a couple patterns I've discovered. Surely there is a better way but I'm old and time is precious. db.TLD.clamav.net db.TLD.rr.clamav.net Snippage happened. I should

Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-26 Thread Dennis Peterson
I grabbed a tld file to use to locate (best effort) all ClamAV mirrors using a couple patterns I've discovered. Surely there is a better way but I'm old and time is precious. db.TLD.clamav.net db.TLD.rr.clamav.net I used the host command to find every mirror available to this method. That

Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-25 Thread Dennis Peterson
anyone have a list of confirmed working mirrors? Thanks Joel for getting onto this, let me know if I can help somehow. -- Thanks Paul Dean. "Life is not WHAT you make it, it's WHO you have in it..." On Fri, 25 Aug 2017 07:43:08 -0700 Dennis Peterson <denni...@inetnw.com> wr

Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-25 Thread Dennis Peterson
This is abysmal.
# freshclam --list-mirrors |grep Success |sort -n -k2
Successes: 0
Successes: 0
Successes: 0
Successes: 0
Successes: 0
Successes: 0
Successes: 0
Successes: 4
Successes: 7
Successes: 8
Successes: 11
Successes: 11
Successes: 19
Successes: 46
Successes: 79
Successes: 81
Successes:

Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-25 Thread Dennis Peterson
You don't need ClamAV ppl to help - you have complete control over this process. Try this:
Find a healthy mirror
Put that healthy mirror's IP address in your freshclam.conf file as the first definition of DatabaseMirror
Run freshclam manually.
grep ^DatabaseMirror freshclam.conf
You should

Re: [clamav-users] Unable to download database

2017-08-23 Thread Dennis Peterson
using real-time network response time. If nothing else it will stop most if not all attempts to missing mirrors which seem to be the majority. Obviously it will also ignore mirrors that disallow icmp traffic. dp On 8/23/17 9:48 AM, Dennis Peterson wrote: nslookup db.local.clamav.net |awk '/Addres

Re: [clamav-users] Unable to download database

2017-08-23 Thread Dennis Peterson
nslookup db.local.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1 nslookup db.us.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1 nslookup db.ca.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1 nslookup db.ru.clamav.net |awk '/Address:/ {print $2}' |xargs

Re: [clamav-users] Main CVD and Main Cdiff have been published

2017-06-08 Thread Dennis Peterson
The main.cld is equivalent to main.cvd and the date is correct. The difference is one is compressed, the other not. dp On 6/8/17 9:30 PM, mlnl wrote: Hi, should this be correct? -rw-r--r--. 1 clam clam654336 Jun 7 03:18 bytecode.cld -rw-r--r--. 1 clam clam 123921920 Jun 9 03:26

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-06-01 Thread Dennis Peterson
If I were to have gotten a suspicious message notice from epl.paypal-communication.com and gone through a whois, nslookup, whois (ip address), dig txt paypal-communication.com, dig mx paypal-communication.com, dig mx epl.paypal-communication.com routine I would have found a very suspicious

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Dennis Peterson
If not email what is the vector? dp On 5/15/17 5:11 PM, Joel Esler (jesler) wrote: To be clear let me link to our blog post on the subject: http://blog.talosintelligence.com/2017/05/wannacry.html There has been No email vector seen in WannaCry to date. Almost everyone that has claimed

Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Dennis Peterson
On 5/12/17 10:19 AM, crazy thinker wrote: @Maarten I mailing to both ClamAV Developers and Users.. Hope you understand this. ClamAV Developers Mailing list seems inactive.. They are not responding Given that your crazyplan is to develop a new fork of ClamAV they can hardly be blamed for not

Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Dennis Peterson
I would consider a malware author that does not pass his/her new product through several file scanners to be incompetent. There is little point in distributing such files if it is commonly detectable. Scanners are one of the best quality inspection tools a malware author has at their disposal.

Re: [clamav-users] ClamAV UnOfficial Database

2017-05-04 Thread Dennis Peterson
You make this harder than is necessary. Create a directory for your preferred signature files in it (/var/lib/crazyclam, for example), put your preferred signature files in it, create a new clamd config file (crazyclamd.conf, for example) with that directory defined (DatabaseDirectory

[clamav-users] Mirror problem

2017-04-20 Thread Dennis Peterson
Anyone else seeing this? Sat Apr 1 14:02:39 2017 -> Trying host db.us.clamav.net (209.198.147.20)... Sat Apr 1 14:03:09 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 209.198.147.20) Mon Apr 3 08:02:39 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP:

Re: [clamav-users] error when starting clamd: LibClamAV Warning: Don't know how to create filter for: BC.Win.Exploit.CVE_2017_0060-6099223-0.{}

2017-04-19 Thread Dennis Peterson
Which version of ClamAV are you running? dp On 4/19/17 5:46 PM, Jobst Schmalenbach wrote: Hi Upon starting clamd I am receiving following messages: Starting clamd: LibClamAV Warning: Don't know how to create filter for: BC.Win.Exploit.CVE_2017_0060-6099223-0.{} LibClamAV Warning:

Re: [clamav-users] ClamAV for EnterPrise

2017-04-19 Thread Dennis Peterson
You should hire an integrator that already knows how to do this. dp On 4/18/17 3:28 AM, crazy thinker wrote: Hi ClamAV Developers, ClamAV Users I have referred ClamAV Docs but I could find any info to set up clamav in Business Environment. I have a small business office where 50-75 employees

Re: [clamav-users] Identify Threat Risk Level with ClamAV

2017-04-14 Thread Dennis Peterson
This is probably not the best list for this conversation. You may get better results by talking with developers, not end-users. dp On 4/14/17 9:33 AM, crazy thinker wrote: Oh.. ok..But how Commercial AV Calculating risk level of malware and what is the criteria for that.? On 14 April

Re: [clamav-users] Question about .cvd files

2017-04-12 Thread Dennis Peterson
The ClamAV product is designed to be used for real time detection with mail transport agents and to respond on detection. These mail transport agents are capable of delivering malware that will run on any architecture. In a perfect world everyone that runs an MTA would test outbound mail for

Re: [clamav-users] Javascript file not recognized

2017-02-16 Thread Dennis Peterson
ers>. There was no attachment on the e-mail I received, did you get it? -Al- On Thu, Feb 16, 2017 at 12:02 PM, Dennis Peterson wrote: It is really bad form to post suspected malware to this or any list. dp On 2/16/17 11:55 AM, Markus Egg wrote: The attached file was in an email as attachment as

Re: [clamav-users] Javascript file not recognized

2017-02-16 Thread Dennis Peterson
It is really bad form to post suspected malware to this or any list. dp On 2/16/17 11:55 AM, Markus Egg wrote: The attached file was in an email as attachment as "bill": 319598.js sha1sum b32a6dfdef2444de1695cb96e6a674c2f7cda74b 319598.js sha256sum 319598.js

Re: [clamav-users] Freshcalm issues

2017-02-11 Thread Dennis Peterson
It would be helpful to see the output of this command: clamconf |egrep -i "^.*(mirror|proxy|server|local|database)" dp On 2/11/17 7:07 AM, Hugo Deprez wrote: Hello, am I the only one having that kind of issues ? On 3 January 2017 at 14:49, Hugo Deprez wrote:

Re: [clamav-users] clamd/clamdscan and IPv6

2016-12-14 Thread Dennis Peterson
Thanks for closing the event here. It doesn't happen enough. dp On 12/14/16 2:54 PM, Steven Morgan wrote: Thanks, there was a little coding error. Following the connect() failure on the local socket, the code was not checking if the TCPAddr option is enabled. Steve On Wed, Dec 14, 2016 at
