Re: [clamav-users] [External] Re: Scan very slow

2019-04-10 Thread Steve Basford
On 2019-04-09 22:29, Micah Snyder (micasnyd) via clamav-users wrote: Maarten, Looking at a few of the Phish.Phishing signatures, these appear to have the same issue (href="http:// prefix). In testing with scan of a PDF document, I was able to reduce the scan time from 31.987 sec down to 2.632

Re: [clamav-users] [External] Re: Scan very slow

2019-04-09 Thread Steve Basford
On 2019-04-09 12:02, Brent Clark via clamav-users wrote: Can't those be adopted / managed by Sanesecurity? For all you know, those are already in Sanesecurity. They are... and have been for quite some time: "The following databases are distributed by Sanesecurity, but produced by Porcupine

Re: [clamav-users] Scan very slow

2019-04-07 Thread Steve Basford
On 7 April 2019 17:25:56 Arnaud Jacques wrote: ... and one day I created a *huge* ign2 file and it crashed clamd. Ign2 files may not be appropriate to ignore tons of signatures. From memory.. daily.info (inside the daily.cvd) contains the database names included. If all phishtank sigs

Re: [clamav-users] Scan very slow

2019-03-25 Thread Steve Basford
On 2019-03-25 10:52, Mark Allan via clamav-users wrote: Hi all, te. Hopefully this helps someone to narrow things down a bit. Mark 18/3/19 10m 49s TXT from DNS: 0.101.1:58:25392:1552904941:1:63:48507:328 *** Here are the changes for the above update:

Re: [clamav-users] Slow reload

2019-03-20 Thread Steve Basford
On 2019-03-19 14:35, Bowie Bailey wrote: I do have a bunch of third party signatures installed from Sanesecurity and SecuriteInfo. Is there a way to get timing information on which signature files are taking the longest to load? Or is this mainly a function of file size? Here's a quick

Re: [clamav-users] Slow reload

2019-03-19 Thread Steve Basford
On 19 March 2019 21:01:03 Bowie Bailey wrote: On 3/19/2019 4:27 PM, Bowie Bailey wrote: Is there a way to get the details on how long each file takes to load, or do I just have to test them one by one? A very simple per Database scan time test... Sorry not sorted in time order but might

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Steve Basford
On Wed, December 12, 2018 8:59 am, Al Varnell wrote: > You mentioned earlier that ClamAV has recently added signatures from > PhishTank, but I've noticed over the last few days that most, if not all > of them have been removed. Should I conclude that the PhishTank > organization signatures are

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Steve Basford
On Tue, December 11, 2018 1:58 pm, Sunny Marwah wrote: Hi Sunny/All, Here's the summary The phishing attempt looks like this html code: h-t-t-p-s:/-/-pastebin DOT com/TL5WUJZh This first link is just a hijacked graphic and won't be in safebrowsing... h-t-t-p-s:-/-/gokdenizhealthtourism

Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford
On 10 December 2018 17:21:05 "G.W. Haywood" wrote: Hi there, On Mon, 10 Dec 2018, Steve Basford wrote: ... MiscreantPunch099-Low.ldb for additional detection but can hit scanning performance. Can you give any estimate (however rough) of the performance hit? Scanning a small file...

Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford
On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote: > Default clam sigs obviously are not catching these, but wondering if > anyone has them included in a third party that's rather FP friendly. > > I also just tested a yara from here, and it seems to work, but not > certain about FPs from it

Re: [clamav-users] Adding a custom signature for spam

2018-11-12 Thread Steve Basford
On Mon, November 12, 2018 8:54 am, turgut kalfaoğlu wrote: > Hello there. I was fed up with some repeated spam that was coming our > way, and had the idea that it would be great if the clamd could stop these. Are these being detected with 3rd party signatures? > $ echo This is a text line from

Re: [clamav-users] ICON_HASH signature for PE files

2018-11-09 Thread Steve Basford
On Fri, November 9, 2018 9:00 am, Irshad wrote: > Hi, > > > My apologies, if I am missing something obvious. I spent around 3 hours Hi Irshad Not sure if this will help but there are a few icon based sigs I think in the current daily.cvd. So unpack them and then grep for IconG, something like

[clamav-users] ClamAV 0.101.0 beta rar issue

2018-11-08 Thread Steve Basford
Hi, Using a cdb sig in this format: Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:* The above sig will work on a Rar pre v5 format file, to catch a *single* exe in a rar file. In ClamAV 0.101.0 beta (which has Rar v5 support), the above wasn't

Re: [clamav-users] More MBL FPs

2018-10-29 Thread Steve Basford
All whitelisted this morning anyway. Cheers, Steve Twitter: @sanesecurity On 29 October 2018 10:21:13 am Paul Stead wrote: MBL_17895395 MBL_17662054 MBL_17962226 ___ clamav-users mailing list clamav-users@lists.clamav.net

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-26 Thread Steve Basford
On 26 October 2018 12:30:45 Paul Stead wrote: Woo, more - MBL_17674787 MBL_17784910 Personally I'd stop using them... as Malware Patrol don't seem to want to improve the situation. So although I do whitelist.. like I have with the above ones... it'll be an ongoing task/pain. Tried

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Steve Basford
On Wed, October 24, 2018 9:05 am, Al Varnell wrote: > I cannot argue that malware does not show up in Google Docs which is wide > open to anybody that wants to post there, as I know it has occurred. Not > sure how big a problem it has become for Google to police. I think it > would be better if

[clamav-users] Sanesecurity FP Alert

2018-10-04 Thread Steve Basford
@sanesecurity: News: Sanesecurity.Rogue.0hr.20181004-1536 is causing FPs. Fixed but reload signatures ASAP Will investigate what went wrong. Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Malwarepatrol false positive

2018-09-18 Thread Steve Basford
On 18 September 2018 16:33:28 Paul Stead wrote: Yet another Malwarepatrol FP: MBL_14437114 White listing as we speak... Sigh

Re: [clamav-users] Rar unpacker

2018-09-15 Thread Steve Basford
On 16 September 2018 00:03:06 Paul wrote: Hello Is support for a RAR V5 unpacker in the pipeline Yes :) https://bugzilla.clamav.net/show_bug.cgi?id=11959 Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Malwarepatrol false positive

2018-09-04 Thread Steve Basford
On 4 September 2018 18:52:04 Mark G Thomas wrote: Hi, Good grief! Yet another. So much for Malware patrol! Sigh. # sigtool --find-sigs MBL_13497693 | sigtool --decode-sigs Pushing out a whitelist entry to the mirrors as I type. Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Steve Basford
On 31 August 2018 17:52:26 Mark G Thomas wrote: Hi, And YET ANOTHER today. I figured others here might want the heads up. [root@imx0 conf]# sigtool --find-sigs MBL_13226139 | sigtool --decode-sigs Sigh. I've just added to the main Sanesecurity whitelist. Thanks for the heads up.

Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford
, thank you for reporting this issue. Regards, Luciana, Malware Patrol Team. So if anyone else sees FPs the above email should be a starting point. Cheers, Steve Twitter: @sanesecurity On 29 August 2018 18:52:31 "Steve Basford" wrote: On Tue, August 21, 2018 12:31 pm, Al Varnell

Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford
On Tue, August 21, 2018 12:31 pm, Al Varnell wrote: > OK, I don't think there is anything that ClamAV can do about it since > it's an UNOFFICIAL. > > Maybe Steve Basford from SaneSecurity can put some pressure on them. He > usually reads what's posted here. I've just sen

Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread Steve Basford
! # sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs VIRUS NAME: MBL_13087222 DECODED SIGNATURE: https://docs.google.com On Tue, Aug 21, 2018 at 04:31:28AM -0700, Al Varnell wrote: OK, I don't think there is anything that ClamAV can do about it since it's an UNOFFICIAL. Maybe Steve

Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Steve Basford
On Tue, August 21, 2018 12:27 pm, Dave McMurtrie wrote: > > I'm beginning to get the feeling they don't have any type of review > process in place. I whitelisted the sig on the Sanesecurity mirrors this morning UK time: 21/08/2018 @ 11:37 It's usually quicker to do that, if not ideal. --

Re: [clamav-users] Bytecode 86 failed to run

2018-08-08 Thread Steve Basford
That suggests that the actual default value of --bytecode-timeout might be 5000. Yep... https://github.com/Cisco-Talos/clamav-devel/blob/76d0d93d4f11a43f237cce495765b0f95d4352d1/shared/optparser.c Ie... { "BytecodeTimeout", "bytecode-timeout", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER,

Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Steve Basford
Just posting a little regarding the Yara issue with 0.100.x: After a little bit of testing last week... here's what was found: It seems that in ClamAV 0.100.x if the yara file uses pe.imports *and* has *multiple* rules inside the single Yara file, it seems to crash linux versions of ClamAV. If

Re: [clamav-users] Strange Problem with a Virus inside a rar file

2018-07-26 Thread Steve Basford
On Thu, July 26, 2018 10:49 am, Tech wrote: > Last week we got a mail which contained a scr file inside a rar > clamav-milter let it through and saying it's clean. After that the windows > security essentials software on one of our clients detected the virus > inside the rar package. Hi Drees,

Re: [clamav-users] How to run clamav 0.100.1 on Win server 2012 version?

2018-07-18 Thread Steve Basford
On Wed, July 18, 2018 10:35 am, Tiến Hưng Phan wrote: > Hello clamav support team, > > > I'm using clamav 0.100.1 on Windows server 2012. > When I run clamscan.exe to scan a file, it shows a dialog that I'm missing > "api-ms-win-crt-runtime-l1-1-0.dll". How can I run clamav on Windows > server

Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Steve Basford
On Wed, June 27, 2018 11:32 am, Joel Esler (jesler) wrote: > Just fixed it. > > Thanks Joel... all working now... main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr ) Downloading daily-24686.cdiff [100%] Downloading daily-24687.cdiff [100%] Downloading

Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Steve Basford
On Wed, June 27, 2018 2:42 am, Joel Esler (jesler) wrote: > Db.us should be good on both now. > > Worked perfectly from California, but with .cdiff updates, not the entire Just checked and gb doesn't work ClamAV update process started at Wed Jun 27 09:37:20 2018 WARNING:

[clamav-users] [Fwd: Sad News: Tom Shaw]

2018-06-05 Thread Steve Basford
Original Message Subject: Sad News: Tom Shaw From:"Steve Basford" Date:Tue, June 5, 2018 9:30 am To: sanesecur...@freelists.org Cc: sanesecurity_annou...@fre

Re: [clamav-users] Attachments

2018-05-15 Thread Steve Basford via clamav-users
--- Begin Message --- On Tue, May 15, 2018 12:57 pm, Todd Aiken via clamav-users wrote:

Re: [clamav-users] Malwarepatrol false positives

2018-04-29 Thread Steve Basford
On Sun, April 29, 2018 3:29 am, Micah Snyder (micasnyd) wrote: > What I think Joel is saying is that your MBL signatures are coming > through SaneSecurity, not from Cisco/Talos official ClamAV rule set. > > Hi Micah, MBL signatures are produced and distributed by MalwarePatrol, nothing to do

Re: [clamav-users] Malwarepatrol false positives

2018-04-27 Thread Steve Basford
Hi Alex... I've whitelisted the two sigs... until they fix them.. so that might help a little. Cheers, Steve Twitter: @sanesecurity On 28 April 2018 04:23:51 Alex wrote: Hi, I can't imagine outright blocking https://goo.gl is not a mistake. MBL_6882958 and

Re: [clamav-users] Another Open Source anti-malware project

2018-03-23 Thread Steve Basford
On 23 March 2018 19:25:08 Paul Kosinski wrote: I just came across this Open Source anti-malware project called "Linux Malware Detect". Anybody know anything about this? https://hydrasky.com/network-security/linux-malware-detect-lmd/ It's been going a while and can

Re: [clamav-users] .0-rc has been posted!

2018-03-23 Thread Steve Basford
On Thu, March 22, 2018 9:44 pm, Joel Esler (jesler) wrote: > ClamAV 0.100.0-rc has been posted! Just a quick bit of feedback with a few test VM's: 32bit Windows XP: "fails" - "is not a valid Win32 application" ** Whereas ClamAV-0.99.4 runs fine on XP **

Re: [clamav-users] Daily version 24256

2018-01-29 Thread Steve Basford
>I would like to reproduce the problem again to force the error in order to >be able to establish a system alarms or warnings with Nagios scripting >Anybody knows how can I get daily.cld version 24256? Any link to download >it? You could create this: badsig.ldb:

Re: [clamav-users] False positive -- I hope

2018-01-28 Thread Steve Basford
I *think* that this signature flags *all* zipped JS files, and (IIRC) both Firefox and Thunderbird have JS-containing JAR files. I hope that is all it is. Yep that's it. Foxhole_filename. Foxhole_all. Foxhole_generic and Foxhole_js all have different fp levels...depending on what you see

Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread Steve Basford
On Fri, January 26, 2018 3:35 pm, Dianne Skoll wrote: > On Fri, 26 Jan 2018 15:18:10 + > David Shrimpton wrote: > > >> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and >> restarting clamd fixed the problem. > > Thank you! That was immensely

Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Steve Basford
Could you list the signatures in your clamav database folders. Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Improving clamscan speed?

2017-12-16 Thread Steve Basford
What can I do to speed up the clamscan process? Hi Dan, Sorry this is a little brief... Skipping files you aren't interested in scanning might help a little... clamscan --exclude='\.(jpg|jpeg|png|gif)$' Choose a smaller file size to scan.. --max-filesize=300M --max-scansize=300M Cheers,

[clamav-users] clamav-0.99.3-beta1-win32

2017-09-19 Thread Steve Basford
Probably just a post for windows users but... If you are using: clamav-0.99.3-beta1-win32.msi, under Vista and get an error: Vista etc: VCRUNTIME140.dll is missing (running on 32 bit Vista) Fix by installing Visual C++ Redistributable for Visual Studio 2015 Under Windows XP: sigtool.exe

Re: [clamav-users] Unable to download database

2017-08-23 Thread Steve Basford
On Wed, August 23, 2017 8:26 am, lukn555 wrote: > Good Day ClamAV List > > > Since yesterday at around noon CET I've been having issues downloading > the ClamAV database: Same here in the UK... Can't query daily.0.82.0.1.814301DA.ping.clamav.net Wed Aug 23 08:14:39 2017 -> Giving up on

Re: [clamav-users] sanesecurity: Permission denied

2017-08-03 Thread Steve Basford
On Thu, August 3, 2017 3:06 pm, Reindl Harald wrote: > > > > frankly you have one or more mirrors which just don't work at all for a > long time, a friend just looked for a working one, hardcoded the IP and > has never seen that errors again The problem was fixed on 1 mirror but seems to have

Re: [clamav-users] Signature not detected

2017-07-18 Thread Steve Basford
On Mon, July 17, 2017 10:22 pm, Alex wrote: > Hi guys, just submitted an "ace" archive with a .cmd inside. > > > # sha1sum PROFORMA\ INVOICE_xls.ace > 97757622d5d568b01faa9d662818eebd40b1e0c0 PROFORMA INVOICE_xls.ace > Hi, I've added Sanesecurity.Malware.27099.AceHeur.Cmd to the

Re: [clamav-users] sanesecurity: Permission denied

2017-07-03 Thread Steve Basford
On Mon, July 3, 2017 11:58 am, Reindl Harald wrote: > issues like below are also reported by a friend on his machines for some > days, randomly with different files I'm looking into it -- will email off-list -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] petya signature?

2017-06-29 Thread Steve Basford
On Thu, June 29, 2017 5:02 am, Dmitry Melekhov wrote: > 28.06.2017 17:23, Alain Zidouemba wrote: > >> This went out yesterday to address the latest variant: >> >> >> Win.Ransomware.Agent-6331177-0 >> Sorry for the lack of update yesterday but lots of hashes were added yesterday and a couple

[clamav-users] WannaCry

2017-05-15 Thread Steve Basford
Sorry for the slightly off-topic post but just in case this helps... MS17-01 Summary 1. malwarehash.hsb 175+ hashes in malwarehash.hsb (Sanesecurity.MalwareHash.WannaCry) added over the weekend 2. MS17-010 nmap network scan script

Re: [clamav-users] disabling a database

2017-05-11 Thread Steve Basford
On Thu, May 11, 2017 6:40 am, Al Varnell wrote: > while Spam detection is all done using UNOFFICIAL sigs. Not quite Malware, Phishing and Spam... http://sanesecurity.com/usage/signatures/ And a lot of people decide the email's fate with "pam_score_maps" scoring.. eg:

Re: [clamav-users] FilenameRegex and case sensitivity

2017-05-03 Thread Steve Basford
On Wed, May 3, 2017 8:19 am, kionez wrote: > Hi all, > > > I wonder how I can use a case-insensitive FilenameRegex in signatures > based on container metadata. > > I.E.: if I would like to match "word", "Word" and "worD" (and so on), my > rule will be something like: > >

Re: [clamav-users] Need help: clamd stops after starting without any error message

2017-04-19 Thread Steve Basford
On Wed, April 19, 2017 10:13 am, Torge Riedel wrote: > Well, was not enabled. After setting > > > LogSyslog true Might be worth turning on debug temporarily... clamd.conf and freshclam.conf # Enable debug messages in libclamav. # Default: no -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Identify Threat Risk Level with ClamAV

2017-04-14 Thread Steve Basford
On 14 April 2017 17:31:21 Reindl Harald wrote: SanSecurity creating signature database files based and it showing risk status of malware sanesecurity shows *risk of false-positives* don't confuse such basics That's correct it's a *very rough* fp guide for each

Re: [clamav-users] Java.Malware fps

2017-04-07 Thread Steve Basford
On Fri, April 7, 2017 7:24 am, Henrik K wrote: > > Who's flooding crappy samples around, and why is ClamAV making sigs of > tiny class files like > org/eclipse/aether/impl/RemoteRepositoryManager.class? > > The odd few I've checked are hashes in daily.hsb:

Re: [clamav-users] clamav antivm.yar malicious_document.yar and errors

2017-04-05 Thread Steve Basford
On Wed, April 5, 2017 3:24 pm, Rejaine Monteiro wrote: > > Hello, I'm having some errors with these signatures in clamav-0.99.2. > Any tips on what it is about or how to solve? > See here: 3rd Party download script: https://github.com/extremeshok/clamav-unofficial-sigs/issues/151 -- Cheers,

Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steve Basford
On 31 March 2017 18:45:58 Mark Foley wrote: Per advice on this list, I downloaded and installed the clamav-unofficial-sigs scripts from the link on Sanesecurity. 2. I run a cron'd clamscan job to scan mail folders several times a day. I get the following errors

Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Steve Basford
On 31 March 2017 19:14:36 Steven Morgan wrote: Mauro, It is not clear what MailFollowURL did. Have a look at docs/phishsigs_howto.pdf for a description of how to scan for URLs. This may have subsumed MailFollowURL. It did a curl on any urls found in the body and

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Steve Basford
On Fri, March 31, 2017 8:44 am, Arnaud Jacques / SecuriteInfo.com wrote: > Received this message: > > > -- Message transmis -- > > This is Coco from IObit (www.iobit.com). > > > Your program ClamAV reports the file RegistryDefragBootTime.exe as > Win.Trojan.Agent-5776271-0

Re: [clamav-users] Heuristics.Filetype.ZipWithJS

2017-03-28 Thread Steve Basford
On Tue, March 28, 2017 1:23 pm, Reindl Harald wrote: > > > Am 28.03.2017 um 14:20 schrieb Matteo Dessalvi: > >> Hello. >> >> >> Regarding your first question you can execute the following >> tools from the command line: >> >> sigtool --find-sigs=Heuristics.Filetype.ZipWithJS-6162396-0 | sigtool

Re: [clamav-users] Heuristics.Filetype.ZipWithJS

2017-03-28 Thread Steve Basford
> 1. Where can I find information about what kind of threat this? \.[A-Za-z]{3}\.js$ FP Source example: https://www.mobileread.com/forums/showthread.php?p=3496981 Ie. any .js inside a zip file that starts with 3 letters will get blocked. -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] FP: ScamNailer.Phish.en_notification_AT_made-in-china.com

2017-03-23 Thread Steve Basford
On Thu, March 23, 2017 2:05 pm, Reindl Harald wrote: > [ScamNailer.Phish.en_notification_AT_made-in-china.com.UNOFFICIAL(ad638b8 > abc0d0af59ded4aa2835061e3:293969)] Thanks for the report, I've removed the sig. -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] how to find Html.Phishing.Auction-214

2017-03-22 Thread Steve Basford
On Wed, March 22, 2017 12:52 pm, Hajo Locke wrote: > Hello, > > > have an issue here with this signature. Html.Phishing.Auction-214 is found VIRUS NAME: Html.Phishing.Auction-214 Here you go... TARGET TYPE: HTML OFFSET: * DECODED SIGNATURE: sein, weil sie ei[][][]nen fehler gemacht haben, als

Re: [clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford
On Thu, March 9, 2017 11:03 am, Groach wrote: > So what are we saying? > > Clamwin people need to be made aware of this? Or ARE aware of this and > complicit? ClamWin should be aware of this by now... let's hope they make a statement of what (if any) the issues are and what versions. For

Re: [clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford
On Thu, March 9, 2017 11:09 am, Al Varnell wrote: > Or is it based on older versions, like most of the items contained in > those documents? I suspect that the ClamWin developers are the only ones > that can tell us what has been or will be done about it. Exactly, it could just be old

[clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford
Just for those who haven't spotted ClamWin in the leak: https://wikileaks.org/ciav7p1/cms/page_27262995.html Clam Portable http://portableapps.com/apps/security/clamwin_portable ClamWin: http://www.clamwin.com/ -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steve Basford
On Fri, March 3, 2017 7:20 pm, Alain Zidouemba wrote: > We're pulling the signature causing the issue now, while we investigate > the cause. > > - Alain Hi Alain, I think the fix is... Replace ? with ?P when the PCRE library is old ie. ?< to ?P< On... Doc.Macro.GenericHeuristic-5901772-0

Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steve Basford
It's a macro detecting ldb Sig that fails due to an old pcre engine being used. The Sig can be rewritten to work on older pcre versions .. or you need to update. Sorry I can't help more. Cheers, Steve Twitter: @sanesecurity On 3 March 2017 17:39:48 "Aaron C. Bolch"

Re: [clamav-users] Javascript file not recognized

2017-02-16 Thread Steve Basford
On Thu, February 16, 2017 7:55 pm, Markus Egg wrote: > The attached file was in an email as attachment as "bill": > 319598.js Detected: phish.ndb: Sanesecurity.Malware.26652.JsHeur shelter.ldb: Sanesecurity.Shelter.Malware.JSHeur.004 -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] SpoofedDomain FOUND

2017-02-16 Thread Steve Basford
On Thu, February 16, 2017 1:03 pm, Reindl Harald wrote: > give a man a fish and you feed him for a day; teach a man to fish and you > feed him for a lifetime ___ Are you sure that's correct... wasn't it... Give a man a fish, he eats for a day. Teach

Re: [clamav-users] How to determine false-v-real FOUND

2017-02-09 Thread Steve Basford
On Thu, February 9, 2017 1:12 pm, Brad Scalio wrote: > Clamscan found a PE "visor.exe.svn-base" that matched > Win.Trojan.Agent-793284 FOUND. > > Is there a way, or an online tutorial, or some other information to > decompose the signature and the file easily to determine if it's a false >

Re: [clamav-users] svg files support

2017-02-01 Thread Steve Basford
On Wed, February 1, 2017 10:19 am, Al Varnell wrote: > After further review, I see that SVG is in XML text format, which should > not be a problem and there are a couple of SVG signatures in the > database: That's correct... I've a few sigs for SVG too, mainly due to Javascript being used

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford
On Thu, December 29, 2016 1:40 pm, Mark Allan wrote: > It seems a little overkill to add a new feature for this. Couldn't you > just delete the cvd/cld file and prevent freshclam from running? Or > better yet, write a wrapper around freshclam so the update still takes > place and then unpack the

Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Steve Basford
On Thu, December 29, 2016 9:32 am, Reindl Harald wrote: > >i would love to be able to *completly* exclude >"daily.cld", "daily.cvd" and "main.cvd" and only update >"safebrowsing.cvd" daily.cvd and main.cvd are compressed versions of multiple databases... eg. sigtool --unpack-current=daily

Re: [clamav-users] signature memory use

2016-12-28 Thread Steve basford
doppelstern aren't used any more but I still mirror the blank files for a while so people's configs don't break. Cheers, Steve Twitter: @sanesecurity On 28 December 2016 19:57:06 Alex wrote: Hi Steve, crdfam.clamav.hdb,pool memory used: 4.355 MB

Re: [clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

2016-12-27 Thread Steve basford
#All# macros inside xlsm files are being blocked due to sig blocking of Vbaproject.bin inside. Cheers, Steve Twitter: @sanesecurity On 27 December 2016 20:08:37 Adnan de Castro Donato wrote: In keeping with one false positive reports I have 8 CentOS servers

Re: [clamav-users] Probable False Positive - OpenJDK-1.8 nashorn.jar : Win.Trojan.Toa-5370166-0

2016-12-26 Thread Steve Basford
On Mon, December 26, 2016 6:55 pm, Mark Edwards wrote: > In keeping with the other false positive reports I have more than 400 > CentOS servers report below after yesterday's freshclam update: Yes, nashorn.jar seems to get hit too... eg: fp2\11476331d01: Win.Trojan.Toa-5372078-0

Re: [clamav-users] More fp's.

2016-12-26 Thread Steve Basford
On Mon, December 26, 2016 12:39 pm, Sierk Bornemann wrote: Just run freshclam... fp\Aston Villa 1.4.3.ipa: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND fp\greasemonkey-3.8-fx.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND fp\imagus-0.9.8.45-fx+sm.xpi: Win.Trojan.Toa-5370166-0.UNOFFICIAL FOUND

Re: [clamav-users] More fp's. Now its almost everything that has been zipped.

2016-12-25 Thread Steve Basford
On Sun, December 25, 2016 10:40 am, Al Varnell wrote: > A handful of ClamXav users can confirm the Firefox > omni.ja:Win.Trojan.Toa-5370234-0. It also identified some Adobe products > as infected when run through QA. Firstly, Merry Christmas to all. Onto the FP's... basically they are too

Re: [clamav-users] signature memory use

2016-12-21 Thread Steve Basford
> So all signatures should be running fine with 6Gb of RAM, right ? > Even our big signatures :) Summary test: Using clamscan only to scan test.eml (3,706 bytes) ClamAV Official sigs only (daily/main): pool memory used: 385.675 MB Official + *all* Sanesecurity/Distributed sigs pool memory

[clamav-users] signature memory use

2016-12-21 Thread Steve Basford
As some people have reported memory issues... Quickly put these together based on scanning a small file and *only* loading *one* signature database at a time: Sanesecurity: badmacro.ndb,pool memory used: 5.132 MB blurl.ndb,pool memory used: 4.800 MB bofhland_cracked_URL.ndb,pool memory used:

Re: [clamav-users] clamd restart

2016-12-21 Thread Steve basford
On 21 December 2016 11:07:42 Al Varnell wrote: Are you using any UNOFFICIAL signatures? Some of them have been causing memory issues recently for others. Al, while some 3rd party sigs are using memory, you've also got to remember the huge amount of sig only hashes the

Re: [clamav-users] clamd restart

2016-12-21 Thread Steve basford
Do you have a list of signatures in your clamav database folder you can list? Cheers, Steve Twitter: @sanesecurity On 21 December 2016 11:20:12 "Richard Walker - Seven Internet Ltd" wrote: Hi Al Yes I'm using unofficial signatures. I have disabled the cron

Re: [clamav-users] Custom CVD

2016-12-16 Thread Steve Basford
On Fri, December 16, 2016 2:39 am, filipecalderon66...@yahoo.com wrote: > Hello all - first time post and new clamav user. > I have installed clamav on a box that has very specific exposures, and has > very limited memory and disk space. The existing signatures when all the > other optional ones

Re: [clamav-users] Question on attachments

2016-12-12 Thread Steve basford
Hi Tom, .ftm files contain magic headers of various formats. Cat daily.ftm Cat sanesecurity.ftm The engine then unpacks if it's a zip etc and the unpacked exists. That's why your example filename still unpacks. You can also use .ftm to skip file formats from scanning. I'm mobile at the

Re: [clamav-users] bugzilla security certificate

2016-12-12 Thread Steve Basford
On Wed, December 7, 2016 5:03 pm, Benny Pedersen wrote: >> You can bypass the warning if desired. > > worst advice you have ever given here Thanks... but I didn't actually say you *should* ... but browsers do allow you to. In this case the firefox error box was: bugs.clamav.net uses an

Re: [clamav-users] Goldeneye ransomware

2016-12-08 Thread Steve basford
Hi... this is detected with Badmacro.ndb. On 8 December 2016 16:54:26 Matteo Dessalvi wrote: I also ran a quick analysis on Malwr: https://malwr.com/analysis/Y2VhYWNjZTk3NWFhNGRhMDg5OWYwY2E5MzdjNDA2M2I/ Best regards, Matteo

Re: [clamav-users] Goldeneye ransomware

2016-12-08 Thread Steve basford
On 8 December 2016 20:39:49 Jack wrote: In addition to SaneSecurity, here is another third-party repo of sigs (updated often) that catches these docs: They are available to use on the download script already, I seem to remember. I've high fps with them and had

[clamav-users] bugzilla security certificate

2016-12-07 Thread Steve Basford
Just a quick one... in case it confuses visitors to Bugzilla... Going to https://bugs.clamav.net/ Firefox reports: "bugs.clamav.net uses an invalid security certificate. The certificate is only valid for bugzilla.clamav.net Error code: SSL_ERROR_BAD_CERT_DOMAIN" You can bypass the warning if

[clamav-users] support

2016-12-05 Thread Steve Basford
Hi, Just had a twitter user contact me regarding an fp that he reported 1st September (I don't have a hash sorry): 3986318.cbc:BC.Legacy.Exploit.CVE_2012_4148-1.{};Engine:70-255,Target:10;(0&2&1) ;0:255044462d312e;*:2f416e6e6f74;*:2f53756274797065{-5}2f576964676574 Secondly, I'm seeing this

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford
On Wed, November 30, 2016 10:50 am, Al Varnell wrote: > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > >> >> * Al Varnell : >> >>> Has anybody submitted a PDF yet? >>> >> >> Of course. >> > > Hash? Here's one example I saw in a forum... Source:

Re: [clamav-users] BKF archives scanable by ClamAV?

2016-11-30 Thread Steve Basford
On Tue, November 29, 2016 9:26 pm, Fr34k wrote: > Hello ClamAV Experts, > Can ClamAV scan within Windows BKF archives? > Both the Clam AntiVirus 0.99.1 User Manual and my Internet searches thus > far suggest the answer is, sadly, "no". I presume this may be due to the > age of .bkf usage.

[clamav-users] Reddit fp report

2016-11-29 Thread Steve basford
Might need a reply https://www.reddit.com/r/Malware/comments/5fix65/clamav_and_fortinet_have_not_fixed_a_false/ https://www.virustotal.com/en/file/61b5451350a110512d734f426a37e49721a7dea8170fd10f0a48974dedd971a5/analysis/ Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Steve Basford
On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote: > Hello, > > > Is there any way to whitelist a file based on its signature *and* its > filename? > Not that I know of... I guess this *might* be an option. 1. Find something common in your pdf you want to "whitelist", say "Your company

Re: [clamav-users] [Ext] Using very high CPU with lots of errors

2016-11-21 Thread Steve Basford
On Mon, November 21, 2016 3:15 pm, Hayes, Doug wrote: > Hi Team, > > > Looking for some assistance here, looks like I am getting the below > errors when starting the clamd process? Any ideas? > > --Version > ClamAV 0.97.6/22576/Mon Nov 21 06:21:40 2016 Sorry for to add...

Re: [clamav-users] [Ext] Using very high CPU with lots of errors

2016-11-21 Thread Steve Basford
On Mon, November 21, 2016 3:15 pm, Hayes, Doug wrote: > Hi Team, > > > Looking for some assistance here, looks like I am getting the below > errors when starting the clamd process? Any ideas? > > --Version > ClamAV 0.97.6/22576/Mon Nov 21 06:21:40 2016 You need to upgrade your ClamAV engine.

Re: [clamav-users] CRDF databases and clamav

2016-11-20 Thread Steve basford
Passed directly to CRDF at the same time something is reported to the ClamAV team. For info: If someone reports an FP with a Sanesecurity or Sanesecurity distributed sigs, the sig is firstly removed then reported to the sig maker and if the FP can be avoided and fixed, it will be

Re: [clamav-users] CRDF databases and clamav

2016-11-20 Thread Steve basford
On 20 November 2016 16:54:48 Rafael Ferreira wrote: CRDF databases are now being rolled into the >main/daily.cvd ones? Yes they were distributed on the Sanesecurity mirror originally (with a config option to enable) but were removed after the announcement... as it

Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford
:07 PM, Steve basford wrote: Remove javascript.ndb and retry... Cheers, Steve Twitter: @sanesecurity On 18 November 2016 22:02:41 Richard Doyle <list...@arbitrarydomain.name> wrote: On 11/18/2016 01:52 PM, Steve basford wrote: Does clamscan --debug on the database folder show the

Re: [clamav-users] clamav-users@lists.clamav.net

2016-11-18 Thread Steve basford
Remove javascript.ndb and retry... Cheers, Steve Twitter: @sanesecurity On 18 November 2016 22:02:41 Richard Doyle <list...@arbitrarydomain.name> wrote: On 11/18/2016 01:52 PM, Steve basford wrote: Does clamscan --debug on the database folder show the same delays... Yes Can
