Is the failing machine running out of memory running engine = cl_engine_new()?
David Shrimpton
___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive
k any settings other than database location from freshclam.conf would
apply. So if you were just trying to
get an example main.cvd you might see side effects you don't want like
freshclam writing to a configured log file
or trying to HUP your
and likely will vary with each sample. A regex signature to get any variable
name would be better.
David Shrimpton
From: clamav-users on behalf of Arnaud Jacques
Sent: Saturday, April 6, 2019 12:27 AM
To: clamav-users@lists.clamav.net
Subject: Re
ensible output for the above signature, so I am not sure this is the
exact one causing the sigtool error.
The problem started from the database version 25410 upgrade, so it appears one (or more) sigs are malformed in 25410.
ClamAV 0.100.2/25410/Fri Apr 5 17:
CL_TYPE_SWF so
some sigs for flash using CL_TYPE_ZIP may no longer work.
David Shrimpton
: NONE
+-> DECODED SUBSIGNATURE:
= "re" end if
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
exe /c start
David Shrimpton
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf
ine (to mark the end of headers)
(Use qf instead of hf for a non quarantine queue file,
but also bear in mind that queue processing by the mail daemon
may be writing to a qf but not a hf file.)
Rescan and clamav should recognize it as an email file and extract and scan any attachments.
--
Dav
> These signatures were generated out of attachments to know bad spam files.
> We'll have a look.
>
I generated the null byte files from sizes 1 to 1 and ran clamav against
them
and came up with 785 signatures that matched the null byte files and are therefore broken.
I'd speculate that
On Wed, 28 Sep 2016, Joel Esler (jesler) wrote:
> These signatures were generated out of attachments to know bad spam files.
> We'll have a look.
>
clamscan -z on pdf shows:
Win.Trojan.Agent-1696579
Win.Trojan.Agent-1696632
Win.Trojan.Agent-1696690
Win.Trojan.Agent-1696882
causes the hit on Win.Trojan.Agent-1696554.
Might be something wrong with many more sigs from Version: 9?
Might be worth doing all the null byte files from 1 to X in size
and running clamscan against them.
David Shrimpton
al.pdf
Is the original malware sample for which the signature was intended still available, and does it have the above sha256sum?
--
David Shrimpton
ening the same pdf.
--
David Shrimpton
.
--
David Shrimpton
stics.OLE2.ContainsMacros
was returned. Or you could treat unofficial hits with more caution
eg add warning only and official hits more aggressively eg discard.
But -z is broken with OLE2, so you must decide to use OLE2BlockMacros
and not official/unofficial signatures, or not use OLE2BlockMacros.
roblem occurs with .docx which are zip but not with .doc
which are 'CDF V2 Document' which are the OLE2 file itself.
--
David Shrimpton
ot sigtool.
clamav appears to still extract the macros and signatures
written against the macro code still work.
--
David Shrimpton
Using #match as a condition in a yara rule to
count the occurrences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal,
eg "abc123".
Is #match intended to work with a regex?
--
David
.ContainsMacros.
--
David Shrimpton
or encrypted zip or ole2 with macros, differently to files that matched
a real sig. eg do logging only instead of discarding.
--
David Shrimpton
he contained file itself was scanned or not.
David Shrimpton
t.
I note the same md5sum:size in winnow_malware.hdb
924d8e14ccb2604effc455e1a584cb80:93184:winnow.malware.135963
Seems like some sort of weird bug exercised by the signature set
in my local databases when scan-ole2=yes.
I'll keep trying to narrow it down.
--
David Shrimpton
Information
.
If it can't be fixed then some clearer explanation of the OLE2 scanning would be
helpful, as it's misleading at present.
--
David Shrimpton
Information Technology Services | The University of Queensland
from badmacro are detected
--
David Shrimpton
Information Technology Services | The University of Queensland
ExtendedDetectionInfo no
in clamd.conf and restarting clamd seems
to have no influence over this.
Is there a way of turning off the hash and file size in
the virus name returned in response to a SCAN
command (rather than writing a regex to parse
the result)?
--
David Shrimpton
Systems Programmer
.
(Note the virus naming has changed from
Encrypted.Zip to Heuristic.Encrypted.Zip
in versions = 0.96rc1)
Has anyone else observed the same problem
since upgrading to 0.96?
--
David Shrimpton
Systems Programmer ITS
University of Queensland
Thanks for replies,
Submitted new bug report:
Bug #1660
--
David Shrimpton
Systems Programmer ITS
University of Queensland
in another file is not
reported as Encrypted.Zip when ArchiveBlockEncrypted is on in clamd.conf,
so it would still be possible to send a virus within an encrypted zip
by simply appending a few bytes to the start of the archive.
--
David Shrimpton
Systems Programmer ITS
University of Queensland
On Wed, 29 Oct 2008, Noel Jones wrote:
Submit false positives to the clamav team for analysis.
http://www.clamav.net/sendvirus/
Thanks, Was done earlier.
It appears this has already been fixed - I can't find a
signature named W97M.Static in the current clam database.
W97M.Static was
On Wed, 29 Oct 2008, Noel Jones wrote:
David Shrimpton wrote:
This suggests creating a local.ign file eg
daily.ndb:319:W97M.Static
clamscan appears to indicate it was loading the file.
Sounds as if you did it correctly, I have no insight into why
it didn't work for you. Only
536176654e6f726d616c50726f6d7074 | perl -ne 'chomp; print pack("H*", $_), "\n"'
SaveNormalPrompt
Surely this signature is incorrect.
Is there a way of disabling it?
--
David Shrimpton Systems Programmer
Software Infrastructure, Information Technology Services
University of Qld
of the
virus text)
The implication of the above is that clamav 0.93 would now
no longer detect many once prevalent viruses for which it
only has hexdump signatures.
--
David Shrimpton
these files scanned?
If so, are these files only scanned against a subset of the
signatures and not the hexdump signatures?
What has changed in 0.93 to cause WScr.Unsafe.D (and presumably other viruses)
to no longer be detected, and is there a fix for this?
--
David Shrimpton
Thanks,
This quote from the bugzilla posts is quite amusing:
As for the official clamav signatures, please stand assured that when the new
code will be in the stable release, all the broken signatures will be properly
fixed.
--
David Shrimpton
On Fri, 2 May 2008, Steve Basford wrote:
database file by adding a name, type and offset
(use sigtool --list to make sure the name you choose doesn't clash
with an existing one. Also choose a name you think won't clash with
a future clamav signature name )
On Fri, 2 May 2008, David Shrimpton wrote:
Thanks,
This quote
Sample Submitted.
thanks
David
Please submit a sample at http://www.clamav.org/sendvirus/
-virname = "Archive.ExceededRecursionLimit";
return CL_VIRUS;
}
return CL_CLEAN;
}
In 0.93 the if(BLOCKMAX) part is deleted.
I think that CL_EMAXREC (Recursion limit exceeded )
should be returned and not CL_CLEAN.
--
David Shrimpton
University
Worm.Bagle.Gen-zippwd-8 remains.
Can anyone please explain why these signatures have disappeared?
This has also happened with other virus signatures in the past
and viruses previously detected are no longer detected.
--
David Shrimpton Systems Programmer
Software Infrastructure
in freshclam.conf.
Oct 11 07:51:29 pow1 freshclam[29134]: ERROR: Clamd was NOT notified: Both
socket types (TCP and local) declared in /usr/local/etc/clamd.conf
--
David Shrimpton Systems Programmer
Software Infrastructure, Information Technology Services
University of Qld 4072
the problem is more an underlying network
connectivity problem from your host to port 80 on many IPs
but not to clamavdb.planetmirror.com. Perhaps your ISP
requires traffic to most sites to go through a proxy but traffic
to clamavdb.planetmirror.com is considered local
and allowed directly.
--
David
was not found
A workaround for this is to comment out
DatabaseMirror db.au.clamav.net
DatabaseMirror database.clamav.net
in freshclam.conf and add a DatabaseMirror line pointing
to a mirror host that has an up-to-date daily.cvd
--
David Shrimpton Systems Programmer
Software