Re: [clamav-users] ClamAV 1.4.0 release candidate now available!

2024-05-13 Thread Ralf Hildebrandt via clamav-users
should I worry if it's not present? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de

Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-21 Thread Ralf Hildebrandt via clamav-users
onably still be affected
> by the vulnerabilities.
>
> I am curious though - what are your MaxFileSize / MaxScanSize
> settings? I wonder if you're seeing timeouts with the default settings
> or if you increased them.
MaxFileSize 100M
MaxScanSize 200M
MaxScanTime 12
-

[clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-20 Thread Ralf Hildebrandt via clamav-users
: Exceeded time limit
Is this a bad Bytecode rule?
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de https://www.charite.de

Re: [clamav-users] [ext] Announcing Fangfrisch release 1.8.0

2024-02-20 Thread Ralf Hildebrandt via clamav-users
> - Sanesecurity (https://sanesecurity.com) provider default > configuration overhaul. Switch to a less congested mirror site, > add/remove several signature URLs. Thanks for that! -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz |

[clamav-users] Yara rule for Anydesk files...

2024-02-14 Thread Ralf Hildebrandt via clamav-users
way as to be usable from within clamav (1.3.0)?
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de ht

Re: [clamav-users] [ext] ClamAV 1.3.0 second release candidate published!

2024-01-25 Thread Ralf Hildebrandt via clamav-users
> page<https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc>.
https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc2 returns a 404.
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalid

Re: [clamav-users] [ext] Compressing log files with clamav

2023-10-19 Thread Ralf Hildebrandt via clamav-users
postrotate
    if [ -d /run/systemd/system ]; then
        systemctl -q is-active clamav-freshclam && systemctl kill --signal=SIGHUP clamav-freshclam || true
    else
        invoke-rc.d clamav-freshclam reload-log > /dev/null || true
    fi
endscript
}
-- Ralf Hildebrand

Re: [clamav-users] [ext] Re: Cannot "decode" a SHA256 signature

2023-09-12 Thread Ralf Hildebrandt via clamav-users
* Al Varnell via clamav-users :
> Sent from my iPad
>
> On Sep 12, 2023, at 01:29, Ralf Hildebrandt via clamav-users wrote:
> > should sigtool --decode-sigs really throw an error in that case?
>
> Perhaps not, but it's been the case for as long as I've been using

[clamav-users] Cannot "decode" a SHA256 signature

2023-09-12 Thread Ralf Hildebrandt via clamav-users
clamav.net:
# dpkg -l | fgrep clam
ii  clamav  1.2.0-1  amd64  ClamAV open source email, web, and end-point anti-virus toolkit.
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49

Re: [clamav-users] [ext] CVE-2023-20032 how to identify and solve

2023-09-01 Thread Ralf Hildebrandt via clamav-users
ware.redirect.ecpms.net.720". What does this have to do with CVE-2023-20032?
# sigtool --find-sigs=sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720 | sigtool --decode-sig
VIRUS NAME: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720
DECODED SIGNATURE: ecpms.net

Re: [clamav-users] [ext] Clamav 1.0.1 and email scan failed

2023-07-31 Thread Ralf Hildebrandt via clamav-users
amavis does the unpacking) More logging is needed for the message in question. -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155

Re: [clamav-users] [ext] ClamAV and Cohesity

2023-05-22 Thread Ralf Hildebrandt via clamav-users
"Non-LTS feature releases will be allowed access to download signatures until at least four (4) months after the next-next feature release is published."
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1.

Re: [clamav-users] [ext] ClamAV and Cohesity

2023-05-22 Thread Ralf Hildebrandt via clamav-users
ed? And: How are the updates done? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de https://ww

Re: [clamav-users] [ext] Segfaults with database version 26908

2023-05-16 Thread Ralf Hildebrandt via clamav-users
one seen this, too? I've seen this with 1.1.0-1 as well. Maybe they're related to the "pattern issue" I posted a while ago -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm

[clamav-users] LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0

2023-05-16 Thread Ralf Hildebrandt via clamav-users
cli_ac_addsig: cannot use filter for trie -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...

Re: [clamav-users] [ext] ppa for ClamAV for Ubuntu 22.04.1

2022-12-07 Thread Ralf Hildebrandt via clamav-users
tc/clamav/clamd.conf /usr/local/etc/clamd.conf
service clamav-freshclam restart
service clamav-daemon restart
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Be

Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running

2022-11-29 Thread Ralf Hildebrandt via clamav-users
* JOHN URBAN :
> Not quite as easy to set up as I made it sound, as lots of pieces and people
> involved but that is exactly one of the tests we hope to run today; thanks!
Yes, this sounds like hours of fun :/ But the insight gained will be rewarding :)
-- Ralf Hildebrandt C

Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running

2022-11-28 Thread Ralf Hildebrandt via clamav-users
g: strace --failed-only $program -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.d

Re: [clamav-users] [ext] Re: ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
resting. I'm using the *.deb from
>
> http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D

Re: [clamav-users] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
> https://github.com/Cisco-Talos/clamav/issues/736
Ah, interesting. I'm using the *.deb from
http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Frank

Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Oct 27 11:00:19 2022 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Thu Oct 27 11:00:19 2022 -> ------
So the issue is wit

Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
p-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Fri Oct 28 09:07:10 2022 -> --
Still failing.
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 10

Re: [clamav-users] [ext] PDF scan

2022-09-20 Thread Ralf Hildebrandt via clamav-users
clamdscan -V /tmp/LPBB0010-10.pdf
ClamAV 0.105.1/26663/Mon Sep 19 09:56:35 2022
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel.

Re: [clamav-users] [ext] More info about detected virus

2022-06-08 Thread Ralf Hildebrandt via clamav-users
it finds an email containing a BASE64 encoded "readme.exe" using the content type "audio/x-wav"... Maybe this helps:
VIRUS NAME: Win.Trojan.N-68
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE: REMOVED A MIME BOUNDARY HERE
Content-Type: audio/x-wav; name="readme.exe&

Re: [clamav-users] Fuzzy image signatures, Y U no work?

2022-05-25 Thread Ralf Hildebrandt via clamav-users
* Ralf Hildebrandt via clamav-users :
> Today I installed 0.105.0 to test the new fuzzy image signatures.
I'm a moron: "Added image fuzzy hash sub-signatures for logical signatures" -- thus it must be an LDB file :/
> Alas, I started up my trusty editor and generated a

[clamav-users] Fuzzy image signatures, Y U no work?

2022-05-25 Thread Ralf Hildebrandt via clamav-users
loading database /var/lib/clamav/rezeptfrei.hdb
ERROR: Malformed database
So what IS the correct syntax?
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

2021-11-24 Thread Ralf Hildebrandt via clamav-users
cld
ERROR: listdb: Error listing database /var/lib/clamav/main.cld
Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hilde

Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-20 Thread Ralf Hildebrandt via clamav-users
mav.so.9
/usr/local/lib/libclammspack.so
/usr/local/lib/libclammspack.so.0
/usr/local/lib/libclamunrar.so
/usr/local/lib/libclamunrar.so.5
/usr/local/lib/libclamunrar_iface.so
/usr/local/lib/libclamunrar_iface.so.9
/usr/local/lib/libfreshclam.so
/usr/local/lib/libfreshclam.so.2
Ralf Hildeb

Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Ralf Hildebrandt via clamav-users
* Vladislav Kurz via clamav-users :
> How about just making the file empty?
I think this causes an error in clamav/clamd
Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm

Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases

2020-11-26 Thread Ralf Hildebrandt via clamav-users
> > I usually rebuild from a recent debian source (hah!)
>
> that's what I recommend.
>
> with changing version to something lower than 0.103 e.g. 0.103~backport
> - it gets upgraded to ubuntu-provided version when it's available.
Same here.
Ralf Hildebrandt Charité

Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases

2020-11-26 Thread Ralf Hildebrandt via clamav-users
> Do you want to take care of it since now (forever)?
>
> It is possible, but it should be easier to backport clamav e.g. version
> 0.103 from hirsute. That way, when newer version appears in ubuntu
> repository, it may get upgraded so you won't have to care.
I usually rebuild f

[clamav-users] pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects

2020-09-18 Thread Ralf Hildebrandt via clamav-users
while extracting objects.
Sep 18 11:47:55 proxy-cbf-1 clamd[791]: LibClamAV Error: pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects.
What is the timeout value? Can it be configured? Is there any way of preserving the files for further analysis?
Ralf

Re: [clamav-users] [ext] Xls.Malware.Sagent-7132944-0

2020-08-14 Thread Ralf Hildebrandt via clamav-users
00020819---C000-0046}" anywhere
1: contain "CallByName" anywhere
2: contain "ThisWorkbook" anywhere
-- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburg

Re: [clamav-users] Becoming disillusioned

2020-08-14 Thread Ralf Hildebrandt via clamav-users
er extent SecuriteInfo). The only official "hit" in the top 25 is "Win.Downloader.WannaMine-6442440-2". I see the extensibility as a major advantage. Just the other day I created a set of patterns to detect EPOCH3 EMOTET files. But to some extent I agree with the point you're mak

Re: [clamav-users] [ext] ClamAV Development Release: Cannot compile, no configure-script available...

2020-08-12 Thread Ralf Hildebrandt via clamav-users
Remove autotools generated files, add autogen.sh 26 days ago Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@chari

Re: [clamav-users] [ext] Re: ClamAV® blog: Freshclam, cdiffs and bandwidth are your friends

2020-07-29 Thread Ralf Hildebrandt via clamav-users
63, builder: raynman)
Tue Jul 28 18:00:53 2020 -> daily.cld updated (version: 25887, sigs: 3681654, f-level: 63, builder: raynman)
Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburg

Re: [clamav-users] [ext] About Madeba-8019734

2020-07-06 Thread Ralf Hildebrandt via clamav-users
BSIGNATURE: words(85
So, as you can see, the signature consists of 6 subsignatures numbered 0-5, all of which must match. It sort-of looks highly specific to me.
Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF
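Several threads above turn on reading ClamAV's text signature formats: the `sigtool --decode-sigs` output in the ecpms.net and readme.exe threads, the "Malformed database" error from the fuzzy-image thread (those hashes only work as subsignatures of a logical .ldb signature), the Sagent macro strings, and the Madeba signature whose six subsignatures must all match. The block below is an added example written for this page; it is not ClamAV's sigtool and not code from anyone in the thread. It decodes .ndb and .ldb lines the way sigtool prints them and evaluates a logical expression against per-subsignature match counts. The sample signatures in the usage note and test are constructed (the `CallByName` / `ThisWorkbook` strings are the ones quoted in the Sagent thread); the target-type names come from the ClamAV signature documentation; the assumption that `&` binds tighter than `|` inside one parenthesis level is mine, real signatures parenthesize.

```python
import re

# Target types as printed by sigtool --decode-sigs (from the ClamAV signature
# documentation; type 8 is unused).
TARGET_TYPES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL", 5: "GRAPHICS",
                6: "ELF", 7: "ASCII", 9: "MACH-O", 10: "PDF", 11: "FLASH", 12: "JAVA"}

# One token of a ClamAV hex signature: {n-m} gaps, [n-m] ranges, (aa|bb)
# alternatives, the * and ?? wildcards, nibble wildcards a?/?a, or one byte.
HEX_TOKEN = re.compile(r"\{[^}]*\}|\[[^\]]*\]|\([0-9a-fA-F|]+\)|\*|\?\?"
                       r"|[0-9a-fA-F]\?|\?[0-9a-fA-F]|[0-9a-fA-F]{2}")


def decode_hex(sig):
    """Render a hex signature the way sigtool does: printable bytes as text,
    other bytes as \\xNN, wildcards left in ClamAV's own notation."""
    out, pos = [], 0
    while pos < len(sig):
        m = HEX_TOKEN.match(sig, pos)
        if not m:  # the engine reports this kind of input as a malformed database
            raise ValueError(f"malformed hex signature at offset {pos}: {sig[pos:pos + 8]!r}")
        tok, pos = m.group(0), m.end()
        if len(tok) == 2 and "?" not in tok:
            b = int(tok, 16)
            out.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
        elif tok.startswith("("):  # alternatives: decode every branch
            out.append("(" + "|".join(decode_hex(a) for a in tok[1:-1].split("|")) + ")")
        else:
            out.append(tok)
    return "".join(out)


def decode_ndb(line):
    """Parse an .ndb line: Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("extended signature needs name, target, offset and hex body")
    name, target, offset, hexsig = parts[:4]
    return {"name": name, "target": TARGET_TYPES.get(int(target), f"UNKNOWN({target})"),
            "offset": offset, "decoded": decode_hex(hexsig)}


def decode_ldb(line):
    """Parse an .ldb line: Name;TargetDescription;LogicalExpression;Sub0;Sub1;..."""
    parts = line.strip().split(";")
    if len(parts) < 4:
        raise ValueError("logical signature needs name, target block, expression and a subsignature")
    subsigs = []
    for sub in parts[3:]:
        if sub.startswith("fuzzy_img#"):  # image fuzzy-hash subsignature (0.105+), not hex
            subsigs.append(sub)
            continue
        body = sub.split("::", 1)[0]  # drop ::i / ::w style modifiers
        if ":" in body:  # optional "offset:" prefix
            body = body.split(":", 1)[1]
        subsigs.append(decode_hex(body))
    return {"name": parts[0], "target": parts[1], "expression": parts[2], "subsigs": subsigs}


def logical_matches(expr, counts):
    """Evaluate a logical expression against {subsig_index: match_count}.

    Handles indices, '&', '|', parentheses and N>K / N<K / N=K on a single
    index; group counts such as (0|1)>2 are rejected rather than guessed.
    Assumption: '&' binds tighter than '|' (real signatures parenthesize).
    """
    toks = re.findall(r"\d+|[&|()<>=]", expr)
    if "".join(toks) != expr.replace(" ", ""):
        raise ValueError(f"unexpected characters in logical expression {expr!r}")
    pos = [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("missing ')' in logical expression")
            if peek() in ("<", ">", "="):
                raise ValueError("group match counts like (0|1)>2 are not supported here")
            return val
        if tok is None or not tok.isdigit():
            raise ValueError(f"expected a subsignature index, got {tok!r}")
        n = counts.get(int(tok), 0)
        if peek() in ("<", ">", "="):
            op, k = take(), take()
            if k is None or not k.isdigit():
                raise ValueError("match-count comparison needs a number")
            return {">": n > int(k), "<": n < int(k), "=": n == int(k)}[op]
        return n > 0

    def and_expr():
        val = atom()
        while peek() == "&":
            take()
            rhs = atom()  # always parse the right side, even if val is already False
            val = val and rhs
        return val

    def or_expr():
        val = and_expr()
        while peek() == "|":
            take()
            rhs = and_expr()
            val = val or rhs
        return val

    result = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing tokens in logical expression {expr!r}")
    return bool(result)
```

Usage: `decode_ndb("Test.Mime.WavExe:0:*:436f6e74656e742d547970653a20617564696f2f782d776176")` (a constructed line) gives target `ANY FILE`, offset `*` and the decoded text `Content-Type: audio/x-wav`, the same shape as the sigtool output quoted in the readme.exe thread. For a constructed logical line `Test.Macro.Sample;Engine:51-255,Target:2;0&1&2;43616c6c42794e616d65;54686973576f726b626f6f6b;4175746f5f4f70656e`, `decode_ldb` returns the three decoded subsignatures and `logical_matches("0&1&2", {0: 1, 1: 1, 2: 1})` is true only when all three matched, which is what "all of which must match" means for the Madeba expression above. A malformed hex body raises `ValueError`, the script-level counterpart of clamd's "Malformed database".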

Re: [clamav-users] [ext] SelfCheck: Database modification detected. Forcing reload.

2019-11-13 Thread Ralf Hildebrandt via clamav-users
* Cliff Hayes via clamav-users :
> I have a daily cron job that runs around 3am that:
> - shuts down clamd
> - runs freshclam
> - starts clamd
Why? freshclam usually runs all the time, updating and signalling clamd on demand. But you do have a point...
Ralf Hildebr

Re: [clamav-users] rpm files question [was: ClamAV 0.101.2 announcement?]

2019-03-29 Thread Ralf Hildebrandt via clamav-users
> ld you, and others here, be interested in installing a ClamAV
> snap in the future?
That definitely sounds interesting!
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de Hin

Re: [clamav-users] [ext] What kind of mails is clam* checking? Only mails with attachments / mailflow

2019-02-07 Thread Ralf Hildebrandt
y scans the whole mail "as is" and the text parts and attachments separately.
> As clam* can also do URL checks and stuff, also mails without attachments
> can be infected.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCam

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
> epatrol were to
> list the specific site where the malware was reportedly found, rather
> than condemning the entire sub-domain.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de

Re: [clamav-users] [ext] Re: MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
is not a false
> positive.
>
> There is no reason to believe that the Google infrastructure doesn't
> host malware. In case you still don't want or can't block such domain,
> we advise you to whitelist it before applying our block lists."
Fucking idiots.
-- Ralf Hildebrandt

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
> nymore. Is it worth it to keep malwarepatrol?
I'm wondering this as well. That stuff pops up every other day.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de Hindenburgdamm 30,

Re: [clamav-users] [ext] Re: Malwarepatrol false positive

2018-09-18 Thread Ralf Hildebrandt
* Paul Stead :
> Yet another Malwarepatrol FP:
>
> MBL_14437114 - https://drive.google.com
That's a recurring FP. Happens every week.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.c

Re: [clamav-users] [ext] Re: WARNING: Local version: 0.99.4 Recommended version: 0.100.0

2018-06-20 Thread Ralf Hildebrandt
* Philip :
> Has this been released yet by the major Distros? I'm using Debian 9 and
> can't get any higher than 0.99.x
Debian has 0.100: https://packages.debian.org/buster/clamav
I used that source package to rebuild for my Ubuntu installations.
-- Ralf Hildebrandt C

Re: [clamav-users] [ext] Re: Question regarding SIGUSR2 and clamd

2018-03-22 Thread Ralf Hildebrandt
| socat - /var/run/clamav/clamd.ctl
PONG
# echo RELOAD | socat - /var/run/clamav/clamd.ctl
RELOADING
# echo PING | socat - /var/run/clamav/clamd.ctl
# echo PING | socat - /var/run/clamav/clamd.ctl
PONG
Yeah!
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebr
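The transcript above shows the behaviour a monitoring script has to cope with: after `RELOAD` clamd answers `RELOADING`, the next `PING` gets no answer at all while the databases are being loaded, and only the one after that returns `PONG`. The block below is an added example for this page, not code from the thread or from the ClamAV project: a minimal clamd socket client in Python that uses the `z`-prefixed, NUL-terminated command form, treats a closed connection without a reply as "not ready yet", and polls `PING` after a reload until `PONG` comes back or a deadline passes. The socket path is the one from the transcript (`/var/run/clamav/clamd.ctl`); the function names and the timeout values are my own choices.

```python
import socket
import time

# Socket path from the thread above; Debian/Ubuntu packages use this by
# default, other builds may use /run/clamav/clamd.sock or a TCP port.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


def clamd_command(path, command, timeout=5.0):
    """Send one command to clamd over its Unix socket and return the reply.

    Commands prefixed with 'z' and terminated by NUL make clamd NUL-terminate
    its reply, so the end of the answer is unambiguous. clamd serves one
    command per connection (outside IDSESSION) and closes the socket after
    answering. Returns '' when clamd closed the connection without answering,
    which is what the second PING in the transcript above ran into.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"z" + command.encode("ascii") + b"\0")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:  # peer closed: either done or not answering
                break
            chunks.append(data)
            if data.endswith(b"\0"):
                break
    return b"".join(chunks).rstrip(b"\0\n").decode("utf-8", "replace")


def reload_and_wait(path, timeout=60.0, interval=0.5):
    """Ask clamd to reload its databases, then poll PING until PONG returns.

    Returns the number of PING attempts it took; raises TimeoutError if clamd
    is still not answering when the deadline passes.
    """
    reply = clamd_command(path, "RELOAD")
    if reply != "RELOADING":
        raise RuntimeError(f"unexpected RELOAD reply: {reply!r}")
    deadline = time.monotonic() + timeout
    attempts = 0
    while time.monotonic() < deadline:
        attempts += 1
        try:
            if clamd_command(path, "PING") == "PONG":
                return attempts
        except OSError:
            pass  # connection refused/reset while clamd is busy: keep polling
        time.sleep(interval)
    raise TimeoutError("clamd did not answer PING after RELOAD")


if __name__ == "__main__":
    print(clamd_command(CLAMD_SOCKET, "VERSION"))
    print("reload took", reload_and_wait(CLAMD_SOCKET), "PING attempts")
```

Design note: the empty reply is deliberately not treated as an error in `reload_and_wait`, because that is exactly the window the transcript shows; a wrapper that reloads and then immediately scans would otherwise fail spuriously on every signature update. The Unix-socket permissions decide who may issue `RELOAD` (and `SHUTDOWN`), so keep `LocalSocketGroup`/`LocalSocketMode` in clamd.conf tight rather than world-writable.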

[clamav-users] Question regarding SIGUSR2 and clamd

2018-03-22 Thread Ralf Hildebrandt
rom trying to parse the logfile? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155 sig

Re: [clamav-users] Announcement missing

2018-01-26 Thread Ralf Hildebrandt
* Joel Esler (jesler) <jes...@cisco.com>:
> You're right. That's my fault. I'll correct that here in a second after I
> read through all the emails in my ClamAV folder.
OK, tomorrow then :)
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra..

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* Reindl Harald <h.rei...@thelounge.net>:
>
>
> On 26.01.2018 at 13:40, Ralf Hildebrandt wrote:
> > * maxal <m...@sbg.at>:
> > > nobody of clamav/cisco reading this list?
> >
> > It's 7:45AM on the east coast
>
> so what - i don't get

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* lukn <lukn...@gmail.com>:
> As ClamAV/Talos is owned by Cisco I assume all ClamAV employees are
> located in Silicon Valley area and therefore still enjoying a good
> Californian night's sleep.
Or maybe in Philadelphia.
-- Ralf Hildebrandt Charite Univ

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* maxal <m...@sbg.at>:
> nobody of clamav/cisco reading this list?
It's 7:45AM on the east coast.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de Hindenburgdamm

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
> Arguably if a bug in the signatures can lead to such massive problems
> then that is in itself a bug in the software, which might be (but
> apparently so far isn't) fixed in a later version.
Amen to that.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
8 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
...
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampu

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* Reindl Harald <h.rei...@thelounge.net>:
> sounds like an issue with the official signatures given that you are not the
> first reporter and that we don't use them and have no problems
Thought so. Must be a recent signature in daily.cvd.
-- Ralf Hildebrandt

Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread Ralf Hildebrandt
* Karl Pielorz <kpielorz_...@tdx.co.uk>:
> This ends up with a lot of wedged mail processes (and we slowly run out of
> fd's as the process table fills up).
Same here on Ubuntu 16.04 with official patterns.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin r

Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Ralf Hildebrandt
0.838784 952 881 fcntl ... -- --- --- - 100.00 195.366582 47161 total -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin https://www.charite.de

Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Ralf Hildebrandt
futex 0.000.00 0 1 restart_syscall -- --- --- - - 100.000.103050 3803012 total -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@char

Re: [clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?

2017-04-08 Thread Ralf Hildebrandt
* ANANT S ATHAVALE <a...@isac.gov.in>:
> Hi List,
>
> One of the .pptx files which was attached is getting detected as VIRUS:
> Win.Exploit.CVE_2016_3301-6210129-0. As it is an official document it can't
> be uploaded for submission. How to manually verify?
What do you want

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Ralf Hildebrandt
> ny discussion about this, could anyone comment?
They probably mean the exploit code used in operation Grizzly Steppe: APT 29, APT 28, Cozybear, Fancybear, Sandworm, Sofacy etc.
https://www.dhs.gov/news/2016/12/30/executive-summary-grizzly-steppe-findings-homeland-security-assistant-

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Ralf Hildebrandt
* Bengt H. <ben...@gmail.com>:
> Unsubscribe please
List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>,
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http:/

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Ralf Hildebrandt <ralf.hildebra...@charite.de>:
> * Al Varnell <alvarn...@mac.com>:
> >
> > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > >
> > > * Al Varnell <alvarn...@mac.com>:
> > >> Has any

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell <alvarn...@mac.com>:
>
> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> >
> > * Al Varnell <alvarn...@mac.com>:
> >> Has anybody submitted a PDF yet?
> >
> > Of course.
>
> Hash?
8d62c398679ab6c7b85749eac

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell <alvarn...@mac.com>:
> Has anybody submitted a PDF yet?
Of course.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 122

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Ralf Hildebrandt
> and not public.
I already did a FP report. It happened with PDFs from "Springer Medical". Had to disable that signature.
> I hope there are some additional FP-Reports from other people regarding this
> virus to review this signature.
Yep.
-- Ralf Hildebrandt

Re: [clamav-users] One final clamd Frage

2016-10-12 Thread Ralf Hildebrandt
> clamd to run,
No. clamdscan together with clamd eliminated the long startup time.
> does it provide any added features or functionality not already present
> with freshclam + clamscan running on-demand from cronjobs?
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ral

Re: [clamav-users] ClamAV® blog: CRDF Joins the ClamAV Signature Partner Program!

2016-07-14 Thread Ralf Hildebrandt
* Joel Esler (jesler) <jes...@cisco.com>:
>
>
> http://blog.clamav.net/2016/07/crdf-joins-clamav-signature-partner.html
Are these signatures already active?
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Be

Re: [clamav-users] Problem with mirrors overnight?

2016-03-19 Thread Ralf Hildebrandt
> mirrors are probed from freshclam?
> All of them are failing since last night on all of our servers.
>
> Probed are:
> 178.63.73.246
> 84.39.110.99
> 88.198.17.100
http://lutz.donnerhacke.de/Blog/ClamAV-aktualisiert-sich-nicht-mehr
-- Ralf Hildebrandt

Re: [clamav-users] Bad detection rate

2014-07-03 Thread Ralf Hildebrandt
> . Up to now, I never got a notification, although "Notify me" was checked.
Indeed. I also submitted quite a lot of malware and never got a notification (in years!)
> 3. Why shall we not post more than two sample files per day?
I also wondered about that.
-- Ralf Hildebrandt

Re: [clamav-users] An FP?

2014-02-06 Thread Ralf Hildebrandt
* Gene Heskett ghesk...@wdtv.com:
> > It's an UNOFFICIAL pattern, not a core clamav pattern
> Still, is it not un-needed noise?
It's obviously a FP, but calling it un-needed noise is a bit off. If the pattern were correct and would find a real virus, is it not un-needed noise?
-- Ralf

Re: [clamav-users] An FP?

2014-02-05 Thread Ralf Hildebrandt
> /Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> But https://virustotal.com thinks otherwise.
It's an UNOFFICIAL pattern, not a core clamav pattern
-- Ralf Hildebrandt

Re: [clamav-users] Error build clamav 0.98

2013-11-08 Thread Ralf Hildebrandt
* Константин Белозеров codingu...@gmail.com:
> Hello. I get an error when building the anti-virus from source on GNU/Linux Debian 7.1.
> I ran "make check VG=1", but to no avail.
But which error are you getting?
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin

Re: [clamav-users] Error build clamav 0.98

2013-11-08 Thread Ralf Hildebrandt
* Константин Белозеров codingu...@gmail.com:
> Errors are listed in the log file.
Would you mind pasting them here?
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm

Re: [clamav-users] Error build clamav 0.98

2013-11-08 Thread Ralf Hildebrandt
valgrind installed -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184

2012-05-12 Thread Ralf Hildebrandt
> else seeing this?
Yes, I'm also seeing a lot of FP's for BC.Exploit.CVE_2012_0184
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin

Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184

2012-05-12 Thread Ralf Hildebrandt
* Joel Esler jes...@sourcefire.com:
> Please run Freshclam. This has already been cleared up.
Thanks for the heads up. Time to release stuff from the quarantine.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin

Re: [clamav-users] False positive submission page down

2012-05-04 Thread Ralf Hildebrandt
> instance because your client has not told it which one it wants to talk to.
It's not a client issue. It depends on my source IP.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-05-04 Thread Ralf Hildebrandt
-age=0
Connection: keep-alive

answer:
HTTP/1.1 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Fri, 04 May 2012 10:29:21 GMT
X-Varnish: 221993613
Age: 0
Via: 1.1 varnish
Connection: close
-- Ralf

[clamav-users] Solved: False positive submission page down (for a few days now)?

2012-05-04 Thread Ralf Hildebrandt
from varnish. Setting it to delete, on or truncate make the page http://cgi.clamav.net/sendfp.cgi work again. Only off causes the page to fail. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-05-03 Thread Ralf Hildebrandt
being logged for my source IP. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

[clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
Is there an alternative way of submitting FP's? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Török Edwin ed...@clamav.net:
> On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
> > Is there an alternative way of submitting FP's?
> Are you using this page? http://www.clamav.net/lang/en/sendvirus/submit-fp/
Yep.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Török Edwin ed...@clamav.net:
> On 04/19/2012 04:10 PM, Ralf Hildebrandt wrote:
> > > I just tested and it worked fine for me. What's exactly the problem on your side?
> > I keep getting: Under maintenance. Try again later.
> How big is the file that you're trying to upload?
I'm

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
maintenance. Try again later.</h1>
</body>
</html>
Connection closed by foreign host.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
> submission page used to work for us up till now.
Hm.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Török Edwin ed...@clamav.net:
> Can you try flushing your varnish cache, and trying again?
It's your varnish cache :) (we don't have any here)
I already restarted my squid servers, no change. It's very odd.
-- Ralf Hildebrandt Charite Universitätsmedizin Berlin

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Ralf Hildebrandt ralf.hildebra...@charite.de: * Török Edwin ed...@clamav.net: Can you try flushing your varnish cache, and trying again? It's your varnish cache :) (we don't have any here) I already restarted my squid servers, no change. It's very odd. Now I emptied my cache

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-08 Thread Ralf Hildebrandt
BC.Exploit.CVE_2011_3412 The entry is not complete. The correct one is: BC.Exploit.CVE_2011_3412.{CVE_2011_3412} After applying your fix, correct? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http

[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
What am I doing wrong here? Running clamav 0.97.3 -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
* Alain Zidouemba azidoue...@sourcefire.com: Ralf, We got your FP reports and will address them today. Thanks :) But the original question remains in case I need to whitelist a signature. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
* Bill Maidment b...@maidment.vu: What am I doing wrong here? Running clamav 0.97.3 It's the same story here. We've had to switch off all bytecode rules in the conf file. Not ideal. Sounds like one cannot whitelist a bytecode signature? -- Ralf Hildebrandt Charite

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
with : but with ; -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] Unit Testing

2012-02-07 Thread Ralf Hildebrandt
* Jan-Pieter Cornet joh...@xs4all.nl: I haven't got any experience with IRIX, but I do wonder: why are you using tits for testing purposes? That seems inappropriate. No, he's using un-tits. Everything but tits. E.g. a canary would be an un-tit. Like an undead is anything but dead. PS ;-)

Re: [clamav-users] Fwd: Re: AV timeout?

2011-06-29 Thread Ralf Hildebrandt
* Török Edwin edwinto...@gmail.com: On 2011-06-29 17:01, Michael Scheidell wrote: On 6/29/11 9:24 AM, Michael Scheidell wrote: Ok, so not just me. I am going to ask Ralf Hildebrandt what version of os he is using. maybe we can track this down. so, its not just on amd64

Re: [Clamav-users] clamd DLP(Data Loss Prevention) w/Postfix

2010-04-29 Thread Ralf Hildebrandt
in Subject or Body) You'd probably need to use amavisd-new -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra

Re: [Clamav-users] DNS server blocks database.clamav.net?

2009-04-02 Thread Ralf Hildebrandt
nslookup database.clamav.net 85.255.112.204: $ nslookup database.clamav.net 85.255.112.204 Server: 85.255.112.204 Address: 85.255.112.204#53 Why don't you ask your ISP? -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus

Re: [Clamav-users] announcing ClamAV 0.94rc1

2008-08-19 Thread Ralf Hildebrandt
* Dennis Peterson [EMAIL PROTECTED]: My point was that it's ten times as big as it should be Which begs the question: How big should it be, and why is that size better than the one it is? Size matters not! -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite

Re: [Clamav-users] announcing ClamAV 0.94rc1

2008-08-18 Thread Ralf Hildebrandt
: 16.134.725 0.93: 20.247.322 -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail

Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-14 Thread Ralf Hildebrandt
of addresses manually but anything containing | has the same problem. Please do show the logs. -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30

Re: [Clamav-users] Missed Virus

2007-08-08 Thread Ralf Hildebrandt
is picking up this virus: W32/Zhelatin.gen!eml It seems our ClamAV is not seeing it. We get a couple hundred of these a day and they're all the same virus. Any ideas? False positive? By any means, submit it to the team. -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED
