Re: [clamav-users] Blocked Access to ClamAV Database

2024-05-17 Thread Steve Basford via clamav-users
On 17 May 2024 13:26:27 Julia Korhonen via clamav-users wrote: Upon running command curl http://database.clamav.net, I received a message indicating that my access was blocked. However, upon reviewing my network settings and conducting diagnostic tests, I could not find any explicit

Re: [clamav-users] Failed to open file. ERROR.

2024-04-30 Thread Steve Basford via clamav-users
On 30 April 2024 10:42:39 Nathan Millard via clamav-users wrote: Hi, when I am scanning using clamav on windows I am getting lots of errors stating “Failed to open file. ERROR” Does anyone know how to solve this? Seems like it would be a permissions problem? Hi. While there is a windows

Re: [clamav-users] Announcing Fangfrisch release 1.9.0

2024-03-08 Thread Steve Basford via clamav-users
On 8 March 2024 13:20:53 Ralph Seichter via clamav-users wrote: I am also happy to report that the new HTTP mirror for SaneSecurity signature files is chugging along nicely. Over the last days, I have counted 4672 unique client connections accessing these files, with a slow but steady

Re: [clamav-users] ClamAV 1.3.0 release candidate published

2023-12-15 Thread Steve Basford via clamav-users
On 15 December 2023 16:49:49 "Micah Snyder \(micasnyd\) via clamav-users" wrote Fixed an issue decrypting some PDF's with an empty password. Hi Micah, Just tested and it's decoding URLs now :) I also wanted to say a huge Thank You for all the programming bug fixes/new features and support

Re: [clamav-users] since clamav version 1.2.0, false/positive pihole links?

2023-08-31 Thread Steve Basford via clamav-users
On 31 August 2023 09:30:46 energynorman--- via clamav-users wrote: Dear clamav Teams, we are using some Debian 12 servers with PiHole Systems: OS: Debian GNU/Linux 12 (bookworm) aarch64 Host: Raspberry Pi 4 Model B Rev 1.4 Kernel: 6.1.21-v8+ Uptime: 4 hours Packages: 2830 (dpkg), 14

Re: [clamav-users] since clamav version 1.2.0, false/positive pihole links?

2023-08-31 Thread Steve Basford via clamav-users
On 31 August 2023 09:33:24 energynorman--- via clamav-users wrote: ..additional, also these were found now by the version 1.2.0 (whitelisting?): --- SCAN SUMMARY --- Known viruses: 8862874 Engine version: 1.2.0 Scanned directories: 91 Scanned files: 416 Infected files: 0

[clamav-users] Unix.Malware.Kaiji-10003916-0

2023-06-07 Thread Steve Basford via clamav-users
Multi False Positive reports... Just a heads up. Cheers, Steve Sanesecurity.com Twitter: @sanesecurity ___ Manage your clamav-users mailing list subscription / unsubscribe: https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a

Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users
On 24 May 2023 21:57:33 Steve Basford via clamav-users wrote: Could you do a ls of the clamav database folder... So I can see what databases you are using Sorry all should have been off list... Duh ;) Cheers, Steve Twitter: @sanesecurity ___ Manage

Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users
2 2023 -> ERROR: accept() failed: Too many open files Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files Mon May 22 13:

Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users
On 24 May 2023 18:52:04 Paul Netpresto wrote: Hi I have found that 1.0.1 and 0.103.8 both behave badly if they find a malformed db. Agreed freshclam checks out the clamav/cisco db's. I have yet to determine what unofficial db caused the failure. They should all have been verified before

Re: [clamav-users] ClamAV 1.0.1

2023-05-24 Thread Steve Basford via clamav-users
On 23 May 2023 21:59:22 Paul Netpresto wrote: Hello What should the behaviour of a running clamd be when it comes across a malformed database during a signature-reload. Clamd.conf has setting "ConcurrentDatabaseReload no" Regards Paul Hi Paul, If there is a malformed database freshclam

Re: [clamav-users] Fwd: Problem with current databases

2023-05-04 Thread Steve Basford via clamav-users
On 4 May 2023 14:04:26 newcomer01 via clamav-users wrote: Hi there, do we have currently a problem with the database files? my cronjob, stops without any error or something on scanning files and in case did not delete his tmp files. What version of clamav? What linux version? Memory/disk

Re: [clamav-users] Be wary of emails with attachments targeting clamav-users list members

2023-03-22 Thread Steve Basford via clamav-users
The attached file was some small HTML file containing malicious obfuscated javascript. Just to note that at my workplace 1 user received a similar email, using older email threads to make it look convincing and with a single html attachment. 0/55 av's so far 6 hours after submitting..

Re: [clamav-users] clamscan exclude-dir on Windows

2023-01-28 Thread Steve Basford via clamav-users
On 28 January 2023 16:07:04 Richard Rosner via clamav-users wrote: Very interesting to know. Sadly that doesn't help. I added --exclude-dir="C:\\PROGRA~2\\" --exclude-dir="C:\\PROGRA~1\\" and tried running in both PowerShell and CMD, no success, it always ends up scanning Program Files.

Re: [clamav-users] Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.

2022-07-22 Thread Steve Basford via clamav-users
On 22 July 2022 10:15:27 Thomas Barth via clamav-users wrote: Hello, I use ClamAV unofficial signatures and it seems that I get a false positive, I'm not sure. A known person with a gmail-address and MS Outlook 16.0 X-Mailer tries to send me a mail with a link to google docs (Google Sheets)

Re: [clamav-users] MS Word Follina - CVE-2022-30190

2022-06-09 Thread Steve Basford via clamav-users
On 9 June 2022 13:17:29 Vangelis Katsikaros via clamav-users wrote: Hi I am not a security person so I apologize if the question sounds stupid. I'd like to ask if there is a signature in the clamav DB to recognise Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote

Re: [clamav-users] human friendly signatures

2022-03-16 Thread Steve Basford
On 16 March 2022 22:16:05 Eric Tykwinski wrote: Steve, I like the idea, but why the hex; hex? Sorry, should have been clearer... not just hex but Test;Engine:81-255,Target:0;(b0);0f0f0f*0b0b0b;0/blah*(?:[4-7]|[8003]\d)/ etc...>Just thinking about my recent issues with direct deposit

Re: [clamav-users] human friendly signatures

2022-03-16 Thread Steve Basford
, 2022, at 5:10 PM, Steve Basford wrote: On 16 March 2022 20:29:19 "Micah Snyder \(micasnyd\) via clamav-users" wrote: yara rule loading logic works right now. (3) a way to specify that a rule is to match in (a) mail headers only or (b) mail body only or (c) both; Jus

Re: [clamav-users] human friendly signatures

2022-03-16 Thread Steve Basford
On 16 March 2022 20:29:19 "Micah Snyder \(micasnyd\) via clamav-users" wrote: yara rule loading logic works right now. (3) a way to specify that a rule is to match in (a) mail headers only or (b) mail body only or (c) both; Just a random early thought... could .ldb be extended...

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Steve Basford
On 28 April 2021 15:25:32 Robert Kudyba wrote: Since the signature name has .UNOFFICIAL and starts with MBL I believe that's Malware Block List. I've submitted a sample to fp (at) malwarepatrol.net. Is more than one sample needed? I'm posting here to let others know and as they don't appear

Re: [clamav-users] malwarepatrol.db invalid

2021-03-29 Thread Steve Basford
On 29 March 2021 15:04:17 Steve Hanselman wrote: Is anyone able to successfully use the malwarepatrol.db file? I’m running clamav 0.102.4, I’ve verified the md5 of the download, but every single time I try it dies with database integrity tested BAD. LibClamAV Error: Malformed pattern

Re: [clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Steve Basford
On 24 March 2021 14:16:33 Robert Kudyba wrote: Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was a link forwarded as an attachment of a Google Drive folder. Hi Robert, It's best to report this

Re: [clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

2020-12-22 Thread Steve Basford
On 22 December 2020 07:28:53 Luca Sironi via clamav-users wrote: Hello, are those signatures coming from FireEye github already included on the regular update ? Hi... Joel indicated the other day sigs to detect the problem files are already in the official Databases :) Cheers, Steve

Re: [clamav-users] clamav blocking libreoffice macro

2020-09-09 Thread Steve Basford
Could I have a sample too. I've got a test sig to block libreoffice samples but would like to confirm more. On 9 September 2020 13:31:49 Giovanni Bechis wrote: On 9/9/20 1:52 PM, G.W. Haywood via clamav-users wrote: Hi Hugo, On Wed, 9 Sep 2020, Hugo Boss via clamav-users wrote: ... we

Re: [clamav-users] libclamunrar.dll being quarantined by Vipre Enterprise

2020-02-18 Thread Steve Basford
On 2020-02-18 13:58, Brian Fluet wrote: File libclamunrar.dll from ClamAV 0.102.2 win x86 portable is being quarantined by Sunbelt Vipre Enterprise as Trojan.GenericKD.42582612. The first detection was at 5:44 PM EST on Friday Feb 14. Microsoft is the only product that flags it as infected on

[clamav-users] clamav-unofficial-sigs download script updated

2020-01-30 Thread Steve Basford
Hi All, eXtremeSHOK.com's clamav-unofficial-sigs download script has been updated: https://github.com/extremeshok/clamav-unofficial-sigs Change Log Version 7.0.1 (Updated 25 January 2020) Disable yara project rules duplicated in rxfn.yara (Thanks @dominicraf) Incremented the

Re: [clamav-users] Stop clamdscan from stepping on itself?

2019-10-18 Thread Steve Basford
On 18 October 2019 16:19:23 Ian via clamav-users wrote: This doesn't seem like a difficult problem for clamav to solve -- clamd is asked to scan the file system and it creates temp files to accomplish this I know I'm mainly a win user... So sorry in advance... but if you created a Linux

Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-07 Thread Steve Basford
On 7 October 2019 15:25:41 "J.R. via clamav-users" wrote: I don't know how the viruses are tracked, but maybe to reduce size (if applicable) some of the more ancient viruses that only affect EOL operating systems (or programs that should have long since been patched) could be spun-off into a

Re: [clamav-users] How do you add specific files to white list ?

2019-08-20 Thread Steve Basford
On 20 August 2019 21:41:30 "Micah Snyder \(micasnyd\) via clamav-users" wrote: Hi Asok, I’m extremely curious about the `--memory` you’re using with clamscan. I’m under the impression that is a feature added in some versions of ClamWin – but as far as I know, ClamWin hasn’t had a release

[clamav-users] pipermail signature lists

2019-08-06 Thread Steve Basford
Just a quick one. Sometimes it's useful to check on signature updates eg... https://lists.clamav.net/pipermail/clamav-virusdb/ https://lists.clamav.net/pipermail/clamav-virusdb/2019-August/date.html But when you want to get to the detail:

Re: [clamav-users] SecuriteInfo.com.Spam-12370

2019-06-24 Thread Steve Basford
On 24 June 2019 21:45:25 Bowie Bailey wrote: Anyone else having issues with this signature? VIRUS NAME: SecuriteInfo.com.Spam-12370 Yes.. Just seen a few twitter posts and had a couple of emails about that sig. I'm sure it'll be fixed by them shortly. Cheers, Steve Twitter:

Re: [clamav-users] [External] Re: Scan very slow

2019-04-10 Thread Steve Basford
On 2019-04-09 22:29, Micah Snyder (micasnyd) via clamav-users wrote: Maarten, Looking at a few of the Phish.Phishing signatures, these appear to have the same issue (href="http:// prefix). In testing with scan of a PDF document, I was able to reduce the scan time from 31.987 sec down to 2.632

Re: [clamav-users] [External] Re: Scan very slow

2019-04-09 Thread Steve Basford
On 2019-04-09 12:02, Brent Clark via clamav-users wrote: Cant those be adopted / managed by Sanesecurity? For all you know, those are already in Sanesecurity. They are... and have been for quite some time: "The following databases are distributed by Sanesecurity, but produced by Porcupine

Re: [clamav-users] Scan very slow

2019-04-07 Thread Steve Basford
On 7 April 2019 17:25:56 Arnaud Jacques wrote: ... and one day I created a *huge* ign2 file and it crashed clamd. Ign2 files may not be appropriate to ignore tons of signatures. From memory.. daily.info (inside the daily.cvd) contains the database names included. If all phishtank sigs

Re: [clamav-users] Scan very slow

2019-03-25 Thread Steve Basford
On 2019-03-25 10:52, Mark Allan via clamav-users wrote: Hi all, te. Hopefully this helps someone to narrow things down a bit. Mark 18/3/19 10m 49s TXT from DNS: 0.101.1:58:25392:1552904941:1:63:48507:328 *** Here's the changes for the above update:

Re: [clamav-users] Slow reload

2019-03-20 Thread Steve Basford
On 2019-03-19 14:35, Bowie Bailey wrote: I do have a bunch of third party signatures installed from Sanesecurity and SecuriteInfo. Is there a way to get timing information on which signature files are taking the longest to load? Or is this mainly a function of file size? Here's a quick

Re: [clamav-users] Slow reload

2019-03-19 Thread Steve Basford
On 19 March 2019 21:01:03 Bowie Bailey wrote: On 3/19/2019 4:27 PM, Bowie Bailey wrote: Is there a way to get the details on how long each file takes to load, or do I just have to test them one by one? A very simple per Database scan time test... Sorry not sorted in time order but might

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Steve Basford
On Wed, December 12, 2018 8:59 am, Al Varnell wrote: > You mentioned earlier that ClamAV has recently added signatures from > PhishTank, but I've noticed over the last few days that most, if not all > of them have been removed. Should I conclude that the PhishTank > organization signatures are

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Steve Basford
On Tue, December 11, 2018 1:58 pm, Sunny Marwah wrote: Hi Sunny/All, Here's the summary The phishing attempt looks like this html code: h-t-t-p-s:/-/-pastebin DOT com/TL5WUJZh This first link is just a hijacked graphic and won't be in safebrowsing... h-t-t-p-s:-/-/gokdenizhealthtourism

Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford
On 10 December 2018 17:21:05 "G.W. Haywood" wrote: Hi there, On Mon, 10 Dec 2018, Steve Basford wrote: ... MiscreantPunch099-Low.ldb for additional detection but can hit scanning performance. Can you give any estimate (however rough) of the performance hit? Scanning a small file...

Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Steve Basford
On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote: > Default clam sigs obviously are not catching these, but wondering if > anyone has them included in a third party that's rather FP friendly. > > I also just tested a yara from here, and it seems to work, but not > certain about FPs from it

Re: [clamav-users] Adding a custom signature for spam

2018-11-12 Thread Steve Basford
On Mon, November 12, 2018 8:54 am, turgut kalfaoğlu wrote: > Hello there. I was fed up with some repeated spam that was coming our > way, and had the idea that it would be great if the clamd could stop these. Are these being detected with 3rd party signatures? > $ echo This is a text line from

Re: [clamav-users] ICON_HASH signature for PE files

2018-11-09 Thread Steve Basford
On Fri, November 9, 2018 9:00 am, Irshad wrote: > Hi, > > > My apologies, if I am missing something obvious. I spent around 3 hours Hi Irshad Not sure if this will help but there are a few icon based sigs I think in the current daily.cvd So unpack them and then grep for IconG, something like

[clamav-users] ClamAV 0.101.0 beta rar issue

2018-11-08 Thread Steve Basford
Hi, Using a cdb sig in this format: Sanesecurity.Foxhole.Rar_fs1620:CL_TYPE_RAR:*:(?i)^request for quotation.{0,30}\.exe$:*:*:*:2:*:* The above sig will work on a Rar pre v5 format file, to catch a *single* exe in a rar file. In ClamAV 0.101.0 beta (which has Rar v5 support), the above wasn't

Re: [clamav-users] More MBL FPs

2018-10-29 Thread Steve Basford
All whitelisted this morning anyway. Cheers, Steve Twitter: @sanesecurity On 29 October 2018 10:21:13 am Paul Stead wrote: MBL_17895395 MBL_17662054 MBL_17962226 ___ clamav-users mailing list clamav-users@lists.clamav.net

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-26 Thread Steve Basford
On 26 October 2018 12:30:45 Paul Stead wrote: Woo, more - MBL_17674787 MBL_17784910 Personally I'd stop using them... as Malware Patrol don't seem to want to improve the situation. So although I do whitelist.. like I have with the above ones... it'll be an ongoing task/pain. Tried

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Steve Basford
On Wed, October 24, 2018 9:05 am, Al Varnell wrote: > I cannot argue that malware does not show up in Google Docs which is wide > open to anybody that wants to post there, as I know it has occurred. Not > sure how big a problem it has become for Google to police. I think it > would be better if

[clamav-users] Sanesecurity FP Alert

2018-10-04 Thread Steve Basford
@sanesecurity: News: Sanesecurity.Rogue.0hr.20181004-1536 is causing FPs. Fixed but reload signatures ASAP Will investigate what went wrong. Cheers, Steve Twitter: @sanesecurity ___ clamav-users mailing list clamav-users@lists.clamav.net

Re: [clamav-users] Malwarepatrol false positive

2018-09-18 Thread Steve Basford
On 18 September 2018 16:33:28 Paul Stead wrote: Yet another Malwarepatrol FP: MBL_14437114 White listing as we speak... Sigh ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [clamav-users] Rar unpacker

2018-09-15 Thread Steve Basford
On 16 September 2018 00:03:06 Paul wrote: Hello Is support for a RAR V5 unpacker in the pipeline Yes :) https://bugzilla.clamav.net/show_bug.cgi?id=11959 Cheers, Steve Twitter: @sanesecurity ___ clamav-users mailing list

Re: [clamav-users] Malwarepatrol false positive

2018-09-04 Thread Steve Basford
On 4 September 2018 18:52:04 Mark G Thomas wrote: Hi, Good grief! Yet another. So much for Malware patrol! Sigh. # sigtool --find-sigs MBL_13497693| sigtool --decode-sigs Pushing out a whitelist entry to the mirrors as I type. Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Malwarepatrol false positive

2018-08-31 Thread Steve Basford
On 31 August 2018 17:52:26 Mark G Thomas wrote: Hi, And YET ANOTHER today. I figured others here might want the heads up. [root@imx0 conf]# sigtool --find-sigs MBL_13226139 | sigtool --decode-sigs Sigh. I've just added to the main Sanesecurity whitelist. Thanks for the heads up.

Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford
, thank you for reporting this issue. Regards, Luciana Malware Patrol Team So if anyone else sees FPs the above email should be a starting point. Cheers, Steve Twitter: @sanesecurity On 29 August 2018 18:52:31 "Steve Basford" wrote: On Tue, August 21, 2018 12:31 pm, Al Varnell

Re: [clamav-users] Malwarepatrol false positive

2018-08-29 Thread Steve Basford
On Tue, August 21, 2018 12:31 pm, Al Varnell wrote: > OK, I don't think there is anything that ClamAV can do about it since > it's an UNOFFICIAL. > > Maybe Steve Basford from SaneSecurity can put some pressure on them. He > usually reads what's posted here. I've just sen

Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread Steve Basford
! # sigtool --find-sigs MBL_13087222 | sigtool --decode-sigs VIRUS NAME: MBL_13087222 DECODED SIGNATURE: https://docs.google.com On Tue, Aug 21, 2018 at 04:31:28AM -0700, Al Varnell wrote: OK, I don't think there is anything that ClamAV can do about it since it's an UNOFFICIAL. Maybe Steve

Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Steve Basford
On Tue, August 21, 2018 12:27 pm, Dave McMurtrie wrote: > > I'm beginning to get the feeling they don't have any type of review > process in place. I whitelisted the sig on the Sanesecurity mirrors this morning UK time: 21/08/2018 @ 11:37 It's usually quicker to do that, if not ideal. --

Re: [clamav-users] Bytecode 86 failed to run

2018-08-08 Thread Steve Basford
That suggests that the actual default value of --bytecode-timeout might be 5000. Yep... https://github.com/Cisco-Talos/clamav-devel/blob/76d0d93d4f11a43f237cce495765b0f95d4352d1/shared/optparser.c Ie... { "BytecodeTimeout", "bytecode-timeout", 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER,

Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Steve Basford
Just posting a little regarding the Yara issue with 0.100.x: After a little bit of testing last week... here's what was found: It seems that in ClamAV 0.100.x if the yara file uses pe.imports *and* has *multiple* rules inside the single Yara file, it seems to crash linux versions of ClamAV. If

Re: [clamav-users] Strange Problem with a Virus inside a rar file

2018-07-26 Thread Steve Basford
On Thu, July 26, 2018 10:49 am, Tech wrote: > Last week we got a mail which contained a scr file inside a rar > clamav-milter let it through and saying it's clean. After that the windows > security essentials software on one of our clients detected the virus > inside the rar package. Hi Drees,

Re: [clamav-users] How to run clamav 0.100.1 on Win server 2012 version?

2018-07-18 Thread Steve Basford
On Wed, July 18, 2018 10:35 am, Tiến Hưng Phan wrote: > Hello clamav support team, > > > I'm using clamav 0.100.1 on Windows server 2012. > When I run clamscan.exe to scan a file, it shows a dialog that I'm missing > "api-ms-win-crt-runtime-l1-1-0.dll". How can I run clamav on Windows > server

Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Steve Basford
On Wed, June 27, 2018 11:32 am, Joel Esler (jesler) wrote: > Just fixed it. > > Thanks Joel... all working now... main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr ) Downloading daily-24686.cdiff [100%] Downloading daily-24687.cdiff [100%] Downloading

Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Steve Basford
On Wed, June 27, 2018 2:42 am, Joel Esler (jesler) wrote: > Db.us should be good on both now. > > Worked perfectly from California, but with .cdiff updates, not the entire Just checked and gb doesn't work ClamAV update process started at Wed Jun 27 09:37:20 2018 WARNING:

[clamav-users] [Fwd: Sad News: Tom Shaw]

2018-06-05 Thread Steve Basford
Original Message Subject: Sad News: Tom Shaw From:"Steve Basford" Date:Tue, June 5, 2018 9:30 am To: sanesecur...@freelists.org Cc: sanesecurity_annou...@fre

Re: [clamav-users] Attachments

2018-05-15 Thread Steve Basford via clamav-users
--- Begin Message --- On Tue, May 15, 2018 12:57 pm, Todd Aiken via clamav-users wrote: > ___ > clamav-users mailing list clamav-users@lists.clamav.net > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users > > > > Help us build a comprehensive

Re: [clamav-users] Malwarepatrol false positives

2018-04-29 Thread Steve Basford
On Sun, April 29, 2018 3:29 am, Micah Snyder (micasnyd) wrote: > What I think Joel is saying is that your MBL signatures are coming > through SaneSecurity, not from Cisco/Talos official ClamAV rule set. > > Hi Micah, MBL signatures are produced and distributed by MalwarePatrol, nothing to do

Re: [clamav-users] Malwarepatrol false positives

2018-04-27 Thread Steve Basford
Hi Alex... I've whitelisted the two sigs... until they fix them.. so that might help a little. Cheers, Steve Twitter: @sanesecurity On 28 April 2018 04:23:51 Alex wrote: Hi, I can't imagine outright blocking https://goo.gl is not a mistake. MBL_6882958 and

Re: [clamav-users] Another Open Source anti-malware project

2018-03-23 Thread Steve Basford
On 23 March 2018 19:25:08 Paul Kosinski wrote: I just came across this Open Source anti-malware project called "Linux Malware Detect". Anybody know anything about this? https://hydrasky.com/network-security/linux-malware-detect-lmd/ It's been going a while and can

Re: [clamav-users] .0-rc has been posted!

2018-03-23 Thread Steve Basford
On Thu, March 22, 2018 9:44 pm, Joel Esler (jesler) wrote: > ClamAV 0.100.0-rc has been posted! Just a quick bit of feedback with a few test VM's: 32bit Windows XP: "fails" - "is not a valid Win32 application" ** Whereas ClamAV-0.99.4 runs fine on XP **

Re: [clamav-users] Daily version 24256

2018-01-29 Thread Steve Basford
>I would like to reproduce the problem again to force the error in order to >be able to establish a system alarms or warnings with Nagios scripting >Anybody knows how can I get daily.cld version 24256? Any link to download >it? You could create this: badsig.ldb:

Re: [clamav-users] False positive -- I hope

2018-01-28 Thread Steve Basford
I *think* that this signature flags *all* zipped JS files, and (IIRC) both Firefox and Thunderbird have JS-containing JAR files. I hope that is all it is. Yep that's it. Foxhole_filename. Foxhole_all. Foxhole_generic and Foxhole_js all have different fp levels...depending on what you see

Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread Steve Basford
On Fri, January 26, 2018 3:35 pm, Dianne Skoll wrote: > On Fri, 26 Jan 2018 15:18:10 + > David Shrimpton wrote: > > >> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and >> restarting clamd fixed the problem. > > Thank you! That was immensely

Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Steve Basford
Could you list the signatures in you clamav database folders. Cheers, Steve Twitter: @sanesecurity ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a

Re: [clamav-users] Improving clamscan speed?

2017-12-16 Thread Steve Basford
What can I do to speed up the clamscan process? Hi Dan, Sorry this is a little brief... Skipping files you aren't interested in scanning might help a little... clamscan --exclude='\.(jpg|jpeg|png|gif)$' Choose a smaller file size to scan.. --max-filesize=300M --max-scansize=300M Cheers,

[clamav-users] clamav-0.99.3-beta1-win32

2017-09-19 Thread Steve Basford
Probably just a post for windows users but... If you are using: clamav-0.99.3-beta1-win32.msi, under Vista and get an error: Vista etc: VCRUNTIME140.dll is missing (running on 32 bit Vista) Fix by installing Visual C++ Redistributable for Visual Studio 2015 Under Windows XP: sigtool.exe

Re: [clamav-users] Unable to download database

2017-08-23 Thread Steve Basford
On Wed, August 23, 2017 8:26 am, lukn555 wrote: > Good Day ClamAV List > > > Since yesterday at around noon CET I've been having issues downloading > the ClamAV database: Same here in the UK... Can't query daily.0.82.0.1.814301DA.ping.clamav.net Wed Aug 23 08:14:39 2017 -> Giving up on

Re: [clamav-users] sanesecurity: Permission denied

2017-08-03 Thread Steve Basford
On Thu, August 3, 2017 3:06 pm, Reindl Harald wrote: > > > > frankly you have one or more mirrors which just don't work at all for a > long time, a friend just looked for a working one, hardcoded the IP and > has never seen that errors again The problem was fixed on 1 mirror but seems to have

Re: [clamav-users] Signature not detected

2017-07-18 Thread Steve Basford
On Mon, July 17, 2017 10:22 pm, Alex wrote: > Hi guys, just submitted an "ace" archive with a .cmd inside. > > > # sha1sum PROFORMA\ INVOICE_xls.ace > 97757622d5d568b01faa9d662818eebd40b1e0c0 PROFORMA INVOICE_xls.ace > Hi, I've added Sanesecurity.Malware.27099.AceHeur.Cmd to the

Re: [clamav-users] sanesecurity: Permission denied

2017-07-03 Thread Steve Basford
On Mon, July 3, 2017 11:58 am, Reindl Harald wrote: > issues like below are also reported by a friend on his machines for some > days, randomly with different files I'm looking into it -- will email off-list -- Cheers, Steve Twitter: @sanesecurity

[clamav-users] WannaCry

2017-05-15 Thread Steve Basford
Sorry for the slightly off-topic post but just in case this helps... MS17-01 Summary 1. malwarehash.hsb 175+ hashes in malwarehash.hsb (Sanesecurity.MalwareHash.WannaCry) added over the weekend 2. MS17-010 nmap network scan script

Re: [clamav-users] disabling a database

2017-05-11 Thread Steve Basford
On Thu, May 11, 2017 6:40 am, Al Varnell wrote: > while Spam detection is all done using UNOFFICIAL sigs. Not quite Malware, Phishing and Spam... http://sanesecurity.com/usage/signatures/ And a lot of people decide the emails fate with "pam_score_maps" scoring.. eg:

Re: [clamav-users] FilenameRegex and case sensitivity

2017-05-03 Thread Steve Basford
On Wed, May 3, 2017 8:19 am, kionez wrote: > Hi all, > > > I wonder how I can use a case-insensitive FilenameRegex in signatures > based on container metadata. > > I.E.: if I would like to match "word", "Word" and "worD" (and so on), my > rule will be something like: > >

Re: [clamav-users] Need help: clamd stops after starting without any error message

2017-04-19 Thread Steve Basford
On Wed, April 19, 2017 10:13 am, Torge Riedel wrote: > Well, was not enabled. After setting > > > LogSyslog true Might be worth turning on debug temporarily... clamd.conf and freshclam.conf # Enable debug messages in libclamav. # Default: no -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Identify Threat Risk Level with ClamAV

2017-04-14 Thread Steve Basford
On 14 April 2017 17:31:21 Reindl Harald wrote: SanSecurity creating signature database files based and it showing risk status of malware sanesecurity shows *risk of false-positives* don't confuse such basics That's correct it's a *very rough* fp guide for each

Re: [clamav-users] Java.Malware fps

2017-04-07 Thread Steve Basford
On Fri, April 7, 2017 7:24 am, Henrik K wrote: > > Who's flooding crappy samples around, and why is ClamAV making sigs of > tiny class files like > org/eclipse/aether/impl/RemoteRepositoryManager.class? > > The odd few I've checked are hashes in daily.hsb:

Re: [clamav-users] clamav antivm.yar malicious_document.yar and errors

2017-04-05 Thread Steve Basford
On Wed, April 5, 2017 3:24 pm, Rejaine Monteiro wrote: > > Hello, I'm having some errors with these signatures in clamav-0.99.2. > Any tips on what it is about or how to solve? > See here: 3rd Party download script: https://github.com/extremeshok/clamav-unofficial-sigs/issues/151 -- Cheers,

Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steve Basford
On 31 March 2017 18:45:58 Mark Foley wrote: Per advice on this list, I downloaded and installed the clamav-unofficial-sigs scripts from the link on Sanesecurity. 2. I run a cron'd clamscan job to scan mail folders several times a day. I get the following errors

Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Steve Basford
On 31 March 2017 19:14:36 Steven Morgan wrote: Mauro, It is not clear what MailFollowURL did. Have a look at docs/phishsigs_howto.pdf for a description of how to scan for URLs. This may have subsumed MailFollowURL. It did a curl on any urls found in the body and

Re: [clamav-users] False Positive of IObit product by ClamAV

2017-03-31 Thread Steve Basford
On Fri, March 31, 2017 8:44 am, Arnaud Jacques / SecuriteInfo.com wrote: > Received this message : > > > -- Message transmis -- > > This is Coco from IObit (www.iobit.com). > > > Your program ClamAV reports the file RegistryDefragBootTime.exe as > Win.Trojan.Agent-5776271-0

Re: [clamav-users] Heuristics.Filetype.ZipWithJS

2017-03-28 Thread Steve Basford
On Tue, March 28, 2017 1:23 pm, Reindl Harald wrote: > > > Am 28.03.2017 um 14:20 schrieb Matteo Dessalvi: > >> Hello. >> >> >> Regarding your fist question you can execute the following >> tools from the command line: >> >> sigtool --find-sigs=Heuristics.Filetype.ZipWithJS-6162396-0 | sigtool

Re: [clamav-users] Heuristics.Filetype.ZipWithJS

2017-03-28 Thread Steve Basford
> 1. Where can I find information about what kind of threat this? \.[A-Za-z]{3}\.js$ FP Source example: https://www.mobileread.com/forums/showthread.php?p=3496981 Ie. any .js inside a zip file that starts with 3 letters will get blocked. -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] FP: ScamNailer.Phish.en_notification_AT_made-in-china.com

2017-03-23 Thread Steve Basford
On Thu, March 23, 2017 2:05 pm, Reindl Harald wrote: > [ScamNailer.Phish.en_notification_AT_made-in-china.com.UNOFFICIAL(ad638b8 > abc0d0af59ded4aa2835061e3:293969)] Thanks for the report, I've removed the sig. -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] how to find Html.Phishing.Auction-214

2017-03-22 Thread Steve Basford
On Wed, March 22, 2017 12:52 pm, Hajo Locke wrote: > Hello, > > > have an issue here with this signature. Html.Phishing.Auction-214 is found VIRUS NAME: Html.Phishing.Auction-214 Here you go... TARGET TYPE: HTML OFFSET: * DECODED SIGNATURE: sein, weil sie ei[][][]nen fehler gemacht haben, als

Re: [clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford
On Thu, March 9, 2017 11:03 am, Groach wrote: > So what are we saying? > > Clamwin people need to be made aware of this? Or ARE aware of this and > complicit? ClamWin should be aware of this by now... let's hope they make a statement of what (if any) the issues are and what versions. For

Re: [clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford
On Thu, March 9, 2017 11:09 am, Al Varnell wrote: > Or is it based on older versions, like most of the items contained in > those documents? I suspect that the ClamWin developers are the only ones > that can tell us what has been or will be done about it. Exactly, it could just be old

[clamav-users] ClamWin Portable DLL Hijack

2017-03-09 Thread Steve Basford
Just for those who haven't spotted ClamWin in the leak: https://wikileaks.org/ciav7p1/cms/page_27262995.html Clam Portable http://portableapps.com/apps/security/clamwin_portable ClamWin: http://www.clamwin.com/ -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steve Basford
On Fri, March 3, 2017 7:20 pm, Alain Zidouemba wrote: > We're pulling the signature causing the issue now, while we investigate > the cause. > > - Alain Hi Alain, I think the fix is... Replace ? with ?P when the PCRE library is old ie. ?< to ?P< On... Doc.Macro.GenericHeuristic-5901772-0

Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steve Basford
It's a macro detecting ldb Sig that fails due to an old pcre engine being used. The Sig can be rewritten to work on older pcre versions .. or you need to update. Sorry I can't help more. Cheers, Steve Twitter: @sanesecurity On 3 March 2017 17:39:48 "Aaron C. Bolch"

Re: [clamav-users] Javascript file not recognized

2017-02-16 Thread Steve Basford
On Thu, February 16, 2017 7:55 pm, Markus Egg wrote: > The attached file was in an email as attachment as "bill": > 319598.js Detected: phish.ndb: Sanesecurity.Malware.26652.JsHeur shelter.ldb: Sanesecurity.Shelter.Malware.JSHeur.004 -- Cheers, Steve Twitter: @sanesecurity

Re: [clamav-users] SpoofedDomain FOUND

2017-02-16 Thread Steve Basford
On Thu, February 16, 2017 1:03 pm, Reindl Harald wrote: > give a man a fish and you feed him for a day; teach a man to fish and you > feed him for a lifetime ___ Are you are that's correct... wasn't it... Give a man a fish , he eats for a day. Teach