Re: [clamav-users] Thank You

2014-06-17 Thread Steve Basford
On Tue, June 17, 2014 3:51 pm, Matt Olney wrote: > > Due to the success of this release candidate, we would like to use the > beta/RC model going forward. Development is what it is, so we may not > always be able to do this, but my strong preference would be to use this > model. Provided nothing

Re: [clamav-users] Again: No database updates for 48 hours?

2014-06-02 Thread Steve Basford
On Mon, June 2, 2014 10:09 am, Julius Plenz wrote: > Hi, Alain! > > > * Alain Zidouemba [2014-05-19 19:45]: > >> Let us know if you have any issues. >> > > Again, the last update to "daily.cvd" is more than 48 hours old: > "released on 30 May 2014 16:25 :0400". Is this intended? > Hi, Dns dig sh

Re: [clamav-users] ClamAv updates not being published properly?

2014-05-28 Thread Steve Basford
On Wed, May 28, 2014 9:35 am, Randal, Phil wrote: > > Yet freshclam says (with and without -no-dns) Hi Phil, Same here... freshclam... ClamAV update process started at Wed May 28 10:13:11 2014 main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo) daily.cld is up to da

Re: [clamav-users] Signature matching email Subject:

2014-05-23 Thread Steve Basford
On Fri, May 23, 2014 4:25 pm, Claudio Cuqui wrote: > Hello there ! > > > I would like to know if it is possible to create a virus signature that > matches the subject of a mail message. I tried everything and the signature > only matches when the pattern is located in the email body. > Something lik

Re: [clamav-users] clamav-0.98.3 does not pass vulnerability scan

2014-05-20 Thread Steve Basford
On Tue, May 20, 2014 4:22 am, anctop wrote: >> The file 42.zip was sent 2 times. If there is an antivirus in your MTA, >> it might have crashed. Please check its status right now, as it is not >> possible to do so remotely Just for info... Summary: This script sends the 42.zip recursive archive

Re: [clamav-users] ClamAV®: ClamAV 0.98.4rc1 is now available!

2014-05-16 Thread Steve Basford
> - Crashes of clamd on Windows and Mac OS X platforms when reloading > the virus signature database. Just testing at the moment - reload issue seems to have gone and so far so good... great work guys! Cheers, Steve Sanesecurity ___ Help us build a

Re: [clamav-users] reported before, makes no sense

2014-05-16 Thread Steve Basford
>-rw-r--r-- 1 clamav adm 5958972 2013-05-03 07:51 junk.ndb That's a bit out of date ;) > -rw-r--r-- 1 clamav adm 567741 2013-05-04 01:48 mbl.ndb JUST NUKED > I'll see if the one I just nuked comes back. Yep, that'll be the one to watch out for... Current download scripts are here,

Re: [clamav-users] reported before, makes no sense

2014-05-15 Thread Steve Basford
>> UNOFFICIAL means it did not come from ClamAV®. >> You need to take it up with whomever maintains the MBL database. >> MalwarePatrol? > I don't recall ever subscribing to that service, and the clamav- > unofficial sigs database is not installed, and never has bee

Re: [clamav-users] FP-Report: Email.Trojan-417

2014-05-13 Thread Steve Basford
On Tue, May 13, 2014 8:27 am, Julian Hansmann wrote: > Regardless of its content (even if it's empty) a mail which has a file > with the suffix ".JPG.zip" (case sensitive) attached will be detected as > "Email.Trojan-417". > Hi Julian, I'm guessing the original official signature was to catch some

Re: [clamav-users] 0.98.3, new segfault probably related to email parser

2014-05-12 Thread Steve Basford
On Mon, May 12, 2014 3:50 pm, Stuart Henderson wrote: > It also happens for clamscan (I removed all standard db's and > included only the single signature triggered by this mail so it would start > quickly). > > I have only hit this crash if a signature is matched (i.e. > I haven't hit it if I re

Re: [clamav-users] 0.98.3, new segfault probably related to email parser

2014-05-12 Thread Steve Basford
On Mon, May 12, 2014 2:12 pm, Stuart Henderson wrote: > I'm running clamav on OpenBSD/amd64 5.5 (with various sanesecurity > hdb's, if that matters). Built from ports (with LLVM 3.3). Hi, Is it random or only on a certain email? Do you have a full copy of the email shown in your log? If you do, doe

Re: [clamav-users] Clamav is not finding any viruses

2014-05-08 Thread Steve Basford
On Thu, May 8, 2014 5:47 pm, Kris Deugau wrote: > > I have been adding MD5 signatures, and somewhat more recently, .zmd > .zip-content-filename signatures (for doubled-extension files), but I do > not have time to dig more deeply and create more general signatures. > > -kgd Hi, You could add sa

Re: [clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steve Basford
> Hey Steve, > Could you send me over a copy of your clamd.conf, please? Hi Shawn, I can reproduce... Installed a clamav without 3rd party stuff, fresh onto a test XP box I had not doing anything run freshclam run clamd run clamdscan to prove it's all working 1) clamdscan --reload to force a

Re: [clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steve Basford
On Thu, May 8, 2014 5:46 pm, Shawn Webb wrote: > Hey Steve > > Could you send me over a copy of your clamd.conf, please? > > > Thanks, > > > Shawn Here you go... http://pastebin.com/EzRLk9iW Cheers, Steve Sanesecurity

[clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steve Basford
Just a quick report... 0.98.3 crashes... 0.98.1 no issues... Thu May 08 15:29:06 2014 -> +++ Started at Thu May 08 15:29:06 2014 Thu May 08 15:29:06 2014 -> clamd daemon 0.98.3 (OS: win32, ARCH: i386, CPU: i386) Thu May 08 15:29:06 2014 -> Log file size limited to 104857600 bytes. Thu May 08 15:2

Re: [clamav-users] ClamAV®: ClamAV 0.98.3 has been released!

2014-05-08 Thread Steve Basford
On Wed, May 7, 2014 8:52 pm, Joel Esler (jesler) wrote: > > ClamAV 0.98.3 has been released, and is available here: Win32/64 released here... with... drumroll... Zips *and* MSI versions.. thanks guys! :) http://sourceforge.net/projects/clamav/files/clamav/win32/0.98.3/ Cheers, Steve Sanesecur

Re: [clamav-users] git repository

2014-04-11 Thread Steve Basford
> Dear all, > > In the past - before the latest takeover - I used the git repository to > keep track of updates and/or other changes. I notice that since the > latest takeover the git repository only is used when a new version has > been released, thus defeating the practical use of the git reposit

Re: [clamav-users] Low detection rate

2014-03-03 Thread Steve Basford
> On 03.03.14 12:38, Dennis Peterson wrote: > >> Did you just send a link to a known infected file to this list? > > Yes, I sent a link to something I felt people answering my question > would need to be able to see, with some text next to it *specifically > saying it was infected*. I think a "h

Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV

2014-02-27 Thread Steve Basford
> OpenSSL will be required to both compile and run ClamAV. Out of interest what Cipher: http://zombe.es/post/4078724716/openssl-cipher-selection http://security.stackexchange.com/questions/35036/different-performance-of-openssl-speed-on-the-same-hardware-with-aes-256-evp-an Cheers, Steve San

[clamav-users] TheMask aka Careto

2014-02-17 Thread Steve Basford
In case this is useful for system scanning for TheMask aka Careto... Original Message Subject: [sanesecurity] new database: malwarehash.hsb From: "Steve Basford" Date: Mon, February 17, 2014 4:00 pm To: sanesecu

Re: [clamav-users] Block all "EXE/SRC" or MS-EXE/DLL file

2014-02-14 Thread Steve Basford
> Hello Steve, > > > In this way I can stop EXE/Executable into ZIP/Archive file and as > attachment (without change any other settings into mailserver config) Shouldn't be an issue. Cheers, Steve Sanesecurity

Re: [clamav-users] Block all "EXE/SRC" or MS-EXE/DLL file

2014-02-14 Thread Steve Basford
> Need to write an anti virus that uses the NIST NSRL database and operate > it > as a white list based AV. The db contains some 100 million hashes of known > good binary files. I tried to crowd fund to do this but no one was > interested. Disclaimer: use at own risk, sold (for free) as seen/0 d

Re: [clamav-users] fireclam log

2014-02-14 Thread Steve Basford
> does anyone please know where is any documentation on fireclam plugin > that is supposed to scan all files downloaded through Firefox browser > using clamav? specifically I am trying to find out if it can be > configured to produce a log or summary report of scan results > including positive con

Re: [clamav-users] Block all "EXE/SRC" or MS-EXE/DLL file

2014-02-13 Thread Steve Basford
> > Which is the best solution/way to block all EXE/executable files? You could use these... http://sanesecurity.com/foxhole-databases/ Cheers, Steve Sanesecurity

Re: [clamav-users] An FP?

2014-02-06 Thread Steve Basford
> Now, since the real thing is considered a high level threat to a win32 > system, perhaps the thing to do is edit the .'s to DOT's, make a patch and > submit it to lkml? I might see if its accepted. Sorry, forgot to add this: http://www DOT nirsoft DOT net/false_positive_report.html fwiw, I

Re: [clamav-users] An FP?

2014-02-06 Thread Steve Basford
>> c) It's a false positive and should be reported to MBL as such > > And their contact address is? > To report false positives or list problems: fp (_a_t_) malwarepatrol.net Cheers, Steve Sanesecurity

Re: [clamav-users] Possible FP

2014-02-06 Thread Steve Basford
> Hi Clamav Users, > > I'm getting a FP-Alert from a customer regarding the following sig: > > main.hdb:15c9c9ed5046a885d241afd2159c236a:43180:Junk.Corrupted-50 > > The scan is done on our inbound authenticated mail host, which rejects our > customer's mail with the following error-message: Hi, T

Re: [clamav-users] An FP?

2014-02-06 Thread Steve Basford
> The daily system scan is fussing about > /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: > MBL_400944.UNOFFICIAL FOUND Hi, Just seen your post on LKML, so before this gets any more out of hand than it already has, here's why you'll find MBL_400944 detected in gadget_multi.txt.

Re: [clamav-users] An FP?

2014-02-05 Thread Steve Basford
> Greetings; > > The daily system scan is fussing about > /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: > MBL_400944.UNOFFICIAL FOUND Hi... http://www.malwarepatrol.net/cgi/search.pl?id=400944 To report false positives: fp (_a_t_) malwarepatrol.net *or* printf MBL_400944 > loc

Re: [clamav-users] One last Q (I hope) And an FP report

2014-01-29 Thread Steve Basford
> Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND > > And while its marked up txt, it doesn't look like it should be a problem. > Can it be verified? MBL#: 400944 PSWTool.Win32.PassViewer.av Insertion date: 00:51:45 27/03/2013 UTC URL http://www.nirsoft.net/utils/ Malware MD5: 8

Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-27 Thread Steve Basford
> >> >> Someone @ ClamAV needs to add this to daily.ftm filetypes... Just to close this... daily.ftm has now been updated, so XZ files should now be scanned correctly. Cheers, Steve Sanesecurity

Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-23 Thread Steve Basford
> > Someone @ ClamAV needs to add this to daily.ftm filetypes... > These are missing too, unless it's still in devel... 1:EOF-512:6b6f6c79:DMG container file:CL_TYPE_ANY:CL_TYPE_DMG:75 0:0:78617221:XAR container file:CL_TYPE_ANY:CL_TYPE_XAR:75 4:1024:482B0004:HFS+ partition:CL_TYPE_PART_ANY:CL_TY

Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-23 Thread Steve Basford
> Thanks Steve for this reply; this is helpful. > Hi Bill, Sorted I think. Someone @ ClamAV needs to add this to daily.ftm filetypes... 0:0:FD377A585A00:XZ container file:CL_TYPE_ANY:CL_TYPE_XZ:75 It's in the source defaults (filetypes_int.h) but when daily.cvd gets loaded, it uses the daily.

Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-23 Thread Steve Basford
> I have just compiled and installed version 0.98.1 of Clam on my > computer. According to the documentation, this version should support > decompression and scanning of files in the Xz compression format. > However, when I run clamscan to check an Xz file which I know contains a > virus (the EICA

[clamav-users] ClamAV v0.98.1

2014-01-15 Thread Steve Basford
Looks like 0.98.1 is out... Change log: https://raw.github.com/vrtadmin/clamav-devel/0.98.1/ChangeLog Sources: http://www.clamav.net/lang/en/download/sources/ Windows binaries (.msi format): http://sourceforge.net/projects/clamav/files/clamav/0.98.1/ Cheers, Steve Sanesecurity

Re: [clamav-users] False positive - CRDF.Malware-Generic.3661413036.UNOFFICIAL

2014-01-14 Thread Steve Basford
> Finally I found where this signature is located > sigwhitelist.ign2:CRDF.Malware-Generic.3661413036 > Does someone know how can I bypass this signature? Which command? Hi Pawel, Just to add, that seeing the signature in sigwhitelist.ign2 means that signature is in your whitelist already.. Ho

Re: [clamav-users] False positive - CRDF.Malware-Generic.3661413036.UNOFFICIAL

2014-01-14 Thread Steve Basford
> Hello, > > I found a problem with false positive malware > CRDF.Malware-Generic.3661413036.UNOFFICIAL. I wanted to decode and bypass > this signature but it looks like this can be an image signature or another > type of signature Hi Pawel CRDF.Malware-Generic.3661413036 was whitelisted/removed

Re: [clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread Steve Basford
> clamav@debian-vm-07:~/clamav-devel$ sigtool --find-sigs=Worm.Bagle.H-zip > [main.db] Worm.Bagle.H-zippwd-1 > > What makes this one a special case is the extra " (Clam)" at the end of > the signature name. This is an old sig. Hi Dave, Thanks for the detailed write-up, the issue was a bit confus

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Steve Basford
> We added a file "local.ign2" containing one line: "Worm.Bagle.H-zippwd-1" > clamscan called again and - nothing changed. Still marked as virus... > Any hints/ideas? Hi Andreas, Make sure you don't have a space at the end of the sig name in the .ign2 file: "Sanesecurity.Malware.22454.ZipHeur"

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-11 Thread Steve Basford
> So, you'd need to upgrade ClamAV for the .ign2 format to work. ... But...just looking back in time... local.ign... FileName:Line#:SigName so...try create a local.ign file with... junk.ndb:50779:Sanesecurity.Junk.50779 scam.ndb:11957:Sanesecurity.Spam.11957.WCM (if it doesn't work add ".U

Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-11 Thread Steve Basford
> > freebsd FreeBSD mx1.hctc.net 7.2-RELEASE > > clamav-0.95.1 (yeah, I know) Hi, According to the changelog... 0.95.1 came out... Wed Apr 8 16:49:32 CEST 2009 .ign2 was added: Mon Sep 28 19:29:32 CEST 2009 (tk) -- * libclamav: new signature blacklisting fo

[clamav-users] ArchiveBlockEncrypted confusion

2013-10-26 Thread Steve Basford
Hi, This is nothing new but I've had a few off-list emails regarding this, so thought I'd throw out to the list. ArchiveBlockEncrypted (clamd.conf) or --block-encrypted=yes blocks encrypted zip/rar etc. archives which is fine... but it also blocked Encrypted PDF files.. Eg: readme.zip: Heuristi

Re: [clamav-users] 0.98 and PUA

2013-10-02 Thread Steve Basford
> Joel > > thanks, is this list still correct.. > > https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md > Hi Martin, I think it's slightly outdated... just looking at the daily ones PUA.Crypt.ScriptCryptor PUA.CVE_2007_0214 PUA.CVE_2007_0325 PUA.CVE_2007_1498 PUA.CVE_2011_3397

Re: [clamav-users] Scan Engine version number

2013-09-26 Thread Steve Basford
> > I have downloaded the prebuilt installation of ClamAV 0.98 for Win-32 > from sourceforge. However, when I issue the command clamscan -V, I > get the response ClamAV devel-clamav-0.97-408-ge11f7cc > > Is this what I should expect to get, or have I somehow got my hands on > an older version of

Re: [clamav-users] filename ignore uppercase

2013-09-23 Thread Steve Basford
On 17/09/2013 20:05, Alejandro Rodriguez wrote: How can I ignore uppercase in a filename? Right now I'm using foxhole_all.cdb to block .exe files inside .zip archives. However if the zip contains archive.EXE (in uppercase) the scan misses it. Hi, Sorry for the delay, been away for a few days. I'

Re: [clamav-users] detected zipped exe as virus

2013-09-17 Thread Steve Basford
Hi, have a look on the sanesecurity.com site for the foxhole signature databases. cheers, Steve Rajesh M <24x7ser...@24x7server.net> wrote: >hi > >i wish to know the steps to prepare signature so that clamav will >detect >all zipped files containing files with extensions pif, scr, exe, com, >bat,

Re: [clamav-users] regex to skip certain files

2013-09-04 Thread Steve Basford
> I'm running clamav 0.97.3 (I know it's old, working on that) on Linux. I > want to exclude files (via clamd) based on a regex and can't seem to > figure out how. I can ignore paths just fine (ExcludePath ^/tmp) but I > want to ignore all log files. I've tried many different variations of > the f

[clamav-users] MBL fps - update

2013-08-21 Thread Steve Basford
MBL sigs are now fixed, just had contact with them "We sincerely apologize for the trouble caused by these faulty signatures. An update to our system was applied this morning and, unfortunately, it had this unwanted side effect. The update was reverted and signatures should be fixed now. W

Re: [clamav-users] false positives

2013-08-21 Thread Steve Basford
> > Finally I would like to know why these subscriptions were implemented? Who > can answer this question? I had a report that this sig was causing an issue, sigs were removed and domain whitelisted. Problem was a big spam run from those domains, but root was incorrectly flagged Cheers, Steve Sanese

Re: [clamav-users] false positives

2013-08-21 Thread Steve Basford
> Hi Andre, > NB: I'm copying this to the ClamAV users list, as a heads-up. > > The ClamAV EXT list currently contains a number (eleven) of false positive > entries. They all match the string "://" (without the quotes), which > clearly matches any email containing any URL. > > This is a very

Re: [clamav-users] clamd taking too long to restart?

2013-08-15 Thread Steve Basford
> >> I've done some analysis of ClamAV with just this signature set, and the >> loading is simply slowing down as it runs through the list. * Third Party dbs * Hi, While looking into the database loading time issue, thought it might be an idea to quickly scan the same "small" file with each dat

Re: [clamav-users] clamd taking too long to restart?

2013-08-15 Thread Steve Basford
> I've done some analysis of ClamAV with just this signature set, and the > loading is simply slowing down as it runs through the list. This is mainly > because of the significant amounts of overlap at the beginnings of these > strings and the length thereafter. Hi David, Thanks for the info..

Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Steve Basford
> OK, we've been able to reproduce the problem and it is, as you all > suspected revolving around the www. matching. I've asked one of the > developers to look at it, and we should be able to provide some > best-practice guidelines on how to construct rules to avoid this > situation. Thanks Matt

Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Steve Basford
> OK...I'll do some testing tomorrow and see if we can't come up with some > information for you. Hi Matt In additional testing: a) Replacing "(B)772E" with "(B)772E" also brings the speed down... (6.5 secs) b) Replacing "(B)772E" with "(B)77??772E" also brings the speed down..

Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Steve Basford
> OK...I'll do some testing tomorrow and see if we can't come up with some > information for you. > > Matt > in the last few days a lot of spam is (ab)using t.co shortened URLs in > the payload, so these are ending up in bofhland_cracked_URL.ndb (~7K > distinct URLs atm) > Sorry for the cross

[clamav-users] news: Cisco Announces Agreement to Acquire Sourcefire

2013-07-24 Thread Steve Basford
just in case anyone missed it... "The best news in all of this, especially for our partners, customers and open source users, is that Cisco is committed to accelerate the realization of our vision into the market. We’ll be able to more quickly innovate, develop and provide products and technol

Re: [clamav-users] ClamAV 0.97.8 has been released!

2013-04-23 Thread Steve Basford
> Sorry about that, I had it right in my post, but when the email went out, > it didn't take. No problem, just thought I'd point it out in case anyone thought there had been a security issue with the file. Cheers, Steve Sanesecurity

Re: [clamav-users] ClamAV 0.97.8 has been released!

2013-04-23 Thread Steve Basford
> Dear ClamAV users, > > > "ClamAV 0.97.8 addresses several reported potential security bugs. Thanks > to Felix Groebert of the Google Security Team for finding and reporting > these issues." > > Download: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz > PGP sig: http://downloads.sou

Re: [clamav-users] GTUBE message detection

2013-04-10 Thread Steve Basford
>> Given that a large proportion of the Sanesecurity sigs detect spam, >> phishing, and other junk >> mail (and folks use them as such), wouldn't it be useful to include a >> standard spam test >> signature by default? > > It seems to be very controversial if ClamAV should include signatures > fo

Re: [clamav-users] GTUBE message detection

2013-04-09 Thread Steve Basford
> On 4/8/13 1:40 PM, "Andrew Beverley" wrote: > >> Some time ago there was a discussion that resulted in the GTUBE test >> spam message being added to the Clamav signatures[1]. >> ... >> [1] http://lurker.clamav.net/message/20090924.234610.57310ea1.en.html > > According to the second message in y

Re: [clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?

2013-04-08 Thread Steve Basford
> Al, > > Just now I restored and submitted autorun.inf as well to "submit > malware" in clamav.net > From sigtool I got this MD5 signature; > 3b19da4562e3729854ae6b3fe127:1123:Autorun.inf It's also worth submitting the malware to: https://www.virustotal.com/en/ Currently the Autorun hash

Re: [clamav-users] looking for Bill Landry

2013-03-20 Thread Steve Basford
> Hi all, > > Bill Landry is the developer of clamav-unofficial-sigs and since I'm the > Debian maintainer of that, I need to discuss some things with him but > his domain inetmsg.com doesn't respond to HTTP or SMTP connections. Does > anyone know what happened to him or if he moved to a different

Re: [clamav-users] ClamAV 0.97.7 available?

2013-03-15 Thread Steve Basford
FYI, Win32 now available too... http://sourceforge.net/projects/clamav/files/clamav/win32/0.97.7/ Cheers, Steve Sanesecurity

Re: [clamav-users] Block files type inside attached files

2012-12-07 Thread Steve Basford
> How could I block some files type that are inside a zip or rar files > attached into an e-mail received? Here's an example: create a blockext.zmd: Sanesecurity.Blocked.Zip.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:* (watch the wrap after the 0:\. bit) This

Re: [clamav-users] question about sanesecurity

2012-11-26 Thread Steve Basford
> Are signatures for Belgian or Dutch bank-phishing mails (ING, > BNP-Paribas-Fortis, Belfius, etc) included in these databases? I've replied off-list Cheers, Steve Sanesecurity

Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

2012-11-26 Thread Steve Basford
> Jari Fredriksson skrev den 25-11-2012 17:10: >> These rules must have a common signature? Old downloads suddenly >> trigger >> positives. > > unofficial sigs, what should clamav team do about them ? Well, I've tried to explain what to do with FP's like this... http://sanesecurity.co.uk/fps.htm

Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

2012-11-26 Thread Steve Basford
> > These rules must have a common signature? Old downloads suddenly trigger > positives. Hi Jari, These sigs need to be reported as FP's to: false_positive AT crdf.fr In the meantime, I've whitelisted on the mirrors, until they can take a look. One thing to double check is to submit one of

Re: [clamav-users] missed virus

2012-11-15 Thread Steve Basford
> OK, I'm stumped as to why clamav-milter did not catch this virus. It was > from this address, being masked as from UPS: > > > File: Invoices-14-2012.htm" > Hi Jamen, I've been seeing these java/htm combos over the last few days and been adding detection to phish.ndb. The other bad stuff coming

Re: [clamav-users] Spam No Longer ID'd as Virus

2012-08-21 Thread Steve Basford
> Unless something has changed again that I missed, the INetMsg signatures > are no > longer maintained. That's still correct... just in case anyone else missed the updates, here's the last two announcements, as there were a few new databases too: http://www.freelists.org/post/sanesecurity/data

Re: [clamav-users] False Positives

2012-08-13 Thread Steve Basford
> I will Alain, > > But I want a quick way to whitelist as a shortcut, because our users > are complaining. :( Put the problem signature name in a file called local.ign2 and restart clamd. eg: MBL_303159 MBL_312128 Worm.Mydoom-20009 etc. etc. Cheers, Steve Sanesecurity

Re: [clamav-users] how to release 16K FPs from quarantine?

2012-08-09 Thread Steve Basford
> I'm also now noticing there are hundreds or thousands of messages > erroneously quarantined as a result of this rule. It appears to expand > to: > > # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs > Does anyone know what's going on with this domain? It doesn't look > like a domain thou

Re: [clamav-users] ZIP/Bredolab.A!Camelot

2012-07-20 Thread Steve Basford
> Hi, just was informed that some mails with > ZIP/Bredolab.A!Camelot > > slipped through up2date clamav gateway , detected by > Microsoft Forefront Hi, Did they slip past the Sanesecurity phish.ndb/rogue.hdb ones too? Cheers, Steve Sanesecurity

Re: [clamav-users] Clam virus database for test purposes

2012-07-04 Thread Steve Basford
> Thank you for your reply. > > The suggested solution doesn't solve the problem as I am trying to > communicate with clamav-daemon which (as far as I can tell) checks for > the cvd databases and doesn't take a database argument. Any other > suggestions? Create the test.ndb file as shown earlier.

Re: [clamav-users] Windows packaging

2012-06-25 Thread Steve Basford
> VisualStudio does not have a target to build a ZIP file, we could also > build a cab file if this would help. > Hi Tom, Any use? http://markkemper1.blogspot.co.uk/2010/10/zipping-build-outputs-using-build-file.html http://stackoverflow.com/questions/4794503/is-there-a-zip-project-in-visual-st

Re: [clamav-users] Windows packaging

2012-06-25 Thread Steve Basford
> On Mon, Jun 25, 2012 at 08:13:58AM +0100, Steve Basford wrote: >> While I can see the MSI installer being useful to some people... I'd >> prefer to have the .ZIPs back (or have both built), as I've got to run >> the >> MSI >> installer, find where

Re: [clamav-users] Windows packaging

2012-06-25 Thread Steve Basford
> Your best bet is to ask on the ClamWin forum. Here is the forum site > http://forums.clamwin.com/ I'm not sure if he's talking about the binaries here, auto-built by ClamAV Team (not the version by the ClamWin team) http://sourceforge.net/projects/clamav/files/clamav/win32/ The builds used to

Re: [clamav-users] 10 years of ClamAV

2012-06-19 Thread Steve Basford
> Finally, we would like to thank all who have trusted ClamAV for scanning > and protecting some of the most valuable data on their networks. Just want to say a huge thank you to you all... for all the development work/fixes/support over the last 10 years. And good luck to you all with future p

Re: [clamav-users] [sanesecurity] Re: Long DB refresh times

2012-04-25 Thread Steve Basford
> I think I'm missing some context here: which DB files are slow to load? > The official ones? Just the sanesecurity ones? Any particular DB from the > sanesecurity ones? Hi Edwin, I've emailed you off-list... but think I've found the issue and work-around. Sorry for the cross-post to clamav-us

[clamav-users] ClamAv 0.97.4 win32/64 binaries

2012-03-16 Thread Steve Basford
Hi, Any eta on an update to v0.97.4 here... http://sourceforge.net/projects/clamav/files/clamav/win32/ Cheers, Steve Sanesecurity

Re: [clamav-users] false positives with MBL_207346?

2012-02-22 Thread Steve Basford
> Oh, and I now realize that this is outside of freshclam's control, being > a sanesecurity signature. I removed the mbl.db and disabled that > cronjob until we sort this out... Hi John, Actually, just to clarify... it's not a Sanesecurity signature and it's not distributed by Sanesecurity eithe

Re: [clamav-users] false positives with MBL_207346?

2012-02-22 Thread Steve Basford
> I started seeing a bunch of these this morning, essentially trashing > around... I don't know, 80 or 90% of our mail. The signature is > definitely in our database but I can't find anything about it via google > aside from pages that have apparently been updated to no longer mention > it. Any i

Re: [clamav-users] undetected virus

2012-01-23 Thread Steve Basford
> Dear list, > > We received a virus not detected by Clamav. VirusTotal shows a 23/43 > detection ratio. Trend Micro recognises it as TROJ_GEN.R06C8AN. > Yesterday I submitted a sample to Clamav. But till now it's not detected. > https://www.virustotal.com/file/d6a2ae622adae26cc7988e68edfa6898364b42

Re: [clamav-users] Finding false positives

2011-12-12 Thread Steve Basford
> Can someone help me understand why the issue with securesites.net is, > and why this email was blocked because of it? Hi Alex, The domain was blocked by a Third Party ClamAV database produced by InetMsg. I've removed the signature for them and it will be removed from the mirrors in the next 1

Re: [clamav-users] Scan files by date

2011-10-04 Thread Steve Basford
> I have a large number of files (9TB) with over a million files and > thousands of directories. I would like to scan the group one time so I > have a good baseline. After that I would like to scan files that are less > than 365 days old. Can I use clamscan to scan files by date? Along these lines

Re: [clamav-users] Yet Another US Mirror Issue

2011-09-14 Thread Steve Basford
> On Wed, 14 Sep 2011, Dan wrote: > http://www.downforeveryoneorjustme.com/88.198.67.125 > > Says it's up. Received responses: 53 Ok 5 Fail http://host-tracker.com/check_res_ajx/8730391-0/ Cheers, Steve Sanesecurity

Re: [clamav-users] eicar-like phishing test signature?

2011-09-06 Thread Steve Basford
> Am 06.09.2011 11:55, schrieb Matus UHLAR - fantomas: >> Hello, >> >> does clamav include any signature used to test phishing mail? >> > > there is gtube antispam test sig > http://spamassassin.apache.org/gtube/ > Just for info, if you are using scam.ndb from the Sanesecurity sigs, the above down

Re: [clamav-users] False Positive - INetMsg.SpamDomain-2w.dl_dropbox_com.UNOFFICIAL

2011-07-08 Thread Steve Basford
> This is a message I hand created with a valid link to a dropbox file. > <4e1653aa.432.e8be7950.c618...@mc3computerclub.org> "Message contains an > infected attachment (INetMsg.SpamDomain-2w.dl_dropbox_com.UNOFFICIAL)" Hi, I've removed the signature from the mirrors and have also notified Bill (

Re: [clamav-users] announcing ClamAV 0.97.1

2011-06-10 Thread Steve Basford
> On Thu, 9 Jun 2011, Luca Gibelli wrote: > >> >> Dear ClamAV users, >> >> >> This is a bugfix release recommended for all users. Please refer to the >> ChangeLog file for details. >> >> Download : http://downloads.sourceforge.net/clamav/clamav-0.97.1.tar.gz Can't see the windows binaries for 0.97

Re: [clamav-users] HOW to whitelist XF.Sic.L

2011-05-31 Thread Steve Basford
> I know that XF.SIC.L detected files are not viruses. I want clamav to ignore > this kind of viruses. > > I also created file local.ign2 in the database dir with the following > content > > # cat local.ign2 > XF.Sic.E > XF.Sic.L > but got error after restarting the clamd service How about? pr

Re: [clamav-users] Access has been denied page

2011-04-17 Thread Steve Basford
> On 04/17/11 05:05, Dennis Peterson wrote: >> Adding the hard-coded >> UNOFFICIAL reduces some liability from the Clamav team. > > That! > And lots of daily annoyances with FP reports too. > > Which is why the suffix won't go away nor an option will be available to > get rid of it. I receive .UNO

Re: [clamav-users] Access has been denied page

2011-04-14 Thread Steve Basford
> Thanks > > I had put in > MBL_200562.UNOFFICIAL > > instead of > MBL_200562 > > I reloaded clamav and now it works. > Glad you got it sorted. Just to clarify, don't add the .UNOFFICIAL to *any* signature names that you wish to whitelist (add to the .ign2 file). It confused me at first too, why s
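As an added example (not code from the thread, from Sanesecurity or from the ClamAV project), here is a small POSIX shell helper for the point made above: clamd appends .UNOFFICIAL to the names of hits from third-party databases when it reports them, but the .ign2 whitelist must carry the bare signature name. The first function turns "FOUND" log lines into .ign2 entries with the suffix stripped; the second lints an existing .ign2 file and flags entries that still end in .UNOFFICIAL. The log lines and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example. Constructed clamd log lines (not from the thread); paths are hypothetical.
SAMPLE_LOG='Wed Apr 13 09:12:01 2011 -> /var/spool/scan/msg1: MBL_200562.UNOFFICIAL FOUND
Wed Apr 13 09:12:07 2011 -> /var/spool/scan/msg2: XF.Sic.L FOUND
Wed Apr 13 09:12:09 2011 -> /var/spool/scan/msg3: OK
Wed Apr 13 09:12:15 2011 -> /var/spool/scan/msg4: MBL_200562.UNOFFICIAL FOUND'

# Read "... : <signature> FOUND" lines on stdin and print each distinct
# signature once, with any .UNOFFICIAL suffix removed, ready to append to a
# .ign2 file. The name is the field just before FOUND, so spaces in the
# scanned path do not disturb the extraction.
ign2_names() {
    awk '/ FOUND$/ { print $(NF-1) }' |
    while IFS= read -r sig; do
        printf '%s\n' "${sig%.UNOFFICIAL}"
    done | LC_ALL=C sort -u
}

# Lint a .ign2 file on stdin. Blank lines and # comments are skipped; every
# other line should be a bare signature name. Entries ending in .UNOFFICIAL
# are printed with their line number and make the function return 1, because
# the suffix is added at report time and is not part of the stored name.
ign2_lint() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /\.UNOFFICIAL$/ { print "line " NR ": drop the .UNOFFICIAL suffix: " $0; bad = 1 }
        END { exit bad }
    '
}

# Usage (hypothetical paths):
#   grep ' FOUND$' /var/log/clamav/clamd.log | ign2_names >> /var/lib/clamav/local.ign2
#   ign2_lint < /var/lib/clamav/local.ign2 && clamdscan --reload
```

Run the lint before reloading clamd: a bad entry does not produce a load error, it simply never matches, which is why the whitelist in the message above looked correct but did nothing until the suffix was removed.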

Re: [clamav-users] Access has been denied page

2011-04-13 Thread Steve Basford
> Hello, > > I have a user that receives an email from a legitimate online newspaper > site and since Monday they click on links in that email address and DG > blocks the page with the following message > > Virus MBL_200562.UNOFFICIAL found > Hi, Although it's not a Sanesecurity signature but

Re: [clamav-users] Problem with "sanesecurity-winnow_phish_complete.ndb"

2011-03-02 Thread Steve Basford
> > Disregard the message, found this was an OLD database file that was > causing problems. > Hi Ken, Thanks for the report and glad you sorted out the problem. For reference, here's the contact details for the Sanesecurity/Sanesecurity Distributed signatures: http://sanesecurity.co.uk/fps.htm

Re: [clamav-users] [0.97rc] 3rd party DB securiteinfohtml.hdb: "Malformed database"

2011-02-02 Thread Steve Basford
> Hello again, > > Probably expected, the above mentioned 3rd party database can't be > loaded with this version, 0.96 had no such problem. I've just done a quick download of the current file and this item is causing the problem for me: LibClamAV Error: cli_loadhash: Invalid value for the size fi
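An added example, not code from the thread, from SecuriteInfo or from ClamAV: a shell pre-flight check for a third-party `.hdb` file before it is dropped into the database directory. Each non-comment `.hdb` record is `MD5:FileSize:MalwareName`, and the "Invalid value for the size field" error above comes from a record whose second field is not a plain byte count. The sample database is constructed (hashes and names are made up); the file path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example. Constructed .hdb contents; hashes and names are invented.
SAMPLE_HDB='# comment lines are skipped by the loader
d41d8cd98f00b204e9800998ecf8427e:0:Test.Empty.File
0123456789abcdef0123456789abcdef:4096:Example.Hash.A
0123456789abcdef0123456789abcdef:4k:Example.Hash.BadSize
0123456789abcdef0123456789abcde:512:Example.Hash.ShortHash
0123456789abcdef0123456789abcdef::Example.Hash.EmptySize'

# Report .hdb records that the hash loader will not accept:
#   field 1 must be 32 hex characters (an MD5),
#   field 2 a decimal byte count,
#   field 3 a non-empty malware name.
# Prints "line N: reason: <record>" for each bad record and returns 1 if any
# were found, 0 if the file is clean.
hdb_lint() {
    awk -F: '
        /^#/ || /^[ \t]*$/ { next }
        {
            reason = ""
            if (NF < 3)
                reason = "expected MD5:FileSize:MalwareName"
            else if (length($1) != 32 || $1 !~ /^[0-9a-fA-F]+$/)
                reason = "hash is not a 32-character MD5"
            else if ($2 !~ /^[0-9]+$/)
                reason = "size field is not a decimal number"
            else if ($3 == "")
                reason = "empty signature name"
            if (reason != "") { print "line " NR ": " reason ": " $0; bad = 1 }
        }
        END { exit bad }
    '
}

# Number of bad records, for an update script that wants a single figure to log.
hdb_bad_count() {
    hdb_lint | wc -l | tr -d ' '
}

# Usage (hypothetical path): refuse to install a file that fails the lint.
#   hdb_lint < /tmp/securiteinfohtml.hdb.new || echo "not installing"
```

The check encodes the 0.97-era rule that the size must be numeric; later ClamAV releases also accept `*` as a wildcard size, so relax the second test if you run a newer engine. Running this in the download script means a malformed third-party record is caught before clamd reloads, rather than surfacing as a "Malformed database" refusal at load time.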

[Clamav-users] OT: best ClamAV changelog entry

2010-10-06 Thread Steve Basford
[NSFW] http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=42ab31d897c0d67b89467cfe34532c8b421d2c95 Lol, Steve Sanesecurity

Re: [Clamav-users] Tracking false positives

2010-09-13 Thread Steve Basford
Alex wrote: Hi, We had a user report that their email was tagged with winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can I track this, and determine which database it was that contains this pattern, and why it considered this email to contain this virus? Hi Alex, As o

Re: [Clamav-users] concerning new virus

2010-08-25 Thread Steve Basford
> > the actual file name is Xerox_doc.exe > > I have submitted this on the clam website several times but there seems to > be no update on this > > Could somebody check this out and help please. Just to add that Sanesecurity signatures from phish.ndb should be catching that one already... add in r

Re: [Clamav-users] 0.96.2 freezing with sane security update script on one of 2 linux systems

2010-08-18 Thread Steve Basford
> OK. Here's debug AND the fix at least from my solution: > > Recompiled with > > ./configure --disable-llvm > make > make install Thanks for reporting back... it's odd though, as the test file you are scanning is only a small ascii file. Out of interest, does the same thing happen with llvm enab

Re: [Clamav-users] 0.96.2 freezing with sane security update script on one of 2 linux systems

2010-08-18 Thread Steve Basford
> Can you run it with --debug to see where it hangs? > Then open a bugreport please (and attach junk.ndb). Not that this really helps, but I've tried the official win32 windows port from here: http://sourceforge.net/projects/clamav/files/clamav/win32/ And in doing a quick test - loading ALL curr

Re: [Clamav-users] MSRBL signatures?

2010-08-03 Thread Steve Basford
> > I've discontinued using them because of the lack of activity. I've also > shut off > SecuriteInfo and because of false positives, InetMsg signatures. Hi Dennis, If any FP's are reported here: false_positive AT sanesecurity DOT me DOT uk I then remove and forward on to the right person to t
