Re: [clamav-users] Untit Testing
Hi there,

On Tue, 7 Feb 2012, Reynolds, David C. wrote:

> I've recently installed .97.3 on an SGI Origin 3000 running TRIX ...
> This is a totally Trusted Irix environment.

If it's a trusted environment, why would you put ClamAV on it? ClamAV is certainly less than totally trustworthy.

--
73,
Ged.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
Hi!

I'm trying to disable this signature, since it's giving me FPs for some XLS files (yes, I already submitted it as FP today):

mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
[0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404

mail2:/var/lib/clamav# cat local.ign2
BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
BC.Exploit.CVE_2011_3412
CVE_2011_3412

(I tried 3 different ways of disabling the signature)

I restarted clamd, but still the mails are stopped as infected:

Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND

What am I doing wrong here? Running clamav 0.97.3

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de
Campus Benjamin Franklin
http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
Ralf,

We got your FP reports and will address them today.

Thanks,
-Alain

On Tue, Feb 7, 2012 at 8:08 AM, Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
> Hi!
>
> I'm trying to disable this signature, since it's giving me FPs for some XLS files (yes, I already submitted it as FP today):
>
> mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> [0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404
>
> mail2:/var/lib/clamav# cat local.ign2
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
> BC.Exploit.CVE_2011_3412
> CVE_2011_3412
>
> (I tried 3 different ways of disabling the signature)
>
> I restarted clamd, but still the mails are stopped as infected:
>
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND
>
> What am I doing wrong here? Running clamav 0.97.3
>
> --
> Ralf Hildebrandt
Re: [clamav-users] Untit Testing
Thanks for the quick replies. I was able to run those tests. As to why I would install ClamAV, it is an IA requirement that we scan for viruses on remote file transfers that go thru this system and there aren't too many options that will run under IRIX.

--Dave Reynolds

From: clamav-users-boun...@lists.clamav.net on behalf of G.W. Haywood
Sent: Tue 2/7/2012 3:55 AM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Untit Testing

> Hi there,
>
> On Tue, 7 Feb 2012, Reynolds, David C. wrote:
>
>> I've recently installed .97.3 on an SGI Origin 3000 running TRIX ...
>> This is a totally Trusted Irix environment.
>
> If it's a trusted environment, why would you put ClamAV on it? ClamAV is certainly less than totally trustworthy.
>
> --
> 73,
> Ged.
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Alain Zidouemba <azidoue...@sourcefire.com>:
> Ralf,
>
> We got your FP reports and will address them today.

Thanks :)

But the original question remains in case I need to whitelist a signature.

--
Ralf Hildebrandt
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-----Original message-----
From: Ralf Hildebrandt <ralf.hildebra...@charite.de>
Sent: Wed 08-02-2012 00:16
Subject: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: clamav-users@lists.clamav.net;

> Hi!
>
> I'm trying to disable this signature, since it's giving me FPs for some XLS files (yes, I already submitted it as FP today):
>
> mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
> [0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404
>
> mail2:/var/lib/clamav# cat local.ign2
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
> BC.Exploit.CVE_2011_3412
> CVE_2011_3412
>
> (I tried 3 different ways of disabling the signature)
>
> I restarted clamd, but still the mails are stopped as infected:
>
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND
>
> What am I doing wrong here? Running clamav 0.97.3

It's the same story here. We've had to switch off all bytecode rules in the conf file. Not ideal.

Cheers
Bill Maidment
IT Consultant to Elgas Ltd
Phone: 02 4294 3649
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Bill Maidment <b...@maidment.vu>:
>> What am I doing wrong here? Running clamav 0.97.3
>
> It's the same story here. We've had to switch off all bytecode rules in the conf file. Not ideal.

Sounds like one cannot whitelist a bytecode signature?

--
Ralf Hildebrandt
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On 02/07/12 15:05, Bill Maidment wrote:
> -----Original message-----
> From: Ralf Hildebrandt <ralf.hildebra...@charite.de>
> Sent: Wed 08-02-2012 00:16
> Subject: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
> To: clamav-users@lists.clamav.net;
>
>> Hi!
>>
>> I'm trying to disable this signature, since it's giving me FPs for some XLS files (yes, I already submitted it as FP today):
>>
>> mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>> [0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(01);0:d0cf11e0a1b11ae1;*:1c000404
>>
>> mail2:/var/lib/clamav# cat local.ign2
>> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
>> BC.Exploit.CVE_2011_3412
>> CVE_2011_3412
>>
>> (I tried 3 different ways of disabling the signature)
>>
>> I restarted clamd, but still the mails are stopped as infected:
>>
>> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
>> Tue Feb 7 13:33:09 2012 - /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND
>>
>> What am I doing wrong here? Running clamav 0.97.3
>
> It's the same story here. We've had to switch off all bytecode rules in the conf file. Not ideal.
>
> Cheers
> Bill Maidment

The format of local.ign is not very intuitive, IMHO.

INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com

The first entry is the name of the file the definition is in (minus the file extension). The second is the line number that the definition is on. And the third is the name of the definition. These fields are separated by ':' as you can see.

The format apparently was chosen so that if you forgot to delete the file, no harm will be done when the definition disappears.

But one of the side effects is that a simple update that changes the line number for that definition will also render the local.ign useless.

It does work and I have used it, but every time I need it, it takes me more than one try to get it right. Especially since I only use it once every 3 or 4 months at best and it's case sensitive.

Lyle Giese
LCR Computer Services, Inc.
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Lyle Giese <l...@lcrcomputer.net>:
> The format of local.ign is not very intuitive, IMHO.

It's local.ign2 according to the docs.

Creating signatures for ClamAV
http://www.clamav.net/doc/latest/signatures.pdf

3.8 Whitelist databases

To whitelist a specific signature from the database you just add its name into a local file called -- local.ign2 -- stored inside the database directory. You can additionally follow the signature name with the MD5 of the entire database entry for this signature, eg:

Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c

In such a case, the signature will no longer be whitelisted when its entry in the database gets modified (eg. the signature gets updated to avoid false alerts).

> INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
>
> The first entry is the name of the file the definition is in (minus the file extension). The second is the line number that the definition is on. And the third is the name of the definition. These fields are separated by ':' as you can see.

Have you tried that for a bytecode signature?

sigtool --find-sigs=BC.Exploit.CVE_2011_3412

doesn't emit a line number. Fields are not separated with : but with ;

--
Ralf Hildebrandt
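The two whitelist formats discussed in Lyle's and Ralf's messages above, as an added example that is not part of the thread and not ClamAV's own code: a small Python model that applies local.ign2 entries (name, optionally pinned to the MD5 of the database entry) and local.ign entries (file:line:name) to constructed sample signature lines, including a ';'-separated bytecode-style line. It assumes the MD5 pin is computed over the entire text of the database line, as the quoted docs describe, and it only models the file formats; the bytecode-loader bug Tomasz fixes later in the thread is separate.

```python
"""Model of ClamAV's two signature whitelist formats (added example).
local.ign2: NAME or NAME:MD5 (MD5 assumed to be over the entire db line).
local.ign:  DBFILE:LINENO:NAME (older form, tied to the line number).
Sample signature lines below are constructed, not real ClamAV entries."""
import hashlib


def signature_name(entry):
    """Name field: text before the first ':' (.ndb/.hdb) or ';' (logical/.cbc)."""
    cut = len(entry)
    for sep in (":", ";"):
        pos = entry.find(sep)
        if pos != -1:
            cut = min(cut, pos)
    return entry[:cut]


def entry_md5(entry):
    """Hex MD5 of the whole db line, the optional pin in a local.ign2 entry."""
    return hashlib.md5(entry.encode()).hexdigest()


def ign2_matches(ign2_line, entry):
    """True if one local.ign2 line whitelists this db entry."""
    name, _, md5 = ign2_line.strip().partition(":")
    if name != signature_name(entry):
        return False
    return md5 == "" or md5 == entry_md5(entry)


def ign_matches(ign_line, dbfile, lineno, entry):
    """True if one local.ign line (DBFILE:LINENO:NAME) matches this entry."""
    return ign_line.strip() == f"{dbfile}:{lineno}:{signature_name(entry)}"


def suppressed(db, ign2_lines=(), ign_lines=()):
    """Names of entries in db (dbfile -> list of lines) that are whitelisted."""
    out = []
    for dbfile, lines in db.items():
        for lineno, entry in enumerate(lines, start=1):
            if (any(ign2_matches(l, entry) for l in ign2_lines if l.strip())
                    or any(ign_matches(l, dbfile, lineno, entry) for l in ign_lines)):
                out.append(signature_name(entry))
    return out


# Constructed db v1 and v2: the update rewrites the .ndb body and inserts a line ahead of BC_C.
BC_C = "BC.Example.C.{CVE_0000_0000};Engine:56-255,Target:0;(01);0:d0cf11e0"
DB_V1 = {"daily.ndb": ["Example.Test.A:0:*:deadbeef"], "bytecode.cbc": [BC_C]}
DB_V2 = {"daily.ndb": ["Example.Test.A:0:*:deadbeef00"],
         "bytecode.cbc": ["BC.Example.B;Engine:56-255;(01);0:aabbccdd", BC_C]}
IGN2 = ["Example.Test.A:" + entry_md5(DB_V1["daily.ndb"][0]),
        "BC.Example.C.{CVE_0000_0000}"]
IGN = ["bytecode.cbc:1:BC.Example.C.{CVE_0000_0000}"]
```

After the update, suppressed(DB_V2, (), IGN) returns an empty list because the bytecode entry moved to line 2 (Lyle's side effect), and the MD5-pinned ign2 entry for Example.Test.A stops matching because its line changed, while the name-only ign2 entry still matches.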
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Tue, 7 Feb 2012 23:07:05 +0100
Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:

> Have you tried that for a bytecode signature?
>
> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>
> doesn't emit a line number. Fields are not separated with : but with ;

The bytecode loader indeed seems to ignore local.ign2, I'm looking into it

--
Tomasz Kojm <tk...@clamav.net>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Feb 7 23:09:12 CET 2012
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On 02/07/12 16:07, Ralf Hildebrandt wrote:
> * Lyle Giese <l...@lcrcomputer.net>:
>> The format of local.ign is not very intuitive, IMHO.
>
> It's local.ign2 according to the docs.
>
> Creating signatures for ClamAV
> http://www.clamav.net/doc/latest/signatures.pdf
>
> 3.8 Whitelist databases
>
> To whitelist a specific signature from the database you just add its name into a local file called -- local.ign2 -- stored inside the database directory. You can additionally follow the signature name with the MD5 of the entire database entry for this signature, eg:
>
> Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c
>
> In such a case, the signature will no longer be whitelisted when its entry in the database gets modified (eg. the signature gets updated to avoid false alerts).
>
>> INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
>>
>> The first entry is the name of the file the definition is in (minus the file extension). The second is the line number that the definition is on. And the third is the name of the definition. These fields are separated by ':' as you can see.
>
> Have you tried that for a bytecode signature?
>
> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>
> doesn't emit a line number. Fields are not separated with : but with ;

I have never used sigtool. grep/kate/nano or any good editor will let you search and tell you the line number that you are looking at.

I guess I never used a local.ign2, only local.ign, for bypassing 'bad' definitions, and I have tested the local.ign files I created to make sure they do exactly what is needed for my mail system.

Lyle Giese
LCR Computer Services, Inc.
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
On Tue, 07 Feb 2012 23:11:24 +0100
Tomasz Kojm <tk...@clamav.net> wrote:

> On Tue, 7 Feb 2012 23:07:05 +0100
> Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
>
>> Have you tried that for a bytecode signature?
>>
>> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>>
>> doesn't emit a line number. Fields are not separated with : but with ;
>
> The bytecode loader indeed seems to ignore local.ign2, I'm looking into it

The problem is now fixed in master and 0.97 branches:
http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=4c22459d7a84f4c2c14b5e33ab2dfe4818121801

Thanks,
--
Tomasz Kojm <tk...@clamav.net>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Feb 7 23:26:30 CET 2012
Re: [clamav-users] Untit Testing
On 2012-2-7 18:27, Reynolds, David C. wrote:
> Thanks for the quick replies. I was able to run those tests. As to why I would install ClamAV, it is an IA requirement that we scan for viruses on remote file transfers that go thru this system and there aren't too many options that will run under IRIX.

I haven't got any experience with IRIX, but I do wonder: why are you using tits for testing purposes? That seems inappropriate. Everyone else uses canaries! The tits scare too easily and will fly at the slightest sound. Canaries are more reliable. And if there's a virus in range, they just die :)

PS ;-)

--
Jan-Pieter Cornet
SSL is only keeping your connection safe from hackers, crooks and three letter agencies by the least secured, least likely to refuse money from strangers, and least bullying-proof of several hundred companies worldwide.
Re: [clamav-users] Unit Testing
* Jan-Pieter Cornet <joh...@xs4all.nl>:
> I haven't got any experience with IRIX, but I do wonder: why are you using tits for testing purposes? That seems inappropriate.

No, he's using un-tits. Everything but tits. E.g. a canary would be an un-tit. Like an undead is anything but dead.

PS ;-)
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-----Original message-----
From: Tomasz Kojm <tk...@clamav.net>
Sent: Wed 08-02-2012 09:29
Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: clamav-users@lists.clamav.net;

> On Tue, 07 Feb 2012 23:11:24 +0100
> Tomasz Kojm <tk...@clamav.net> wrote:
>
>> On Tue, 7 Feb 2012 23:07:05 +0100
>> Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
>>
>>> Have you tried that for a bytecode signature?
>>>
>>> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>>>
>>> doesn't emit a line number. Fields are not separated with : but with ;
>>
>> The bytecode loader indeed seems to ignore local.ign2, I'm looking into it
>
> The problem is now fixed in master and 0.97 branches:

Thanks Tomasz

The patch doesn't line up with 0.97.3 source. Do I have to manually patch that?

[root@stiles clamav-0.97.3]# patch -p1 --dry-run < ../fix.diff
patching file libclamav/readdb.c
Hunk #1 succeeded at 1192 (offset -4 lines).
Hunk #2 FAILED at 1218.
Hunk #3 FAILED at 1388.
Hunk #4 succeeded at 1409 (offset -6 lines).
Hunk #5 FAILED at 1476.
Hunk #6 FAILED at 1484.
Hunk #7 succeeded at 1491 with fuzz 2 (offset -6 lines).
4 out of 7 hunks FAILED -- saving rejects to file libclamav/readdb.c.rej
[root@stiles clamav-0.97.3]#

Cheers
Bill Maidment
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
-----Original message-----
From: Bill Maidment <b...@maidment.vu>
Sent: Wed 08-02-2012 09:53
Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
To: clamav-users@lists.clamav.net;

> -----Original message-----
> From: Tomasz Kojm <tk...@clamav.net>
> Sent: Wed 08-02-2012 09:29
> Subject: Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
> To: clamav-users@lists.clamav.net;
>
>> On Tue, 07 Feb 2012 23:11:24 +0100
>> Tomasz Kojm <tk...@clamav.net> wrote:
>>
>>> On Tue, 7 Feb 2012 23:07:05 +0100
>>> Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
>>>
>>>> Have you tried that for a bytecode signature?
>>>>
>>>> sigtool --find-sigs=BC.Exploit.CVE_2011_3412
>>>>
>>>> doesn't emit a line number. Fields are not separated with : but with ;
>>>
>>> The bytecode loader indeed seems to ignore local.ign2, I'm looking into it
>>
>> The problem is now fixed in master and 0.97 branches:
>
> Thanks Tomasz
>
> The patch doesn't line up with 0.97.3 source. Do I have to manually patch that?

I have manually patched 0.97.3, re-compiled, re-installed and restarted clamd, but the ign2 file is still being ignored.

[root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
BC.Exploit.CVE_2011_3412
[root@stiles clamav]#

Wed Feb 8 10:49:39 2012 - /var/spool/MIMEDefang/mdefang-q17NnSa7022557/Work/msg-30733-35.xls: BC.Exploit.CVE_2011_3412 FOUND

Cheers
Bill Maidment