[clamav-users] Upgrade to 0.100.0 disables CL_TYPE_ZIP regex signatures for Office files

2018-06-30 Thread David Shrimpton
Upgrade of clamav to 0.100.0 disables Container CL_TYPE_ZIP regex signatures
for Office 2007+ files, e.g. signatures attempting to match a contained file
of an Office zip.

Prior to 0.100.0 the Container for Office files was classified only as
CL_TYPE_ZIP. With 0.100.0 the Container is classified as both
(CL_TYPE_OOXML_WORD or CL_TYPE_OOXML_XL or CL_TYPE_OOXML_PPT) and CL_TYPE_ZIP.
Existing signatures pre-0.100.0 would all be CL_TYPE_ZIP.

With 0.100.0 it appears regexes are pooled as one regardless of Container type,
and files are first scanned with Container set to one of the CL_TYPE_OOXML_*
types, then the same pool of regexes is run with Container set to CL_TYPE_ZIP.

But with no hits on a file during the CL_TYPE_OOXML_* run, the file md5 is
cached as clean, so that file is not re-scanned with Container set to
CL_TYPE_ZIP. Thus the CL_TYPE_OOXML_* run disables the CL_TYPE_ZIP run.

The only time a CL_TYPE_ZIP signature may work is with -z and if a
CL_TYPE_OOXML_* sig is hit, as caching is turned off for the rest of the files
during the CL_TYPE_OOXML_* Container run when there is a sig hit. This would
also need the file that triggers the CL_TYPE_ZIP sig to be the same file as
that triggering the CL_TYPE_OOXML_* sig, or to be a file scanned after that
file (so the file is not in the clean cache).

--disable-cache for clamscan or 'DisableCache yes' in clamd.conf fixes the 
problem.

The fix would be to not cache files as clean until all Container types are 
tested.

Same problem I expect would apply in other multiple Container situations.

The problem might impact a large pool of existing signatures, as well as new
ones using CL_TYPE_ZIP and not one of the CL_TYPE_OOXML_* types.

Another unrelated problem is that Flash used to be Container CL_TYPE_ZIP but
is now CL_TYPE_SWF, so some sigs for Flash using CL_TYPE_ZIP may no longer
work.

David Shrimpton
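To make the scan order and clean-cache interaction described in this post concrete, here is an added model in Python (my own code, not ClamAV's): it assumes a two-signature pool with constructed signature names and constructed sample bytes, a per-file md5 clean cache, and clamscan -z (report all matches) semantics, and shows the 0.100.0 default outcome beside 'DisableCache yes' and the proposed defer-caching-until-all-Containers-are-tried fix.

```python
import hashlib
import re

# Container types named in the post (string tags are enough for the model).
CL_TYPE_ZIP = "CL_TYPE_ZIP"
CL_TYPE_OOXML_WORD = "CL_TYPE_OOXML_WORD"

# Constructed sample signatures (hypothetical names, not real ClamAV sigs):
# (name, Container type the sig was written for, pattern run over the file).
SIGS = [
    ("Sample.ZipContainer.Pre0100", CL_TYPE_ZIP, re.compile(rb"vbaProject\.bin")),
    ("Sample.OoxmlContainer.New", CL_TYPE_OOXML_WORD, re.compile(rb"AutoOpen")),
]

# Constructed stand-ins for the bytes of an Office 2007+ (zip) file.
OLD_SIG_ONLY = b"PK\x03\x04[Content_Types].xml word/vbaProject.bin"
BOTH_SIGS = b"PK\x03\x04[Content_Types].xml word/vbaProject.bin AutoOpen"


def run_pool(container, data):
    """Run the single pooled regex set with Container set to `container`.
    A signature only fires when the Container it was written for is current."""
    return [name for name, ctype, pat in SIGS
            if ctype == container and pat.search(data)]


def scan_office_file(data, clean_cache, disable_cache=False, defer_cache=False):
    """Scan one Office file the way the post describes 0.100.0 doing it:
    pass 1 with Container = CL_TYPE_OOXML_WORD, pass 2 with Container =
    CL_TYPE_ZIP, all matches reported (clamscan -z).

    clean_cache   - set of md5 hex digests already judged clean (shared
                    across files in a real scan)
    disable_cache - models --disable-cache / 'DisableCache yes'
    defer_cache   - models the proposed fix: cache a file as clean only after
                    every Container type has been tried
    Returns the list of signature names that fired.
    """
    digest = hashlib.md5(data).hexdigest()
    hits = []
    for container in (CL_TYPE_OOXML_WORD, CL_TYPE_ZIP):
        if digest in clean_cache:
            break  # already cached clean: this Container pass is skipped
        hits += run_pool(container, data)
        # 0.100.0 behaviour: a pass with no hits marks the file clean at once,
        # which is what starves the following CL_TYPE_ZIP pass.
        if not hits and not disable_cache and not defer_cache:
            clean_cache.add(digest)
    if not hits and defer_cache:
        clean_cache.add(digest)  # fix: every Container type tried, now safe
    return hits


def compare_modes(data):
    """Return {mode: hits} for the three configurations discussed in the post."""
    return {
        "0.100.0 default": scan_office_file(data, set()),
        "DisableCache yes": scan_office_file(data, set(), disable_cache=True),
        "deferred caching (fix)": scan_office_file(data, set(), defer_cache=True),
    }


if __name__ == "__main__":
    for label, sample in (("old ZIP sig only", OLD_SIG_ONLY), ("both sigs", BOTH_SIGS)):
        for mode, hits in compare_modes(sample).items():
            print(f"{label:16} | {mode:22} | {hits or 'clean'}")
```

The second sample reproduces the one case the post says still works: the CL_TYPE_ZIP sig fires only because a CL_TYPE_OOXML_* sig hit the same file first, so nothing was cached as clean.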

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] update report

2018-06-30 Thread Gene Heskett
On Saturday 30 June 2018 20:30:57 Joel Esler (jesler) wrote:

> Interesting.   Can you give us a -debug?
>
Is this something I can put in the crontab, Joel?  How?

> Sent from my iPhone
>
> > On Jun 30, 2018, at 20:22, Gene Heskett 
> > wrote:
> >
> > I'm still logging this about every other freshclam run:
> >
> > Sat Jun 30 18:49:53 2018 -> nonblock_connect: connect(): fd=4
> > errno=101: Network is unreachable
> > Sat Jun 30 18:49:53 2018 -> Can't connect to port 80 of host
> > db.us.clamav.net (IP: 2400:cb00:2048:1::6810:ba8a)
> >
> > And I've rm'd mirrors.dat several times.
> > --
> > Cheers, Gene Heskett
> > --
> > "There are four boxes to be used in defense of liberty:
> > soap, ballot, jury, and ammo. Please use in that order."
> > -Ed Howdershelt (Author)
> > Genes Web page 



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


[clamav-users] CVE verification

2018-06-30 Thread Dajuan Mcdonald
Hi,

Regarding CVE-2017-12941 and CVE-2017-12942, unrar-5.5.6 is affected.
There is a fixed version of unrar-5.5.7. I am asking:

[1] are the CVEs known to affect any versions of clamav, if so which
versions are not affected? 

[2] These are the vulnerable code examples:

#Vulnerable unrar function (CVE-2017-12941)
int DistNumber=DecodeNumber(Inp,);
unsigned int Distance=DDecode[DistNumber]+1;


# Vulnerable unpack longlz (CVE-2017-12942)
//ChSetB[DistancePlace]=ChSetB[NewDistancePlace];
--
I found this in clamav 0.100.0:
## ClamAV code: unpack20.c
//int rar_unpack20(int fd, int solid, unpack_data_t *unpack_data)

{ ...
unsigned int bits, distance;
dist_number = rar_decode_number(unpack_data, (struct Decode
*)_data->DD);
distance = ddecode[dist_number] + 1


#ClamAV unpack longlz
//static void long_lz(unpack_data_t *unpack_data)

unpack_data->chsetb[distance_place & 0xff]
chsetb[new_distance_place & 0xff] = distance;
chsetb[distance_place & 0xff] = unpack_data->chsetb[new_distance_place
& 0xff];

It isn't clear to me (as I cannot read C code very well) if these are
indeed affected by the CVEs mentioned above. Anyone able to clarify?

[3] Any commits one can point me to for verification of changes, if any?

Thank you and apologies if this is old or redundant news already
resolved.

Reference: http://seclists.org/oss-sec/2017/q3/290

 domhnall



Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-06-30 Thread Joel Esler (jesler)
Ping.clamav.net is an identification lookup. It helps us see what versions people
are running out there and what version of ClamAV people are using. Its
failure shouldn't stop the update process. Please give us a debug.

Sent from my iPhone

> On Jun 30, 2018, at 19:28, Paul Kosinski  wrote:

Re: [clamav-users] update report

2018-06-30 Thread Joel Esler (jesler)
Interesting.   Can you give us a -debug?

Sent from my iPhone

> On Jun 30, 2018, at 20:22, Gene Heskett  wrote:
> 
> I'm still logging this about every other freshclam run:
> 
> Sat Jun 30 18:49:53 2018 -> nonblock_connect: connect(): fd=4 errno=101: 
> Network is unreachable
> Sat Jun 30 18:49:53 2018 -> Can't connect to port 80 of host 
> db.us.clamav.net (IP: 2400:cb00:2048:1::6810:ba8a)
> 
> And I've rm'd mirrors.dat several times.
> -- 
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page 


[clamav-users] update report

2018-06-30 Thread Gene Heskett
I'm still logging this about every other freshclam run:

Sat Jun 30 18:49:53 2018 -> nonblock_connect: connect(): fd=4 errno=101: 
Network is unreachable
Sat Jun 30 18:49:53 2018 -> Can't connect to port 80 of host 
db.us.clamav.net (IP: 2400:cb00:2048:1::6810:ba8a)

And I've rm'd mirrors.dat several times.
-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


[clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-06-30 Thread Paul Kosinski
We are *still* failing to get ClamAV cvd files updates reliably -- even
after deleting mirrors.dat before each attempt!

The basic problem seems to be that the query to (e.g.):

  daily.24710.85.1.0.6810BB8A.ping.clamav.net

fails as often as not (e.g.):

  Querying daily.24710.85.1.0.6810BB8A.ping.clamav.net
  Can't query daily.24710.85.1.0.6810BB8A.ping.clamav.net

The query fails a lot when issued by freshclam, and it also fails
(times out) a lot when issued by dig.

As far as I can tell by reading the freshclam code, the query is just a
DNS query for the A record (as opposed to a TXT record etc.). I presume
that the prefix part of the FQDN works like it does for blacklists and
indicates whether the prefix is "good" or "bad".

As I investigated further, I ran one test which gave a very interesting
result:

  # dig  xx.ping.clamav.net
  ;xx.ping.clamav.net.IN  A
  xx.ping.clamav.net. 1   IN  A   5.9.14.57
  ping.clamav.net.218 IN  NS  ns4.clamav.net.
  ns4.clamav.net. 3053IN  A   12.167.151.33
  ns4.clamav.net. 3053IN  A   5.9.14.57
  ns4.clamav.net. 3258IN  2a01:4f8:160:8421::2

Apparently, ping.clamav.net is handled by ns4.clamav.net, but that name
server has 2 unrelated IP addresses. The 12.167.151.33 address appears
to be leased by Sourcefire from AT&T, but the 5.9.14.57 address is
owned by Hetzner.de.


If I now do digs explicitly using the 2 different addresses for ns4,
the Hetzner one works, but the Sourcefire one doesn't:
 
  # while true; do dig @5.9.14.57 daily.24710.85.1.0.6810BB8A.ping.clamav.net ; 
sleep 1 ; done
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
  ping.clamav.net.1200IN  NS  ns4.clamav.net.
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
  ping.clamav.net.1200IN  NS  ns4.clamav.net.
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
  ping.clamav.net.1200IN  NS  ns4.clamav.net.
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
  ping.clamav.net.1200IN  NS  ns4.clamav.net.
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
  ping.clamav.net.1200IN  NS  ns4.clamav.net.
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
  ping.clamav.net.1200IN  NS  ns4.clamav.net.
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  daily.24710.85.1.0.6810BB8A.ping.clamav.net. 1 IN A 5.9.14.57
  ping.clamav.net.1200IN  NS  ns4.clamav.net.
  ^C

  # while true; do dig @12.167.151.33 
daily.24710.85.1.0.6810BB8A.ping.clamav.net ; sleep 1 ; done
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ;daily.24710.85.1.0.6810BB8A.ping.clamav.net. INA
  ping.clamav.net.86400   IN  SOA localhost. root.localhost. 1 
604800 86400 2419200 86400
  ^C

This would explain why the DNS query from freshclam is so unreliable.
(Is the Sourcefire instance of ns4 even running a DNS server?)


This behavior is causing us much grief, because a large number of
ClamAV DB updates fail, saying that the mirror is not synchronized,
thus adding that mirror to mirrors.dat (which I now automatically
delete right before freshclam runs!).

Is there anything we can do short of bypassing freshclam, periodically
downloading daily.cvd, bytecode.cvd etc., and seeing if they differ from
the last download?


P.S. Here are 

[clamav-users] Problems with freshclam (Can't create new socket: Address family not supported by protocol)

2018-06-30 Thread Klaus Ethgen

Hi folks,

for several months I have been getting the message "Can't create new socket:
Address family not supported by protocol" several times a day. It is only
freshclam that behaves this way; no other tool/service has this problem.

The machine I use freshclam on is IPv4 only; no IPv6 is compiled into the
kernel. Additionally, gai.conf says to prefer IPv4 over IPv6.

Unfortunately, resolving db.de.clamav.net (which I use, see below)
gives half IPv4 and half IPv6 addresses. There is an IPv6-only DNS name
but no IPv4-only DNS name.

I also did not find any solution to force freshclam to use IPv4 only.
Given that fact, and that freshclam is running every hour, the chance of
getting the message is pretty high.

It is also notable that this has started several months ago.

Do you have any idea how to stop this annoying message without also
silencing real errors? Any idea how to force freshclam to behave like all
other software and just ignore the IPv6 addresses if there is no IPv6 on
this system?

Here is my config:
   ~> cat /etc/clamav/freshclam.conf
   # Automatically created by the clamav-freshclam postinst
   # Comments will get lost when you reconfigure the clamav-freshclam package

   DatabaseOwner clamav
   UpdateLogFile /var/log/clamav/freshclam.log
   LogVerbose false
   LogSyslog false
   LogFacility LOG_LOCAL6
   LogFileMaxSize 0
   LogRotate true
   LogTime true
   Foreground false
   Debug false
   MaxAttempts 5
   DatabaseDirectory /var/lib/clamav
   DNSDatabaseInfo current.cvd.clamav.net
   ConnectTimeout 30
   ReceiveTimeout 30
   TestDatabases yes
   ScriptedUpdates yes
   CompressLocalDatabase no
   SafeBrowsing true
   Bytecode true
   DatabaseMirror db.de.clamav.net
   DatabaseMirror database.clamav.net
   ~> cat /etc/cron.d/clamav-freshclam 
   59 */1 * * *clamav [ -x /usr/bin/freshclam ] && /usr/bin/freshclam 
--quiet >/dev/null
   ~> ifconfig
   eth0: flags=4163  mtu 1500
   inet 10.0.0.4  netmask 255.255.255.0  broadcast 10.0.0.255
   ether 52:54:00:41:3f:f6  txqueuelen 1000  (Ethernet)
   RX packets 22441291  bytes 31417154646 (29.2 GiB)
   RX errors 0  dropped 0  overruns 0  frame 0
   TX packets 27477983  bytes 27236010595 (25.3 GiB)
   TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

   lo: flags=73  mtu 65536
   inet 127.0.0.1  netmask 255.0.0.0
   loop  txqueuelen 1  (Local Loopback)
   RX packets 401467  bytes 338215821 (322.5 MiB)
   RX errors 0  dropped 0  overruns 0  frame 0
   TX packets 401467  bytes 338215821 (322.5 MiB)
   TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note that the system has different IP outside, that is just the
internal IP. But the whole stack has no IPv6 at all and will not in
foreseeable future.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16Klaus Ethgen 
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C


Re: [clamav-users] Is there any documentation on what signatures mean?

2018-06-30 Thread Nikita Yerenkov-Scott
Dear Al,

Thank you very much for your response. Completely understand the
ClamAV position. Perhaps one day if you expand then there will be more
capability for documentation of the samples.


Best wishes,

Nikita

On Sat, 30 Jun 2018 at 12:34, Nikita Yerenkov-Scott
 wrote:
>
> Dear Al,
>
> Thank you very much for your response. Completely understand the ClamAV 
> position. Perhaps one day if you expand then there will be more capability 
> for documentation of the samples.
>
>
> Best wishes,
>
> Nikita
>
> On Sat, 30 Jun 2018 at 04:09, Al Varnell  wrote:
>>
>> I'm not sure I understand exactly what you are looking for.
>>
>> When an individual submits a file directly to ClamAV, there is plenty of 
>> opportunity for them to make their case on what they believe is malicious. 
>> The form for doing this can be seen at 
>> . Of course this information is not 
>> publicly available, it simply helps the signature writers with their 
>> conclusions as to whether it's malware or not. It's up to ClamAV to decide 
>> whether it's malicious or not and should a user disagree for any reason, 
>> then they need to make their case back to ClamAV by reporting it as a "False 
>> Positive."
>>
>> I suspect the main source of malware submissions is Virus Total, which is 
>> crowd source supported by both malware scanning vendors and a variety of 
>> other malware analysts. There you can sometimes find comments and votes 
>> publicly displayed that will help with what you appear to be struggling 
>> with. If you know anything about malware infections, there is often a 
>> section showing the behavior of any executable software which will assist 
>> you in determining whether or not it is behaving in a malicious way.
>>
>> If you are looking for detailed information on the hundreds of thousands of 
>> individual malware samples being submitted from all sources as many other 
>> software vendors do, then I think you are expecting way too much from a group 
>> that is providing a free product from a small staff and a large group of 
>> volunteers. When you charge for your product you can afford to establish a 
>> lab able to actively research malware infections 24/7 and publish their 
>> findings. It's pretty much all the ClamAV signature team can do to keep up 
>> with all the samples and much of what is done today is automated, with 
>> little or no information of the detail you are asking for. ClamAV appears to 
>> be focused on the art of signature writing, not malware discovery and 
>> analysis. I think you are asking for way too much unless you are willing to 
>> pay for it.
>>
>> -Al-
>>
>> On Fri, Jun 29, 2018 at 04:36 PM, Nikita Yerenkov-Scott wrote:
>>
>> Basically in terms of the signatures people provide, even though you
>> can get the information of what they thought was malicious from the
>> sigtool, it would be really nice if there was at least an option for
>> people to also provide descriptions of *why* they thought it was
>> malicious. So that it is easier to tell if it's actually so and also
>> to deal with all the damage in case it is unclear all that it did. If
>> an option like this was provided then it would be really great if
>> users were encouraged to do so. It is so with all other AVs. It's
>> really unhelpful for Clam to give such little information on "malware"
>> it finds. It might not even be actually a malicious file.
>>
>> On Sat, 30 Jun 2018 at 00:35, Nikita Yerenkov-Scott
>>  wrote:
>>
>>
>> Basically in terms of the signatures people provide, even though you can get 
>> the information of what they thought was malicious from the sigtool, it 
>> would be really nice if there was at least an option for people to also 
>> provide descriptions of *why* they thought it was malicious. So that it is 
>> easier to tell if it's actually so and also to deal with all the damage in 
>> case it is unclear all that it did. If an option like this was provided then 
>> it would be really great if users were encouraged to do so. It is so with 
>> all other AVs. It's really unhelpful for Clam to give such little 
>> information on "malware" it finds. It might not even be actually a malicious 
>> file.
>>
>> On Sat, 30 Jun 2018 at 00:31, Joel Esler (jesler)  wrote:
>>
>>
>> Who needs to add a link to what, and what would you like to see?
>>
>> Sent from my iPhone
>>
>> On Jun 29, 2018, at 19:11, Nikita Yerenkov-Scott  
>> wrote:
>>
>> Is there any chance that they will add a way of people giving a
>> description of why they think that it is malware?
>>
>>
>>
>>
>>
>> --
>> The world is filled with Totoros.
>>
>>
>> -Al-
>> --
>> Al Varnell
>> Mountain View, CA

Re: [clamav-users] Is there any documentation on what signatures mean?

2018-06-30 Thread Nikita Yerenkov-Scott
Dear Al,

Thank you very much for your response. Completely understand the ClamAV
position. Perhaps one day if you expand then there will be more capability
for documentation of the samples.


Best wishes,

Nikita

On Sat, 30 Jun 2018 at 04:09, Al Varnell  wrote:

> I'm not sure I understand exactly what you are looking for.
>
> When an individual submits a file directly to ClamAV, there is plenty of
> opportunity for them to make their case on what they believe is malicious.
> The form for doing this can be seen at <
> https://www.clamav.net/reports/malware>. Of course this information is
> not publicly available, it simply helps the signature writers with their
> conclusions as to whether it's malware or not. It's up to ClamAV to decide
> whether it's malicious or not and should a user disagree for any reason,
> then they need to make their case back to ClamAV by reporting it as a
> "False Positive."
>
> I suspect the main source of malware submissions is Virus Total, which is
> crowd source supported by both malware scanning vendors and a variety of
> other malware analysts. There you can sometimes find comments and votes
> publicly displayed that will help with what you appear to be struggling
> with. If you know anything about malware infections, there is often a
> section showing the behavior of any executable software which will assist
> you in determining whether or not it is behaving in a malicious way.
>
> If you are looking for detailed information on the hundreds of thousands
> of individual malware samples being submitted from all sources as many
> other software vendors do, then I think you are expecting way too much from
> a group that is providing a free product from a small staff and a large
> group of volunteers. When you charge for your product you can afford to
> establish a lab able to actively research malware infections 24/7 and
> publish their findings. It's pretty much all the ClamAV signature team can
> do to keep up with all the samples and much of what is done today is
> automated, with little or no information of the detail you are asking for.
> ClamAV appears to be focused on the art of signature writing, not malware
> discovery and analysis. I think you are asking for way too much unless you
> are willing to pay for it.
>
> -Al-
>
> On Fri, Jun 29, 2018 at 04:36 PM, Nikita Yerenkov-Scott wrote:
>
> Basically in terms of the signatures people provide, even though you
> can get the information of what they thought was malicious from the
> sigtool, it would be really nice if there was at least an option for
> people to also provide descriptions of *why* they thought it was
> malicious. So that it is easier to tell if it's actually so and also
> to deal with all the damage in case it is unclear all that it did. If
> an option like this was provided then it would be really great if
> users were encouraged to do so. It is so with all other AVs. It's
> really unhelpful for Clam to give such little information on "malware"
> it finds. It might not even be actually a malicious file.
>
> On Sat, 30 Jun 2018 at 00:35, Nikita Yerenkov-Scott
>  wrote:
>
>
> Basically in terms of the signatures people provide, even though you can
> get the information of what they thought was malicious from the sigtool, it
> would be really nice if there was at least an option for people to also
> provide descriptions of *why* they thought it was malicious. So that it is
> easier to tell if it's actually so and also to deal with all the damage in
> case it is unclear all that it did. If an option like this was provided
> then it would be really great if users were encouraged to do so. It is so
> with all other AVs. It's really unhelpful for Clam to give such little
> information on "malware" it finds. It might not even be actually a
> malicious file.
>
> On Sat, 30 Jun 2018 at 00:31, Joel Esler (jesler) 
> wrote:
>
>
> Who needs to add a link to what, and what would you like to see?
>
> Sent from my iPhone
>
> On Jun 29, 2018, at 19:11, Nikita Yerenkov-Scott 
> wrote:
>
> Is there any chance that they will add a way of people giving a
> description of why they think that it is malware?
>
>
>
>
>
> --
> The world is filled with Totoros.
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
>
>


-- 
The world is filled with Totoros.