Re: [clamav-users] ClamAV installation is OUTDATED! as reported by freshclam utility on CentOS Linux release 7.6.1810 (Core)

2018-12-12 Thread Scott Kitterman
A larger issue in this case is that 0.100.0, as released, is not suitable for
distribution use due to shared library header issues (mentioned on this list a
few days ago - I appreciate Cisco being forthcoming and warning people).  I
don't know what EPEL/CentOS will do, but 0.100.0 won't be in Debian at all.

Scott K


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV installation is OUTDATED! as reported by freshclam utility on CentOS Linux release 7.6.1810 (Core)

2018-12-12 Thread Luca Moscato
Issue is in CentOS repo (not sure if standard or EPEL additional repo)
that, still, does not ship the latest stable.


On this topic, AMZ Linux still has 0.99 in standard repo


Luca



Re: [clamav-users] ClamAV installation is OUTDATED! as reported by freshclam utility on CentOS Linux release 7.6.1810 (Core)

2018-12-12 Thread Al Varnell
Not sure what comment you are looking for. The warning is pretty much
self-explanatory. You can either wait for CentOS to update it for you when they get
around to it or download, configure and install 0.101.0 yourself.

Sent from my iPad

-Al-
ClamXAV User



[clamav-users] ClamAV installation is OUTDATED! as reported by freshclam utility on CentOS Linux release 7.6.1810 (Core)

2018-12-12 Thread Kaushal Shriyan
Hi,

I am running CentOS Linux release 7.6.1810 (Core) with ClamAV installed.
When I run freshclam I see a warning message, and the details are
described below:

# freshclam
ClamAV update process started at Thu Dec 13 11:49:18 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.0
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Download interrupted: Operation now in progress (IP: 104.16.189.138)
WARNING: Can't download daily.cvd from database.clamav.net
Trying again in 5 secs...
ClamAV update process started at Thu Dec 13 11:49:56 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.2 Recommended version: 0.101.0
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Trying host database.clamav.net (104.16.188.138)...
Downloading daily.cvd [100%]
daily.cvd updated (version: 25202, sigs: 2176766, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6743106 signatures) from database.clamav.net (IP: 104.16.188.138)
#

*OS Version*
# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
# yum update
No packages marked for update
#

*EPEL Version*
# rpm -qa | grep epel
epel-release-7-11.noarch
#

*ClamAV Version*
# rpm -qa | grep clamav
clamav-lib-0.100.2-2.el7.x86_64
clamav-filesystem-0.100.2-2.el7.noarch
clamav-update-0.100.2-2.el7.x86_64
clamav-0.100.2-2.el7.x86_64
#

Please comment. Thanks in Advance. I look forward to hearing from you.

Best Regards,

Kaushal
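The version, sigs, f-level and builder values freshclam prints above come from the 512-byte header at the front of every .cvd file, and the OUTDATED line is a plain comparison of the engine version against the recommended one. The following is an added example, not ClamAV's or freshclam's own code: it parses such a header, reproduces both checks, and lists the daily-NNNNN.cdiff files a client at one database version would fetch to reach a newer one. The sample header is constructed from the main.cvd values in the output above (its MD5, signature and timestamp fields are placeholders), and the engine's functionality level is a caller-supplied argument.

```python
"""Read a ClamAV .cvd header and reproduce freshclam's staleness checks.

Added example, not ClamAV's or freshclam's own code. It assumes the documented
CVD layout: a 512-byte, NUL-padded ASCII line of colon-separated fields
("ClamAV-VDB:build time:version:signatures:f-level:md5:dsig:builder:build
time in seconds") in front of the gzipped tar of signature files. Real
freshclam additionally verifies the dsig field; this example does not.
"""
from dataclasses import dataclass

CVD_HEADER_SIZE = 512
CVD_MAGIC = "ClamAV-VDB"


@dataclass(frozen=True)
class CvdHeader:
    build_time: str           # e.g. "07 Jun 2017 11-18 -0400"
    version: int              # "version:" in freshclam's output
    signatures: int           # "sigs:"
    functionality_level: int  # "f-level:", the minimum engine level required
    md5: str                  # MD5 of the payload that follows the header
    dsig: str                 # ClamAV's signature over that MD5
    builder: str              # "builder:"
    build_time_sec: int       # build time as a Unix timestamp


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the first 512 bytes of a .cvd/.cld file.

    Anything that does not match the layout raises ValueError, so a truncated
    or tampered download is rejected instead of being silently misread.
    """
    if len(raw) < CVD_HEADER_SIZE:
        raise ValueError(f"header too short: {len(raw)} bytes")
    line = raw[:CVD_HEADER_SIZE].rstrip(b"\x00").decode("ascii")
    fields = line.split(":")
    if len(fields) != 9 or fields[0] != CVD_MAGIC:
        raise ValueError("not a ClamAV-VDB header")
    return CvdHeader(
        build_time=fields[1],
        version=int(fields[2]),
        signatures=int(fields[3]),
        functionality_level=int(fields[4]),
        md5=fields[5],
        dsig=fields[6],
        builder=fields[7],
        build_time_sec=int(fields[8]),
    )


def version_tuple(version: str) -> tuple:
    """'0.100.2' -> (0, 100, 2), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def engine_outdated(local: str, recommended: str) -> bool:
    """The condition behind 'WARNING: Your ClamAV installation is OUTDATED!'."""
    return version_tuple(local) < version_tuple(recommended)


def engine_too_old_for_db(header: CvdHeader, engine_flevel: int) -> bool:
    """True when the engine's functionality level is below what the DB needs,
    in which case the engine warns and cannot use every signature in it."""
    return engine_flevel < header.functionality_level


def cdiffs_needed(local_version: int, newest_version: int, db: str = "daily") -> list:
    """Incremental updates a client at local_version needs, named by the
    <db>-<version>.cdiff convention freshclam fetches instead of a full .cvd."""
    return [f"{db}-{v}.cdiff" for v in range(local_version + 1, newest_version + 1)]


def build_sample_header() -> bytes:
    """Constructed header carrying the main.cvd values shown by freshclam.
    The MD5, dsig and timestamp fields are placeholders, not real values."""
    line = ("ClamAV-VDB:07 Jun 2017 11-18 -0400:58:4566249:60:"
            "PLACEHOLDER_MD5:PLACEHOLDER_DSIG:sigmgr:1496827080")
    return line.encode("ascii").ljust(CVD_HEADER_SIZE, b"\x00")


if __name__ == "__main__":
    hdr = parse_cvd_header(build_sample_header())
    print(f"main.cvd version: {hdr.version}, sigs: {hdr.signatures}, "
          f"f-level: {hdr.functionality_level}, builder: {hdr.builder}")
    print("engine 0.100.2 outdated vs 0.101.0:", engine_outdated("0.100.2", "0.101.0"))
    print("cdiffs to go from daily 25200 to 25202:", cdiffs_needed(25200, 25202))
```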


Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-12 Thread Dennis Peterson
I wonder if the file size changed when Joel regenerated the daily.cvd file (or
I had an unexplainable file size error). I still use all the technology but no
longer for big dot coms. The patched files are larger because they have a lot of
unneeded bits in them.


dp



[clamav-users] cli_get_filepath_from_filedesc error when using zINSTREAM in 0.101.0

2018-12-12 Thread Joel Pettis
Greetings,

I've recently started using zINSTREAM with clamd in the new version 0.101.0
and every time I scan a file, a log line is written to stdout like this:

LibClamAV Error: cli_get_filepath_from_filedesc: File path for fd [12] is: /tmp/clamav-e9c124cf7c3129c87ebea09868d4838f.tmp


From reviewing the code on GitHub, it appears this originates from
libclamav/scanners.c when the file path is null.  But since I'm using
zINSTREAM, it should not have a file path, correct?

I could understand if this was an info log, but for it to be an error
doesn't seem correct to me.

Has anyone else experienced this?

thank you,
Joel
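For context on what "using zINSTREAM" involves, the following is an added example, not clamd's or any ClamAV client library's code: a client that frames a buffer into the zINSTREAM chunk protocol and parses clamd's reply, plus a minimal in-memory stand-in for clamd so the exchange runs offline. The FakeClamd class, its CONSTRUCTED-TEST-MARKER and its two truncation error texts are constructed for this example; the size-limit and UNKNOWN COMMAND reply texts are clamd's.

```python
"""Send a buffer to clamd with zINSTREAM and interpret the reply.

Added example, not clamd's or any ClamAV client library's code. It assumes
the documented clamd stream protocol: the command "zINSTREAM" followed by a
NUL byte, then chunks of <4-byte big-endian length><data>, ended by a
zero-length chunk; clamd answers "stream: OK", "stream: <signature> FOUND"
or "... ERROR", each terminated by NUL.
"""
import socket
import struct

CHUNK_SIZE = 8192
INSTREAM_CMD = b"zINSTREAM\0"


def frame_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Encode data as one complete zINSTREAM request."""
    out = bytearray(INSTREAM_CMD)
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk: end of stream
    return bytes(out)


def parse_reply(reply: bytes) -> tuple:
    """Map clamd's NUL-terminated reply to (status, detail).

    status is "OK", "FOUND" or "ERROR"; detail carries the signature name for
    FOUND and the error text for ERROR. Anything else raises ValueError so a
    garbled reply is never mistaken for a clean result.
    """
    text = reply.rstrip(b"\0").decode("utf-8", errors="replace")
    if text.endswith(" OK"):
        return "OK", ""
    if text.endswith(" FOUND"):
        body = text.split(": ", 1)[-1]        # drop the "stream: " prefix
        return "FOUND", body[:-len(" FOUND")]
    if text.endswith(" ERROR"):
        return "ERROR", text[:-len(" ERROR")]
    raise ValueError(f"unrecognised clamd reply: {text!r}")


class FakeClamd:
    """In-memory stand-in for clamd that understands only zINSTREAM.

    It reassembles the chunks as clamd would, enforces a stream size limit
    like clamd's StreamMaxLength, and "detects" a constructed marker string.
    The size-limit reply text is clamd's; the two truncation texts are made up.
    """
    MARKER = b"CONSTRUCTED-TEST-MARKER"

    def __init__(self, max_stream: int = 25 * 1024 * 1024):
        self.max_stream = max_stream

    def handle(self, request: bytes) -> bytes:
        if not request.startswith(INSTREAM_CMD):
            return b"UNKNOWN COMMAND\0"
        pos = len(INSTREAM_CMD)
        payload = bytearray()
        while True:
            if pos + 4 > len(request):
                return b"stream: incomplete chunk header. ERROR\0"
            (length,) = struct.unpack(">I", request[pos:pos + 4])
            pos += 4
            if length == 0:
                break
            if len(payload) + length > self.max_stream:
                return b"INSTREAM size limit exceeded. ERROR\0"
            chunk = request[pos:pos + length]
            if len(chunk) != length:
                return b"stream: truncated chunk. ERROR\0"
            payload += chunk
            pos += length
        if self.MARKER in payload:
            return b"stream: Constructed.Test.Marker FOUND\0"
        return b"stream: OK\0"


def scan_with_fake(data: bytes, server: FakeClamd = None,
                   chunk_size: int = CHUNK_SIZE) -> tuple:
    """Run the full client/server exchange against FakeClamd."""
    server = server or FakeClamd()
    return parse_reply(server.handle(frame_instream(data, chunk_size)))


def scan_with_clamd(data: bytes, host: str = "127.0.0.1", port: int = 3310,
                    timeout: float = 30.0) -> tuple:
    """Same exchange against a real clamd listening on TCP (not run here)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame_instream(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(bytes(reply))


if __name__ == "__main__":
    print(scan_with_fake(b"clean data " * 2000))
    print(scan_with_fake(b"prefix " + FakeClamd.MARKER + b" suffix", chunk_size=5))
    print(scan_with_fake(b"x" * 100, FakeClamd(max_stream=50), chunk_size=30))
```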


Re: [clamav-users] ClamAV protect against viruses, rootkits, malware

2018-12-12 Thread Kaushal Shriyan
On Wed, Dec 12, 2018 at 11:42 PM Leonardo Rodrigues <leolis...@solutti.com.br> wrote:


Thanks Leonardo for the explanation and appreciate your help !!!


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Al Varnell
Thanks for the explanation, Alain. Makes a lot of sense to keep those 
signatures dynamically current.

Sent from my iPad

-Al-

On Dec 12, 2018, at 07:17, Alain Zidouemba wrote:
> The Phishtank URLs being dropped from daily.cvd have nothing to do with false
> positives. We are just rotating in and out the top phishing URLs based on
> number of DNS lookups per hour.
> 
> - Alain
> 
>> On Wed, Dec 12, 2018 at 6:23 AM Joel Esler (jesler) wrote:
>> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank
>> project, so this is about making our different properties work together
>> through the official signature set in a supported way.  If false positives
>> are reported on the phishtank sigs through ClamAV.net, they are
>> automatically routed to my team for resolution in the phishtank feed and in
>> ClamAV.
>> 
>> Sent from my iPhone
>> 
>>> On Dec 12, 2018, at 03:59, Al Varnell wrote:
>>> 
>>> You mentioned earlier that ClamAV has recently added signatures from
>>> PhishTank, but I've noticed over the last few days that most, if not all of
>>> them have been removed. Should I conclude that the PhishTank organization
>>> signatures are resulting in a high False Positive count? Are they simply
>>> accepting all the submissions they get as valid phishing attempts and not
>>> QAing them before release?
>>> 
>>> Part of my interest is that I've been providing input to them for years
>>> after first establishing that the spam e-mail I received is from an address
>>> that doesn't match the purported notice of impending doom and offer to fix
>>> by clicking a link which does not match the announced domain. I'm not sure
>>> all users would go to such lengths and might be forwarding all their spam
>>> to these folks. Or perhaps some are flooding the site with valid URLs in
>>> an attempt to defeat their purpose.
>>> 
>>> -Al-
>>> 
>>>> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>>>> Hi Sunny,
>>>> 
>>>> I meant to say that if I scanned a saved email file containing the
>>>> malicious URL in an HTML link (i.e. <a href=link>), then it will detect
>>>> the link with the safebrowsing signature.  However, if the malicious URL
>>>> is not an HTML link, for example if the email content is plain text, then
>>>> the safebrowsing signature does not appear to alert.
>>>> 
>>>> Regards,
>>>> Micah
>>>> 
>>>> Micah Snyder
>>>> ClamAV Development
>>>> Talos
>>>> Cisco Systems, Inc.
>>>> 
>>>>> On Dec 11, 2018, at 8:58 AM, Sunny Marwah wrote:
>>>>> 
>>>>> Hi Al,
>>>>> 
>>>>> Thanks for sharing that reply.
>>>>> 
>>>>> Do you mean ClamAV did not detect that file (containing deceptive link)
>>>>> as 'Infected' in your scanning?
>>>>> 
>>>>> FYI, I have also tried Google's Safebrowsing API to check such deceptive
>>>>> links.
>>>>> 
>>>>> It was really strange to know that even Google's Safebrowsing lookup API
>>>>> did not detect that file as 'Unsafe'. The reason behind this is that the
>>>>> deceptive link is a phishing link, not malware.
>>>>> 
>>>>> So Google's Safebrowsing lookup API will identify only malware links as
>>>>> 'Unsafe' but not all deceptive links. However, when I check the same URL
>>>>> on "https://transparencyreport.google.com/safe-browsing/search", then it
>>>>> shows 'site is unsafe', which is what I am actually looking for.
>>>>> 
>>>>> Regards
>>>>> Sunny
>>>>> 
>>>>>> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell wrote:
>>>>>> Here was the earlier reply to your question.
>>>>>> 
>>>>>> Sent from my iPad
>>>>>> 
>>>>>> -Al-
>>>>>> 
>>>>>>> On Dec 10, 2018, at 21:46, Sunny Marwah wrote:
>>>>>>> Same question again: Chrome doesn't open malicious links due to labeling
>>>>>>> them dangerous as per "Safebrowsing". Then why is ClamAV not able to
>>>>>>> identify such malicious links when the "Safebrowsing" option is already
>>>>>>> enabled??
>>>>>>> 
>>>>>>>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) wrote:
>>>>>>>> Our replies may be getting filtered by your email provider because you
>>>>>>>> included a malicious link in the email chain. :D  I removed the link
>>>>>>>> from this reply.
>>>>>>>> 
>>>>>>>> Micah Snyder
>>>>>>>> ClamAV Development
>>>>>>>> Talos
>>>>>>>> Cisco Systems, Inc.
>>>>>>>> 
>>>>>>>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah wrote:
>>>>>>>>> 
>>>>>>>>> Still no reply on this matter.
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> Regards
>>>>>>>>> Sunny


Re: [clamav-users] ClamAV protect against viruses, rootkits, malware

2018-12-12 Thread Leonardo Rodrigues

clamav is a FILE scanner, it's very different from the way Windows
antivirus works, being 'always on' and being able to catch virus 'on the
fly' as files are accessed. Clamav *DOES NOT* work that way.


That being said, if the virus/rootkit/malware signature is present
on clamav database, yes it will detect that file, but it will *NEVER*
(it doesn't work that way) prevent you from accessing and even running them.



--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
gertru...@solutti.com.br
My SPAMTRAP, do not email it





Re: [clamav-users] Question about LLVM...

2018-12-12 Thread J.R.
> So I would like to ask, does bytecode have access to its environment
> (like ActiveX unfortunately did) and, how well is bytecode sandboxed?

Well, first of all, only bytecode signatures published by Cisco/Talos
are considered "trusted" and will run by default. You would have to
manually specify if you wanted to run unsigned bytecode signatures.

From what I've read, the bytecode is C-like, but it is limited in that
it can't access system calls or memory, can only access the file to be
scanned, it does have an internal timeout, and other security measures
to prevent it from arbitrarily doing what it wants.

You can always look through the source code if you want.

It doesn't seem like the bytecode database gets updated very often. I
suppose it is reserved for complex scanning when the pattern matching
of the regular databases just won't cut it...


[clamav-users] ClamAV protect against viruses, rootkits, malware

2018-12-12 Thread Kaushal Shriyan
Hi,

I have installed ClamAV ClamAV 0.100.2/25200/Wed Dec 12 15:59:52 2018
on CentOS Linux release 7.6.1810 (Core). Does ClamAV protect against
viruses, rootkits, malware like watchbog  and detection of unauthorized
activities? Please comment.

Thanks in Advance. I look forward to hearing from you.

Best Regards,

Kaushal


Re: [clamav-users] clamav-users Digest, Vol 169, Issue 8

2018-12-12 Thread Webster, Matt (PIRSA)
I am in.



Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Joel Esler (jesler)
Thanks Alain.


Re: [clamav-users] Question about LLVM...

2018-12-12 Thread Paul Kosinski
I've always been leery of executable code that gets downloaded "behind
the scenes" and then executed for whatever purpose. In the "old days",
people were warned against downloading random software and then
executing it. How that's become at least half of what we do on a daily
basis -- in our browsers!

The most obvious current example of this is Javascript, now that Java,
Flash and ActiveX (but not PDF), have been almost killed off in
browsers. (And this is why I'm also a big fan of NoScript!)

So I would like to ask, does bytecode have access to its environment
(like ActiveX unfortunately did) and, how well is bytecode sandboxed? 

P.S. One of the main reasons I moved to Open Source ClamAV was that
traditional commercial solutions (like Symantec) were not only opaque
but also stuck their fingers into various parts of the underlying OS
(which ClamAV doesn't do).



On Tue, 11 Dec 2018 13:30:12 -0500
Scott Kitterman  wrote:

> On Tuesday, December 11, 2018 05:59:05 PM Micah Snyder wrote:
> > Sorry about the broken links on the website and in the clamav-faq
> > manual pages.  Our web dev team is actively working on integrating
> > the newly remodeled user manual into the website.
> > 
> > The bytecode interpreter was nonfunctional for a long time but was
> > fixed a few years ago. This is why LLVM was prioritized over the
> > bytecode compiler.
> > 
> > Functionally, from an outside perspective, the feature set of using
> > bytecode interpreter vs LLVM is the same. The cost/benefit analysis
> > of LLVM-JIT vs Interpreter hinges on whether or not executing
> > native code is sufficiently faster than interpreting the bytecodes
> > to outweigh the cost of JIT compilation. Our bytecode signatures
> > themselves are relatively small and are relatively few, so the
> > advantage of executing native code vs the time lost JIT compiling
> > the bytecode is, I'm told, negligible. The developers who did the
> > initial benchmarking on the subject have since left the team and
> > while I've been told that the performance is "about the same", I
> > don't have any figures to back up that up. If anyone out there
> > decides to do additional research on the subject, do note that
> > bytecode functions are only executed for certain file types, so
> > benchmark findings will vary by file type.
> > 
> > The TL;DR is that we're not aware of any significant advantage of
> > using LLVM over the bytecode interpreter at this time.
> > 
> > Regarding the reason for only supporting older versions of LLVM:
> > It takes time to update to use newer APIs.  The LLVM project has
> > been moving pretty fast and we simply haven't prioritized dev and
> > test time towards updating our LLVM support.  In fact, Debian
> > provides a patch to ClamAV to support LLVM 3.7-3.9, but we haven't
> > had the time to properly integrate and test it.  Because the
> > bytecode interpreter is working so well, we're focusing our efforts
> > on other tasks.
> 
> And unfortunately the developer who was doing that work in Debian has
> moved on to other things, so we won't be providing patches for later
> versions.
> 
> Might it make sense in the next feature release to just kill off LLVM
> and move on.  That would certainly help with clarity and focus.
> 
> Scott K



Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-12 Thread Paul Kosinski
The daily.cvd is still less than half as big as main.cvd:

  -rw-r--r-- 1 clamav clamav 117892267 Jun  7  2017 main.cvd
  -rw-r--r-- 1 clamav clamav  53147013 Dec 11 14:03 daily.cvd

but indeed using the cdiffs could save bandwidth.

I never tried using cdiffs since the FAQ said "Let freshclam download
the *.cvd files", and I wasn't sure if "scripted update" would actually
create a proper cvd for both local mirroring *and* HAVP. Also, I
figured that we were already saving lots of bandwidth by doing local
mirroring instead of N separate freshclam external downloads.

P.S. After retirement there is less pressure, but the technology I deal
with daily (for my own purposes, rather than for pay) doesn't seem to
get any simpler.


On Tue, 11 Dec 2018 14:34:17 -0800
Dennis Peterson  wrote:

> You know the daily.cvd file is now larger than the main.cvd file, so
> you are burning up a lot of bandwidth if your world-facing ClamAV
> mirror is ignoring cdiff files. If it is using freshclam then it is
> using cdiffs and merging them as part of the process of mirroring. In
> that case your clients won't see the cdiff files which is perfectly
> acceptable. I used to use a proxy when many systems were co-located
> and it was very effective and was also being used for other purposes.
> Life is much simpler now that I'm retired.
> 
> dp
> 
> On 12/11/18 11:45 AM, Paul Kosinski wrote:
> > Ever since we set up a local mirror on our LAN, we have not been
> > using cdiffs. The reason for this is that I followed the procedure
> > outlined on the ClamAV website (about 2/3 down the page) at:
> >
> > http://www.clamav.net/documents/clamav-virus-database-faq
> >
> > where it says:
> >
> > [Q] I'm running ClamAV on a lot of clients on my local network.
> > Can I serve the cvd files from a local server so that each client
> > doesn't have to download them from your servers?
> > [A] Sure, you can find more details on our Mirror page.
> >
> > If you want to take advantage of incremental updates, install a
> > proxy server and then configure your freshclam clients to use it
> > (watch for the HTTPProxyServer parameter in man freshclam.conf).
> > The second possible solution is to:
> >
> >   1. Configure a local webserver on one of your machines (say
> >      machine1.mylan).
> >   2. Let freshclam download the *.cvd files from
> >      http://database.clamav.net to the webserver's DocumentRoot.
> >   3. Finally, change freshclam.conf on your clients so that it
> >      includes:
> >
> >        DatabaseMirror machine1.mylan
> >        ScriptedUpdates off
> >
> > First the database will be downloaded to the local webserver
> > and then the other clients on the network will update their copy of
> > the database from it.
> > Important: For this to work, you have to add ScriptedUpdates
> > off on all of your machines!
> >
> > Since I didn't want to set up a proxy server for this purpose, I
> > used the 2nd solution (and a very trivial web server). Thus, cvd
> > files only.
> >
> > P.S. I am now thinking about trying the BOS vs IAD test for cdiff
> > files. But, even if cdiff files always work without any delays,
> > doesn't "scripted update" on occasion have to back off to
> > downloading full cvds?
> >
> > P.P.S. Thanks for the curl help!

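The local-mirror procedure quoted above publishes whole .cvd files to clients with ScriptedUpdates off, so the mirror host is the only place a truncated or stale database gets caught before every client loads it. Below is an added example (not ClamAV's own code, and not from anyone on this thread) of the check a mirror script can run before copying a freshly downloaded .cvd into the webserver's DocumentRoot. It relies on the CVD layout: a 512-byte text header of the form ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>, followed by the gzip-compressed tar of signature files, where the md5 field covers everything after the header. The space padding of the header, the sample database and the version numbers are constructed for the example. The dsig field, which freshclam verifies against ClamAV's public RSA key, is deliberately not checked here, so a pass proves the copy is intact and newer, not that it is authentic.

```python
import gzip
import hashlib
import io
import tarfile
import time
from typing import Optional

HEADER_LEN = 512
MAGIC = b"ClamAV-VDB:"
FIELDS = ("magic", "build_time", "version", "sigs", "flevel",
          "md5", "dsig", "builder", "stime")


def parse_cvd_header(data: bytes) -> dict:
    """Split the fixed 512-byte CVD header into its colon-separated fields."""
    if len(data) < HEADER_LEN or not data.startswith(MAGIC):
        raise ValueError("not a CVD file (bad magic or truncated header)")
    # Assumption of this example: the header is padded with spaces or NULs.
    header = data[:HEADER_LEN].rstrip(b" \0").decode("ascii")
    parts = header.split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} header fields, got {len(parts)}")
    info = dict(zip(FIELDS, parts))
    for key in ("version", "sigs", "flevel", "stime"):
        info[key] = int(info[key])
    return info


def cvd_md5_ok(data: bytes) -> bool:
    """True when the MD5 recorded in the header matches the payload after it.
    Integrity only: the RSA dsig field is not verified here."""
    info = parse_cvd_header(data)
    return hashlib.md5(data[HEADER_LEN:]).hexdigest() == info["md5"].lower()


def should_publish(candidate: bytes, published: Optional[bytes]) -> bool:
    """Mirror policy: the new file must parse, its MD5 must match, and its
    version must be strictly newer than what clients are already served."""
    try:
        if not cvd_md5_ok(candidate):
            return False
    except ValueError:
        return False
    if published is None:
        return True
    return (parse_cvd_header(candidate)["version"]
            > parse_cvd_header(published)["version"])


def build_test_cvd(version: int, sigs: int = 1, flevel: int = 63,
                   corrupt: bool = False) -> bytes:
    """Constructed sample database for the example (not a real ClamAV file):
    a one-entry tar.gz payload plus a header that describes it."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        body = b"Example.Test.Sig-1:0:*:48656c6c6f\n"  # constructed .ndb line
        entry = tarfile.TarInfo("daily.ndb")
        entry.size = len(body)
        tar.addfile(entry, io.BytesIO(body))
    payload = gzip.compress(tar_buf.getvalue())
    md5 = hashlib.md5(payload).hexdigest()
    header = (f"ClamAV-VDB:12 Dec 2018 14-03 -0500:{version}:{sigs}:{flevel}:"
              f"{md5}:dsig-placeholder:example:{int(time.time())}")
    header_bytes = header.encode("ascii").ljust(HEADER_LEN, b" ")
    if corrupt:
        # flip one bit in the compressed body so the header MD5 no longer matches
        payload = payload[:-1] + bytes([payload[-1] ^ 0x01])
    return header_bytes + payload


if __name__ == "__main__":
    live = build_test_cvd(58)
    print(parse_cvd_header(live))
    print("intact:", cvd_md5_ok(live))
    print("publish newer:", should_publish(build_test_cvd(59), live))
    print("publish corrupt:", should_publish(build_test_cvd(59, corrupt=True), live))
```

In a real mirror script the candidate would be the file freshclam just wrote and the published one the copy already in DocumentRoot; the version comparison is what keeps a delayed or partially downloaded file from replacing a good one, and the MD5 check is what keeps a damaged one from being served to every client at once.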

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Alain Zidouemba
The PhishTank URLs being dropped from daily.cvd have nothing to do with
false positives. We are just rotating in and out the top phishing URLs
based on the number of DNS lookups per hour.

- Alain

On Wed, Dec 12, 2018 at 6:23 AM Joel Esler (jesler) 
wrote:

> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank
> project, so this is about making our different properties work together
> through the official signature set in a supported way.  If false positives
> are reported on the phishtank sigs through ClamAV.net, they are
> automatically routed to my team for resolution in the phishtank feed and in
> ClamAV.
>
> Sent from my  iPhone
>
> On Dec 12, 2018, at 03:59, Al Varnell  wrote:
>
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all of
> them have been removed. Should I conclude that the PhishTank organization
> signatures are resulting in a high False Positive count? Are they simply
> accepting all the submissions they get as valid phishing attempts and not
> QAing them before release?
>
> Part of my interest is that I've been providing input to them for years
> after first establishing that the spam e-mail I received is from an address
> that doesn't match the purported notice of impending doom and offer to fix
> by clicking a link which does not match the announced domain. I'm not sure
> all users would go to such lengths and might be forwarding all their spam
> to these folks. Or perhaps some are flooding the site with valid URLs in
> an attempt to defeat their purpose.
>
> -Al-
>
> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>
> Hi Sunny,
>
> I meant to say that if I scanned a saved email file containing the
> malicious URL in an HTML link (i.e. <a href=link>), then it will detect
> the link with the safebrowsing signature.  However, if the malicious URL is
> not an HTML link, for example if the email content is plain text, then the
> safebrowsing signature does not appear to alert.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 11, 2018, at 8:58 AM, Sunny Marwah  wrote:
>
> Hi Al,
>
> Thanks for sharing that reply.
>
> Do you mean ClamAV did not detect that file (containing the deceptive link) as
> 'Infected' in your scanning?
>
> FYI, I have also tried Google's Safebrowsing API to check such deceptive
> links.
>
> It was really strange to know that even Google's Safebrowsing lookup API
> did not detect that file as 'Unsafe'. The reason behind this is that the
> deceptive link is a phishing link, not malware.
>
> So Google's Safebrowsing lookup API will identify only malware links as
> 'Unsafe', not all deceptive links. However, when I check the same URL on
> "https://transparencyreport.google.com/safe-browsing/search", it shows
> 'site is unsafe', which is what I am actually looking for.
>
> Regards
> Sunny
>
> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:
>
>> Here was the earlier reply to your question
>> > >.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
>>
>> Same question again: Chrome doesn't open malicious links because it labels
>> them dangerous as per "Safebrowsing". Then why is ClamAV not able to
>> identify such malicious links when the "Safebrowsing" option is already
>> enabled?
>>
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) <
>> micas...@cisco.com> wrote:
>>
>> Our replies may be getting filtered by your email provider because you
>>> included a malicious link in the email chain. :D  I removed the link from
>>> this reply.
>>>
>>>
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>>
>>>
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>>>
>>>
>>> Still no reply on this matter.
>>>
>>>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549
>
>
>
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Sunny Marwah
Hi Micah,

I checked what you suggested.

I put that deceptive link as a hyperlink (href=link) in an HTML file and
scanned the file.

Still, ClamAV did not detect that file as 'Infected'. It gave OK to that
file.

Regards
Sunny

On Wed, Dec 12, 2018 at 5:53 PM Joel Esler (jesler) 
wrote:

> Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank
> project, so this is about making our different properties work together
> through the official signature set in a supported way.  If false positives
> are reported on the phishtank sigs through ClamAV.net, they are
> automatically routed to my team for resolution in the phishtank feed and in
> ClamAV.
>
> Sent from my  iPhone
>
> On Dec 12, 2018, at 03:59, Al Varnell  wrote:
>
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all of
> them have been removed. Should I conclude that the PhishTank organization
> signatures are resulting in a high False Positive count? Are they simply
> accepting all the submissions they get as valid phishing attempts and not
> QAing them before release?
>
> Part of my interest is that I've been providing input to them for years
> after first establishing that the spam e-mail I received is from an address
> that doesn't match the purported notice of impending doom and offer to fix
> by clicking a link which does not match the announced domain. I'm not sure
> all users would go to such lengths and might be forwarding all their spam
> to these folks. Or perhaps some are flooding the site with valid URLs in
> an attempt to defeat their purpose.
>
> -Al-
>
> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>
> Hi Sunny,
>
> I meant to say that if I scanned a saved email file containing the
> malicious URL in an HTML link (i.e. <a href=link>), then it will detect
> the link with the safebrowsing signature.  However, if the malicious URL is
> not an HTML link, for example if the email content is plain text, then the
> safebrowsing signature does not appear to alert.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Dec 11, 2018, at 8:58 AM, Sunny Marwah  wrote:
>
> Hi Al,
>
> Thanks for sharing that reply.
>
> Do you mean ClamAV did not detect that file (containing the deceptive link) as
> 'Infected' in your scanning?
>
> FYI, I have also tried Google's Safebrowsing API to check such deceptive
> links.
>
> It was really strange to know that even Google's Safebrowsing lookup API
> did not detect that file as 'Unsafe'. The reason behind this is that the
> deceptive link is a phishing link, not malware.
>
> So Google's Safebrowsing lookup API will identify only malware links as
> 'Unsafe', not all deceptive links. However, when I check the same URL on
> "https://transparencyreport.google.com/safe-browsing/search", it shows
> 'site is unsafe', which is what I am actually looking for.
>
> Regards
> Sunny
>
> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:
>
>> Here was the earlier reply to your question
>> > >.
>>
>> Sent from my iPad
>>
>> -Al-
>>
>> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
>>
>> Same question again: Chrome doesn't open malicious links because it labels
>> them dangerous as per "Safebrowsing". Then why is ClamAV not able to
>> identify such malicious links when the "Safebrowsing" option is already
>> enabled?
>>
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) <
>> micas...@cisco.com> wrote:
>>
>> Our replies may be getting filtered by your email provider because you
>>> included a malicious link in the email chain. :D  I removed the link from
>>> this reply.
>>>
>>>
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>>
>>>
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>>>
>>>
>>> Still no reply on this matter.
>>>
>>>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549
>
>
>
>
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Joel Esler (jesler)
Not sure.  Perhaps Alain can chime in.  My team also runs the Phishtank 
project, so this is about making our different properties work together through 
the official signature set in a supported way.  If false positives are reported 
on the phishtank sigs through ClamAV.net, they are automatically routed to my 
team for resolution in the phishtank feed and in ClamAV.  

Sent from my  iPhone

> On Dec 12, 2018, at 03:59, Al Varnell  wrote:
> 
> You mentioned earlier that ClamAV has recently added signatures from 
> PhishTank, but I've noticed over the last few days that most, if not all of 
> them have been removed. Should I conclude that the PhishTank organization 
> signatures are resulting in a high False Positive count? Are they simply 
> accepting all the submissions they get as valid phishing attempts and not 
> QAing them before release?
> 
> Part of my interest is that I've been providing input to them for years after 
> first establishing that the spam e-mail I received is from an address that 
> doesn't match the purported notice of impending doom and offer to fix by 
> clicking a link which does not match the announced domain. I'm not sure all 
> users would go to such lengths and might be forwarding all their spam to 
> these folks. Or perhaps some are flooding the site with valid URLs in an 
> attempt to defeat their purpose.
> 
> -Al-
> 
>> On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
>> Hi Sunny,
>> 
>> I meant to say that if I scanned a saved email file containing the malicious 
>> URL in an HTML link (i.e. <a href=link>), then it will detect the link 
>> with the safebrowsing signature.  However, if the malicious URL is not an 
>> HTML link, for example if the email content is plain text, then the 
>> safebrowsing signature does not appear to alert. 
>> 
>> Regards,
>> Micah
>>  
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> 
>> 
>>> On Dec 11, 2018, at 8:58 AM, Sunny Marwah  wrote:
>>> 
>>> Hi Al,
>>> 
>>> Thanks for sharing that reply.
>>> 
>>> Do you mean ClamAV did not detect that file (containing the deceptive link) as 
>>> 'Infected' in your scanning?
>>> 
>>> FYI, I have also tried Google's Safebrowsing API to check such deceptive 
>>> links.
>>> 
>>> It was really strange to know that even Google's Safebrowsing lookup API 
>>> did not detect that file as 'Unsafe'. The reason behind this is that the 
>>> deceptive link is a phishing link, not malware.
>>> 
>>> So Google's Safebrowsing lookup API will identify only malware links as 
>>> 'Unsafe', not all deceptive links. However, when I check the same URL on 
>>> "https://transparencyreport.google.com/safe-browsing/search", it shows 
>>> 'site is unsafe', which is what I am actually looking for.
>>> 
>>> Regards
>>> Sunny
>>> 
 On Tue, Dec 11, 2018 at 5:28 PM Al Varnell  wrote:
 Here was the earlier reply to your question
 .
 
 Sent from my iPad
 
 -Al-
 
> On Dec 10, 2018, at 21:46, Sunny Marwah  wrote:
> Same question again: Chrome doesn't open malicious links because it labels 
> them dangerous as per "Safebrowsing". Then why is ClamAV not able to 
> identify such malicious links when the "Safebrowsing" option is already 
> enabled?
> 
>> On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) 
>>  wrote:
>> Our replies may be getting filtered by your email provider because you 
>> included a malicious link in the email chain. :D  I removed the link 
>> from this reply. 
>> 
>>  
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> 
>> 
>>> On Dec 8, 2018, at 9:17 AM, Sunny Marwah  wrote:
>>> 
>>> 
>>> Still no reply on this matter. 
>>> 
>>> 
>>> -- 
>>> Regards
>>> Sunny
>>> System Engineer
>>> Mob : +91 9711155549
>>> 
>> 
>> 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Steve Basford


On Wed, December 12, 2018 8:59 am, Al Varnell wrote:
> You mentioned earlier that ClamAV has recently added signatures from
> PhishTank, but I've noticed over the last few days that most, if not all
> of them have been removed. Should I conclude that the PhishTank
> organization signatures are resulting in a high False Positive count? Are
> they simply accepting all the submissions they get as valid phishing
> attempts and not QAing them before release?

Not sure but just to add that phishtank.ndb is still up and running and
has been for quite some time...  so might end up with some duplicates for
those already using phishtank.ndb:

e.g.

phishtank.ndb:

VIRUS NAME: PhishTank.Phishing.5433945
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
{STRING_ALTERNATIVE:.|/}trck DOT me/459690/

vs

daily.ndb:

VIRUS NAME: Phishtank.Phishing.PHISH_ID_5433945-6762532-0
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
http://trck DOT me/459690/

-- 
Cheers,

Steve
Twitter: @sanesecurity


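Micah's observation earlier in this thread (the URL is matched when it sits inside an HTML link but not when the same URL appears in a plain-text body) and Steve's two decoded entries above (TARGET TYPE: ANY FILE in phishtank.ndb versus TARGET TYPE: HTML in daily.ndb) are the same mechanism seen from two sides: an .ndb signature is only tried against files whose detected type matches its target type. What follows is an added example, not ClamAV code and not from anyone on this list, of a small Python model of that gate. It builds .ndb lines of the form Name:Target:Offset:HexSig for a constructed URL (phish.example is a reserved example name, not a real site), compiles the hex body, including (xx|yy) alternatives, which is the hex form of the {STRING_ALTERNATIVE:.|/} in Steve's decoded output, into a byte regex, and applies each signature only when its target is 0 or equals a crude file-type sniff. The sniffing, the regex translation and the two sample mails are assumptions of the model; libclamav's HTML normalisation and real type detection are not reproduced, so this shows why the target type matters, not why Sunny's HTML test file still scanned clean.

```python
import re
from typing import List, Optional, Sequence

# ClamAV .ndb target types used in this model (0 = any file, 3 = HTML); others exist.
ANY_FILE, HTML = 0, 3


def url_to_ndb(name: str, url: str, target: int,
               lead_alts: Optional[Sequence[str]] = None) -> str:
    """Emit an .ndb line (Name:Target:Offset:HexSig) for a literal URL.
    lead_alts, if given, lists single characters allowed right before the
    URL and is encoded as a (xx|yy) alternative, the hex form of the
    {STRING_ALTERNATIVE:.|/} seen in the decoded phishtank.ndb entry."""
    hexsig = url.encode("ascii").hex()
    if lead_alts:
        hexsig = "(" + "|".join(c.encode("ascii").hex() for c in lead_alts) + ")" + hexsig
    return f"{name}:{target}:*:{hexsig}"


def hexsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Compile plain hex bytes, ?? single-byte wildcards and (xx|yy) alternatives
    into a byte regex. Deliberately a subset of the full ClamAV hex grammar."""
    out: List[bytes] = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "(":
            j = hexsig.index(")", i)
            alts = hexsig[i + 1:j].split("|")
            out.append(b"(?:" + b"|".join(re.escape(bytes.fromhex(a)) for a in alts) + b")")
            i = j + 1
        elif hexsig[i:i + 2] == "??":
            out.append(b".")
            i += 2
        else:
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(out), re.DOTALL)


def sniff_target(data: bytes) -> int:
    """Crude stand-in for libclamav's file-type detection (an assumption of
    this model): anything that looks like markup is HTML, all else is generic."""
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<!doctype html") or b"<html" in head or b"<a " in head:
        return HTML
    return ANY_FILE


def scan(data: bytes, sigs: Sequence[str]) -> List[str]:
    """Return the names of signatures that fire on data. A signature is only
    applied when its target type is 0 (any) or equals the sniffed file type."""
    ftype = sniff_target(data)
    hits: List[str] = []
    for line in sigs:
        name, target, offset, hexsig = line.split(":", 3)
        if offset != "*":
            raise ValueError("this model only supports offset *")
        if int(target) not in (ANY_FILE, ftype):
            continue  # an HTML-only signature never sees a plain-text mail
        if hexsig_to_regex(hexsig).search(data):
            hits.append(name)
    return hits


# Constructed samples for the example; phish.example is a reserved name, not a real site.
HTML_MAIL = (b'<html><body>Please <a href="http://login.phish.example/verify/">'
             b'verify your account</a></body></html>')
TEXT_MAIL = b"Please verify your account at http://login.phish.example/verify/ today.\n"

# The same URL as an HTML-only signature and as an any-file signature with the
# leading (.|/) alternative, mirroring the two decoded entries in the thread.
SIG_HTML = url_to_ndb("Example.Phishing.HtmlOnly", "http://login.phish.example/verify/", HTML)
SIG_ANY = url_to_ndb("Example.Phishing.AnyFile", "phish.example/verify/", ANY_FILE,
                     lead_alts=(".", "/"))


if __name__ == "__main__":
    print(SIG_HTML)
    print(SIG_ANY)
    print("html mail:", scan(HTML_MAIL, [SIG_HTML, SIG_ANY]))
    print("text mail:", scan(TEXT_MAIL, [SIG_HTML, SIG_ANY]))
```

Run as-is, the HTML mail trips both signatures and the plain-text mail trips only the any-file one, which is the gap Micah described. The leading (.|/) alternative is what lets one any-file signature cover the domain both as a subdomain suffix and directly after the scheme, at the cost of also matching the bare string anywhere in any file, which is the usual false-positive trade-off with target type 0.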

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-12 Thread Al Varnell
You mentioned earlier that ClamAV has recently added signatures from PhishTank, 
but I've noticed over the last few days that most, if not all of them have been 
removed. Should I conclude that the PhishTank organization signatures are 
resulting in a high False Positive count? Are they simply accepting all the 
submissions they get as valid phishing attempts and not QAing them before 
release?

Part of my interest is that I've been providing input to them for years after 
first establishing that the spam e-mail I received is from an address that 
doesn't match the purported notice of impending doom and offer to fix by 
clicking a link which does not match the announced domain. I'm not sure all 
users would go to such lengths and might be forwarding all their spam to these 
folks. Or perhaps some are flooding the site with valid URLs in an attempt 
to defeat their purpose.

-Al-

On Tue, Dec 11, 2018 at 08:01 PM, Micah Snyder (micasnyd) wrote:
> Hi Sunny,
> 
> I meant to say that if I scanned a saved email file containing the malicious 
> URL in an HTML link (i.e. <a href=link>), then it will detect the link with 
> the safebrowsing signature.  However, if the malicious URL is not an HTML 
> link, for example if the email content is plain text, then the safebrowsing 
> signature does not appear to alert. 
> 
> Regards,
> Micah
>  
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
>> On Dec 11, 2018, at 8:58 AM, Sunny Marwah wrote:
>> 
>> Hi Al,
>> 
>> Thanks for sharing that reply.
>> 
>> Do you mean ClamAV did not detect that file (containing the deceptive link) as 
>> 'Infected' in your scanning?
>> 
>> FYI, I have also tried Google's Safebrowsing API to check such deceptive 
>> links.
>> 
>> It was really strange to know that even Google's Safebrowsing lookup API did 
>> not detect that file as 'Unsafe'. The reason behind this is that the deceptive 
>> link is a phishing link, not malware.
>> 
>> So Google's Safebrowsing lookup API will identify only malware links as 
>> 'Unsafe', not all deceptive links. However, when I check the same URL on 
>> "https://transparencyreport.google.com/safe-browsing/search", it shows 
>> 'site is unsafe', which is what I am actually looking for.
>> 
>> Regards
>> Sunny
>> 
>> On Tue, Dec 11, 2018 at 5:28 PM Al Varnell wrote:
>> Here was the earlier reply to your question
>> > >.
>> 
>> Sent from my iPad
>> 
>> -Al-
>> 
>> On Dec 10, 2018, at 21:46, Sunny Marwah wrote:
>>> Same question again: Chrome doesn't open malicious links because it labels 
>>> them dangerous as per "Safebrowsing". Then why is ClamAV not able to 
>>> identify such malicious links when the "Safebrowsing" option is already 
>>> enabled?
>>> 
 On Sat, Dec 8, 2018 at 9:00 PM Micah Snyder (micasnyd) wrote:
>>> Our replies may be getting filtered by your email provider because you 
>>> included a malicious link in the email chain. :D  I removed the link from 
>>> this reply. 
>>> 
>>>  
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc.
>>> 
>>> 
 On Dec 8, 2018, at 9:17 AM, Sunny Marwah wrote:
 
 
 Still no reply on this matter. 
>> 
>> 
>> -- 
>> Regards
>> Sunny
>> System Engineer
>> Mob : +91 9711155549 
>> 
> 

-Al-
-- 
Al Varnell
Mountain View, CA



