Re: [clamav-users] Untit Testing

2012-02-07 Thread G.W. Haywood
Hi there, On Tue, 7 Feb 2012, Reynolds, David C. wrote: I've recently installed .97.3 on an SGI Origin 3000 running TRIX ... This is a totally Trusted Irix environment. If it's a trusted environment, why would you put ClamAV on it? ClamAV is certainly less than totally trustworthy.

[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
Hi! I'm trying to disable this signature, since it's giving me FPs for some XLS files (yes, I already submitted it as FP today): mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412 [0001114551.cbc BYTECODE]

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Alain Zidouemba
Ralf, We got your FP reports and will address them today. Thanks, -Alain On Tue, Feb 7, 2012 at 8:08 AM, Ralf Hildebrandt ralf.hildebra...@charite.de wrote: Hi! I'm trying to disable this signature, since it's giving me FPs for some XLS files (yes, I already submitted it as FP today):

Re: [clamav-users] Untit Testing

2012-02-07 Thread Reynolds, David C.
Thanks for the quick replies. I was able to run those tests. As to why I would install ClamAV, it is an IA requirement that we scan for viruses on remote file transfers that go thru this system and there aren't too many options that will run under IRIX. --Dave Reynolds

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
* Alain Zidouemba azidoue...@sourcefire.com: Ralf, We got your FP reports and will address them today. Thanks :) But the original question remains in case I need to whitelist a signature. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Bill Maidment
-Original message- From: Ralf Hildebrandt ralf.hildebra...@charite.de Sent: Wed 08-02-2012 00:16 Subject:[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP To: clamav-users@lists.clamav.net; Hi! I'm trying to disable this signature, since it's giving me FPs for

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
* Bill Maidment b...@maidment.vu: What am I doing wrong here? Running clamav 0.97.3 It's the same story here. We've had to switch off all bytecode rules in the conf file. Not ideal. Sounds like one cannot whitelist a bytecode signature? -- Ralf Hildebrandt Charite

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Lyle Giese
On 02/07/12 15:05, Bill Maidment wrote: -Original message- From: Ralf Hildebrandt ralf.hildebra...@charite.de Sent: Wed 08-02-2012 00:16 Subject:[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP To: clamav-users@lists.clamav.net; Hi! I'm trying to disable this

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
* Lyle Giese l...@lcrcomputer.net: The format of local.ign is not very intuitive, IMHO. It's local.ign2 according to the docs. Creating signatures for ClamAV http://www.clamav.net/doc/latest/signatures.pdf 3.8 Whitelist databases To whitelist a specific signature from the database you just

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Tomasz Kojm
On Tue, 7 Feb 2012 23:07:05 +0100 Ralf Hildebrandt ralf.hildebra...@charite.de wrote: Have you tried that for a bytecode signature? sigtool --find-sigs=BC.Exploit.CVE_2011_3412 doesn't emit a line number. Fields are not separated with : but with ; The bytecode loader indeed seems to ignore

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Lyle Giese
On 02/07/12 16:07, Ralf Hildebrandt wrote: * Lyle Giese l...@lcrcomputer.net: The format of local.ign is not very intuitive, IMHO. It's local.ign2 according to the docs. Creating signatures for ClamAV http://www.clamav.net/doc/latest/signatures.pdf 3.8 Whitelist databases To whitelist a

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Tomasz Kojm
On Tue, 07 Feb 2012 23:11:24 +0100 Tomasz Kojm tk...@clamav.net wrote: On Tue, 7 Feb 2012 23:07:05 +0100 Ralf Hildebrandt ralf.hildebra...@charite.de wrote: Have you tried that for a bytecode signature? sigtool --find-sigs=BC.Exploit.CVE_2011_3412 doesn't emit a line number. Fields are not

Re: [clamav-users] Untit Testing

2012-02-07 Thread Jan-Pieter Cornet
On 2012-2-7 18:27 , Reynolds, David C. wrote: Thanks for the quick replies. I was able to run those tests. As to why I would install ClamAV, it is an IA requirement that we scan for viruses on remote file transfers that go thru this system and there aren't too many options that will run

Re: [clamav-users] Unit Testing

2012-02-07 Thread Ralf Hildebrandt
* Jan-Pieter Cornet joh...@xs4all.nl: I haven't got any experience with IRIX, but I do wonder: why are you using tits for testing purposes? That seems inappropriate. No, he's using un-tits. Everything but tits. E.g. a canary would be an un-tit. Like an undead is anything but dead. PS ;-)

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Bill Maidment
-Original message- From: Tomasz Kojm tk...@clamav.net Sent: Wed 08-02-2012 09:29 Subject:Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP To: clamav-users@lists.clamav.net; On Tue, 07 Feb 2012 23:11:24 +0100 Tomasz Kojm tk...@clamav.net wrote: On Tue, 7 Feb

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Bill Maidment
-Original message- From: Bill Maidment b...@maidment.vu Sent: Wed 08-02-2012 09:53 Subject:Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP To: clamav-users@lists.clamav.net; -Original message- From: Tomasz Kojm tk...@clamav.net Sent: Wed 08-02-2012