Re: [clamav-users] clamd conf questions

2015-07-23 Thread Charles Swiger
On Jul 23, 2015, at 3:07 PM, Michael Peter roundcube...@alaadin.org wrote:
 Hi,
 
 I have the following questions for clamd.conf configuration
 
 #LogRotate yes
 
 how many logs will clamd keep? Because there is no option in the conf
 file for how many log files clamd should keep after rotation.

How much disk space do you have?

As far as I can tell, it will keep rotating the logfile whenever it exceeds
LogFileMaxSize and will append a --MM-DD_HH:MM:SS timestamp via the
rename_logg() function.

 #LogFileMaxSize 2M
 also, in case I set (#LogFileMaxSize 2M), will this enforce LogRotate
 yes?

Supposedly.

 and is it possible to  set log rotate off in this case?

I think so-- with LogRotate off, the logs will grow to 2M and then stop.

 or not
 possible because #LogFileMaxSize is specified in my conf ?
 
 #TCPSocket 3310
 #TCPAddr 127.0.0.1
 
 what if I do not want clamd to listen on TCP and only to listen on a unix
 socket? Should I leave TCPSocket empty? Or how do I achieve this?

Leave them commented out.

 and is it wrong to try to disable TCP for clamd ?

No; that is the default behavior.

 Inside clamsmtpd.conf
 ==
 ClamAddress
 [ Default: /var/run/clamav/clamd ]
 
 so should I configure the unix socket in clamd.conf to be
 /var/run/clamav/clamd so clamsmtp can connect to clamd? And how do I
 achieve this? What do I add to clamd.conf to achieve this?

LocalSocket /var/run/clamav/clamd

Regards,
-- 
-Chuck

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
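Chuck's answers above (leave TCPSocket/TCPAddr commented out, set LocalSocket for clamsmtpd, and remember that LogFileMaxSize without LogRotate means the log just stops) can be turned into a quick audit of a clamd.conf. The script below is an added example for this thread, not ClamAV code: the option names and the defaults it relies on (no rotation by default, a 1M log cap by default, INADDR_ANY when TCPSocket is set but TCPAddr is not) are clamd's own, while the finding texts and the two sample configs are constructed for the example.

```python
"""Audit the listener and log settings in a clamd.conf.

Added example; not ClamAV project code. Option names and defaults are clamd's,
the verdicts and the sample configs are this script's own.
"""
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_LOG_MAX = 1024 * 1024      # clamd.conf documents the LogFileMaxSize default as 1M


def parse_clamd_conf(text):
    """Return {OptionName: [value, ...]}; lines starting with '#' are comments.

    The shipped '#TCPSocket 3310' and '#TCPAddr 127.0.0.1' lines therefore
    count as unset, which is exactly what "leave them commented out" relies on.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        opts.setdefault(parts[0], []).append(value)
    return opts


def parse_size(value):
    """LogFileMaxSize takes a byte count or a K/M suffix; 0 disables the cap."""
    m = re.fullmatch(r"(\d+)\s*([kKmM]?)", value.strip())
    if not m:
        raise ValueError("bad size: %r" % value)
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def listeners(opts):
    """Sockets clamd will bind: a unix path (or None) and a list of (addr, port)."""
    unix = opts["LocalSocket"][-1] if "LocalSocket" in opts else None
    tcp = []
    if "TCPSocket" in opts:
        port = int(opts["TCPSocket"][-1])
        # No TCPAddr means clamd binds every interface (INADDR_ANY), not just loopback.
        for addr in opts.get("TCPAddr") or ["0.0.0.0"]:
            tcp.append((addr, port))
    return {"unix": unix, "tcp": tcp}


def audit(text):
    """Return a list of findings (warnings and notes) for a clamd.conf text."""
    opts = parse_clamd_conf(text)
    ls = listeners(opts)
    findings = []
    if ls["unix"] is None and not ls["tcp"]:
        findings.append("no LocalSocket and no TCPSocket: clamd would have nothing to listen on")
    for addr, port in ls["tcp"]:
        if addr not in LOOPBACK:
            findings.append("TCPSocket %d on %s: reachable from other hosts, not just the local MTA" % (port, addr))
    rotate = any(is_true(v) for v in opts.get("LogRotate", []))
    cap = parse_size(opts["LogFileMaxSize"][-1]) if "LogFileMaxSize" in opts else DEFAULT_LOG_MAX
    if cap and not rotate:
        findings.append("LogFileMaxSize %d without LogRotate: clamd stops logging once the file hits the cap" % cap)
    elif cap and rotate:
        findings.append("LogRotate yes: clamd never prunes rotated copies, clean them up with cron/logrotate")
    return findings


# Constructed sample configs (not the poster's actual files).
LOCAL_ONLY = """\
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 2M
LogRotate yes
#TCPSocket 3310
#TCPAddr 127.0.0.1
LocalSocket /var/run/clamav/clamd
"""

TCP_EXPOSED = """\
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 2M
TCPSocket 3310
LocalSocket /var/run/clamav/clamd
"""

if __name__ == "__main__":
    for label, cfg in (("local-only", LOCAL_ONLY), ("tcp-exposed", TCP_EXPOSED)):
        print(label, listeners(parse_clamd_conf(cfg)), audit(cfg) or "no findings")
```

Run it against /etc/clamd.conf (or wherever the distribution puts it) before starting clamd; on a running daemon, `ss -ltnp` and `ls -l /var/run/clamav/clamd` confirm the same thing from the outside.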


[clamav-users] clamd conf questions

2015-07-23 Thread Michael Peter
Hi,

I have the following questions for clamd.conf configuration

#LogRotate yes

how many logs will clamd keep? Because there is no option in the conf
file for how many log files clamd should keep after rotation.


#LogFileMaxSize 2M
also, in case I set (#LogFileMaxSize 2M), will this enforce LogRotate
yes? And is it possible to set LogRotate off in this case? Or is it not
possible because #LogFileMaxSize is specified in my conf?

#TCPSocket 3310
#TCPAddr 127.0.0.1

what if I do not want clamd to listen on TCP and only to listen on a unix
socket? Should I leave TCPSocket empty? Or how do I achieve this?
and is it wrong to try to disable TCP for clamd ?

Inside clamsmtpd.conf
==
ClamAddress
 [ Default: /var/run/clamav/clamd ]

so should I configure the unix socket in clamd.conf to be
/var/run/clamav/clamd so clamsmtp can connect to clamd? And how do I
achieve this? What do I add to clamd.conf to achieve this?

Thank you.

Michael Peter



Re: [clamav-users] just a little help please

2015-07-23 Thread Al Varnell

On Thu, Jul 23, 2015 at 05:28 PM, phoenixcomm wrote:
 
 I am new to clamAV so be gentle.
 the Tk interface is very nice but I have a problem
 you have only 2 choices to scan home or everything.
 you need to add other dir as well..
 as I have a public drive mounted
 mnt/MyData/public  so how do I scan this dir
 and my media is
 mnt/MyMedia/media (lots of movies and music
 
 I have to do this as I use NFS for file sharing and these are my exports

Perhaps you meant to contact the clamtk developer about this.  I don’t think 
he’s affiliated in any way with Cisco/ClamAV®
https://github.com/dave-theunsub/clamtk/issues

-Al-
-- 
Al Varnell
Mountain View, CA





[clamav-users] just a little help please

2015-07-23 Thread phoenixcomm

I am new to clamAV so be gentle.
the Tk interface is very nice but I have a problem
you have only 2 choices to scan home or everything.
you need to add other dir as well..
as I have a public drive mounted
mnt/MyData/public  so how do I scan this dir
and my media is
mnt/MyMedia/media (lots of movies and music

I have to do this as I use NFS for file sharing and these are my exports


Cris


Re: [clamav-users] offline updates

2015-07-23 Thread Phil Dumont
Maybe I didn't state my point clearly enough.  Apparently, my citing http
as something I wanted to avoid made you think that it was http in
particular that I object to.  Not so.  It is networking in general I'm
trying to avoid.  Did you notice that I said the target machine is not on
any kind of network, not even a local LAN?  It has no wireless.  There's no
ethernet cable plugged into it.

Okay, so the local private mirror solution does not require the final
target to use http.  So I could do without a web server.  But it does
require the final target to use networking, yes?  DNS?  So I *could* make
it work, but I'd have to run a domain name server on the target machine,
and it would need its loopback network interface running.  All this just so
the final target, which is the client, can ask the server, which is also
the final target machine, one little question that has a short text string
for an answer.  That seems to me like an awfully big hammer, considering
that otherwise, on a stand-alone machine, networking is entirely
unnecessary.

All I'm saying is that, for the admittedly unusual but definitely simpler
situation of an entirely stand-alone, completely non-networked machine, it
would be nice if there were a solution that was correspondingly simpler.
One that used the file system only, not networking.

On Wed, Jul 22, 2015 at 7:00 PM, Al Varnell alvarn...@mac.com wrote:

 Please read the solutions a bit more closely.  The HTTP portion of some of
 those solutions is to bring the database to the local mirror.  Since you
 have already said you plan to burn optical disks and manually install them
 on the private mirror, that should not be an issue.  From there you can
 just tell freshclam where to find the mirror on your network with an IP
 address and path to the database.

 Be aware that even freshclam will fall back to an http solution should a
 direct download fail, but that should not be a problem with a stable
 network.

 -Al-

 On Jul 22, 2015, at 12:13 PM, Phil Dumont p...@solidstatescientific.com
 wrote:
  I *did* read the private local mirrors stuff.  It offers 3 alternative
  solutions, all of which require http.  If you'll read my original post more
  carefully, you'll see that that is what I'm trying to avoid.
  
  On Wed, Jul 22, 2015 at 2:22 PM, Al Varnell alvarn...@mac.com wrote:
  See Private Local Mirrors: http://www.clamav.net/doc/mirrors-private.html
  
  -Al-
  
  On Jul 22, 2015, at 9:04 AM, Phil Dumont wrote:
  I'm considering using clamav on a machine that is not (can not be) on the
  network (any network, not even a local one).
  
  I have a few ideas for how to get virus definition updates onto the
  machine, but none of them is quite perfect.
  
  All of them start with getting on an online computer and pulling the .cvd
  files (main, daily, bytecode) off the net and onto an optical disk, then
  sticking that disk into the offline machine.
  
  Then what?
  
  I'd like to use freshclam, just because that's the official way to do it.
  
  I get that I can add some DatabaseCustomURL directives to my
  freshclam.conf, with file URLs that just point directly to wherever the
  optical disk will be mounted.  That works.
  
  The part I haven't figured out yet is if there is any way to get freshclam
  *not* to go out on the web to verify the databases.
  
  As far as I can tell, there is no way to tell it to just skip that step,
  which is what I would prefer.
  
  Alternatively, is there any way to make it do it locally?
  
  There's PrivateMirror, which would be fine if its value could be a file
  URL, but it seems to want a host name to build an http URL out of.  Which
  means, for my offline computer, I have to have at least loopback networking
  running, and an HTTP server, which I'd rather not do.
  
  I could just let freshclam try and fail to verify the databases.  But that
  makes the command take longer than it should while waiting for the http
  attempts to time out, and clutters the logs with unsightly error messages.
  
  The only other alternative I can think of is to use cp or rsync or some
  such to copy the .cvd files from the optical disk to /var/lib/clamav by
  hand.  This avoids unsightly error messages in the log, but that's because
  it doesn't put *anything* in the logs.  Which is unfortunate, because I'd
  like to have a record of when the updates were done.  I suppose I could
  write my own script that copies the databases into place *and* logs the
  fact.
  
  Any input?
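Phil's last alternative, a script that copies the databases into place *and* logs the fact, is small enough to show. The following is an added example for this thread; it is not freshclam and not ClamAV project code. It reads the real 512-byte header that main.cvd, daily.cvd and bytecode.cvd carry (colon-separated: the literal ClamAV-VDB, build time, version, signature count, functionality level, MD5 of the payload after the header, digital signature, builder), checks the payload MD5, installs anything newer than what the database directory already holds, removes a stale .cld of the same name, and appends one line per database to a log. The directory layout, log format and function names are the example's own assumptions, and the databases built by `make_cvd()` for `demo()` are constructed test data, not real signatures.

```python
"""Offline ClamAV database update from removable media, with a log line per database.

Added example; not freshclam and not ClamAV project code. The header layout is
the real CVD header; file layout, log format and helper names are assumptions.
"""
import hashlib
import os
import shutil
import tempfile
import time

HEADER_LEN = 512
DATABASES = ("main", "daily", "bytecode")


def parse_cvd_header(blob):
    """Return the header fields of a .cvd/.cld file as a dict (version as int)."""
    fields = blob[:HEADER_LEN].decode("ascii", "replace").rstrip(" \0").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a ClamAV database header")
    return {"time": fields[1], "version": int(fields[2]), "sigs": int(fields[3]),
            "flevel": int(fields[4]), "md5": fields[5], "dsig": fields[6],
            "builder": fields[7]}


def payload_md5_ok(blob, header):
    """The header MD5 covers everything after the 512-byte header (the tar.gz payload).

    Integrity only: the RSA signature in the dsig field is what proves origin,
    and this example does not verify it (sigtool --info does).
    """
    return hashlib.md5(blob[HEADER_LEN:]).hexdigest() == header["md5"]


def installed_version(db_dir, name):
    """Highest version among name.cld / name.cvd in db_dir, or 0 if neither exists."""
    best = 0
    for ext in (".cld", ".cvd"):
        path = os.path.join(db_dir, name + ext)
        if os.path.exists(path):
            with open(path, "rb") as f:
                best = max(best, parse_cvd_header(f.read(HEADER_LEN))["version"])
    return best


def sync_from_media(media_dir, db_dir, log_path):
    """Install newer .cvd files from media_dir into db_dir; return [(name, old, new)] updated."""
    updated = []
    with open(log_path, "a") as log:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for name in DATABASES:
            src = os.path.join(media_dir, name + ".cvd")
            if not os.path.exists(src):
                log.write("%s %s: not on media, skipped\n" % (stamp, name))
                continue
            with open(src, "rb") as f:
                blob = f.read()
            hdr = parse_cvd_header(blob)
            if not payload_md5_ok(blob, hdr):
                log.write("%s %s: MD5 mismatch, NOT installed\n" % (stamp, name))
                continue
            have = installed_version(db_dir, name)
            if hdr["version"] <= have:
                log.write("%s %s: version %d already installed\n" % (stamp, name, have))
                continue
            # Write atomically, then drop a stale .cld of the same name so clamd
            # does not keep loading the older incrementally-built database.
            dst = os.path.join(db_dir, name + ".cvd")
            with open(dst + ".tmp", "wb") as f:
                f.write(blob)
            os.replace(dst + ".tmp", dst)
            stale = os.path.join(db_dir, name + ".cld")
            if os.path.exists(stale):
                os.remove(stale)
            log.write("%s %s: %d -> %d (%d sigs, built %s)\n"
                      % (stamp, name, have, hdr["version"], hdr["sigs"], hdr["time"]))
            updated.append((name, have, hdr["version"]))
    return updated


def make_cvd(version, sigs, payload):
    """Build a CVD-shaped blob for testing (constructed; the signature field is a placeholder)."""
    head = "ClamAV-VDB:23 Jul 2015 12-00 -0400:%d:%d:63:%s:X:example" % (
        version, sigs, hashlib.md5(payload).hexdigest())
    return head.ljust(HEADER_LEN).encode("ascii") + payload


def demo():
    """Two sync passes against temp dirs: the first installs, the second is a no-op."""
    media, db = tempfile.mkdtemp(), tempfile.mkdtemp()
    log_path = os.path.join(db, "offline-update.log")
    for name, ver in (("main", 55), ("daily", 20700)):
        with open(os.path.join(media, name + ".cvd"), "wb") as f:
            f.write(make_cvd(ver, 1000 * ver, b"not a real tar.gz payload"))
    first = sync_from_media(media, db, log_path)
    second = sync_from_media(media, db, log_path)
    with open(log_path) as f:
        lines = f.read().splitlines()
    result = (first, second, installed_version(db, "daily"), lines)
    shutil.rmtree(media)
    shutil.rmtree(db)
    return result


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

On the real machine, run `sigtool --info` against each file on the disk first, since that verifies the digital signature as well as the MD5, then run the sync and `clamdscan --reload` (or restart clamd) so the daemon picks up the new files; clamscan reads the directory afresh on every run.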

[clamav-users] Unable to detect pdf virus

2015-07-23 Thread P K
Hi Guys,

I am testing clamav in my local system to detect POST data from the network.
I am a newbie in ClamAV and want to test with real-time signatures.

I tested with the Eicar test signature and it works fine.

*But ClamAv is unable to detect CVE-2009-4324 with pdf.*

I see signature is present in daily.cld and if extracted its present in
daily.ldb.
Gmail able to detect same pdf as virus.

Any help on what is wrong in my ClamAV system and how to fix it?

$ clamscan ~/anti/eicar.com.txt
*/home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*

--- SCAN SUMMARY ---
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.480 sec (0 m 6 s)      --- took 6 sec to detect a normal virus

$ clamscan ~/anti_new/virus/exploit.pdf

*/home/pk/anti_new/virus/exploit.pdf: OK*
--- SCAN SUMMARY ---
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 8.100 sec (0 m 8 s)

I generated above virus using this link -
http://www.decalage.info/exefilter_pdf_exploits

I really want to learn ClamAv virus detection and try to enhance it.

Thanks
--PK


Re: [clamav-users] offline updates

2015-07-23 Thread Phil Dumont
On Thu, Jul 23, 2015 at 2:08 PM, G.W. Haywood cla...@jubileegroup.co.uk
wrote:

 Hi there,

 On Thu, 23 Jul 2015, Phil Dumont wrote:

  I'm considering using clamav on a machine that is not (can not be) on the
 network (any network, not even a local one).


 Unless you can give more detail amounting to some sort of a case for
 doing this, my immediate reaction would be a little less circumspect
 than Mr. Swiger's.  I'd say forget the idea, it's a waste of time,
 and it might even be counterproductive.

 Firstly, the detection rate that you'll get is likely to be poor for
 very recent threats (not least) because your out-of-band updates will
 probably be tardy.


True enough.  But would this not be mitigated by the fact that the more
recent threats will propagate to the machine more slowly without a network
connection?



 Secondly, without any network connection you'll have trouble keeping
 the software on this mysterious machine up-to-date, which will mean
 that it's rather more vulnerable to attack than it otherwise would be.


Also true enough, but same mitigating factor.



 Taken together these things lead me to postulate that your non-networked
 computer will be more likely to be compromised by things like malicious
 files on removable media (precisely the sort of thing you'll be using to
 tardily transfer the database updates I suppose), than it would be if it
 were networked after all.


Exactly correct.  There is no network-borne threat.  Removable media is
the only thing being protected against.



 But as Chuck says, it's all really up to you.


Well, as I said in my reply to Chuck, it's not really up to me.  It's up to
the folk I'm maintaining the system for.  Which is exactly why I wanted
logging of the definition updates -- so I could show them it's being done.



 Out of interest, what operating system will the unsociable computer run?


CentOS 6




 --

 73,
 Ged.




Re: [clamav-users] offline updates

2015-07-23 Thread Dennis Peterson
If you have a stand-alone system with no networking and presumably no shared 
storage (scsi or SAN, by example) then you have to span the air gap manually. 
Your isolated system will only be as safe as the last networked system used to 
manually span the air gap. A work-around for that is to have a second isolated 
system, possibly a virtual machine, that can be used to pre-scan files before 
they are transferred to the target machine.


dp

On 7/23/15 9:00 AM, Phil Dumont wrote:

On Thu, Jul 23, 2015 at 11:52 AM, Charles Swiger cswi...@mac.com wrote:


On Jul 23, 2015, at 7:48 AM, Phil Dumont p...@solidstatescientific.com
wrote:
[ ... ]

All I'm saying is that, for the admittedly unusual but definitely simpler
situation of an entirely stand-alone, completely non-networked machine, it
would be nice if there were a solution that was correspondingly simpler.
One that used the file system only, not networking.

The use-case for virus/malware scanning on a networked machine is obvious,
as is the need to be able to update A/V signatures.

It's not obvious why a machine which is entirely stand-alone, completely
non-networked would require virus scanning or a way to update the A/V
signatures.


Granted, the requirement is not as great without a network.  But there's
still potential for virus introduction via removable media.



However, if that's
what you want, ...


Not what I want particularly.  A requirement imposed upon me.



...fine-- do a manual copy of the A/V signatures into place
via USB stick, CD/DVD image, etc and then restart clamd to reload them.


Roger.



Regards,
--
-Chuck







Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770

2015-07-23 Thread Al Varnell
I know there are often issues when trying to scan a Windows partition from OS 
X, so that may be part of your problem.

I always recommend my OS X users who run a Windows partition to scan it with 
ClamWIN which is a Windows GUI application for ClamAV.
www.clamwin.com.

-Al-

On Thu, Jul 23, 2015 at 11:15 AM, JD Ackle wrote:
 
 On Wed, 7/22/15, G.W. Haywood cla...@jubileegroup.co.uk wrote:
 
 Subject: Re: [clamav-users] How to clean infection by 
 Docx.Exploit.CVE_2015_1770
 To: clamav-users@lists.clamav.net
 Date: Wednesday, July 22, 2015, 5:45 PM
 
 Hi there,
 
 On Wed, 22 Jul 2015, JD Ackle wrote:
 
 I would like to know how can I remove
 Docx.Exploit.CVE_2015_1770
 from Windows/System32/config/SOFTWARE
 
 As others have said, you might have found a false
 positive.  You need to
 find out if that is the case or not before you do anything
 else.
 
 If it is not a false positive but a real infection, then the
 ClamAV
 users' mailing list cannot really help you with your
 question.
 
 ClamAV tells you if it thinks that it has found
 something.  It is up to
 you to decide what to do about it.  You *can* choose to
 delete files if
 they are flagged by ClamAV, but in general that is not
 recommended; and
 as /Windows/System32/config/SOFTWARE is one of Windows'
 registry files,
 it will certainly damage your Windows installation if you
 delete it.
 
 There are many Internet help sites and similar which can
 help you with
 your question.
 
 Reading the rest of your message tells me that you need
 something. :)
 For self-help I personally recommend MalwareBytes
 Anti-Malware (MBAM).
 If you download it, be careful where you get it from. 
 Some Websites
 have been seen to include malicious software with the
 download.
 
 
 Thank you for your advice, GW.
 
 I tried MBAM and it reported NO infections. However, the first run did crash 
 the program, so I then used another tool provided by MBAM that stated that 
 sometimes the main program may be prevented from running by viruses and 
 that's what the other tool was meant to solve - it did run alright and 
 reported no threats but...
 
 I then had Norton doing a scan and it found some tracking cookies in Firefox 
 which is a tad odd on two accounts: 1) Norton had never complained about 
 these before (but it might just be a new setting included with later 
 updates...?) and 2) I have Firefox configured to Keep cookies until I close 
 Firefox (which doesn't necessarily mean they are removed from the hard disk, 
 maybe they'll just no longer be used again by Firefox after the program 
 quits...?).
 
 Finally, I thought I might as well install the latest security update from 
 Microsoft (which I was postponing for a couple days to have it installed on a 
 clean(er) system).
 
 And then... the latest results from ClamAV run from Linux:
 - /Windows/System32/config/ (where the previously infected SOFTWARE file is 
 located) is now CLEAN!
 - /pagefile.sys however is now clean of Docx.Exploit.CVE_2015_1770 but is 
 reportedly infected by Exploit.Countdown on every 
 Remove-said-file-from-within-Linux-Reboot_to_Windows-Reboot-to-Linux-and-run-ClamAV-again.
  I had actually forgotten about this report when I told the full story 
 earlier. This positive was detected at the time I had the Tenga virus and it 
 was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 
 started being detected.
 
 I am currently doing a new full ClamAV scan of my Windows partition to try 
 and check if something new comes up. Thus far only pagefile.sys was reported 
 with said Exploit.Countdown and ... a few warning messages that don't 
 reference any particular file have come up as well:
 LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total 
 (eight times thus far on the current scan, all of them before the 
 pagefile.sys detection)
 I have no idea what that means but I've noticed it happens every time I run a 
 scan on a Windows folder (i.e. on more than one file at a time) and never 
 when scanning a Linux folder.
 
 Just telling all this on this list because I'm not that sure these are false 
 positives at the moment - hence no point in submitting anything to that list...
 I will look for help elsewhere, probably will start off at Microsoft Answers. 
 If something comes up which I think might be relevant to ClamAV, I'll reply 
 back on this thread.
 
 Thanks to all that replied.
 J.D. Ackle


Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770

2015-07-23 Thread Noel Jones
On 7/23/2015 1:15 PM, JD Ackle wrote:
 [...]


Tracking cookies are exactly what they sound like, and are not an
indicator of malware.  You can remove them for privacy reasons.

pagefile.sys is basically a dump of random memory pages. The chance
of a false positive when scanning random data is very high.  It's
likely safe to ignore anything reported here if there are no other
indications of a problem.

I don't see any clear sign of infection here.



  -- Noel Jones


Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770

2015-07-23 Thread JD Ackle

On Wed, 7/22/15, G.W. Haywood cla...@jubileegroup.co.uk wrote:

 Subject: Re: [clamav-users] How to clean infection by  
Docx.Exploit.CVE_2015_1770
 To: clamav-users@lists.clamav.net
 Date: Wednesday, July 22, 2015, 5:45 PM
 
 Hi there,
 
 On Wed, 22 Jul 2015, JD Ackle wrote:
 
  I would like to know how can I remove
 Docx.Exploit.CVE_2015_1770
  from Windows/System32/config/SOFTWARE
 
 As others have said, you might have found a false
 positive.  You need to
 find out if that is the case or not before you do anything
 else.
 
 If it is not a false positive but a real infection, then the
 ClamAV
 users' mailing list cannot really help you with your
 question.
 
 ClamAV tells you if it thinks that it has found
 something.  It is up to
 you to decide what to do about it.  You *can* choose to
 delete files if
 they are flagged by ClamAV, but in general that is not
 recommended; and
 as /Windows/System32/config/SOFTWARE is one of Windows'
 registry files,
 it will certainly damage your Windows installation if you
 delete it.
 
 There are many Internet help sites and similar which can
 help you with
 your question.
 
 Reading the rest of your message tells me that you need
 something. :)
 For self-help I personally recommend MalwareBytes
 Anti-Malware (MBAM).
 If you download it, be careful where you get it from. 
 Some Websites
 have been seen to include malicious software with the
 download.
 

Thank you for your advice, GW.

I tried MBAM and it reported NO infections. However, the first run did crash 
the program, so I then used another tool provided by MBAM that stated that 
sometimes the main program may be prevented from running by viruses and that's 
what the other tool was meant to solve - it did run alright and reported no 
threats but...

I then had Norton doing a scan and it found some tracking cookies in Firefox 
which is a tad odd on two accounts: 1) Norton had never complained about these 
before (but it might just be a new setting included with later updates...?) and 
2) I have Firefox configured to Keep cookies until I close Firefox (which 
doesn't necessarily mean they are removed from the hard disk, maybe they'll 
just no longer be used again by Firefox after the program quits...?).

Finally, I thought I might as well install the latest security update from 
Microsoft (which I was postponing for a couple days to have it installed on a 
clean(er) system).

And then... the latest results from ClamAV run from Linux:
- /Windows/System32/config/ (where the previously infected SOFTWARE file is 
located) is now CLEAN!
- /pagefile.sys however is now clean of Docx.Exploit.CVE_2015_1770 but is 
reportedly infected by Exploit.Countdown on every 
Remove-said-file-from-within-Linux-Reboot_to_Windows-Reboot-to-Linux-and-run-ClamAV-again.
 I had actually forgotten about this report when I told the full story 
earlier. This positive was detected at the time I had the Tenga virus and it 
was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started 
being detected.

I am currently doing a new full ClamAV scan of my Windows partition to try and 
check if something new comes up. Thus far only pagefile.sys was reported with 
said Exploit.Countdown and ... a few warning messages that don't reference 
any particular file have come up as well:
LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total 
(eight times thus far on the current scan, all of them before the pagefile.sys 
detection)
I have no idea what that means but I've noticed it happens every time I run a 
scan on a Windows folder (i.e. on more than one file at a time) and never when 
scanning a Linux folder.

Just telling all this on this list because I'm not that sure these are false 
positives at the moment - hence no point in submitting anything to that list...
I will look for help elsewhere, probably will start off at Microsoft Answers. 
If something comes up which I think might be relevant to ClamAV, I'll reply 
back on this thread.

Thanks to all that replied.
J.D. Ackle