Re: [clamav-users] clamd conf questions
On Jul 23, 2015, at 3:07 PM, Michael Peter roundcube...@alaadin.org wrote:

> Hi,
>
> I have the following questions for clamd.conf configuration:
>
> #LogRotate yes
>
> How many logs will clamd keep? Because there is no option in the conf file on how many log files clamd should keep after rotations?

How much disk space do you have? As far as I can tell, it will keep rotating the logfile whenever it exceeds LogFileMaxSize and will append a --MM-DD_HH:MM:SS timestamp via the rename_logg() function.

> #LogFileMaxSize 2M
>
> Also, in case I set (#LogFileMaxSize 2M), will this enforce the LogRotate yes?

Supposedly.

> And is it possible to set log rotate off in this case?

I think so-- with LogRotate off, the logs will grow to 2M and then stop.

> Or not possible because #LogFileMaxSize is specified in my conf?
>
> #TCPSocket 3310
> #TCPAddr 127.0.0.1
>
> What if I do not want clamd to listen on TCP and only to listen on a unix socket? Should I leave TCPSocket empty?? Or how to achieve this?

Leave them commented out.

> And is it wrong to try to disable TCP for clamd?

No; that is the default behavior.

> Inside clamsmtpd.conf == ClamAddress [ Default: /var/run/clamav/clamd ]
>
> So should I configure the unix socket in clamd.conf to be /var/run/clamav/clamd so clamsmtp can connect to clamd? And how to achieve this? What to add to clamd.conf to achieve this?

LocalSocket /var/run/clamav/clamd

Regards,
--
-Chuck

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] clamd conf questions
Hi,

I have the following questions for clamd.conf configuration:

#LogRotate yes

How many logs will clamd keep? Because there is no option in the conf file on how many log files clamd should keep after rotations?

#LogFileMaxSize 2M

Also, in case I set (#LogFileMaxSize 2M), will this enforce the LogRotate yes? And is it possible to set log rotate off in this case? Or not possible because #LogFileMaxSize is specified in my conf?

#TCPSocket 3310
#TCPAddr 127.0.0.1

What if I do not want clamd to listen on TCP and only to listen on a unix socket? Should I leave TCPSocket empty?? Or how to achieve this? And is it wrong to try to disable TCP for clamd?

Inside clamsmtpd.conf == ClamAddress [ Default: /var/run/clamav/clamd ]

So should I configure the unix socket in clamd.conf to be /var/run/clamav/clamd so clamsmtp can connect to clamd? And how to achieve this? What to add to clamd.conf to achieve this?

Thank you.

Michael Peter
Re: [clamav-users] just a little help please
On Thu, Jul 23, 2015 at 05:28 PM, phoenixcomm wrote:

> I am new to clamAV so be gentle. The Tk interface is very nice but I have a problem: you have only 2 choices to scan, home or everything. You need to add other dirs as well, as I have a public drive mounted at mnt/MyData/public. So how do I scan this dir? And my media is mnt/MyMedia/media (lots of movies and music). I have to do this as I use NFS for file sharing and these are my exports.

Perhaps you meant to contact the clamtk developer about this. I don't think he's affiliated in any way with Cisco/ClamAV® https://github.com/dave-theunsub/clamtk/issues

-Al-
--
Al Varnell
Mountain View, CA
[clamav-users] just a little help please
I am new to clamAV so be gentle. The Tk interface is very nice but I have a problem: you have only 2 choices to scan, home or everything. You need to add other dirs as well, as I have a public drive mounted at mnt/MyData/public. So how do I scan this dir? And my media is mnt/MyMedia/media (lots of movies and music). I have to do this as I use NFS for file sharing and these are my exports.

Cris
Re: [clamav-users] offline updates
Maybe I didn't state my point clearly enough.

Apparently, my citing http as something I wanted to avoid made you think that it was http in particular that I object to. Not so. It is networking in general I'm trying to avoid. Did you notice that I said the target machine is not on any kind of network, not even a local LAN? It has no wireless. There's no ethernet cable plugged into it.

Okay, so the local private mirror solution does not require the final target to use http. So I could do without a web server. But it does require the final target to use networking, yes? DNS? So I *could* make it work, but I'd have to run a domain name server on the target machine, and it would need its loopback network interface running. All this just so the final target, which is the client, can ask the server, which is also the final target machine, one little question that has a short text string for an answer. That seems to me like an awfully big hammer, considering that otherwise, on a stand-alone machine, networking is entirely unnecessary.

All I'm saying is that, for the admittedly unusual but definitely simpler situation of an entirely stand-alone, completely non-networked machine, it would be nice if there were a solution that was correspondingly simpler. One that used the file system only, not networking.

On Wed, Jul 22, 2015 at 7:00 PM, Al Varnell alvarn...@mac.com wrote:

> Please read the solutions a bit more closely. The HTTP portion of some of those solutions is to bring the database to the local mirror. Since you have already said you plan to burn optical disks and manually install them on the private mirror, that should not be an issue. From there you can just tell freshclam where to find the mirror on your network with an IP address and path to the database. Be aware that even freshclam will fall back to an http solution should a direct download fail, but that should not be a problem with a stable network.
>
> -Al-
>
> On Jul 22, 2015, at 12:13 PM, Phil Dumont p...@solidstatescientific.com wrote:
>
>> I *did* read the private local mirrors stuff. It offers 3 alternative solutions, all of which require http. If you'll read my original post more carefully, you'll see that that is what I'm trying to avoid.
>>
>> On Wed, Jul 22, 2015 at 2:22 PM, Al Varnell alvarn...@mac.com wrote:
>>
>>> See Private Local Mirrors: http://www.clamav.net/doc/mirrors-private.html
>>>
>>> -Al-
>>>
>>> On Jul 22, 2015, at 9:04 AM, Phil Dumont wrote:
>>>
>>>> I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one). I have a few ideas for how to get virus definition updates onto the machine, but none of them is quite perfect.
>>>>
>>>> All of them start with getting on an online computer and pulling the .cvd files (main, daily, bytecode) off the net and onto an optical disk, then sticking that disk into the offline machine. Then what?
>>>>
>>>> I'd like to use freshclam, just because that's the official way to do it. I get that I can add some DatabaseCustomURL directives to my freshclam.conf, with file URLs that just point directly to wherever the optical disk will be mounted. That works. The part I haven't figured out yet is if there is any way to get freshclam *not* to go out on the web to verify the databases. As far as I can tell, there is no way to tell it to just skip that step, which is what I would prefer.
>>>>
>>>> Alternatively, is there any way to make it do it locally? There's PrivateMirror, which would be fine if its value could be a file URL, but it seems to want a host name to build an http URL out of. Which means, for my offline computer, I have to have at least loopback networking running, and an HTTP server, which I'd rather not do.
>>>>
>>>> I could just let freshclam try and fail to verify the databases. But that makes the command take longer than it should while waiting for the http attempts to time out, and clutters the logs with unsightly error messages.
>>>>
>>>> The only other alternative I can think of is to use cp or rsync or some such to copy the .cvd files from the optical disk to /var/lib/clamav by hand. This avoids unsightly error messages in the log, but that's because it doesn't put *anything* in the logs. Which is unfortunate, because I'd like to have a record of when the updates were done. I suppose I could write my own script that copies the databases into place *and* logs the fact.
>>>>
>>>> Any input?
[clamav-users] Unable to detect pdf virus
Hi Guys,

I am testing clamav in my local system to detect POST data from the network. I am a newbie in ClamAV and want to test with real time signatures. I tested with the Eicar Test Signature and it works fine. *But ClamAV is unable to detect CVE-2009-4324 with pdf.* I see the signature is present in daily.cld and if extracted it's present in daily.ldb. Gmail is able to detect the same pdf as a virus. Any help on what's wrong in my ClamAV system and how to fix it?

$ clamscan ~/anti/eicar.com.txt
*/home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*

--- SCAN SUMMARY ---
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.480 sec (0 m 6 s)
--- took 6 sec to detect a normal virus

$ clamscan ~/anti_new/virus/exploit.pdf
*/home/pk/anti_new/virus/exploit.pdf: OK*

--- SCAN SUMMARY ---
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 8.100 sec (0 m 8 s)

I generated the above virus using this link - http://www.decalage.info/exefilter_pdf_exploits

I really want to learn ClamAV virus detection and try to enhance it.

Thanks
--PK
Re: [clamav-users] offline updates
On Thu, Jul 23, 2015 at 2:08 PM, G.W. Haywood cla...@jubileegroup.co.uk wrote:

> Hi there,
>
> On Thu, 23 Jul 2015, Phil Dumont wrote:
>
>> I'm considering using clamav on a machine that is not (can not be) on the network (any network, not even a local one).
>
> Unless you can give more detail amounting to some sort of a case for doing this, my immediate reaction would be a little less circumspect than Mr. Swiger's. I'd say forget the idea, it's a waste of time, and it might even be counterproductive.
>
> Firstly, the detection rate that you'll get is likely to be poor for very recent threats (not least) because your out-of-band updates will probably be tardy.

True enough. But would this not be mitigated by the fact that the more recent threats will propagate to the machine more slowly without a network connection?

> Secondly, without any network connection you'll have trouble keeping the software on this mysterious machine up-to-date, which will mean that it's rather more vulnerable to attack than it otherwise would be.

Also true enough, but same mitigating factor.

> Taken together these things lead me to postulate that your non-networked computer will be more likely to be compromised by things like malicious files on removable media (precisely the sort of thing you'll be using to tardily transfer the database updates I suppose), than it would be if it were networked after all.

Exactly correct. There is no network-borne threat. Removable media is the only thing being protected against.

> But as Chuck says, it's all really up to you.

Well, as I said in my reply to Chuck, it's not really up to me. It's up to the folk I'm maintaining the system for. Which is exactly why I wanted logging of the definition updates -- so I could show them it's being done.

> Out of interest, what operating system will the unsociable computer run?

CentOS 6

> --
> 73,
> Ged.
Re: [clamav-users] offline updates
If you have a stand-alone system with no networking and presumably no shared storage (scsi or SAN, by example) then you have to span the air gap manually. Your isolated system will only be as safe as the last networked system used to manually span the air gap. A work-around for that is to have a second isolated system, possibly a virtual machine, that can be used to pre-scan files before they are transferred to the target machine.

dp

On 7/23/15 9:00 AM, Phil Dumont wrote:

> On Thu, Jul 23, 2015 at 11:52 AM, Charles Swiger cswi...@mac.com wrote:
>
>> On Jul 23, 2015, at 7:48 AM, Phil Dumont p...@solidstatescientific.com wrote:
>>
>>> [ ... ]
>>> All I'm saying is that, for the admittedly unusual but definitely simpler situation of an entirely stand-alone, completely non-networked machine, it would be nice if there were a solution that was correspondingly simpler. One that used the file system only, not networking.
>>
>> The use-case for virus/malware scanning on a networked machine is obvious, as is the need to be able to update A/V signatures. It's not obvious why a machine which is entirely stand-alone, completely non-networked would require virus scanning or a way to update the A/V signatures.
>
> Granted, the requirement is not as great without a network. But there's still potential for virus introduction via removable media.
>
>> However, if that's what you want, ...
>
> Not what I want particularly. A requirement imposed upon me.
>
>> ...fine-- do a manual copy of the A/V signatures into place via USB stick, CD/DVD image, etc and then restart clamd to reload them.
>
> Roger.
>
>> Regards,
>> --
>> -Chuck
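Phil's "copy the databases into place *and* log the fact" idea and Chuck's "manual copy, then restart clamd to reload" step, put together as an added example that is not code from the thread or from the ClamAV project. The paths /media/cdrom, /var/lib/clamav and /var/log/clamav/offline-update.log are assumptions, and the sigtool and clamdscan calls are skipped when those ClamAV tools are not installed.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV): copy the databases from
# a mounted optical disk into the ClamAV database directory, verify each file
# where possible, append a timestamped record to a log, and ask a running
# clamd to reload. The paths /media/cdrom, /var/lib/clamav and
# /var/log/clamav/offline-update.log used at the bottom are assumptions.

# Append one UTC-timestamped line ($2) to the log file ($1).
log_line() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "$1"
}

# SHA-256 of a file for the update record (sha256sum on Linux, shasum elsewhere).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Return 0 if $1 looks like a usable database. When sigtool (shipped with
# ClamAV) is installed, require its --info output to report "Verification OK"
# for the file's embedded signature; otherwise only a non-zero size is checked.
verify_db_file() {
    [ -s "$1" ] || return 1
    if command -v sigtool >/dev/null 2>&1; then
        sigtool --info="$1" 2>/dev/null | grep -q 'Verification OK' || return 1
    fi
    return 0
}

# import_clamav_dbs SRC DST LOG
# Installs main/daily/bytecode databases (.cvd or .cld) from SRC into DST,
# logging each as INSTALLED, UNCHANGED or REJECT with its SHA-256. Prints the
# number of databases now current in DST and returns 1 if that number is zero.
import_clamav_dbs() {
    src="$1"; dst="$2"; log="$3"
    current=0
    mkdir -p "$dst" "$(dirname "$log")"
    for name in main daily bytecode; do
        for ext in cvd cld; do
            f="$src/$name.$ext"
            [ -f "$f" ] || continue
            if ! verify_db_file "$f"; then
                log_line "$log" "REJECT $f: failed verification"
                continue
            fi
            sum=$(file_digest "$f")
            if [ -f "$dst/$name.$ext" ] && cmp -s "$f" "$dst/$name.$ext"; then
                log_line "$log" "UNCHANGED $name.$ext sha256=$sum"
            else
                # Copy under a temporary name, then rename, so clamd never
                # reads a half-written database.
                cp "$f" "$dst/$name.$ext.tmp" && mv "$dst/$name.$ext.tmp" "$dst/$name.$ext"
                log_line "$log" "INSTALLED $name.$ext sha256=$sum from $f"
            fi
            current=$((current + 1))
        done
    done
    if [ "$current" -eq 0 ]; then
        log_line "$log" "ERROR no database files found under $src"
        echo 0
        return 1
    fi
    # clamdscan --reload asks the running clamd to load the new databases;
    # nothing is logged if clamd is not running.
    if command -v clamdscan >/dev/null 2>&1; then
        clamdscan --reload >/dev/null 2>&1 && log_line "$log" "RELOAD clamd reloaded after update"
    fi
    echo "$current"
    return 0
}

# Run after mounting the disk (assumed paths):
# import_clamav_dbs /media/cdrom /var/lib/clamav /var/log/clamav/offline-update.log
```

The log then carries the record Phil wanted to show his users: one dated line per database, plus an explicit line whenever a file was rejected or nothing was found on the disk.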
Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
I know there are often issues when trying to scan a Windows partition from OS X, so that may be part of your problem. I always recommend my OS X users who run a Windows partition to scan it with ClamWIN which is a Windows GUI application for ClamAV. www.clamwin.com.

-Al

On Thu, Jul 23, 2015 at 11:15 AM, JD Ackle wrote:

> On Wed, 7/22/15, G.W. Haywood cla...@jubileegroup.co.uk wrote:
>
>> Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
>> To: clamav-users@lists.clamav.net
>> Date: Wednesday, July 22, 2015, 5:45 PM
>>
>> Hi there,
>>
>> On Wed, 22 Jul 2015, JD Ackle wrote:
>>
>>> I would like to know how can I remove Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE
>>
>> As others have said, you might have found a false positive. You need to find out if that is the case or not before you do anything else.
>>
>> If it is not a false positive but a real infection, then the ClamAV users' mailing list cannot really help you with your question. ClamAV tells you if it thinks that it has found something. It is up to you to decide what to do about it. You *can* choose to delete files if they are flagged by ClamAV, but in general that is not recommended; and as /Windows/System32/config/SOFTWARE is one of Windows' registry files, it will certainly damage your Windows installation if you delete it.
>>
>> There are many Internet help sites and similar which can help you with your question. Reading the rest of your message tells me that you need something. :)
>>
>> For self-help I personally recommend MalwareBytes Anti-Malware (MBAM). If you download it, be careful where you get it from. Some Websites have been seen to include malicious software with the download.
>
> Thank you for your advice, GW.
>
> I tried MBAM and it reported NO infections. However, the first run did crash the program, so I then used another tool provided by MBAM that stated that sometimes the main program may be prevented from running by viruses and that's what the other tool was meant to solve - it did run alright and reported no threats but...
>
> I then had Norton doing a scan and it found some tracking cookies in Firefox which is a tad odd on two accounts: 1) Norton had never complained about these before (but it might just be a new setting included with later updates...?) and 2) I have Firefox configured to Keep cookies until I close Firefox (which doesn't necessarily mean they are removed from the hard disk, maybe they'll just no longer be used again by Firefox after the program quits...?).
>
> Finally, I thought I might as well install the latest security update from Microsoft (which I was postponing for a couple days to have it installed on a clean(er) system).
>
> And then... the latest results from ClamAV run from Linux:
> - /Windows/System32/config/ (where the previously infected SOFTWARE file's located) is now CLEAN!
> - /pagefile.sys however is now clean of Docx.Exploit.CVE_2015_1770 but is reportedly infected by Exploit.Countdown on every Remove-said-file-from-within-Linux-Reboot_to_Windows-Reboot-to-Linux-and-run-ClamAV-again. I had actually forgotten about this report when I told the full story earlier. This positive was detected at the time I had the Tenga virus and it was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started being detected.
>
> I am currently doing a new full ClamAV scan of my Windows partition to try and check if something new comes up. Thus far only pagefile.sys was reported with said Exploit.Countdown and ... a few warning messages that don't reference any particular file have come up as well:
>
> LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
>
> (eight times thus far on the current scan, all of them before the pagefile.sys detection) I have no idea what that means but I've noticed it happens every time I run a scan on a Windows folder (i.e. on more than one file at a time) and never when scanning a Linux folder.
>
> Just telling all this on this list because I'm not that sure these are false positives at the moment - hence no point in submitting anything to that list... I will look for help elsewhere, probably will start off at Microsoft Answers. If something comes up which I think might be relevant to ClamAV, I'll reply back on this thread.
>
> Thanks to all that replied.
>
> J.D. Ackle
Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
On 7/23/2015 1:15 PM, JD Ackle wrote:

> On Wed, 7/22/15, G.W. Haywood cla...@jubileegroup.co.uk wrote:
>
>> Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
>> To: clamav-users@lists.clamav.net
>> Date: Wednesday, July 22, 2015, 5:45 PM
>>
>> Hi there,
>>
>> On Wed, 22 Jul 2015, JD Ackle wrote:
>>
>>> I would like to know how can I remove Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE
>>
>> As others have said, you might have found a false positive. You need to find out if that is the case or not before you do anything else.
>>
>> If it is not a false positive but a real infection, then the ClamAV users' mailing list cannot really help you with your question. ClamAV tells you if it thinks that it has found something. It is up to you to decide what to do about it. You *can* choose to delete files if they are flagged by ClamAV, but in general that is not recommended; and as /Windows/System32/config/SOFTWARE is one of Windows' registry files, it will certainly damage your Windows installation if you delete it.
>>
>> There are many Internet help sites and similar which can help you with your question. Reading the rest of your message tells me that you need something. :)
>>
>> For self-help I personally recommend MalwareBytes Anti-Malware (MBAM). If you download it, be careful where you get it from. Some Websites have been seen to include malicious software with the download.
>
> Thank you for your advice, GW.
>
> I tried MBAM and it reported NO infections. However, the first run did crash the program, so I then used another tool provided by MBAM that stated that sometimes the main program may be prevented from running by viruses and that's what the other tool was meant to solve - it did run alright and reported no threats but...
>
> I then had Norton doing a scan and it found some tracking cookies in Firefox which is a tad odd on two accounts: 1) Norton had never complained about these before (but it might just be a new setting included with later updates...?) and 2) I have Firefox configured to Keep cookies until I close Firefox (which doesn't necessarily mean they are removed from the hard disk, maybe they'll just no longer be used again by Firefox after the program quits...?).
>
> Finally, I thought I might as well install the latest security update from Microsoft (which I was postponing for a couple days to have it installed on a clean(er) system).
>
> And then... the latest results from ClamAV run from Linux:
> - /Windows/System32/config/ (where the previously infected SOFTWARE file's located) is now CLEAN!
> - /pagefile.sys however is now clean of Docx.Exploit.CVE_2015_1770 but is reportedly infected by Exploit.Countdown on every Remove-said-file-from-within-Linux-Reboot_to_Windows-Reboot-to-Linux-and-run-ClamAV-again. I had actually forgotten about this report when I told the full story earlier. This positive was detected at the time I had the Tenga virus and it was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started being detected.
>
> I am currently doing a new full ClamAV scan of my Windows partition to try and check if something new comes up. Thus far only pagefile.sys was reported with said Exploit.Countdown and ... a few warning messages that don't reference any particular file have come up as well:
>
> LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
>
> (eight times thus far on the current scan, all of them before the pagefile.sys detection) I have no idea what that means but I've noticed it happens every time I run a scan on a Windows folder (i.e. on more than one file at a time) and never when scanning a Linux folder.
>
> Just telling all this on this list because I'm not that sure these are false positives at the moment - hence no point in submitting anything to that list... I will look for help elsewhere, probably will start off at Microsoft Answers. If something comes up which I think might be relevant to ClamAV, I'll reply back on this thread.
>
> Thanks to all that replied.
>
> J.D. Ackle

Tracking cookies are exactly what they sound like, and are not an indicator of malware. You can remove them for privacy reasons.

pagefile.sys is basically a dump of random memory pages. The chance of a false positive when scanning random data is very high. It's likely safe to ignore anything reported here if there are no other indications of a problem.

I don't see any clear sign of infection here.

--
Noel Jones
Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
On Wed, 7/22/15, G.W. Haywood cla...@jubileegroup.co.uk wrote:

> Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
> To: clamav-users@lists.clamav.net
> Date: Wednesday, July 22, 2015, 5:45 PM
>
> Hi there,
>
> On Wed, 22 Jul 2015, JD Ackle wrote:
>
>> I would like to know how can I remove Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE
>
> As others have said, you might have found a false positive. You need to find out if that is the case or not before you do anything else.
>
> If it is not a false positive but a real infection, then the ClamAV users' mailing list cannot really help you with your question. ClamAV tells you if it thinks that it has found something. It is up to you to decide what to do about it. You *can* choose to delete files if they are flagged by ClamAV, but in general that is not recommended; and as /Windows/System32/config/SOFTWARE is one of Windows' registry files, it will certainly damage your Windows installation if you delete it.
>
> There are many Internet help sites and similar which can help you with your question. Reading the rest of your message tells me that you need something. :)
>
> For self-help I personally recommend MalwareBytes Anti-Malware (MBAM). If you download it, be careful where you get it from. Some Websites have been seen to include malicious software with the download.

Thank you for your advice, GW.

I tried MBAM and it reported NO infections. However, the first run did crash the program, so I then used another tool provided by MBAM that stated that sometimes the main program may be prevented from running by viruses and that's what the other tool was meant to solve - it did run alright and reported no threats but...

I then had Norton doing a scan and it found some tracking cookies in Firefox which is a tad odd on two accounts: 1) Norton had never complained about these before (but it might just be a new setting included with later updates...?) and 2) I have Firefox configured to Keep cookies until I close Firefox (which doesn't necessarily mean they are removed from the hard disk, maybe they'll just no longer be used again by Firefox after the program quits...?).

Finally, I thought I might as well install the latest security update from Microsoft (which I was postponing for a couple days to have it installed on a clean(er) system).

And then... the latest results from ClamAV run from Linux:
- /Windows/System32/config/ (where the previously infected SOFTWARE file's located) is now CLEAN!
- /pagefile.sys however is now clean of Docx.Exploit.CVE_2015_1770 but is reportedly infected by Exploit.Countdown on every Remove-said-file-from-within-Linux-Reboot_to_Windows-Reboot-to-Linux-and-run-ClamAV-again. I had actually forgotten about this report when I told the full story earlier. This positive was detected at the time I had the Tenga virus and it was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started being detected.

I am currently doing a new full ClamAV scan of my Windows partition to try and check if something new comes up. Thus far only pagefile.sys was reported with said Exploit.Countdown and ... a few warning messages that don't reference any particular file have come up as well:

LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total

(eight times thus far on the current scan, all of them before the pagefile.sys detection) I have no idea what that means but I've noticed it happens every time I run a scan on a Windows folder (i.e. on more than one file at a time) and never when scanning a Linux folder.

Just telling all this on this list because I'm not that sure these are false positives at the moment - hence no point in submitting anything to that list... I will look for help elsewhere, probably will start off at Microsoft Answers. If something comes up which I think might be relevant to ClamAV, I'll reply back on this thread.

Thanks to all that replied.

J.D. Ackle