Re: [clamav-users] feedback on Installing ClamAV instructions

2016-11-28 Thread Peter Bonivart
On Mon, Nov 28, 2016 at 6:56 PM, Joel Esler (jesler) wrote:
> There are a number of package maintainers for ClamAV on Solaris. The 
> installation method differs for each.
>
> I tried to figure out what this was saying a couple of times.
> I've decided that it's trying to say that there are a couple of
> competing packagings of ClamAV for Solaris. (Initially I thought it
> was trying to say that there are multiple package management systems
> for Solaris.)
>
> Assuming I'm right, it would be better to say "Multiple groups have
> packaged ClamAV for Solaris."
> OTOH, if it's trying to talk about competing package management
> systems, then, something like "There are a number of package
> management systems for Solaris, and thus packages of ClamAV."
>
> Would you like to download the latest virus pattern definitions during 
> installation ? (This requires that you have a direct connection to the 
> Internet. If you are behind a proxy server then skip this step.)
>
> It feels like this is missing a section heading. (perhaps it should be
> inside the block below?)
> There's also something odd with the *space* before the `?`
>
> The block itself /feels/ like output from one of the package
> management systems, if so, it probably should identify which one...

I think that the long (Solaris) install output is from Andy's packages
he produced for Citrus IT. I'm not sure they are available any more,
the output shows ClamAV 0.92 and I can't find anything about it on
Citrus IT's web site. If this section can't be verified I think it's
better to remove it since it doesn't help Solaris users, there's not
even a link there.

The section about OpenCSW is current though (I'm the maintainer).
We're at 0.99.2.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] feedback on Installing ClamAV instructions

2016-11-28 Thread Joel Esler (jesler)
This is fantastic feedback.  I’ve incorporated the fixes (and missing pages!) 
you’ve suggested below.

Much of this content was migrated from our wiki that we took offline years ago, 
and despite my review, I’ve obviously missed a few pages and links.

Always feel free to send this feedback in, or, more directly, a pull request 
into the clamav-faq on GitHub.
--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 22, 2016, at 10:36 PM, timeless wrote:

Hi. Please forgive this long critique of Installing ClamAV [1].

I actually wanted to send an email about an error path using old
versions of ClamAV, but the mailing list [2]
subscription rules said to read the faq first.

I'm aware that the FAQ has some relation to a github repository, some
problems I've identified stem from that original, and some are
specific to the clamav.net documents rendition.

Installing from source
Check Requirements [link: 
https://www.clamav.net/documents/installing-clamav#requirements]
Uninstall any old version, see UninstallClamAV [not a link!]

I can't find UninstallClamAV anywhere :/ -- note that it shouldn't be
part of the source since I haven't gotten the source

(Note: this isn’t essential, but removes sources of problems).
wget the source gzip file, see WhichVersion [not a link!]

The only "WhichVersion" I can find is
http://tomcat.apache.org/whichversion.html which is obviously not
relevant.

...
GMP [not a link!]: for digital signatures

I can't figure out what GMP is -- a google search for GMP + digital
signature is not fruitful

Debian has a  "gmp" package [3]:
GNU MP is a programmer's library for arbitrary precision
arithmetic (ie, a bignum package). It can operate on signed
integer, rational, and floating point numeric types.

I can't tell if this [4] is the right thing

You don’t necessarily need all packages. Please read ClamOverview [not a link!] 
carefully to understand which ones you need.

I can't find that anywhere either [5]

The line breaks for these are missing:
# apt-get update # apt-get install clamav
# yum install -y epel-release # yum install -y clamav
# yum install -y clamav clamav-update

There are a number of package maintainers for ClamAV on Solaris. The 
installation method differs for each.

I tried to figure out what this was saying a couple of times.
I've decided that it's trying to say that there are a couple of
competing packagings of ClamAV for Solaris. (Initially I thought it
was trying to say that there are multiple package management systems
for Solaris.)

Assuming I'm right, it would be better to say "Multiple groups have
packaged ClamAV for Solaris."
OTOH, if it's trying to talk about competing package management
systems, then, something like "There are a number of package
management systems for Solaris, and thus packages of ClamAV."

Would you like to download the latest virus pattern definitions during 
installation ? (This requires that you have a direct connection to the 
Internet. If you are behind a proxy server then skip this step.)

It feels like this is missing a section heading. (perhaps it should be
inside the block below?)
There's also something odd with the *space* before the `?`

The block itself /feels/ like output from one of the package
management systems, if so, it probably should identify which one...

Linuxpackages.net provides third-party precompiled 
packages for Slackware.
You can find them with this [not a link!] search query [not a link!] on that 
site.

Various Installation Guides for OSX can be found on the Internet, two that we 
have seen are:
http://www.gctv.ne.jp/~yokota/clamav/ 
https://gist.github.com/zhurui1008/4fdc875e557014c3a34e

It would be helpful if the two urls were on separate lines, possibly
in a bulleted list.
It would also be nice if the urls were links (they are when rendered
by github [6])

# /etc/rc.d/rc.clamav start # /etc/rc.d/rc.sendmail restart

here, even the github version is missing the line break

[1] https://www.clamav.net/documents/installing-clamav
[2] http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[3] 
https://anonscm.debian.org/viewvc/debian-science/packages/gmp/trunk/debian/control?view=markup
[4] http://gmplib.org/
[5] https://github.com/vrtadmin/clamav-faq/search?utf8=%E2%9C%93=ClamOverview
[6] 
https://github.com/vrtadmin/clamav-faq/blob/a2659f771f5d25af02fbdab9377c530add4135dc/faq/Installing.md



Re: [clamav-users] Bytecode Update [was:Many Empty Updates]

2016-11-28 Thread Joel Esler (jesler)
They have been added now, thanks Al for pointing this out to us.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 23, 2016, at 6:31 AM, Al Varnell wrote:

Although I didn't receive any feedback on this one, I did note that the 10/27
update is now included in bytecode.cvd/.cld and DNS, but the three signatures
from the 11/16 update to bytecode 285 still don't seem to have been added.

$ dig -t txt current.cvd.clamav.net +short
"0.99.2:57:22587:1479889740:1:63:45268:284"



-Al-

On Thu, Nov 17, 2016 at 09:32 AM, Al Varnell wrote:

Joel,

Also note that even though bytecode 284 was released on 10/27 and 285 on 11/16, 
bytecode.cvd is still at 283 as is the DNS:

$ dig -t txt current.cvd.clamav.net +short
"0.99.2:57:22552:1479385740:1:63:45246:283"

-Al-


Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-28 Thread Joel Esler (jesler)
When I say “disable an engine” I mean, disabling the conviction engine on my 
side that convicts those files.  It’s been turned off for several days now.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 23, 2016, at 6:23 AM, Al Varnell wrote:

Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the 
problem. It too was dropped in daily - 22584.

Also, Joel mentioned something about disabling an engine, but I don't really 
know how that is accomplished and whether it's reported to us as part of a 
daily.cdiff.

-Al-

On Wed, Nov 23, 2016 at 03:04 AM, Mark Allan wrote:

Thanks for dropping those 3, Joel, however there are still at least 24 
signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone 
has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark


On 22 Nov 2016, at 9:42 pm, Al Varnell wrote:

I see that Daily - 22584 drops three of them:

* Txt.Malware.Agent-1811885

* Txt.Malware.Agent-1835895

* Txt.Malware.Agent-1835897

-Al-

On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:

I am seeing these mostly on files that comprise the OpenLayers library in
phpMyAdmin 4.

On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) wrote:

Mark,

Thanks for the feedback, you are right, I am experiencing some high counts
in the Txt.Malware.Agent family.

I’ve disabled this engine for now.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 22, 2016, at 12:02 PM, Mark Allan wrote:

Hi all,

I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
containing a number of files which ClamAV incorrectly detects as various
strains of Txt.Malware.Agent

My experience may be slightly skewed, but it seems that the rate of FPs
has increased a lot lately, and they mostly appear to be being caused by
hash-based signatures.  I'm wondering if this is related to Joel's recent
admission that the signature generation process is almost entirely
automated now.

Is it possible that someone is targeting ClamAV and reporting known-clean
files as if they were infected?  To what end, I'm not sure, but I can't
shake the feeling that something's not right...

Mark


-Al-
--
Al Varnell
Mountain View, CA





-Al-
--
Al Varnell
Mountain View, CA




Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-28 Thread Joel Esler (jesler)
Mark,

Thanks.  I’ve set these to drop, so they should disappear in an upcoming 
release.

Not sure why they were convicted in the first place, I have safeguards that 
should have prevented this, I'll look into it.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 23, 2016, at 6:04 AM, Mark Allan wrote:

Thanks for dropping those 3, Joel, however there are still at least 24 
signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone 
has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark



Re: [clamav-users] Maximize availability during rule loading

2016-11-28 Thread Pierre Dehaen
Hi,

As this question comes back now and then (from me in the past as well), I have
a proposal IF you have enough RAM. On reload:
- start a second instance with a slightly different config file containing
  "LocalSocket .../clamd.sock.new"
- wait in the logs for "Database correctly reloaded"
- stop the first instance
- mv .../clamd.sock.new .../clamd.sock

I see some possible issues though:
- Other programs are connected to the original socket, but I suppose the socket
  will be deleted when the first instance stops, so the other parties will try to
  reconnect and then communicate with the new instance.
- The log file would be opened and updated by both instances. The LogFileUnlock
  option might be necessary, but then the messages from one might overwrite those
  from the other. So, if possible, the syslog could be used instead. Without the
  syslog I think it would be better to define a clamd.log.new for the second
  instance and rotate the log file after the first instance is stopped (clamd.log
  -> clamd.log.prev, clamd.log.new -> clamd.log, clamd.log.prev -> clamd.log.new).
  LogRotate might need to be disabled in the conf file and done outside of clamd.
- The PidFile should be disabled (both instances would be killed at service
  stop). Anyway, on my system the service stop procedure uses a "pkill -x $prog",
  which means it would not stop the "clamd --config ...clamd.conf.new" if it is
  running...
- If the database is not reloaded correctly both instances might remain up; we
  should wait for the message with a timeout.
- It would not work in TCPSocket mode, only in LocalSocket mode.

Do you think this would work? Of course you would temporarily need an
additional ~1GB of RAM...

Somehow I must say I don't much like this procedure: it's a bit tricky. I would
prefer to have 2 real service instances, each with its own configuration file,
one persistently enabled, the other not, as it would be enabled temporarily
during a db reload. But then I guess I would need 2 different socket, log and
pid files.

As I'm using mimedefang to connect to the socket I could maybe make it fail over
to the second socket in case the first one is not responding... I think it is a
matter of updating mimedefang-filter:
< my($code, $category, $action) = message_contains_virus();
--
> $ClamdSock = "/...first.sock";
> my($code, $category, $action) = message_contains_virus();
> if ($action eq "tempfail") {
>   $ClamdSock = "/...second.sock";
>   # plain assignment: a second my() here would create block-scoped
>   # variables and leave the outer $action stuck at "tempfail"
>   ($code, $category, $action) = message_contains_virus();
> }

The on-reload procedure would do:
- start a second service instance with its different config (socket, log, pid)
- wait in the log for "Database correctly reloaded"
- reload the first instance
- wait in the log for "Database correctly reloaded"
- stop the second instance

Thanks,
Pierre

On 20 Nov 2016 at 17:24, Charles Sprickman wrote:

Hi all,

I have two VMs running clamav and I monitor both with a simple nagios check (it
sends PING, waits for PONG). I have been getting quite a few notifications lately
after adding sane security and other 3rd party AV rulesets. Looking at the logs,
I see that my timeouts line up with the reloading messages:

Nov 20 16:39:02 spam-a clamd[1417]: Reading databases from /var/db/clamav
Nov 20 16:41:14 spam-a clamd[1417]: Database correctly reloaded (7986341 signatures)

I do have two servers, so if this is expected behavior, I'll just make nagios
less touchy and let the mail server just fail over to the other box. If not, what
can be done to maintain availability while the db reloads? I currently reload
every hour (based on clamd.conf), occasionally more often if there are new rules
detected by clamav-unofficial-sigs.

Thanks,

Charles
-- 
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet www.bway.net
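The parts of the procedure above that are easy to get wrong, as an added example (not code from clamd, nagios or mimedefang): the PING/PONG probe that Charles' check performs, the try-the-other-socket failover Pierre sketches for mimedefang, and the wait for "Database correctly reloaded" with a timeout, which Pierre notes is needed so that a failed reload does not leave you stopping the only working instance. The socket paths are hypothetical, the two log lines are the ones quoted from Charles' message, and `fake_clamd` is a constructed stand-in that answers PONG so the probe can be run without clamd.

```python
"""Probe clamd on its LocalSocket (the PING/PONG check Charles' nagios monitor
does), fall back to a second socket the way Pierre sketches for mimedefang,
and wait for "Database correctly reloaded" in the log with a timeout.
Added example; not code from clamd, nagios or mimedefang."""
import os
import socket
import tempfile
import threading
import time

RELOADED = b"Database correctly reloaded"


def clamd_ping(sock_path, timeout=2.0):
    """Send clamd's NUL-terminated zPING; True only on a PONG reply. Any OSError
    (no socket file, connection refused, timeout) means the instance is down."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            s.sendall(b"zPING\0")
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = s.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return False
    return reply.rstrip(b"\0\n") == b"PONG"


def first_live_clamd(sock_paths, timeout=2.0):
    """Failover: the first socket that answers PONG, or None when all are down."""
    for path in sock_paths:
        if clamd_ping(path, timeout):
            return path
    return None


def wait_for_reload(log_path, start_offset, timeout, poll=0.2,
                    clock=time.monotonic, sleep=time.sleep):
    """Poll the log from start_offset (its size before the reload was triggered)
    until RELOADED appears; False if the timeout expires first."""
    deadline = clock() + timeout
    while True:
        with open(log_path, "rb") as log:
            log.seek(start_offset)
            if RELOADED in log.read():
                return True
        if clock() >= deadline:
            return False
        sleep(poll)


def fake_clamd(sock_path, connections=1):
    """Constructed stand-in (not clamd): answers `connections` clients with PONG."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(4)

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.recv(64)
                conn.sendall(b"PONG\0")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def demo_failover():
    """Primary socket absent (old instance stopped); .new served by fake_clamd."""
    workdir = tempfile.mkdtemp(prefix="clamd-")
    primary = os.path.join(workdir, "clamd.sock")
    secondary = os.path.join(workdir, "clamd.sock.new")
    fake_clamd(secondary)
    try:
        primary_up = clamd_ping(primary, timeout=1.0)
        chosen = first_live_clamd([primary, secondary], timeout=1.0)
    finally:
        os.unlink(secondary)
        os.rmdir(workdir)
    return primary_up, chosen == secondary


def demo_reload_wait():
    """Log built from the two clamd lines quoted in the thread: the wait times
    out before the reload line is appended and succeeds once it is there."""
    log = tempfile.NamedTemporaryFile(delete=False, suffix=".log")
    log.write(b"Nov 20 16:39:02 spam-a clamd[1417]: Reading databases from /var/db/clamav\n")
    log.close()
    offset = os.path.getsize(log.name)
    ticks = iter([0.0, 1.0, 2.0])  # fake clock: the deadline is reached on the 3rd read
    timed_out = not wait_for_reload(log.name, offset, timeout=2.0,
                                    clock=lambda: next(ticks), sleep=lambda _s: None)
    with open(log.name, "ab") as f:
        f.write(b"Nov 20 16:41:14 spam-a clamd[1417]: Database correctly reloaded "
                b"(7986341 signatures)\n")
    seen = wait_for_reload(log.name, offset, timeout=2.0)
    os.unlink(log.name)
    return timed_out, seen
```

`wait_for_reload` takes the log's size from before the reload is triggered as its start offset, so a "Database correctly reloaded" line left over from an earlier reload cannot satisfy it. In a real reload script, `False` from that call is the signal to leave the first instance running and alert, not to continue with the stop and the socket rename.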






Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Paul Kosinski
Of course, if anybody is able to find out what the magic filename is,
they could mount a targeted attack.

How are the PDFs generated? Would it be possible to attach a
cryptographic signature to attest to their validity? (That would
probably require an additional step on receipt as well as transmission
to indicate they were OK in spite of ClamAV's red flag.)


On Mon, 28 Nov 2016 14:28:11 -
"Steve Basford" wrote:

> 
> On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote:
> > Hello,
> >
> >
> > Is there any way to whitelist a file based on its signature *and*
> > its filename?
> >
> Not that I know of...
> 
> I guess this *might* be an option.
> 
> 1.  Find something common in your pdf you want to "whitelist", say
> "Your company name or department", convert this to hex.
> 
> 2. Create an ign2 file to ignore the normal PUA file.
> 
> 3. Create an ldb sig, which should do the same as the current PUA
> BUT you are creating a whitelist "phrase".
> 
> eg:
> 
> Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30
> 
> eg:
> 
> This is the hex for your phrase:
> 41646F6265204C6976654379636C652044657369676E65722045532031302E30 =
> "Adobe LiveCycle Designer ES 10.0"
> 
> So, if the pdf contains "Javascript" and "Adobe LiveCycle Designer ES
> 10.0" it won't get hit... all other PDFs with Javascript will get
> blocked.
> 
> Not ideal but at least it should work.
> 


Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Steve Basford

On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote:
> Hello,
>
>
> Is there any way to whitelist a file based on its signature *and* its
> filename?
>
Not that I know of...

I guess this *might* be an option.

1.  Find something common in your pdf you want to "whitelist", say "Your
company name or department", convert this to hex.

2. Create an ign2 file to ignore the normal PUA file.

3. Create an ldb sig, which should do the same as the current PUA
BUT you are creating a whitelist "phrase".

eg:

Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30

eg:

This is the hex for your phrase:
41646F6265204C6976654379636C652044657369676E65722045532031302E30 =
"Adobe LiveCycle Designer ES 10.0"

So, if the pdf contains "Javascript" and "Adobe LiveCycle Designer ES
10.0" it won't get hit... all other PDFs with Javascript will get
blocked.

Not ideal but at least it should work.

-- 
Cheers,

Steve
Twitter: @sanesecurity
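The three steps above worked through in code, as an added example that is not Steve's or ClamAV's code: it hex-encodes the phrase, assembles the same Local.PUA.Script.PDF.EmbeddedJavaScript line, and checks the (0&1=0) logic (subsignature 0, the embedded-JavaScript pattern, must hit; subsignature 1, the phrase, must hit zero times) on constructed PDF-like byte strings. The matcher is a small regex approximation of ClamAV's hex, `*`, `{-n}` and `(aa|bb)` subsignature syntax, not libclamav, so it is there to reason about the logic; the real signature still has to be verified with clamscan. The caveat Paul Kosinski raises about the filename idea applies here too: the phrase is a suppression, so any PDF that carries it, malicious or not, is not flagged by this signature.

```python
"""Worked version of the three steps: hex-encode a phrase, build the logical
(.ldb) signature, and exercise its (0&1=0) logic on constructed PDFs.
Added example; the line is assembled as posted, but the matcher is a regex
approximation of ClamAV's subsignature syntax, not libclamav."""
import re

PHRASE = "Adobe LiveCycle Designer ES 10.0"        # phrase from Steve's post
SIG_NAME = "Local.PUA.Script.PDF.EmbeddedJavaScript"
IGN2_LINE = "PUA.Script.PDF.EmbeddedJavaScript"    # step 2: one name per line in a .ign2 file
# %PDF- ... obj {0-2 bytes} << {0-100 bytes} /JavaScript then ' ', '(' or '<'
JS_SUBSIG = "255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)"


def clamav_hex(text):
    """Step 1: ASCII phrase -> hex (case does not matter in signature bodies)."""
    return text.encode("ascii").hex()


def build_ldb(name=SIG_NAME, phrase=PHRASE, engine="51-255", target=0):
    """Step 3: (0&1=0) = subsig 0 must match and subsig 1 must match zero times."""
    return ";".join([name, "Engine:%s,Target:%d" % (engine, target),
                     "(0&1=0)", JS_SUBSIG, clamav_hex(phrase)])


def subsig_to_regex(subsig):
    """Approximate hex pairs, '*', '{-n}' and '(aa|bb)' with a bytes regex."""
    parts = []
    token = re.compile(r"\{-(\d+)\}|\*|\(([0-9a-fA-F|]+)\)|([0-9a-fA-F]{2})")
    for tok in token.finditer(subsig):
        if tok.group(1):                            # {-n}: at most n arbitrary bytes
            parts.append(".{0,%s}" % tok.group(1))
        elif tok.group(0) == "*":                   # *: any number of bytes
            parts.append(".*?")
        elif tok.group(2):                          # (aa|bb): one of these bytes
            alts = [re.escape(bytes.fromhex(a).decode("latin-1"))
                    for a in tok.group(2).split("|")]
            parts.append("(?:%s)" % "|".join(alts))
        else:                                       # literal byte
            parts.append(re.escape(bytes.fromhex(tok.group(3)).decode("latin-1")))
    return re.compile("".join(parts).encode("latin-1"), re.DOTALL)


def matches_whitelist_sig(pdf_bytes, phrase=PHRASE):
    """True (the PDF would be flagged) only if the JavaScript pattern hits and
    the phrase occurs zero times; a PDF carrying the phrase is never flagged."""
    js_hit = subsig_to_regex(JS_SUBSIG).search(pdf_bytes) is not None
    phrase_hits = pdf_bytes.count(bytes.fromhex(clamav_hex(phrase)))
    return js_hit and phrase_hits == 0


def make_pdf(with_js, with_phrase):
    """Constructed minimal PDF-like byte strings; not real files from the list."""
    pdf = b"%PDF-1.7\n"
    if with_phrase:
        pdf += b"1 0 obj\n<< /Creator (" + PHRASE.encode("ascii") + b") >>\nendobj\n"
    pdf += b"2 0 obj\n<< /Type /Catalog"
    if with_js:
        pdf += b" /OpenAction << /S /JavaScript /JS (app.alert(1)) >>"
    return pdf + b" >>\nendobj\n%%EOF\n"


if __name__ == "__main__":
    print(build_ldb())
    for js, phrase in ((True, False), (True, True), (False, False)):
        verdict = "flagged" if matches_whitelist_sig(make_pdf(js, phrase)) else "clean"
        print("javascript=%s phrase=%s -> %s" % (js, phrase, verdict))
```

Put the generated line in a file ending in .ldb and the ign2 entry in one ending in .ign2 in the database directory (or hand both to clamscan with -d), then scan a known-good form and a PDF that has JavaScript but not the phrase to confirm the first passes and the second is still reported.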



[clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Mathieu D.
Hello,

Is there any way to whitelist a file based on its signature *and* its 
filename?

My case is about a legit PDF file embedding JavaScript sent by users by email. 
Its signature is "PUA.Script.PDF.EmbeddedJavaScript", but its MD5 hash is 
always different (probably because users are saving form data inside).

I am aware of the ".ign2" file to list signatures to ignore:
https://www.clamav.net/documents/how-do-i-ignore-whitelist-a-clamav-signature

But I am afraid it would also whitelist real ransomware or viruses embedded into 
PDF files, which is way too dangerous. Therefore I would like to reduce its 
scope; I can only think of adding the file name, which in my case should almost 
always be the same (the MD5 and file size are always different).

Maybe using the ".fp" file could help, if only it did not require the MD5 
hash and the filesize:
http://pig.made-it.com/clamav.html

Thanks,
-- 
Mathieu



Re: [clamav-users] TTL of DNS recode

2016-11-28 Thread Simon Hobson
Tsutomu Oyamada wrote:

> Our environment is a local mirror.
> However, it does not matter.
> 
> I wanted to know if there is a case where the DNS TXT of ClamAV has
> not been updated for a few days.
> Could it be possible?
> Is this issue caused by a problem in our environment of querying DNS?
> The daily.cvd is updated in real time now.
> Could this issue happen when freshclam tries to query DNS?

Given that no-one else has seen the same issue, it was most likely a problem 
local to you. It is unlikely that any of us could guess what that problem was 
given that we can't see your systems.



Re: [clamav-users] TTL of DNS recode

2016-11-28 Thread Tsutomu Oyamada
Our environment is a local mirror.
However, it does not matter.

I wanted to know if there is a case where the DNS TXT of ClamAV has
not been updated for a few days.
Could it be possible?
Is this issue caused by a problem in our environment of querying DNS?
The daily.cvd is updated in real time now.
Could this issue happen when freshclam tries to query DNS?

On Fri, 25 Nov 2016 02:20:16 -0800
Al Varnell wrote:

> Was this freshclam log the result of checking your local mirror or a ClamAV 
> mirror?  My guess would be that your local mirror was not up-to-date at the 
> time you ran freshclam from a client computer on your local network.
> 
> -Al-
> 
> On Fri, Nov 25, 2016 at 01:57 AM, Tsutomu Oyamada wrote:
> > 
> > Sorry, 
> > 
> > The part of freshclam log is as follows;
> > 
> > ClamAV update process started at Sat Nov  5 05:01:15 2016
> > Using IPv6 aware code
> > Querying current.cvd.clamav.net
> > TTL: 1797
> > Software version from DNS: 0.99.2
> > main.cvd version from DNS: 57
> > main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhamner)
> > daily.cvd version from DNS: 22473
> > 
> > This log shows that freshclam was started at 5:01 of 5th Nov. and the 
> > result of querying DNS was "daily.cvd version: 22473".
> > According to the mail [clamav-virusdb] which is sent daily, the daily.cvd 
> > version should be 22479 at 5:01 of 5th Nov.
> > 
> > We want to know why freshclam cannot get the latest daily.cvd version.
> > Is this difference of daily.cvd version caused by cache of DNS?
> > 
> > 
> > On Thu, 24 Nov 2016 10:05:13 +
> > Simon Hobson wrote:
> > 
> >> I realise English is not your main language and this is probably very 
> >> difficult for you to explain in what is to you a foreign language, but I 
> >> don't think we are able to figure out just what is not working ...
> >> 
> >> Tsutomu Oyamada wrote:
> >> 
> >>> In the present situation fail.
> >> 
> >> What is failing ?
> >> 
> >> Does your local mirror update ?
> >> If not, post logs from freshclam showing the failures to update.
> >> Also post your freshclam config.
> >> 
> >> If your local mirror does update, then we assume your local clients are 
> >> failing to update from your mirror.
> >> If that is the case, post the freshclam logs from a failing client, and 
> >> it's config.
> >> 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 
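The TXT record quoted with dig in the Bytecode Update thread above and the DNS-versus-local mismatch in the freshclam log in this thread are the same record format, so one added example (not freshclam's code) serves both: it parses the colon-separated fields freshclam reads (software version, main, daily, a timestamp, bytecode; the other positions are left alone), reports which local databases lag the DNS record, and applies the same 3-hour age check freshclam performs on the timestamp field. The two records are the ones Al Varnell posted; the local version numbers used below are constructed from the thread (daily 22473 from the freshclam log, bytecode 283 from the Nov 17 record).

```python
"""Decode the current.cvd.clamav.net TXT record freshclam queries and compare it
with the database versions installed locally. Added example, not freshclam code;
the field positions are the ones freshclam reads (0 software, 1 main, 2 daily,
3 timestamp, 7 bytecode) and the 3-hour age threshold is freshclam's own."""
import time

# The two records quoted in the Bytecode Update thread (dig -t txt ... +short)
RECORD_NOV17 = '"0.99.2:57:22552:1479385740:1:63:45246:283"'
RECORD_NOV23 = '"0.99.2:57:22587:1479889740:1:63:45268:284"'

FIELDS = {"software": 0, "main": 1, "daily": 2, "timestamp": 3, "bytecode": 7}
MAX_RECORD_AGE = 3 * 3600   # freshclam: "DNS record is older than 3 hours"


def parse_txt(record):
    """Split the record (quotes as printed by dig are tolerated) into named fields."""
    parts = record.strip().strip('"').split(":")
    if len(parts) < 8:
        raise ValueError("unexpected TXT record: %r" % record)
    out = {"software": parts[FIELDS["software"]]}
    for name in ("main", "daily", "timestamp", "bytecode"):
        out[name] = int(parts[FIELDS[name]])
    return out


def record_age(record, now=None):
    """Seconds between the record's timestamp field and `now` (default: wall clock)."""
    now = time.time() if now is None else now
    return now - parse_txt(record)["timestamp"]


def is_stale(record, now=None, max_age=MAX_RECORD_AGE):
    """True when the record is older than the threshold: either the zone is not
    being refreshed or a resolver in between keeps serving an old copy."""
    return record_age(record, now) > max_age


def outdated_databases(record, local_versions):
    """Databases whose DNS version is newer than the local one (local versions
    come from `sigtool --info=daily.cld` or the freshclam log); order follows
    local_versions."""
    dns = parse_txt(record)
    return [db for db, local in local_versions.items() if dns[db] > local]


def check(record, local_versions, now=None):
    """Summary a monitoring job can act on: (record stale?, databases to update)."""
    return is_stale(record, now), outdated_databases(record, local_versions)


if __name__ == "__main__":
    local = {"main": 57, "daily": 22473, "bytecode": 283}   # constructed from the thread
    for rec in (RECORD_NOV17, RECORD_NOV23):
        print(parse_txt(rec), check(rec, local, now=parse_txt(rec)["timestamp"] + 600))
```

Against the Nov 23 record the constructed local versions come back with daily and bytecode outdated, which matches what the two threads observe. A stale timestamp means the copy you are looking at is old, whether because the zone was not refreshed or because a resolver on the path is still serving a cached answer; querying the authoritative servers for clamav.net directly is what tells those two cases apart.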

