Re: [clamav-users] ClamTK quarantine
Translation from Italian:

Hello, I'm using ClamTK on Linux Mint. It always finds some PUAs. I analyze them and put some in quarantine or send them to be examined.
1) When and where do I receive the analysis of the files sent?
2) Do I keep those in quarantine there permanently, or is it advisable to do something? And what?
Thank you

Roberto Mazzini
Giolli coop
-
Giolli Società Cooperativa Sociale
Permanent centre for theatrical research and experimentation on the Boal and Freire methods
Via Chiesa, 12
43022 Montechiarugolo (PR)
fax: 0521-686385
e-mail: segrete...@giollicoop.it
web: www.giollicoop.it
FaceBook: CooperativaGiolli

Sent from my iPad

-Al-
ClamXAV User

> On Nov 13, 2018, at 09:51, Roberto Mazzini wrote:
>
> Hello
>
> I'm using ClamTK on Linux Mint.
>
> It always finds some PUAs.
>
> I analyze them and put some in quarantine or send them to be examined.
>
> 1) When and where do I receive the analysis of the files I sent?
>
> 2) Do I keep the quarantined ones there permanently, or is it advisable to do something? And what?
>
> Thanks
>
> Roberto Mazzini
>
> Giolli coop
>
> --
> Giolli Società Cooperativa Sociale
> Permanent centre for theatrical research and experimentation
> on the Boal and Freire methods
> Via Chiesa, 12
> 43022 Montechiarugolo (PR)
> telefax: 0521-686385
> e-mail: segrete...@giollicoop.it
> web: www.giollicoop.it
> FaceBook: CooperativaGiolli

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Strange behaviors about syslog on Debian
On November 13, 2018 10:28:27 PM UTC, Yasuhiro KIMURA wrote:
> Hello,
>
> I use ClamAV 0.100.2 on Debian 9.6. Everything works fine with virus scanning. But when looking at syslog I found 2 strange behaviors.
>
> 1. Messages are written to syslog even if LogSyslog is false.
>
> On Debian LogSyslog is set to false in both clamd.conf and freshclam.conf. But there are messages from clamd and freshclam in /var/log/syslog.
>
> 2. The message itself includes a timestamp.
>
> I also use ClamAV 0.100.2 on FreeBSD 11.2-RELEASE. On FreeBSD LogSyslog is set to true and messages such as the following are written to syslog.
>
> Nov 14 06:51:30 freebsd-server freshclam[761]: Received signal: wake up
> Nov 14 06:51:30 freebsd-server freshclam[761]: ClamAV update process started at Wed Nov 14 06:51:30 2018
> Nov 14 06:51:30 freebsd-server freshclam[761]: main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> Nov 14 06:51:30 freebsd-server freshclam[761]: daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
> Nov 14 06:51:30 freebsd-server freshclam[761]: bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
> Nov 14 06:51:30 freebsd-server freshclam[761]: --
> Nov 14 06:53:22 freebsd-server clamd[754]: SelfCheck: Database status OK.
>
> But on Debian the message format is different from that of FreeBSD.
>
> Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> Received signal: wake up
> Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> ClamAV update process started at Wed Nov 14 06:26:54 2018
> Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
> Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
> Nov 14 06:27:06 debian-server clamd[559]: Wed Nov 14 06:27:06 2018 -> SelfCheck: Database status OK.
>
> It includes the timestamp inside the message itself.
>
> Then my question is, which of the following categories do these behaviors fall into?
>
> a. Expected and proper behavior.
> b. Bug in ClamAV itself.
> c. Result of customization by Debian.
> d. Bug in the package that should be reported to the Debian package maintainer.

Assuming you haven't made an effort to select sys v init on the Debian system, it's running using systemd. FreeBSD is presumably using sys v. Systemd includes a logging component that probably explains the difference.

My guess is a., but almost certainly not b. or c.

Scott K
[clamav-users] Strange behaviors about syslog on Debian
Hello,

I use ClamAV 0.100.2 on Debian 9.6. Everything works fine with virus scanning. But when looking at syslog I found 2 strange behaviors.

1. Messages are written to syslog even if LogSyslog is false.

On Debian LogSyslog is set to false in both clamd.conf and freshclam.conf. But there are messages from clamd and freshclam in /var/log/syslog.

2. The message itself includes a timestamp.

I also use ClamAV 0.100.2 on FreeBSD 11.2-RELEASE. On FreeBSD LogSyslog is set to true and messages such as the following are written to syslog.

Nov 14 06:51:30 freebsd-server freshclam[761]: Received signal: wake up
Nov 14 06:51:30 freebsd-server freshclam[761]: ClamAV update process started at Wed Nov 14 06:51:30 2018
Nov 14 06:51:30 freebsd-server freshclam[761]: main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 06:51:30 freebsd-server freshclam[761]: daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
Nov 14 06:51:30 freebsd-server freshclam[761]: bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Nov 14 06:51:30 freebsd-server freshclam[761]: --
Nov 14 06:53:22 freebsd-server clamd[754]: SelfCheck: Database status OK.

But on Debian the message format is different from that of FreeBSD.

Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> Received signal: wake up
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> ClamAV update process started at Wed Nov 14 06:26:54 2018
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> daily.cld is up to date (version: 25117, sigs: 2150146, f-level: 63, builder: neo)
Nov 14 06:26:54 debian-server freshclam[504]: Wed Nov 14 06:26:54 2018 -> bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Nov 14 06:27:06 debian-server clamd[559]: Wed Nov 14 06:27:06 2018 -> SelfCheck: Database status OK.

It includes the timestamp inside the message itself.

Then my question is, which of the following categories do these behaviors fall into?

a. Expected and proper behavior.
b. Bug in ClamAV itself.
c. Result of customization by Debian.
d. Bug in the package that should be reported to the Debian package maintainer.

Best Regards.

---
Yasuhiro KIMURA
[clamav-users] Fwd: Amavisd.conf
-
Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers

Begin forwarded message:
>
> Has the Amavisd.conf config file remained constant through Amavis-new?
> Is there the latest example version somewhere if it has had changes?
> Thanks
> Robert
Re: [clamav-users] ClamAV mirrors have gotten worse!
"Why are you looking at October reports?"

It was the first one. And it also shows that the problem began *before* 0.100.1 was deemed OUTDATED.

So, here's one from this morning. I also have 4 from yesterday, 3 from Sunday Nov 11 etc. Posting them all would be a bit tedious.

-- Tuesday 13 November 2018 at 10:33:01 --
/opt/clamav/bin/testclam-external --> UPD D 25117/25117/25116 B 327/327/327 M 58/58/58
/opt/clamav/bin/freshclam -v --stdout --on-update-execute=EXIT_1
Current working dir is /opt/clamav.d/clamav.0.100.1/share/clamav
Max retries == 1
ClamAV update process started at Tue Nov 13 10:33:02 2018
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1799
Software version from DNS: 0.100.2
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.1 Recommended version: 0.100.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd version from DNS: 58
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd version from DNS: 25117
Retrieving http://database.clamav.net/daily.cvd
Using ip '10.11.14.160' for fetching.
Trying to download http://database.clamav.net/daily.cvd (IP: 104.16.189.138)
Downloading daily.cvd [100%]
WARNING: Mirror 104.16.189.138 is not synchronized.
Querying daily.0.92.0.0.6810BD8A.ping.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /opt/clamav.d/clamav.0.100.1/etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.

/opt/clamav/bin/freshclam --list-mirrors
Mirror #1
IP: 104.16.187.138
Successes: 79
Failures: 7
Last access: Mon Nov 12 19:03:04 2018
Ignore: No
-
Mirror #2
IP: 104.16.189.138
Successes: 87
Failures: 7
Last access: Tue Nov 13 10:33:07 2018
Ignore: Yes
-
Mirror #3
IP: 104.16.188.138
Successes: 86
Failures: 6
Last access: Tue Nov 13 02:03:06 2018
Ignore: No
-
Mirror #4
IP: 104.16.185.138
Successes: 88
Failures: 6
Last access: Mon Nov 12 18:03:07 2018
Ignore: Yes
-
Mirror #5
IP: 104.16.186.138
Successes: 79
Failures: 7
Last access: Sun Nov 11 09:33:04 2018
Ignore: No
-- Tuesday 13 November 2018 at 10:33:08 --

On Tue, 13 Nov 2018 09:49:54 -0800
Dennis Peterson wrote:

> On 11/12/18 6:28 PM, Paul Kosinski wrote:
> > As some of you may remember, I "solved" the problems of the
> > Cloudflare mirrors being out of sync by not relying on what version
> > the DNS TXT record reports, but double checking it by retrieving
> > the head of the CVD file via curl.
>
> Why are you looking at October reports?
>
> dp
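An added check of the kind Paul describes (example code written for this page, not from the thread or from ClamAV): fetch only the 512-byte header of a CVD from a mirror and compare its version field with the version the DNS TXT record announced, instead of trusting the DNS answer alone. It assumes the ClamAV-VDB header layout (colon-separated creation time, version, signature count, f-level, MD5, digital signature, builder, space-padded to 512 bytes); the sample header below is constructed, and fetch_cvd_header is the only part that touches the network.

```python
"""Check a ClamAV mirror's daily.cvd version against what DNS advertised."""
import urllib.request

CVD_HEADER_LEN = 512  # fixed-size header at the start of every .cvd/.cld


def parse_cvd_header(head: bytes) -> dict:
    """Split the ClamAV-VDB header into its named fields (layout assumed, see lead-in)."""
    if len(head) < CVD_HEADER_LEN or not head.startswith(b"ClamAV-VDB:"):
        raise ValueError("not a ClamAV database header")
    fields = head[:CVD_HEADER_LEN].decode("ascii", "replace").rstrip(" \0").split(":")
    if len(fields) < 8:
        raise ValueError("truncated CVD header")
    return {
        "created": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "builder": fields[7],
    }


def fetch_cvd_header(url: str, timeout: float = 10.0) -> bytes:
    """Same idea as `curl -r 0-511 URL`: request only the header bytes, not the whole DB."""
    req = urllib.request.Request(url, headers={"Range": f"bytes=0-{CVD_HEADER_LEN - 1}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read(CVD_HEADER_LEN)


def mirror_is_synchronized(head: bytes, dns_version: int) -> bool:
    """True when the mirror serves at least the version the DNS TXT record reported."""
    return parse_cvd_header(head)["version"] >= dns_version


# Constructed sample: a mirror still serving daily.cvd 25116 while DNS reports 25117
# (the situation freshclam flagged above as "Mirror ... is not synchronized").
SAMPLE_HEAD = (b"ClamAV-VDB:13 Nov 2018 08-33 -0500:25116:2150100:63:"
               b"d41d8cd98f00b204e9800998ecf8427e:dsig-placeholder:neo:1542115980"
               ).ljust(CVD_HEADER_LEN, b" ")

if __name__ == "__main__":
    info = parse_cvd_header(SAMPLE_HEAD)
    print(f"mirror daily.cvd version {info['version']} (sigs {info['sigs']}, builder {info['builder']})")
    print("synchronized" if mirror_is_synchronized(SAMPLE_HEAD, 25117) else "NOT synchronized")
```

Against a live mirror, pass `fetch_cvd_header("http://database.clamav.net/daily.cvd")` to `mirror_is_synchronized` together with the daily version from the TXT record; a mirror that ignores the Range header still returns a body whose first 512 bytes parse the same way.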
Re: [clamav-users] ClamAV mirrors have gotten worse!
On 11/12/18 6:28 PM, Paul Kosinski wrote:
> As some of you may remember, I "solved" the problems of the Cloudflare mirrors being out of sync by not relying on what version the DNS TXT record reports, but double checking it by retrieving the head of the CVD file via curl.

Why are you looking at October reports?

dp
Re: [clamav-users] Information regarding Win.Downloader.DDECmdExec-6715271-0
Dominique Sarrazin wrote:
> Hi everyone,
>
> On October 26th, ClamAV's signature database was updated with the addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find any information despite my thorough research.

sigtool --find-sigs [sig name] | sigtool --decode-sigs will at least tell you what it's matching on, assuming it's an active signature. I don't seem to have that particular signature on any system I manage, so either it's third-party or it was dropped at some point. The closest matches on that sig name that I have are Win.Downloader.DDEObfuscatedCmdExec-6715127-0 and Win.Downloader.DDEObfuscatedCmdExec-6715128-0.

> Since that update, ClamAV has reported that many tables in our MySQL are susceptible to this vulnerability. I would simply like to know the details of this vulnerability and how to identify it in our database.

Scanning the filesystem storage for any DBMS is almost certainly a waste of time and likely to lead to all kinds of bizarre false positives. If you really need to scan the content, scan things before inserting, or do a periodic "retrieve-and-scan" process if you're worried about zero-day malware that might not have had a signature when it was inserted.

-kgd
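One way to do the "scan before inserting" that kgd recommends, as an added example (written for this page, not code from the thread or from ClamAV): hand the content to clamd over its INSTREAM command and only insert when the verdict is OK, so the database files themselves never need scanning. It assumes clamd listening on a UNIX socket (the path is a placeholder) and the INSTREAM wire format: the command "zINSTREAM\0", then chunks each prefixed by a 4-byte big-endian length, ended by a zero-length chunk; clamd answers "stream: OK\0" or "stream: <name> FOUND\0".

```python
"""Scan a payload with clamd (INSTREAM) before it goes into the database."""
import socket
import struct

CLAMD_SOCKET = "/run/clamav/clamd.ctl"  # placeholder; use the LocalSocket from clamd.conf
CHUNK = 8192                            # chunk size; clamd accepts any size within StreamMaxLength


def instream_frames(payload: bytes, chunk: int = CHUNK):
    """Yield the exact bytes clamd expects for an INSTREAM scan of payload."""
    yield b"zINSTREAM\0"
    for i in range(0, len(payload), chunk):
        piece = payload[i:i + chunk]
        yield struct.pack(">I", len(piece)) + piece   # big-endian length prefix, then data
    yield struct.pack(">I", 0)                        # zero-length chunk terminates the stream


def parse_instream_reply(reply: bytes) -> tuple:
    """Return (is_clean, detail) from a clamd reply such as b'stream: OK\\0'
    or b'stream: Eicar-Test-Signature FOUND\\0'; anything else is treated as a failure."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    if text.endswith(" OK"):
        return True, None
    if text.endswith(" FOUND"):
        return False, text[len("stream: "):-len(" FOUND")]
    return False, f"clamd error: {text}"   # e.g. 'INSTREAM size limit exceeded. ERROR'


def scan_before_insert(payload: bytes, sock_path: str = CLAMD_SOCKET) -> tuple:
    """Stream payload to clamd; the caller inserts only when is_clean is True."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for frame in instream_frames(payload):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):   # z-commands are answered with a NUL-terminated line
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return parse_instream_reply(reply)


if __name__ == "__main__":
    # Constructed input: the frames for a 20000-byte blob, shown without a live clamd.
    frames = list(instream_frames(b"A" * 20000))
    print(f"{len(frames)} frames, first data frame length prefix {frames[1][:4].hex()}")
    print(parse_instream_reply(b"stream: Eicar-Test-Signature FOUND\0"))
```

A size-limit or other ERROR reply is deliberately treated as "not clean" so that a clamd misconfiguration fails closed rather than letting unscanned content through.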
[clamav-users] ClamTK quarantine
Hello

I'm using ClamTK on Linux Mint.

It always finds some PUAs.

I analyze them and put some in quarantine or send them to be examined.

1) When and where do I receive the analysis of the files I sent?

2) Do I keep the quarantined ones there permanently, or is it advisable to do something? And what?

Thanks

Roberto Mazzini

Giolli coop

--
Giolli Società Cooperativa Sociale
Permanent centre for theatrical research and experimentation
on the Boal and Freire methods
Via Chiesa, 12
43022 Montechiarugolo (PR)
telefax: 0521-686385
e-mail: segrete...@giollicoop.it
web: www.giollicoop.it
FaceBook: CooperativaGiolli

_

Confidentiality Notice: This message, together with its annexes, contains information to be deemed strictly confidential and is destined only to the addressee(s) identified above, who alone may use, copy and, under their responsibility, further disseminate it. Anyone who received this message by mistake or reads it without entitlement is forewarned that keeping, copying, disseminating or distributing this message to persons other than the addressee(s) is strictly forbidden, and is asked to transmit it immediately to the sender and to erase the original message received.