Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
Sorry, it appears I was looking in the wrong place. I now believe that ScanMail 
defaults to "Yes".

Sent from my iPad

-Al-

On Dec 7, 2018, at 16:39, Al Varnell wrote:
> Do you have ScanMail enabled? It defaults to not enabled.
> 
> Sent from my iPad
> 
> -Al-
> 
>> On Dec 7, 2018, at 04:47, Sunny Marwah wrote:
>> 
>> Hi Al Varnell,
>> 
>> Below is the URL which was mentioned in HTML template :
>> 
>> https://gokdenizhealthtourism.com/js/logo2.gif
>> 
>> Chrome doesn't open it because it labels it dangerous as per "Safebrowsing". 
>> Then why is ClamAV not able to identify it when the "Safebrowsing" option is 
>> already enabled?
>> 
>> Looking to hear from you on this.
>> 
>> Regards
>> Sunny
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
Do you have ScanMail enabled? It defaults to not enabled.

Sent from my iPad

-Al-

> On Dec 7, 2018, at 04:47, Sunny Marwah wrote:
> 
> Hi Al Varnell,
> 
> Below is the URL which was mentioned in HTML template :
> 
> https://gokdenizhealthtourism.com/js/logo2.gif
> 
> Chrome doesn't open it because it labels it dangerous as per "Safebrowsing". 
> Then why is ClamAV not able to identify it when the "Safebrowsing" option is 
> already enabled?
> 
> Looking to hear from you on this.
> 
> Regards
> Sunny


Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-07 Thread Eric Tykwinski
This is getting rather technical, and probably some of CloudFlare’s secret 
sauce.
It sounds like the anycast DNS that cloudflare hosts isn’t really working, or 
at least I would assume that they are using anycast.

So you query current.cvd.clamav.net but are getting different results at IAD 
and BOS. Next is the inclusion of Comcast, which may be (and probably is) 
caching DNS records beyond normal TTLs, which could cause the difference. I 
personally always run an Unbound cache server on my mailserver networks to cache 
DNS for at least an hour for RBLs that I'm not rsyncing, but that could cause an 
issue with Microsoft's wonderful 10 second MX records. So that's where I've run 
into this issue, but not often enough, since I'm just caching for an hour and 
probably MS expects it.

So my guess is that it's probably not anycast, but a caching DNS server that is 
still giving out older records.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Dec 7, 2018, at 6:20 PM, Paul Kosinski wrote:
> 
> As some of you may be aware, ever since ClamAV began using Cloudflare,
> we have seen many occasions when files like daily.cvd were not
> available to our LAN until well after the DNS TXT record implied they
> should be.
> 
> However, we discovered that these same files *are* available to our
> Web/email server right away. So what is the difference? The first
> difference is that our Web server (a VM) is offsite, and is served by
> the "IAD" Cloudflare complex, whereas our local setup is served by the
> "BOS" Cloudflare complex.
> 
> The second, and likely explanatory difference, is that our local setup
> is connected via Comcast (a dynamic IP and all that), while our Web
> server (with its static IP etc.) is almost certainly more directly
> connected to the Internet as a whole.
> 
> The workaround we have adopted is as follows: we installed a "tinyproxy"
> server on our offsite VM. To ensure it only proxies for us, it listens on
> the encrypted OpenVPN tunnel we already had in place for FTP uploads
> etc. Then, instead of directly accessing database.clamav.net, freshclam
> uses our remote VM as a proxy, so that the cvd files are downloaded
> indirectly from Cloudflare's IAD server complex (via tinyproxy) rather
> than directly from Cloudflare's BOS server complex.
> 
> Since switching to this workaround a few days ago, we haven't observed
> any delays: the cvd files are available right away when the DNS TXT
> query says they should be.
> 
> I strongly suspect that Comcast is the culprit in the delays that had
> plagued us. This is especially suggested by the fact that Cloudflare
> returns a "Cache-Control:" header similar to:
> 
>  Cache-Control: public, max-age=13672
> 
> where the max-age value varies, but is often several hours.
> 
> In my opinion, for data like ClamAV virus updates, the "Cache-Control:"
> should specify "no-cache". Can Cloudflare do this for ClamAV?
> 
> -
> 
> Below is a pair of recent (pre-workaround) log excerpts. They show a
> delay of over 2.5 hours experienced from BOS (via Comcast) vs no delay
> from IAD.
> 
> Note that the BOS "Date:" timestamp of 16:49:01 GMT *still* shows
> a "Last-Modified:" timestamp of 06:15:18 GMT, while IAD already shows
> the up-to-date "Last-Modified:" timestamp of 14:14:30 GMT at the much
> earlier "Date:" of 14:29:01 GMT!
> 
> 
>  IAD
> 
>Date: Sun, 02 Dec 2018 14:09:01 GMT
>Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>ClamAV-VDB:02 Dec 2018 01-14 
> -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>Date: Sun, 02 Dec 2018 14:29:01 GMT
>Last-Modified: Sun, 02 Dec 2018 14:14:30 GMT
>ClamAV-VDB:02 Dec 2018 09-13 
> -0500:25173:2167842:63:ba557f61737b9d4b66acc96f7044b524:3nBAOxo97ssSNZb
> 
> 
>  BOS
> 
>Date: Sun, 02 Dec 2018 14:09:01 GMT
>Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>ClamAV-VDB:02 Dec 2018 01-14 
> -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>Date: Sun, 02 Dec 2018 14:29:01 GMT
>Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>ClamAV-VDB:02 Dec 2018 01-14 
> -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>Date: Sun, 02 Dec 2018 14:49:01 GMT
>Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>ClamAV-VDB:02 Dec 2018 01-14 
> -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>Date: Sun, 02 Dec 2018 15:09:01 GMT
>Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>ClamAV-VDB:02 Dec 2018 01-14 
> -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>Date: Sun, 02 Dec 2018 15:29:02 GMT
>Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>ClamAV-VDB:02 Dec 2018 01-14 
> -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>Date: Sun, 02 Dec 2018 15:49:02 GMT
>Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>ClamAV-VDB:02 Dec 2018 

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Micah Snyder (micasnyd)
In my own testing, it detected this link just fine.

Steps to reproduce:
View the raw source of this email and save it to a file.
Scan the file.

I will note that I did some additional testing. When placing the URL (no link, 
just raw text URL) in an email, ClamAV did not detect it.

Truthfully I don't have as much experience with ClamAV's phishing and 
safebrowsing features as I'd like. I'm not aware if our HTML scanner will do 
the same phish-checks as the Mail parser does. That will take a little more 
investigation and a little more time that I don't have at the moment.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 7, 2018, at 7:47 AM, Sunny Marwah <sunnymar...@trepup.com> wrote:

Hi Al Varnell,

Below is the URL which was mentioned in HTML template :

https://gokdenizhealthtourism.com/js/logo2.gif

Chrome doesn't open it because it labels it dangerous as per "Safebrowsing". 
Then why is ClamAV not able to identify it when the "Safebrowsing" option is 
already enabled?

Looking to hear from you on this.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:50 PM Al Varnell <alvarn...@mac.com> wrote:
If you won't provide the URL to the rest of us users, then we can't help you. 
You'll have to wait to see if the development team gets back to you.

-Al-

On Fri, Dec 07, 2018 at 04:10 AM, Sunny Marwah wrote:
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL I have already shared with one of the ClamAV development team members.

I did not understand your point when you said --- "You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://".

My purpose behind using ClamAV is to scan a Linux server plus the HTML templates 
which we regularly receive on the server.

And the reason behind using the "Safebrowsing" option is to detect deceptive, 
phishing URLs in HTML templates in the same way as Chrome warns us before 
opening such URLs. I want ClamAV to detect files which contain deceptive, 
phishing URLs as "Infected".

Waiting for your quick and needful response.

Regards
Sunny

On Fri, Dec 7, 2018 at 5:22 PM Al Varnell <alvarn...@mac.com> wrote:
Have you read the explanation at 
?

Please provide the phishing URL that is failing. You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://

-Al-

On Fri, Dec 07, 2018 at 03:17 AM, Sunny Marwah wrote:
Hello Micah & Team,

Have not received any response on my last email.

Also, I have enabled the Safebrowsing option in freshclam.conf as suggested by you.

Still I can see that ClamAV is not working properly. There is one file placed 
on the server and there is one phishing URL in that file. That URL is so 
deceptive that Chrome is not letting us open it, labeling it as a "Deceptive" 
URL.

Why is ClamAV still not able to flag that file as "Infected" when scanning, even 
after enabling the "Safebrowsing" option?

Waiting for your quick and needful response.

Regards
Sunny

On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah <sunnymar...@trepup.com> wrote:
Hi Micah,

Thanks for letting me know about enabling SafeBrowsing CVD option in ClamAV.

Google Safe Browsing puts a website in one of the 3 categories mentioned below:
1 Secure
2 Info or Not secure
3 Not secure or Dangerous

Curious to know how ClamAV will categorize the HTML file. Let's say, if any 
"Not secure or Dangerous" URL is found, will ClamAV show it as an infected 
file in the scanning summary? If this is the case, I guess if a "Secure" URL is 
found, it will show as OK. And what if a URL is found as "Info or Not secure"?

Regards
Sunny


On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
It may be worth mentioning that in addition to the [optional] SafeBrowsing CVD 
that you can choose to include, ClamAV has just started including PhishTank 
signatures late last month.

For those who are curious, see https://lists.gt.net/clamav/virusdb/. PhishTank 
signatures are prefixed with Phishtank.Phishing.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 6, 2018, at 3:27 AM, Al Varnell <alvarn...@mac.com> wrote:

Frankly, I'm surprised that ClamAV finds any such URLs. They are way too 
dynamic (blacklisted one day and removed the next). ClamAV does malware 
detection over the long haul, and trying to keep up with fraudulent web sites 
would be a full-time job and better done by other means (e.g. Google Safe 
Browsing).

-Al-

On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
Hello Team,

We are using clamav-0.100.2 to scan a few HTML email templates.

Sometimes there are deceptive URLs mentioned in those templates, and such a 
template should be detected as infected by the ClamAV scan process.

I can see weird output from the ClamAV scan process. Sometimes it detects such 
templates as infected and sometimes it does not detect them as infe
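
Micah's reproduction steps above (save the raw message source to a file, scan the file) and his observation that a bare text URL behaved differently from an HTML link can be turned into a repeatable test. The Python below is an added example, not code from this thread or from the ClamAV project: it builds the two message variants around a placeholder URL, writes them out as .eml files and, when clamscan is on PATH, scans each one. Whether either file is flagged depends on the signatures and options (ScanMail, PhishingScanURLs, the Safebrowsing database) of the installation it runs against. The placeholder address, file names and helper names are my own.

```python
import os
import shutil
import subprocess
import tempfile
from email.message import EmailMessage
from email.policy import SMTP

# Placeholder (constructed); substitute the address under investigation when testing locally.
TEST_URL = "http://example.invalid/login"


def build_case(html_link):
    """Build one reproduction message as raw RFC 5322 bytes.

    html_link=True  -> multipart/alternative whose HTML part carries an <a href>
                       (the form Micah reports as detected)
    html_link=False -> plain text body containing the bare URL
                       (the form he reports as not detected)
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "ScanMail reproduction: %s" % ("html link" if html_link else "raw text url")
    if html_link:
        msg.set_content("Your mail client cannot display the HTML part.")
        # Keep lines short so the part stays 7bit and the href survives verbatim.
        msg.add_alternative(
            "<html><body>\n<p>Please <a href=\"%s\">open this link</a>.</p>\n</body></html>\n" % TEST_URL,
            subtype="html",
        )
    else:
        msg.set_content("Please open %s" % TEST_URL)
    return msg.as_bytes(policy=SMTP)


def write_cases(directory):
    """Write both variants into `directory`; return {file name: path}."""
    paths = {}
    for name, html in (("html_link.eml", True), ("raw_text_url.eml", False)):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(build_case(html))
        paths[name] = path
    return paths


def scan(path):
    """Scan one file with clamscan if it is installed.

    Returns (exit_code, output), or None when clamscan is not available.
    clamscan exit codes: 0 = nothing found, 1 = something found, 2 = error.
    """
    exe = shutil.which("clamscan")
    if exe is None:
        return None
    proc = subprocess.run([exe, "--no-summary", path], capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def demo_run():
    """Write both cases to a temporary directory and scan them; {file name: scan result}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {name: scan(path) for name, path in write_cases(tmp).items()}


if __name__ == "__main__":
    for name, result in demo_run().items():
        print(name, "->", "clamscan not installed" if result is None else result)
```

Compare the two results side by side; a hit on html_link.eml only, with the same URL, reproduces the difference Micah describes and gives the development team a concrete pair of files to look at.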

[clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-07 Thread Paul Kosinski
As some of you may be aware, ever since ClamAV began using Cloudflare,
we have seen many occasions when files like daily.cvd were not
available to our LAN until well after the DNS TXT record implied they
should be.

However, we discovered that these same files *are* available to our
Web/email server right away. So what is the difference? The first
difference is that our Web server (a VM) is offsite, and is served by
the "IAD" Cloudflare complex, whereas our local setup is served by the
"BOS" Cloudflare complex.

The second, and likely explanatory difference, is that our local setup
is connected via Comcast (a dynamic IP and all that), while our Web
server (with its static IP etc.) is almost certainly more directly
connected to the Internet as a whole.

The workaround we have adopted is as follows: we installed a "tinyproxy"
server on our offsite VM. To ensure it only proxies for us, it listens on
the encrypted OpenVPN tunnel we already had in place for FTP uploads
etc. Then, instead of directly accessing database.clamav.net, freshclam
uses our remote VM as a proxy, so that the cvd files are downloaded
indirectly from Cloudflare's IAD server complex (via tinyproxy) rather
than directly from Cloudflare's BOS server complex.

Since switching to this workaround a few days ago, we haven't observed
any delays: the cvd files are available right away when the DNS TXT
query says they should be.

I strongly suspect that Comcast is the culprit in the delays that had
plagued us. This is especially suggested by the fact that Cloudflare
returns a "Cache-Control:" header similar to:

  Cache-Control: public, max-age=13672

where the max-age value varies, but is often several hours.

In my opinion, for data like ClamAV virus updates, the "Cache-Control:"
should specify "no-cache". Can Cloudflare do this for ClamAV?

-

Below is a pair of recent (pre-workaround) log excerpts. They show a
delay of over 2.5 hours experienced from BOS (via Comcast) vs no delay
from IAD.

Note that the BOS "Date:" timestamp of 16:49:01 GMT *still* shows
a "Last-Modified:" timestamp of 06:15:18 GMT, while IAD already shows
the up-to-date "Last-Modified:" timestamp of 14:14:30 GMT at the much
earlier "Date:" of 14:29:01 GMT!


  IAD
  
Date: Sun, 02 Dec 2018 14:09:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 14:29:01 GMT
Last-Modified: Sun, 02 Dec 2018 14:14:30 GMT
ClamAV-VDB:02 Dec 2018 09-13 
-0500:25173:2167842:63:ba557f61737b9d4b66acc96f7044b524:3nBAOxo97ssSNZb
  
   
  BOS
  
Date: Sun, 02 Dec 2018 14:09:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 14:29:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 14:49:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 15:09:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 15:29:02 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 15:49:02 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 16:09:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 16:29:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 16:49:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 
-0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
  
Date: Sun, 02 Dec 2018 17:09:01 GMT
Last-Modified: Sun, 02 Dec 2018 14:14:30 GMT
ClamAV-VDB:02 Dec 2018 09-13 
-0500:25173:2167842:63:ba557f61737b9d4b66acc96f7044b524:3nBAOxo97ssSNZb
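
The propagation lag Paul measures above (and the caching explanation Eric offers in his reply earlier on this page) can be checked mechanically from the same kind of HEAD-probe excerpt. The Python below is an added example, not code from either post or from the ClamAV project: it parses the Date / Last-Modified / ClamAV-VDB groups into per-site samples, reports when each Cloudflare site first served a given daily.cvd version, how far behind the newest build a stale answer was at probe time, and until when a Cache-Control max-age would let an intermediate cache keep serving the old copy. The embedded sample is a constructed subset of the excerpts quoted in the post with the wrapped header lines rejoined; the field layout assumed for the ClamAV-VDB header (tag, build time, version, signature count, f-level, MD5, ...) follows the CVD header format, and the helper names are mine.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: a subset of the HEAD-probe excerpts quoted in the post,
# with each wrapped ClamAV-VDB header rejoined onto a single line.
SAMPLE_LOG = """\
  IAD

Date: Sun, 02 Dec 2018 14:09:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT

Date: Sun, 02 Dec 2018 14:29:01 GMT
Last-Modified: Sun, 02 Dec 2018 14:14:30 GMT
ClamAV-VDB:02 Dec 2018 09-13 -0500:25173:2167842:63:ba557f61737b9d4b66acc96f7044b524:3nBAOxo97ssSNZb

  BOS

Date: Sun, 02 Dec 2018 14:29:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT

Date: Sun, 02 Dec 2018 16:49:01 GMT
Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT

Date: Sun, 02 Dec 2018 17:09:01 GMT
Last-Modified: Sun, 02 Dec 2018 14:14:30 GMT
ClamAV-VDB:02 Dec 2018 09-13 -0500:25173:2167842:63:ba557f61737b9d4b66acc96f7044b524:3nBAOxo97ssSNZb
"""


@dataclass
class Sample:
    site: str                # Cloudflare site label from the excerpt (IAD / BOS)
    date: datetime           # Date: header, i.e. when the probe was answered
    last_modified: datetime  # Last-Modified: header of the served daily.cvd
    version: int             # daily.cvd version taken from the ClamAV-VDB header


def parse_vdb_header(line):
    """Split a 'ClamAV-VDB:' header. Assumed layout (CVD header format): tag,
    build time, version, signature count, f-level, MD5, ... The build time
    contains no colons, so a plain split on ':' is safe."""
    fields = line.strip().split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 5:
        raise ValueError("not a ClamAV-VDB header: %r" % line)
    return {"build_time": fields[1], "version": int(fields[2]),
            "sigs": int(fields[3]), "flevel": int(fields[4])}


def parse_excerpt(text):
    """Turn the excerpt into Sample records. A bare label line such as 'IAD'
    names the site for the header groups that follow it."""
    samples, site, headers = [], None, {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if headers:  # blank line closes one Date/Last-Modified/VDB group
                vdb = parse_vdb_header(headers["ClamAV-VDB"])
                samples.append(Sample(site, parsedate_to_datetime(headers["Date"]),
                                      parsedate_to_datetime(headers["Last-Modified"]),
                                      vdb["version"]))
                headers = {}
            continue
        if ":" not in line:  # site label
            site = line
            continue
        name, _, value = line.partition(":")
        headers[name] = line if name == "ClamAV-VDB" else value.strip()
    return samples


def first_seen(samples, site, version):
    """Earliest probe at which `site` served `version` or newer; None if never."""
    dates = [s.date for s in samples if s.site == site and s.version >= version]
    return min(dates) if dates else None


def propagation_lag_seconds(samples, fast_site, slow_site, version):
    """Seconds between the two sites first serving `version`; None if either never did."""
    a, b = first_seen(samples, fast_site, version), first_seen(samples, slow_site, version)
    return None if a is None or b is None else int((b - a).total_seconds())


def stale_by_seconds(sample, newest_last_modified):
    """Seconds after the newest build was published that this answer was still the old copy
    (0 when the answer is current or the probe predates the newest build)."""
    if sample.last_modified >= newest_last_modified:
        return 0
    return max(0, int((sample.date - newest_last_modified).total_seconds()))


def parse_max_age(cache_control):
    """max-age value in seconds from a Cache-Control header value, or None."""
    m = re.search(r"max-age=(\d+)", cache_control)
    return int(m.group(1)) if m else None


def cache_expiry(fetched_at, cache_control):
    """Latest moment a cache honouring max-age may keep serving a copy fetched at `fetched_at`."""
    max_age = parse_max_age(cache_control)
    return None if max_age is None else fetched_at + timedelta(seconds=max_age)


if __name__ == "__main__":
    samples = parse_excerpt(SAMPLE_LOG)
    newest = max(s.last_modified for s in samples)
    print("IAD -> BOS lag for 25173: %s s" % propagation_lag_seconds(samples, "IAD", "BOS", 25173))
    for s in samples:
        print("%s %s v%d stale by %d s" % (s.site, s.date.time(), s.version, stale_by_seconds(s, newest)))
    print("copy fetched %s may be cached until %s" % (samples[0].date, cache_expiry(samples[0].date, "public, max-age=13672")))
```

On the sample the BOS answer at 16:49:01 is 9271 seconds (2 h 34 m) behind the 14:14:30 build, and BOS first serves 25173 exactly 9600 seconds after IAD; a max-age of 13672 seconds on the 14:09:01 copy keeps a conforming cache entitled to serve it until almost 18:00 GMT, which is the mechanism both posts point at.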


Re: [clamav-users] Disable MaxFileSize and MaxFileSize to scan the whole system

2018-12-07 Thread Micah Snyder (micasnyd)
The verbiage of the warning may be a little misleading.  It doesn't tell you 
how much has been scanned prior to the call into cli_scanxz(). It is likely 
that it scanned additional data prior to the call to cli_scanxz(), which counts 
towards the scan limit.

If you re-scan with the --debug flag set, it should report an additional 
debug-level message near the warning you saw, in the form of:
"scansize exceeded (initial: %lu, consumed: %lu, needed: %lu)"

initial:
should be the limit (3999M).
consumed:
should be the amount already scanned.
needed:
should be the amount of data that the cli_scanxz() function has on hand and 
would like to scan.

If you run this test, I would be curious to know what is reported.  That said, 
your comments raise the age-old question of whether or how ClamAV should report 
that it is unable to finish scanning a file when limits are exceeded.  Most 
clamav scanning code will not report a warning at all like you see with the xz 
scanner, and the only way to determine if limits have been exceeded is to run 
with --blockmax or --alert-exceeds-max (v0.101+).

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Dec 7, 2018, at 3:41 PM, Albert o <alberto.bed...@gmail.com> wrote:

There is something I don't get.
This is my clamd.conf:

user@debian:~/Downloads/clamav-0.101.0$ cat /etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 100
FollowDirectorySymlinks true
FollowFileSymlinks true
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 2000
LogSyslog true
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground true
Debug 0
PidFile true
MaxEmbeddedPE 3999M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 3999M
MaxHTMLNoTags 3999M
MaxScriptNormalize 3999M
MaxZipTypeRcg 3999M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
ScanPE true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
ExtendedDetectionInfo true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA 1
BlockMax 1
OLE2BlockMacros 1
ArchiveBlockEncrypted 1
ScanPartialMessages 1
PartitionIntersection 1
HeuristicScanPrecedence 1
StructuredDataDetection 1
CommandReadTimeout 5
SendBufTimeout 400
MaxQueue 100
ExtendedDetectionInfo 1
OLE2BlockMacros 1
ScanOnAccess true
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 3999M
MaxFileSize 3999M
MaxRecursion 160
MaxFiles 2
MaxPartitions 1
MaxIconsPE 1
PCREMatchLimit 1
PCRERecMatchLimit 1
PCREMaxFileSize 3999M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 3999M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock true
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 6
BytecodeUnsigned 1
ScanOnAccess 1
OnAccessMaxFileSize 0
OnAccessMountPath /
OnAccessIncludePath /
OnAccessMaxFileSize 0
OnAccessPrevention 1
OnAccessDisableDDD 1

but I still get

LibClamAV Warning: cli_msxml_parse_document: encountered issue in
parsing xml document
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits -
only scanning 27262976 bytes

What am I missing? Shouldn't all the files >4G be scanned?
On Tue, Dec 4, 2018 at 4:42 PM Ángel <an...@av.16bits.net> wrote:

On 2018-12-03 at 09:58 -0800, Dennis Peterson wrote:
If it is a big concern you can use the split command to create
"splits" of the suspect file. Split accepts various size arguments
(bytes, lines...) and will create as many files as it takes to split
the entire large file. These can be scanned individually and discarded
when done. There is a risk of a split happening in the middle of a
section that might match a signature but that is small. A work around
is to split a file, scan it, delete the splits, then split it a second
time using a different split size and repeat the scan.

This is obviously tedious and works best on static files. There's
always a way if you don't mind the effort. It is easily scriptable.

dp


Splitting a file will probably make chunks other than the first appear as 
random bytes, rather than having the correct filetype, thus making some 
signatures not apply.
(the first chunk will _probably_ be detected properly, still splitting
can make it miss what would be found on the full size, eg. splitting a
Re: [clamav-users] "Can't query daily..." entries in log since 0.101.0

2018-12-07 Thread Brian Fluet
Here's the log content of the most recent freshclam download:

--
ClamAV update process started at Fri Dec  7 13:59:41 2018
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, 
builder: sigmgr)
Downloading daily-25186.cdiff [100%]
daily.cld updated (version: 25186, sigs: 2177189, f-level: 63, 
builder: neo)
Can't query daily.25186.101.1.1.6810BD8A.ping.clamav.net
bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, 
builder: neo)
Database updated (6743529 signatures) from db.US.clamav.net (IP: 
104.16.189.138)
Clamd successfully notified about the update.
--

--
Brian




Re: [clamav-users] "Can't query daily..." entries in log since 0.101.0

2018-12-07 Thread Joel Esler (jesler)
Can you give us the full logs please? Not just that one line.  

Sent from my iPhone

> On Dec 7, 2018, at 15:49, Brian Fluet wrote:
> 
> Hi All,
> 
> Since installing Win32 portable v0.101.0 I am seeing the following 
> entry in the freshclam.log at each download:
> 
> Can't query daily.25186.101.1.1.6810BD8A.ping.clamav.net
> 
> Is this of concern?
> 
> --
> Brian
> 
> 
> 
> 


[clamav-users] "Can't query daily..." entries in log since 0.101.0

2018-12-07 Thread Brian Fluet
Hi All,

Since installing Win32 portable v0.101.0 I am seeing the following 
entry in the freshclam.log at each download:

Can't query daily.25186.101.1.1.6810BD8A.ping.clamav.net

Is this of concern?

--
Brian






Re: [clamav-users] Disable MaxFileSize and MaxFileSize to scan the whole system

2018-12-07 Thread Albert o
There is something I don't get.
This is my clamd.conf:

user@debian:~/Downloads/clamav-0.101.0$ cat /etc/clamav/clamd.conf
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 100
FollowDirectorySymlinks true
FollowFileSymlinks true
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 2000
LogSyslog true
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground true
Debug 0
PidFile true
MaxEmbeddedPE 3999M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 3999M
MaxHTMLNoTags 3999M
MaxScriptNormalize 3999M
MaxZipTypeRcg 3999M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
ScanPE true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
ExtendedDetectionInfo true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA 1
BlockMax 1
OLE2BlockMacros 1
ArchiveBlockEncrypted 1
ScanPartialMessages 1
PartitionIntersection 1
HeuristicScanPrecedence 1
StructuredDataDetection 1
CommandReadTimeout 5
SendBufTimeout 400
MaxQueue 100
ExtendedDetectionInfo 1
OLE2BlockMacros 1
ScanOnAccess true
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 3999M
MaxFileSize 3999M
MaxRecursion 160
MaxFiles 2
MaxPartitions 1
MaxIconsPE 1
PCREMatchLimit 1
PCRERecMatchLimit 1
PCREMaxFileSize 3999M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 3999M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock true
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 6
BytecodeUnsigned 1
ScanOnAccess 1
OnAccessMaxFileSize 0
OnAccessMountPath /
OnAccessIncludePath /
OnAccessMaxFileSize 0
OnAccessPrevention 1
OnAccessDisableDDD 1

but I still get

LibClamAV Warning: cli_msxml_parse_document: encountered issue in
parsing xml document
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits -
only scanning 27262976 bytes

What am I missing? Shouldn't all the files >4G be scanned?
On Tue, Dec 4, 2018 at 4:42 PM Ángel wrote:
>
> On 2018-12-03 at 09:58 -0800, Dennis Peterson wrote:
> > If it is a big concern you can use the split command to create
> > "splits" of the suspect file. Split accepts various size arguments
> > (bytes, lines...) and will create as many files as it takes to split
> > the entire large file. These can be scanned individually and discarded
> > when done. There is a risk of a split happening in the middle of a
> > section that might match a signature but that is small. A work around
> > is to split a file, scan it, delete the splits, then split it a second
> > time using a different split size and repeat the scan.
>
> > This is obviously tedious and works best on static files. There's
> > always a way if you don't mind the effort. It is easily scriptable.
> >
> > dp
>
>
> Splitting a file will probably make chunks other than the first appear as
> random bytes, rather than having the correct filetype, thus making some
> signatures not apply.
> (the first chunk will _probably_ be detected properly, still splitting
> can make it miss what would be found on the full size, eg. splitting a
> zip file will lose its central directory...)
>
> Signatures are generally more complex than looking for a certain
> substring...
>
> Best regards
>


[clamav-users] Can't run ./configure --enable-check, checking linking with check... configure: unable to compile/link with check configure: error: ERROR! Check was configured, but not found.

2018-12-07 Thread Albert o
user@debian: ./configure --enable-check
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
creating target.h - canonical system defines
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking whether UID '1000' is supported by ustar format... yes
checking whether GID '1000' is supported by ustar format... yes
checking how to create a ustar tar archive... gnutar
checking dependency style of g++... gcc3
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-unknown-linux-gnu file names to
x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to
toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... no
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... /usr/bin/ld -m elf_x86_64
checking if the linker (/usr/bin/ld -m elf_x86_64) is GNU ld... yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static

Re: [clamav-users] Installation problem.

2018-12-07 Thread Dennis Peterson
The missing tools are either not in your path or not installed. You could run 
yum info */g++ to see if it is installed, and if it is, run locate g++ and 
compare the locations to your path with echo $PATH.


dp

On 12/6/18 11:28 PM, nikos wrote:

Hello list.

I'm trying to install the new version of clam and there seem to be compilation 
problems.


I run ./configure --sysconfdir=/etc --enable-milter in the programs folder and 
I get the error:


[clamav-users] Issue affecting libclamav in ClamAV 0.101.0

2018-12-07 Thread Micah Snyder (micasnyd)
Greetings,

I'm writing to let you know about an issue in ClamAV 0.101.0 impacting software 
developers that integrate libclamav into other products on Unix/Linux systems. 
The issue will result in an error when you attempt to compile against a 
system-installed libclamav.

We are working on a fix and will release an 0.101.1 patch release as soon as we 
are able to address the issue. In order to fully test the fix and complete the 
due diligence required for a quality build, this will be released shortly after 
the first of the new year.

We apologize for the inconvenience.

Technical details for interested parties:

ClamAV uses a lot of mixed integer variable types internally. The preferred 
types are standard int types (eg int8_t, uint64_t, size_t, ptrdiff_t, etc).

As an ongoing effort to make variable types more consistent throughout the code 
base, we made the mistake of including the `cltypes.h` header file in 
`clamav.h`, which is not only used internally but defines the public libclamav 
API. Because neither the `cltypes.h` header, nor the supporting 
`clamav-config.h` header, are provided when installing libclamav to a system, 
applications built with a system-installed libclamav from version 0.101.0 will 
fail to compile.

To resolve the issue, we will be replacing `cltypes.h` with a new 
`clamav-types.h` file that is generated when you run `./configure` and which 
will be installed alongside `clamav.h` when you run `make install`. This will 
ensure that `clamav.h` has access to the necessary integer types on all 
operating systems and architectures.

To mitigate similar issues in the future, we are adding a test to our 
build-acceptance suite to test building an application against a 
system-installed libclamav library.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
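As an added example (not ClamAV project code) of the kind of check Micah describes adding to the build-acceptance suite: a shell function that lists the quoted #include files a public header depends on that are not present in the install directory, run here against a constructed fixture reproducing the 0.101.0 layout (clamav.h installed, the cltypes.h it includes not). The fixture header contents, the directory layout and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not ClamAV's own code: verify that every header a public
# header pulls in with #include "..." is installed next to it, so that a
# consumer compiling against the system copy does not hit a missing header.
# Usage: missing_local_includes <include-dir> <header-file>
missing_local_includes() {
    incdir=$1
    header=$2
    # Extract the quoted file name from each #include "..." line in the header.
    # Angle-bracket includes are system headers and are deliberately not checked.
    sed -n 's/^[[:space:]]*#[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$header" |
    while IFS= read -r inc; do
        # Print only the includes that are absent from the install directory.
        [ -f "$incdir/$inc" ] || printf '%s\n' "$inc"
    done
}

# Constructed fixture mimicking the 0.101.0 situation described above:
# clamav.h is installed, but the cltypes.h it includes is not.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/include"
cat > "$demo_dir/include/clamav.h" <<'EOF'
#ifndef __CLAMAV_H
#define __CLAMAV_H
#include <stdint.h>
#include "cltypes.h"
#include "clamav-types.h"
#endif
EOF
# Simulate the announced fix: a generated clamav-types.h is installed
# alongside clamav.h (empty placeholder, contents are irrelevant here).
: > "$demo_dir/include/clamav-types.h"

# Reports "cltypes.h" for the fixture above; a clean install prints nothing.
missing_local_includes "$demo_dir/include" "$demo_dir/include/clamav.h"
```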


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Sunny Marwah
Hi Al Varnell,

Below is the URL which was mentioned in the HTML template:

https://gokdenizhealthtourism.com/js/logo2.gif

Chrome doesn't open it because it is labeled dangerous as per "Safebrowsing".
Then why is ClamAV not able to identify it when the "Safebrowsing" option is
already enabled??

Looking to hear from you on this.

Regards
Sunny


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
If you won't provide the URL to the rest of us users, then we can't help you. 
You'll have to wait to see if the development team gets back to you.

-Al-


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Sunny Marwah
Hi Al Varnell,

I have already gone through https://www.clamav.net/documents/safebrowsing.

That URL I have already shared with one of the ClamAV development team members.

I did not understand your point when you said --- "You will probably need
to obfuscate it in order to get it through the mail system, something like
httx://".

My purpose behind using ClamAV is to scan a Linux server plus the HTML
templates which we regularly receive on the server.

And the reason behind using the "Safebrowsing" option is to detect deceptive,
phishing URLs in HTML templates in the same way as Chrome warns us before
opening such URLs. I want ClamAV to detect such files as "Infected" which
contain deceptive, phishing URLs.

Waiting for your quick and needful response.

Regards
Sunny


Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Al Varnell
Have you read the explanation at <https://www.clamav.net/documents/safebrowsing>?

Please provide the phishing URL that is failing. You will probably need to 
obfuscate it in order to get it through the mail system, something like 
httx://

-Al-


-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-07 Thread Sunny Marwah
Hello Micah & Team,

I have not received any response to my last email.

Also, I have enabled the Safebrowsing option in freshclam.conf as suggested by
you.

Still I can see that ClamAV is not working properly. There is one file
placed on the server and there is one phishing URL in that file. That
URL is so deceptive that Chrome is not letting us open it, labeling
it as a "Deceptive" URL.

Why is ClamAV still not able to find that file as "Infected" in scanning
even after enabling the "Safebrowsing" option??

Waiting for your quick and needful response.

Regards
Sunny

On Thu, Dec 6, 2018 at 4:41 PM Sunny Marwah  wrote:

> Hi Micah,
>
> Thanks for letting me know about enabling SafeBrowsing CVD option in
> ClamAV.
>
> Google safe browsing puts a website in one of the 3 categories mentioned below:
> 1 Secure
> 2 Info or Not secure
> 3 Not secure or Dangerous
>
> Curious to know how ClamAV will categorize the HTML file. Let's say, if
> any "Not secure or Dangerous" URL is found, will ClamAV show it as an
> infected file in the scanning summary? If this is the case, I guess in case a
> "Secure" URL is found, it will show as OK. And what if a URL is found as
> "Info or Not secure"?
>
> Regards
> Sunny
>
>
> On Thu, Dec 6, 2018 at 3:19 PM Micah Snyder (micasnyd) 
> wrote:
>
>> It may be worth mentioning that in addition to the [optional]
>> SafeBrowsing CVD that you can choose to include, ClamAV has just started
>> including PhishTank signatures late last month.
>>
>> For those who are curious, see https://lists.gt.net/clamav/virusdb/.
>> PhishTank signatures are prefixed with Phishtank.Phishing.
>>
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>>
>>
>> On Dec 6, 2018, at 3:27 AM, Al Varnell  wrote:
>>
>> Frankly, I'm surprised that ClamAV finds any such URLs. They are way too
>> dynamic (blacklisted one day and removed the next). ClamAV does malware
>> detection over the long haul, and trying to keep up with fraudulent web
>> sites would be a full-time job and better done by other means (e.g. Google
>> Safe Browsing).
>>
>> -Al-
>>
>> On Wed, Dec 05, 2018 at 11:33 PM, Sunny Marwah wrote:
>>
>> Hello Team,
>>
>> We are using clamav-0.100.2 to scan a few HTML email templates.
>>
>> Sometimes, there are deceptive URLs mentioned in those templates and
>> that template should be detected as infected via the ClamAV scan process.
>>
>> I can see weird output from the ClamAV scan process. Sometimes it detects such
>> templates as infected and sometimes it does not detect them as infected.
>> And the URLs I am talking about are so deceptive that even the Google Chrome
>> browser doesn't let us open these URLs and shows us a clear "Dangerous"
>> warning about a deceptive website.
>>
>> Can you put your views behind such unpredictable behavior ?
>>
>> If you want then i can report such URL's on your malware link for
>> reporting.
>>
>> Regards
>> Sunny
>>
>>
>
>
> --
> Regards
> Sunny
> System Engineer
> Mob : +91 9711155549
>
>

-- 
Regards
Sunny
System Engineer
Mob : +91 9711155549


Re: [clamav-users] Installation problem.

2018-12-07 Thread Robert Chalmers


My reason for querying C++ is this in your log:

> checking for cc++... no
> checking whether the C++ compiler works... no

And as you are building 101, if you want to stop freshclam dumping an exit 
error in your logs (it still works, it just gives a false error), change this

freshclam/freshclamcodes.h from

typedef enum fc_error_tag {
FC_SUCCESS  = 0,
FC_UPTODATE = 1,

to

typedef enum fc_error_tag {
FC_SUCCESS  = 0,
FC_UPTODATE = 0,

The clamav code maintainers are aware of this…

robert

> On 7 Dec 2018, at 07:28, nikos  wrote:
> 
> Hello list.
> 
> I'm trying to install the new version of clam and there seem to be compilation 
> problems.
> 
> I run ./configure --sysconfdir=/etc --enable-milter in the programs folder 
> and I get the error:
> 
> checking for g++... no
> checking for c++... no
> checking for gpp... no
> checking for aCC... no
> checking for CC... no
> checking for cxx... no
> checking for cc++... no
> checking for cl.exe... no
> checking for FCC... no
> checking for KCC... no
> checking for RCC... no
> checking for xlC_r... no
> checking for xlC... no
> checking whether the C++ compiler works... no
> configure: error: in `/home/admin/clamav-0.101.0':
> configure: error: C++ compiler cannot create executables
> See `config.log' for more details
> 
> I always install clam from source, as with the previous versions. The funny thing 
> is, if I extract and run configure in the previous version clamav-0.100.2 
> everything works fine!
> 
> I have a server with the latest centos release, fully updated.
> 
> Any suggestions?
> 
> Thank you in advance, Nikos.
> 
> 

Robert Chalmers
https://robert-chalmers.uk
aut...@robert-chalmers.uk
@R_A_Chalmers



Re: [clamav-users] Installation problem.

2018-12-07 Thread Gary R. Schmidt

Given that your command line works for me, and that your old version is 
fine, I suspect a problem with what you have downloaded, so try getting 
it again.


Another thought is that you have run out of space in /home/admin.

And a third is to just run configure without any options.

Cheers,
GaryB-)