Re: [clamav-users] pwdb files still supported ?

2019-02-06 Thread Andrew Williams
Thanks for the additional information.

I wonder if the issue encountered here, then, is that certain .zip files
fail to be extracted successfully.  See:
https://bugzilla.clamav.net/show_bug.cgi?id=12235 for a reported instance
of this.  More investigation will be needed to figure out why this is
happening.

-Andrew

On Wed, Feb 6, 2019 at 12:47 PM Scott Kitterman wrote:

> Yes.  Debian packages are built with yara support.
>
> Scott K
>
> On February 6, 2019 5:22:48 PM UTC, Arnaud Jacques <webmas...@securiteinfo.com> wrote:
> >Hello Andrew,
> >
> >I use the clamav provided by Debian 8.11:
> >dpkg -l|grep clam
> >ii  clamav            0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - command-line interface
> >ii  clamav-base       0.100.2+dfsg-0+deb8u1  all    anti-virus utility for Unix - base package
> >ii  clamav-daemon     0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner daemon
> >ii  clamav-freshclam  0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - virus database update utility
> >ii  clamdscan         0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner client
> >ii  libclamav7        0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - libraryrt
> >ii  libclamunrar7     0.99-0+deb8u3          amd64  anti-virus utility for Unix - unrar support
> >
> >How can I tell if it is compiled with yara support? clamscan --debug does
> >not seem to provide the information.
> >
> >On https://buildd.debian.org/status/package.php?p=clamav=jessie-security,
> >there is "no logs" for amd64
> >o.O
> >Other log files seem to show Debian compiles with yara support.
> >For example:
> >https://buildd.debian.org/status/fetch.php?pkg=clamav=i386=0.100.2%2Bdfsg-0%2Bdeb8u1=1540398955=0
> >
> >On 06/02/2019 at 17:32, Andrew Williams wrote:
> >> Hey Arnaud,
> >>
> >> I recently noticed a bug that causes .pwdb files to not be loaded from
> >> the db directory when ClamAV is compiled without Yara support.  Is
> >> your ClamAV built with Yara support, and if not, can you try compiling
> >> with Yara support and see whether this fixes the issue for you?  This
> >> issue will be fixed in an upcoming release.
> >>
> >> Thanks,
> >>
> >> -Andrew
> >> Research Engineer
> >> Malware Research Team
> >>
> >> On Wed, Feb 6, 2019 at 11:16 AM Arnaud Jacques
> >> <webmas...@securiteinfo.com> wrote:
> >>
> >> Hello,
> >>
> >> It seems .pwdb files do not work since version 0.100.2 (maybe since
> >> 0.100.0).
> >> It has this format:
> >>
> >> cat passwords.pwdb
> >> ZipPasswordInfected;Engine:51-255;0;infected
> >>
> >> This file is in the ClamAV database directory (/var/lib/clamav/) and
> >> ClamAV does not detect malware when the Zip is protected by the
> >> "infected" password. Manually unzipped, ClamAV is able to detect the
> >> malware.
> >>
> >> Has the format of .pwdb files changed since 0.100.x?
> >> Is it still supported in recent ClamAV versions?
> >>
> >> --
> >> Best regards,
> >>
> >> Arnaud Jacques
> >> Manager of SecuriteInfo.com
> >>
> >> Telephone: +33-(0)3.44.39.76.46
> >> E-mail: a...@securiteinfo.com
> >> Website: https://www.securiteinfo.com
> >> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> >> Twitter: @SecuriteInfoCom
> >>
> >> Securiteinfo.com
> >> Computer Security - Information Security.
> >> 266, rue de Villers
> >> 60123 Bonneuil en Valois
> >>
> >> ___
> >> clamav-users mailing list
> >> clamav-users@lists.clamav.net
> >> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >>
> >>
> >> Help us build a comprehensive ClamAV guide:
> >> https://github.com/vrtadmin/clamav-faq
> >>
> >> http://www.clamav.net/contact.html#ml
> >>
> >>

Re: [clamav-users] Input Stream Scanning for very large files

2019-02-06 Thread Dennis Peterson
Should have been file type as reported by the file command. Any usage of ClamAV 
outside its design objectives is vulnerable to failure, but the method I pointed 
out works, period. But if asked if I thought it was worth it I would say no, of 
course not. The OP seems determined though. ClamAV is first and foremost an 
acceptable real-time email scanner with limited ability to do file system and 
stream scanning.


dp


On 2/3/19 2:37 PM, Ángel wrote:

On 2019-01-25 at 18:43 -0800, Dennis Peterson wrote:

You can easily use the unix split command and cat to scan files of any size. Or
use perl to break stream file segments to the stream. The first file in a split
or segment contains the file time and will need to be concatenated to the
beginning of each split or segment so clamav knows what it is. It doesn't matter
if the file makes no sense just so long as no malware is found. You will need
two split sizes in order to ensure a signature doesn't span splits which means
at least two runs of each large file, but that is trivial when scripted. SSD
drives would be useful.

dp

Sorry, but I think ClamAV is smarter than what you seem to think. While
this will allow clamav to still detect some signatures, your approach
will trivially fail for:
* Extended signatures that specify an offset (can create both False
Positives and Negatives)
* Logical signatures using e.g. FileSize or NumberOfSections.
* Container signatures, as the container will be corrupted
* Hash signatures


Kind regards


PS: I assume you meant 'file mime', not 'file time'
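
The two positions in this exchange (split the file and scan the pieces with more than one split size, versus the signature kinds that splitting breaks) can be shown with a small simulation. The following is an added example, not code from the thread or from ClamAV: it builds a constructed 1 KiB file, defines three toy signatures (a byte pattern placed so it straddles the 512-byte boundary, a pattern pinned to absolute offset 900, and a whole-file SHA-256), and compares a whole-file scan with the union of per-chunk scans at two split sizes. The signature names, the dict layout and the file contents are invented for the demonstration; they are not ClamAV signature syntax. Two split sizes do recover the boundary-spanning pattern, as Dennis describes, but the offset-anchored and hash signatures are never matched on a chunk, which is Ángel's point.

```python
import hashlib

# Constructed toy "signature database". The three kinds mirror the
# categories discussed above; names and layout are invented here.
SIGNATURES = {
    "Toy.Pattern":   {"kind": "pattern", "bytes": b"BAD-PATTERN-XYZ"},
    "Toy.Offset900": {"kind": "offset",  "bytes": b"MARK", "offset": 900},
    "Toy.Hash":      {"kind": "sha256",  "digest": None},   # filled in below
}


def build_sample() -> bytes:
    """Constructed 1 KiB file: the pattern straddles the 512-byte boundary
    (bytes 505..519) and the offset marker sits at byte 900."""
    data = bytearray(1024)
    pat = SIGNATURES["Toy.Pattern"]["bytes"]
    start = 512 - len(pat) // 2
    data[start:start + len(pat)] = pat
    data[900:904] = SIGNATURES["Toy.Offset900"]["bytes"]
    return bytes(data)


SAMPLE = build_sample()
SIGNATURES["Toy.Hash"]["digest"] = hashlib.sha256(SAMPLE).hexdigest()


def scan(buf: bytes) -> set:
    """Scan one buffer as if it were a complete file; return matching names."""
    hits = set()
    for name, sig in SIGNATURES.items():
        if sig["kind"] == "pattern":
            if sig["bytes"] in buf:
                hits.add(name)
        elif sig["kind"] == "offset":
            off = sig["offset"]
            # Offsets are absolute: a chunk starting at byte 512 is scanned
            # as if it started at byte 0, so the marker is never where the
            # signature expects it.
            if buf[off:off + len(sig["bytes"])] == sig["bytes"]:
                hits.add(name)
        elif sig["kind"] == "sha256":
            # A hash signature only ever matches the complete file.
            if hashlib.sha256(buf).hexdigest() == sig["digest"]:
                hits.add(name)
    return hits


def scan_split(buf: bytes, chunk_size: int) -> set:
    """The 'split, then scan each piece' approach: union of per-chunk hits."""
    hits = set()
    for i in range(0, len(buf), chunk_size):
        hits |= scan(buf[i:i + chunk_size])
    return hits


def compare(buf: bytes, chunk_sizes=(512, 768)) -> dict:
    """Whole-file scan versus the union over several split sizes."""
    whole = scan(buf)
    split = set()
    for size in chunk_sizes:
        split |= scan_split(buf, size)
    return {"whole": whole, "split": split, "missed": whole - split}


if __name__ == "__main__":
    for key, val in compare(SAMPLE).items():
        print(f"{key:>6}: {sorted(val)}")
```

With the 512-byte split alone nothing matches; adding a 768-byte split catches the pattern because it then falls inside the first chunk. No choice of split sizes short of the whole file makes the offset or hash signatures fire, so a chunked scan is a strict subset of a whole-file scan for those signature classes.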


Re: [clamav-users] pwdb files still supported ?

2019-02-06 Thread Scott Kitterman
Yes.  Debian packages are built with yara support.

Scott K

On February 6, 2019 5:22:48 PM UTC, Arnaud Jacques wrote:
>Hello Andrew,
>
>I use the clamav provided by Debian 8.11:
>dpkg -l|grep clam
>ii  clamav            0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - command-line interface
>ii  clamav-base       0.100.2+dfsg-0+deb8u1  all    anti-virus utility for Unix - base package
>ii  clamav-daemon     0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner daemon
>ii  clamav-freshclam  0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - virus database update utility
>ii  clamdscan         0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner client
>ii  libclamav7        0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - libraryrt
>ii  libclamunrar7     0.99-0+deb8u3          amd64  anti-virus utility for Unix - unrar support
>
>How can I tell if it is compiled with yara support? clamscan --debug does
>not seem to provide the information.
>
>On https://buildd.debian.org/status/package.php?p=clamav=jessie-security,
>there is "no logs" for amd64
>o.O
>Other log files seem to show Debian compiles with yara support.
>For example:
>https://buildd.debian.org/status/fetch.php?pkg=clamav=i386=0.100.2%2Bdfsg-0%2Bdeb8u1=1540398955=0
>
>On 06/02/2019 at 17:32, Andrew Williams wrote:
>> Hey Arnaud,
>>
>> I recently noticed a bug that causes .pwdb files to not be loaded from
>> the db directory when ClamAV is compiled without Yara support.  Is
>> your ClamAV built with Yara support, and if not, can you try compiling
>> with Yara support and see whether this fixes the issue for you?  This
>> issue will be fixed in an upcoming release.
>>
>> Thanks,
>>
>> -Andrew
>> Research Engineer
>> Malware Research Team
>>
>> On Wed, Feb 6, 2019 at 11:16 AM Arnaud Jacques
>> <webmas...@securiteinfo.com> wrote:
>>
>> Hello,
>>
>> It seems .pwdb files do not work since version 0.100.2 (maybe since
>> 0.100.0).
>> It has this format:
>>
>> cat passwords.pwdb
>> ZipPasswordInfected;Engine:51-255;0;infected
>>
>> This file is in the ClamAV database directory (/var/lib/clamav/) and
>> ClamAV does not detect malware when the Zip is protected by the
>> "infected" password. Manually unzipped, ClamAV is able to detect the
>> malware.
>>
>> Has the format of .pwdb files changed since 0.100.x?
>> Is it still supported in recent ClamAV versions?
>>
>> --
>> Best regards,
>>
>> Arnaud Jacques
>> Manager of SecuriteInfo.com
>>
>> Telephone: +33-(0)3.44.39.76.46
>> E-mail: a...@securiteinfo.com
>> Website: https://www.securiteinfo.com
>> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
>> Twitter: @SecuriteInfoCom
>>
>> Securiteinfo.com
>> Computer Security - Information Security.
>> 266, rue de Villers
>> 60123 Bonneuil en Valois
>>


Re: [clamav-users] pwdb files still supported ?

2019-02-06 Thread Arnaud Jacques

Hello Andrew,

I use the clamav provided by Debian 8.11:
dpkg -l|grep clam
ii  clamav            0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - command-line interface
ii  clamav-base       0.100.2+dfsg-0+deb8u1  all    anti-virus utility for Unix - base package
ii  clamav-daemon     0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner daemon
ii  clamav-freshclam  0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - virus database update utility
ii  clamdscan         0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner client
ii  libclamav7        0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - libraryrt
ii  libclamunrar7     0.99-0+deb8u3          amd64  anti-virus utility for Unix - unrar support


How can I tell if it is compiled with yara support? clamscan --debug does
not seem to provide the information.


On https://buildd.debian.org/status/package.php?p=clamav=jessie-security,
there is "no logs" for amd64

o.O
Other log files seem to show Debian compiles with yara support.
For example:
https://buildd.debian.org/status/fetch.php?pkg=clamav=i386=0.100.2%2Bdfsg-0%2Bdeb8u1=1540398955=0


On 06/02/2019 at 17:32, Andrew Williams wrote:

Hey Arnaud,

I recently noticed a bug that causes .pwdb files to not be loaded from 
the db directory when ClamAV is compiled without Yara support.  Is 
your ClamAV built with Yara support, and if not, can you try compiling 
with Yara support and see whether this fixes the issue for you?  This 
issue will be fixed in an upcoming release.


Thanks,

-Andrew
Research Engineer
Malware Research Team

On Wed, Feb 6, 2019 at 11:16 AM Arnaud Jacques <webmas...@securiteinfo.com> wrote:


Hello,

It seems .pwdb files do not work since version 0.100.2 (maybe since
0.100.0).
It has this format:

cat passwords.pwdb
ZipPasswordInfected;Engine:51-255;0;infected

This file is in the ClamAV database directory (/var/lib/clamav/) and ClamAV
does not detect malware when the Zip is protected by the "infected"
password. Manually unzipped, ClamAV is able to detect the malware.

Has the format of .pwdb files changed since 0.100.x?
Is it still supported in recent ClamAV versions?

--
Best regards,


Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
Computer Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois



--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
Computer Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois



Re: [clamav-users] pwdb files still supported ?

2019-02-06 Thread Andrew Williams
Hey Arnaud,

I recently noticed a bug that causes .pwdb files to not be loaded from the
db directory when ClamAV is compiled without Yara support.  Is your ClamAV
built with Yara support, and if not, can you try compiling with Yara
support and see whether this fixes the issue for you?  This issue will be
fixed in an upcoming release.

Thanks,

-Andrew
Research Engineer
Malware Research Team

On Wed, Feb 6, 2019 at 11:16 AM Arnaud Jacques wrote:

> Hello,
>
> It seems .pwdb files do not work since version 0.100.2 (maybe since
> 0.100.0).
> It has this format:
>
> cat passwords.pwdb
> ZipPasswordInfected;Engine:51-255;0;infected
>
> This file is in the ClamAV database directory (/var/lib/clamav/) and ClamAV
> does not detect malware when the Zip is protected by the "infected"
> password. Manually unzipped, ClamAV is able to detect the malware.
>
> Has the format of .pwdb files changed since 0.100.x?
> Is it still supported in recent ClamAV versions?
>
> --
> Best regards,
>
> Arnaud Jacques
> Manager of SecuriteInfo.com
>
> Telephone: +33-(0)3.44.39.76.46
> E-mail: a...@securiteinfo.com
> Website: https://www.securiteinfo.com
> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter: @SecuriteInfoCom
>
> Securiteinfo.com
> Computer Security - Information Security.
> 266, rue de Villers
> 60123 Bonneuil en Valois
>


[clamav-users] pwdb files still supported ?

2019-02-06 Thread Arnaud Jacques

Hello,

It seems .pwdb files do not work since version 0.100.2 (maybe since
0.100.0).

It has this format:

cat passwords.pwdb
ZipPasswordInfected;Engine:51-255;0;infected

This file is in the ClamAV database directory (/var/lib/clamav/) and ClamAV
does not detect malware when the Zip is protected by the "infected"
password. Manually unzipped, ClamAV is able to detect the malware.


Has the format of .pwdb files changed since 0.100.x?
Is it still supported in recent ClamAV versions?

--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
Computer Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois

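
As an added illustration of the file format in the question above (this is example code, not code from the thread or from ClamAV itself), the following parses .pwdb lines of the shape PasswordName;Attributes;PWStorageType;Password. The Attributes block is an Engine:min-max functionality-level range, as in the post's Engine:51-255, and PWStorageType is 0 for a cleartext password or 1 for a hex-encoded one; the page shows only type 0, the hex type follows the ClamAV signature documentation. The functionality level passed in, the extra sample entries and the comment handling are constructed for the demonstration. The filter step shows that a well-formed line can also be dropped by the Engine range alone, a separate reason from the yara-build bug Andrew describes, so it is worth checking when a password file appears to be ignored.

```python
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PwdbEntry:
    name: str
    min_flevel: int   # lower bound of the Engine:min-max attribute
    max_flevel: int   # upper bound
    password: bytes   # decoded password bytes


def parse_engine_range(attrs: str) -> Tuple[int, int]:
    """Parse the attribute block; the post's line uses 'Engine:51-255'."""
    if not attrs.startswith("Engine:"):
        raise ValueError(f"unsupported attribute block: {attrs!r}")
    lo, sep, hi = attrs[len("Engine:"):].partition("-")
    if not sep or not lo.isdigit() or not hi.isdigit():
        raise ValueError(f"bad Engine range: {attrs!r}")
    return int(lo), int(hi)


def parse_pwdb_line(line: str) -> Optional[PwdbEntry]:
    """Parse one 'Name;Attributes;PWStorageType;Password' line.
    Blank lines and '#' comment lines (assumed here) yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(";")
    if len(fields) != 4:
        raise ValueError(f"expected 4 ';'-separated fields, got {len(fields)}: {line!r}")
    name, attrs, storage, pw = fields
    lo, hi = parse_engine_range(attrs)
    if storage == "0":            # cleartext password
        password = pw.encode("utf-8")
    elif storage == "1":          # hex-encoded password
        try:
            password = binascii.unhexlify(pw)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"bad hex password in {name!r}: {exc}") from None
    else:
        raise ValueError(f"unknown PWStorageType {storage!r} in {name!r}")
    return PwdbEntry(name, lo, hi, password)


def load_pwdb(text: str, flevel: int) -> List[PwdbEntry]:
    """Parse a whole .pwdb file and keep only entries whose Engine range
    covers the running engine's functionality level `flevel`."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            entry = parse_pwdb_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None and entry.min_flevel <= flevel <= entry.max_flevel:
            entries.append(entry)
    return entries


def candidate_passwords(text: str, flevel: int) -> List[bytes]:
    """Passwords a loader would hand to the zip unpacker at this flevel."""
    return [e.password for e in load_pwdb(text, flevel)]


# Constructed sample file. The first entry is the line from the post; the
# second stores the same password hex-encoded; the third has a range that a
# newer engine falls outside of, so it must be skipped at that level.
SAMPLE_PWDB = """\
# zip passwords (constructed sample)
ZipPasswordInfected;Engine:51-255;0;infected
ZipPasswordInfectedHex;Engine:51-255;1;696e666563746564
ZipPasswordLegacy;Engine:51-80;0;legacy
"""


if __name__ == "__main__":
    # 100 is a made-up functionality level for the demo, not a looked-up value.
    for entry in load_pwdb(SAMPLE_PWDB, flevel=100):
        print(entry)
```

Malformed lines raise with their line number rather than being skipped, which is the behaviour a practitioner wants from a loader: a password file that silently loses entries looks exactly like the symptom in this thread.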