Re: [clamav-users] Can't allocate memory ERROR

2021-01-07 Thread Micah Snyder (micasnyd) via clamav-users
Some users have reported an issue where the file size limits aren't working for 
files larger than 2GB.  If your MaxFileSize is default or is otherwise set less 
than 2GB and you're still seeing this error it may be the same issue. See:
  - https://bugzilla.clamav.net/show_bug.cgi?id=12374 
  - https://bugzilla.clamav.net/show_bug.cgi?id=12649

I haven't yet investigated, but I'm hoping to look into this bug in the coming 
weeks.

Regards,
Micah

> -Original Message-
> From: clamav-users  On Behalf Of
> G.W. Haywood via clamav-users
> Sent: Thursday, January 7, 2021 9:32 AM
> To: Kevin Faber via clamav-users 
> Cc: G.W. Haywood 
> Subject: Re: [clamav-users] Can't allocate memory ERROR
> 
> Hi there,
> 
> On Thu, 7 Jan 2021, Kevin Faber via clamav-users wrote:
> 
> > We are using c-icap to interface with ClamAV 0.103.0 and seeing the
> > following error in the clamd.scan log file when scanning large files.
> >
> > The RHEL host has 8gb of ram and is attempting to scan a 9gb file.  Are
> > there any configuration changes that can be made to fix this or do we just
> > increase ram?
> >
> > fd[21]: Can't allocate memory ERROR
> 
> What is it that you're scanning, and why do you want to scan it?
> 
> Please read the documentation and the configuration files, and search the list
> archives for information about maximum scan sizes which are discussed here
> now and again, e.g.
> 
> https://marc.info/?l=clamav-users&m=157549176313237&w=2
> 
> Basically you can't usefully scan anything bigger than about 4GBytes, for some
> cases 2GBytes.  In most cases I think it's probably futile to try to scan such
> large files anyway.  Chopping them into pieces so as to scan the pieces begs
> all sorts of questions.  If they're archives of multiple files you could
> extract the contents to scan separately.
> 
> It's possible to construct a tiny compressed archive file which will produce
> ridiculously large files when uncompressed, or perhaps e.g.
> trigger some regex issue in a scanner, resulting in denial of service.
> Don't do it.  Sometimes people want to scan the disc images of their
> filesystems, or those of virtual machines.  Try not to do that either.
> 
> --
> 
> 73,
> Ged.
> 
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml


Re: [clamav-users] Can't allocate memory ERROR

2021-01-07 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 7 Jan 2021, Kevin Faber via clamav-users wrote:


> We are using c-icap to interface with ClamAV 0.103.0 and seeing the following
> error in the clamd.scan log file when scanning large files.
>
> The RHEL host has 8gb of ram and is attempting to scan a 9gb file.  Are there
> any configuration changes that can be made to fix this or do we just increase
> ram?
>
> fd[21]: Can't allocate memory ERROR


What is it that you're scanning, and why do you want to scan it?

Please read the documentation and the configuration files, and search
the list archives for information about maximum scan sizes which are
discussed here now and again, e.g.

https://marc.info/?l=clamav-users&m=157549176313237&w=2

Basically you can't usefully scan anything bigger than about 4GBytes,
for some cases 2GBytes.  In most cases I think it's probably futile to
try to scan such large files anyway.  Chopping them into pieces so as
to scan the pieces begs all sorts of questions.  If they're archives
of multiple files you could extract the contents to scan separately.

It's possible to construct a tiny compressed archive file which will
produce ridiculously large files when uncompressed, or perhaps e.g.
trigger some regex issue in a scanner, resulting in denial of service.
Don't do it.  Sometimes people want to scan the disc images of their
filesystems, or those of virtual machines.  Try not to do that either.

--

73,
Ged.
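
An added example, not part of any list message and not ClamAV code: a pre-scan check for the two situations discussed in this thread, a file at or above 2 GiB or above the configured `MaxFileSize`, and a zip archive whose declared contents are far larger than the archive itself. The option names `MaxFileSize` and `MaxScanSize` are real clamd.conf settings; the sample config, the ratio threshold of 100 and all function names are assumptions made for the illustration.

```python
import io
import re
import zipfile

TWO_GIB = 2 * 1024**3  # sizes from here up are where the thread reports trouble
_SIZE = re.compile(r"^(\d+)([KkMm]?)$")


def parse_size(value):
    """Convert a clamd.conf size ('25M', '512k', '1048576') to bytes."""
    m = _SIZE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported size value: {value!r}")
    return int(m.group(1)) * {"": 1, "K": 1024, "M": 1024**2}[m.group(2).upper()]


def read_limits(conf_text):
    """Pick MaxFileSize and MaxScanSize out of clamd.conf text."""
    limits = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in ("MaxFileSize", "MaxScanSize"):
            limits[parts[0]] = parse_size(parts[1])
    return limits


def zip_declared_sizes(fileobj):
    """Return (uncompressed, compressed) totals from the zip directory.

    Nothing is extracted. The sizes are whatever the archive claims, so this
    is a cheap first filter, not proof that the archive is harmless.
    """
    with zipfile.ZipFile(fileobj) as zf:
        infos = zf.infolist()
    return sum(i.file_size for i in infos), sum(i.compress_size for i in infos)


def preflight(size, limits, archive=None, max_ratio=100):
    """Return the reasons not to hand this object to the scanner as-is."""
    reasons = []
    if size >= TWO_GIB:
        reasons.append("over-2GiB")
    max_file = limits.get("MaxFileSize", 0)  # 0 means the limit is disabled
    if max_file and size > max_file:
        # The scanner skips such a file, so "no virus found" says nothing.
        reasons.append("over-MaxFileSize")
    if archive is not None:
        unpacked, packed = zip_declared_sizes(archive)
        max_scan = limits.get("MaxScanSize", 0)
        if max_scan and unpacked > max_scan:
            reasons.append("archive-over-MaxScanSize")
        if packed and unpacked / packed > max_ratio:
            reasons.append("archive-ratio")
    return reasons


def build_sample_zip(member_bytes):
    """Constructed test input: one member of zero bytes, deflate-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * member_bytes)
    return buf.getvalue()


# Constructed clamd.conf fragment, not taken from the poster's system.
SAMPLE_CONF = """\
# size limits
MaxFileSize 25M
MaxScanSize 100M
"""

if __name__ == "__main__":
    limits = read_limits(SAMPLE_CONF)
    print("9 GiB file:", preflight(9 * 1024**3, limits))
    sample = build_sample_zip(4 * 1024**2)
    print(len(sample), "byte zip:", preflight(len(sample), limits, io.BytesIO(sample)))
```

An empty list means the object is within the configured limits; any entry means it should be rejected or handled separately before it reaches clamd.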



Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-07 Thread Orion Poplawski
Lilia -

  Virus database is updated daily and updated last night.  Still seeing one
this morning:

Virus Urlhaus.Malware.364328-9787819-0:

https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc:
1 Time(s)

Though that is a different signature.

Orion

On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
> 
> Those NBD signatures were updated at the beginning of the week and should not
> FP anymore. Please update your ClamAV db and let us know if the issue
> persists.
> 
> Best regards,
> 
> Lilia Gonzalez
>  Malware Research Team
>  Cisco Talos
> 
> 
> On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski wrote:
>
> Lilia -
>
>   Thanks for the response.   We're seeing some others getting triggered as
> well:
>
>     Virus Urlhaus.Malware.490516-9766015-0:
>        10.21.2.5
>        https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
>        10.21.2.5
>        https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
>        10.21.2.5
>        https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
>        10.21.2.5
>        https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>        10.21.2.5
>        https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
>
>     Virus Urlhaus.Malware.161756-8797115-0:
>        10.10.20.7
>        https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>        10.11.1.3
>        https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> 
> 
> Orion
> 
> On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Thank you for reporting this. URLhaus is a partner that generates a list of
> > ClamAV signatures to target malicious URLs. Signature
> > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > files, which is why it is alerting on the URLs you mentioned. We found these
> > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > prevent them from alerting on legitimate URLhaus content. We are currently
> > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > HTML files.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski wrote:
> >
> >     Can anyone give me some details about the
> >     Urlhaus.Malware.452652-9766253-0
> >     signature?  We're seeing following URLs trigger it:
> >
> >     https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> >     https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> >     https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt

[clamav-users] Can't allocate memory ERROR

2021-01-07 Thread Kevin Faber via clamav-users
Hello,

We are using c-icap to interface with ClamAV 0.103.0 and seeing the following 
error in the clamd.scan log file when scanning large files.

The RHEL host has 8gb of ram and is attempting to scan a 9gb file.  Are there 
any configuration changes that can be made to fix this or do we just increase 
ram?

fd[21]: Can't allocate memory ERROR

Thanks,
Kevin



Re: [clamav-users] Question about Urlhaus.Malware.452652-9766253-0

2021-01-07 Thread Lilia Gonzalez Medina
 Hi Orion!

Those NBD signatures were updated at the beginning of the week and should
not FP anymore. Please update your ClamAV db and let us know if the issue
persists.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski  wrote:

> Lilia -
>
>   Thanks for the response.   We're seeing some others getting triggered as
> well:
>
> Virus Urlhaus.Malware.490516-9766015-0:
>    10.21.2.5
>    https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
>    10.21.2.5
>    https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
>    10.21.2.5
>    https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
>    10.21.2.5
>    https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
>    10.21.2.5
>    https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
>
> Virus Urlhaus.Malware.161756-8797115-0:
>    10.10.20.7
>    https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>    10.11.1.3
>    https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
>
>
> Orion
>
> On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > Hi Orion!
> >
> > Thank you for reporting this. URLhaus is a partner that generates a list of
> > ClamAV signatures to target malicious URLs. Signature
> > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > files, which is why it is alerting on the URLs you mentioned. We found these
> > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > prevent them from alerting on legitimate URLhaus content. We are currently
> > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > HTML files.
> >
> > Best regards,
> >
> > Lilia Gonzalez
> > Malware Research Team
> > Cisco Talos
> >
> > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski wrote:
> >
> > Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> > signature?  We're seeing following URLs trigger it:
> >
> > https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> > https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> > https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> > https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> >
> > Which seems to be the online update URLs for the urlhaus filter.  Does
> > ClamAV deem urlhaus a bad actor?
> >
> > Thanks,
> >   Orion
> >
> > --
> > Orion Poplawski
> > Manager of NWRA Technical Systems  720-772-5637
> > NWRA, Boulder/CoRA Office FAX: 303-415-9702
> > 3380 Mitchell Lane   or...@nwra.com
> > 
> > Boulder, CO 80301 https://www.nwra.com/
> > 
> >
>
> --
> Orion Poplawski
> Manager of NWRA Technical Systems  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 

Re: [clamav-users] Help please

2021-01-07 Thread Mark Burzenski via clamav-users
Fantastic! I was hoping there was an easier way than trying to learn all
the manual steps and still get my work done.
Will try it ASAP
THANK YOU !!



On Thu, Jan 7, 2021 at 7:44 AM Matus UHLAR - fantomas 
wrote:

> On 05.01.21 22:33, Richard Graham via clamav-users wrote:
> >You also may want to install it from the Ubuntu repo.
> >
> >https://help.ubuntu.com/community/ClamAV
> >https://packages.ubuntu.com/focal/clamav
>
> I recommend installing clamav using ubuntu packages, especially when you
> don't know how to compile/install from sources.
>
>
> >On Tue, Jan 5, 2021 at 9:36 PM David Copeland wrote:
> >> You might have a look at:
> >>
> >>
> >>
> https://www.clamav.net/documents/installation-on-debian-and-ubuntu-linux-distributions
>
> >> On 2021-01-05 2:29 p.m., Mark Burzenski via clamav-users wrote:
> >> I downloaded the tar.gz for Clamav, then gunzipped it, then moved it to
> >> its own directory and un tarred it. Now I have a directory full of files
> >> and no idea how to get clamav installed.
> >>
> >> New to Linux
> >> using Ubuntu 20.04 in a Virtual box environment.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> If Barbie is so popular, why do you have to buy her friends?
>


Re: [clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

2021-01-07 Thread Luca Sironi via clamav-users
Hello, thank you for your answer.
I understand your point, I guess I should simply trust the project
repository.

I was asked to check whether I could integrate information coming from

https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-clam.ldb

with a pre-existing clamav installation but I have limited access to the
internet so I could not easily add another CustomerDatabase entry.
So I asked on the ML if that was gonna become part of the standard
repository.
I thought that Red Eye could provide the best signatures to identify binary
stuff they got leaked.

Yes, I was trying to compare the ldb file content with
sigtool --unpack content of daily.cvd and main.cvd

regards
Luca


On Thu, 7 Jan 2021 at 14:47, G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Wed, 6 Jan 2021, Luca Sironi via clamav-users wrote:
>
> > How can i crosscheck a .ldb file like the one published from Red Eye
> > with the content of the cvd files i download from clamav?
>
> Please define "crosscheck".  If you mean that you want to check that
> two different types of signature store produced by two (or likely
> more) different signature writers contain the same signatures for some
> malware or other, then be aware that both the names of the signatures
> and the signatures themselves are chosen by the writers.  There is no
> reason to suppose that two different people will choose the same text
> for the things that they put in their signature stores, so no reason
> why the signatures themselves should be the same, and no reason why
> the names of the signatures should even vaguely resemble each other.
> The signatures may not even use the same methods of comparison with
> the malware.  Some signatures will look for things in mail, some for
> things in files.  There's more, see the documentation about writing
> signatures on the ClamAV Website.
>
> If you want to check whether the same malware is detected by two or
> more different sets of signatures, then scan a sample of the malware
> with one or other of the signature sets loaded.
>
> > I tried to unpack those with sigtool but the syntax of the cvd is
> > much more clear a signature, a name.
>
> Your problem is not clear.  What did you do?  Please show the exact
> commands, the resulting output if it is reasonably concise, and why
> you didn't like the result.  Did you try simply looking at the files
> with a pager?
>
> --
>
> 73,
> Ged.
>


-- 
http://www.sironi.tk



Re: [clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

2021-01-07 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 6 Jan 2021, Luca Sironi via clamav-users wrote:


> How can i crosscheck a .ldb file like the one published from Red Eye
> with the content of the cvd files i download from clamav?


Please define "crosscheck".  If you mean that you want to check that
two different types of signature store produced by two (or likely
more) different signature writers contain the same signatures for some
malware or other, then be aware that both the names of the signatures
and the signatures themselves are chosen by the writers.  There is no
reason to suppose that two different people will choose the same text
for the things that they put in their signature stores, so no reason
why the signatures themselves should be the same, and no reason why
the names of the signatures should even vaguely resemble each other.
The signatures may not even use the same methods of comparison with
the malware.  Some signatures will look for things in mail, some for
things in files.  There's more, see the documentation about writing
signatures on the ClamAV Website.

If you want to check whether the same malware is detected by two or
more different sets of signatures, then scan a sample of the malware
with one or other of the signature sets loaded.


> I tried to unpack those with sigtool but the syntax of the cvd is
> much more clear a signature, a name.


Your problem is not clear.  What did you do?  Please show the exact
commands, the resulting output if it is reasonably concise, and why
you didn't like the result.  Did you try simply looking at the files
with a pager?

--

73,
Ged.



Re: [clamav-users] Help please

2021-01-07 Thread Matus UHLAR - fantomas

On 05.01.21 22:33, Richard Graham via clamav-users wrote:
>You also may want to install it from the Ubuntu repo.
>
>https://help.ubuntu.com/community/ClamAV
>https://packages.ubuntu.com/focal/clamav

I recommend installing clamav using ubuntu packages, especially when you
don't know how to compile/install from sources.

>On Tue, Jan 5, 2021 at 9:36 PM David Copeland wrote:
>> You might have a look at:
>>
>> https://www.clamav.net/documents/installation-on-debian-and-ubuntu-linux-distributions

>> On 2021-01-05 2:29 p.m., Mark Burzenski via clamav-users wrote:
>> I downloaded the tar.gz for Clamav, then gunzipped it, then moved it to
>> its own directory and un tarred it. Now I have a directory full of files
>> and no idea how to get clamav installed.
>>
>> New to Linux
>> using Ubuntu 20.04 in a Virtual box environment.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?



Re: [clamav-users] Terminate clamscan after specific time

2021-01-07 Thread Andrew C Aitchison via clamav-users

On Thu, 7 Jan 2021, G.W. Haywood via clamav-users wrote:


> Hi there,
>
> On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:
>
> > Can you send link to your posts about root directory scan?
>
> https://marc.info/?l=clamav-users=1=2


The footer of every message from the list has a link
  https://lists.clamav.net/mailman/listinfo/clamav-users
which points to the archive at
  https://lists.clamav.net/pipermail/clamav-users/

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [clamav-users] Terminate clamscan after specific time

2021-01-07 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:


> Can you send link to your posts about root directory scan?


https://marc.info/?l=clamav-users=1=2

--

73,
Ged.



[clamav-users] Regarding CMake build System in ClamAV project

2021-01-07 Thread Satish Kumar via clamav-users
Dear ClamAV Team,

I would like to know the detailed steps to convert the auto-tool project to a
CMake project. As per the latest version of ClamAV, I have come to know that
auto-tools is replaced by CMake build systems. Actually, I am looking for a good
tutorial/documentation which helps me to convert the autotool project to a
cmake project.
Could any one of you please help me on this? Thank you in advance.

Regards,
Satish Yaduvanshi



Re: [clamav-users] Terminate clamscan after specific time

2021-01-07 Thread Pierre Dehaen
Right, that's why I suggested to make a full scan daily/weekly.

Scanning is not bulletproof either, as the virus signature comes by definition
after the virus creation. If you have some trust in your OS provider then
additional basic tools like rpm -qV, dpkg -V or debsums (even if not perfect)
could be used to verify the authenticity of the package files in your reference
snapshot. Elfsign could be used to check binaries, if they are signed (on
Solaris they are, not sure on Linux), and the kernel could enforce the check on
execution if desired (still on Solaris). Auditd is also available... but I stop
here because, questioning who we can trust, we could end up with the chain of
trust and the TPM chip... secured by God's signature as you know.

Anyway, as the initial idea was to stop scanning during work hours, I think my
suggestions (to scan changed files only during these hours) were still safer...

Pierre


On 6 Jan 2021 at 12:53, Paul Kosinski via clamav-users wrote:

> The problem with only scanning files that have changed since they were
> last scanned is that there usually have been virus signature updates in
> the meantime. So you could have an "old" file that contains what was a
> zero-day virus at the time it was scanned, and now there is a signature
> that would detect it.
>
> On Wed, 06 Jan 2021 11:56:47 +0100
> "Pierre Dehaen" wrote:
>
> > Hi,
> >
> > On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:
> >
> > > > My goal is to terminate scan of big number of files like '/' on CPU
> > > > busy hours.
> > > Do not scan everything under the root directory.
> >
> > Use zfs, make regular snapshots, scan once, then use zfs diff to find the
> > new/changed(/removed) files, scan these only.
> >
> > Or make a full scan every week if desired, then use a auditing program to
> > regularly search for the files that were added/updated(/removed), scan
> > these only. These auditing programs use hash signatures which are faster
> > to compute than doing full virus scans, but they will anyway make a lot of
> > i/o as they will read all files. If you are really constrained by the i/o
> > you could run a less secure but lighter audit based on the file attributes
> > (size, ownership, mode, dates...) and once a day/week a full audit...
> >
> > There are many options...
> >
> > HTH,
> > Pierre
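
An added example, not code from any poster in this thread: one way to combine the two points made above, scanning only files whose attributes (or, optionally, content hash) changed since the last run, and falling back to a full scan whenever the signature database version differs from the one recorded in the manifest. The manifest layout, the function names and the `db_version` string (assumed to be obtained by the caller, for instance from the version line the scanner prints) are assumptions of this sketch.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint(path, use_hash=False):
    """Attributes compared between runs; optionally a SHA-256 of the content."""
    st = os.lstat(path)
    fp = [st.st_size, st.st_mtime_ns, st.st_mode, st.st_uid, st.st_gid]
    if use_hash:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        fp.append(h.hexdigest())
    return fp


def snapshot(root, use_hash=False):
    """Fingerprint every regular file under root (symlinks are not followed)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISREG(os.lstat(path).st_mode):
                    files[path] = fingerprint(path, use_hash)
            except OSError:
                continue  # vanished or unreadable; absent from the manifest
    return files


def select_for_scan(root, manifest, db_version, use_hash=False):
    """Return (paths to scan, new manifest).

    A different db_version forces a full scan, because a file that was clean
    under the old signatures may match a newer one. Store the new manifest
    only after the scan of the returned paths has actually completed.
    """
    current = snapshot(root, use_hash)
    previous = manifest.get("files", {})
    if manifest.get("db_version") != db_version:
        targets = sorted(current)
    else:
        targets = sorted(p for p, fp in current.items() if previous.get(p) != fp)
    return targets, {"db_version": db_version, "files": current}


if __name__ == "__main__":
    # Constructed demo tree; "db-1" and "db-2" are placeholder version strings.
    root = tempfile.mkdtemp()
    for name in ("a.txt", "b.txt"):
        with open(os.path.join(root, name), "w") as f:
            f.write("AAAA")
    first, manifest = select_for_scan(root, {}, "db-1")
    print("first run:", len(first), "files")
    again, manifest = select_for_scan(root, manifest, "db-1")
    print("unchanged tree, same signatures:", again)
    after_update, manifest = select_for_scan(root, manifest, "db-2")
    print("after signature update:", len(after_update), "files")
```

The attribute-only mode misses a same-size rewrite whose modification time has been set back; the hash mode catches it at the cost of reading every file.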
