I've been attempting to lighten the load for SpamAssassin a little by
creating signatures for the stock and pill spams that are flooding in
these days. More specifically, I'm creating signatures for the attached
images in the spams. (Upgrading SA, to be able to use OCR plugins and
so on, is not
Henrik Krohns wrote:
I don't get it.. unless you have some big honeypot, maybe 5% of traffic
contain small images to be OCRd. If your server can't handle that, I guess
it's running out of juice anyway. :)
Well... yeah. g The basic problem is that all the other garbage
(with the occasional
Kris Deugau wrote:
From the problems I'm having with supposedly malformed signatures, it
looks like there's an effective complexity limit; from the problems in
*matching* a signature that's finally been found to be acceptable, it
looks like there's a (lower) limit on what Clam can actually
aCaB wrote:
Kris Deugau wrote:
ImgSpam.Misc.5:0:0:474946383761??(01|00)??00442c??(01|00)??0084(00|48|53)(00|15)(00|30|1c)f0f0f0(f0|e0|c0)f0(e0|b0|f0|d0|c0)f0(00|f0|40)(00|d0|e0|60|70)(f0|90|00|c0)(e0|90|00|b0|70)f0??(00|90|40|7d|10)(f0|ea)??(f0|00|e0|d0|46)
Hi Kris
Tomasz Kojm wrote:
A few corrections :-)
Ah! The Voice of Authority! g
aCaB [EMAIL PROTECTED] wrote:
1) you always need at least 2 static bytes before and after a wildcard
(though a series of ?? is fine)
with 0.9x it's enough to have a block of 2 static bytes somewhere in a part
of
Jim Goode wrote:
I am currently running version 0.88.7 on SME 6.0.1-01 (built on Red Hat
7.x).
[EMAIL PROTECTED] tmp]# rpm -qa | grep clam
clamav-es-libs-0.88.7-es01
clamav-es-0.88.7-es01
OK, so you've got a pair of packages called clamav-es-libs and
clamav-es.
I downloaded:
[EMAIL
xue wen wrote:
To whom it may concern,
I have tried to understand the signatures in the ClamAV's database. I have
succeeded to add a string signature into .db file. And when I tried to add a
regular expression into signature, there were some errors. I have referred
to the document of
Jiri Demel wrote:
Is there any possibility to have some sort of a local whitelist
for the phishing heuristics in ClamAV?
Or should I try to solve it in MimeDefang from which I call ClamAV?
Since you're using MIMEDefang to call ClamAV, I'd suggest something like
what I've done; phishing
Chambers, Phil wrote:
I have a local ndb file containing signatures of some spear phishing
attacks targeted specifically at us.
I recently added another signature and it caused clamd to shut down!
I'm afraid I can't help much with solving your problem, but I certainly
know what you're going
CentOS 5, Clam installed from RPMForge repo.
Was running 0.95.1 when this happened yesterday, upgrading to 0.95.2
didn't change anything.
[r...@snafu kdeugau]# /etc/init.d/clamd restart
Stopping Clam AntiVirus Daemon:[FAILED]
Starting Clam AntiVirus Daemon: LibClamAV
Dennis Peterson wrote:
Kris Deugau wrote:
clamscan seems to be able to read the database files just fine.
Any suggestions on what to poke to get more detail on what's actually
broken?
Send the result of running clamconf and ps -ef |grep [c]lam
Seems this was a SELinux issue after all
Steven Stern wrote:
Checking outgoing mail is pointless. Why bother?
So you can reduce malware propagation? (And as a result, maybe not end
up on everyone's local blacklist for spewing garbage...)
If I were mailing malware, I'd be sure to mark that it had been scanned,
approved, and was
Jerry wrote:
On Wed, 24 Feb 2010 10:33:09 -0500
Kris Deugau kdeu...@vianet.ca articulated:
Steven Stern wrote:
Checking outgoing mail is pointless. Why bother?
So you can reduce malware propagation? (And as a result, maybe not
end up on everyone's local blacklist for spewing garbage
(FWIW, the original inverse question/argument was about blindly
accepting third-party claims that something was clean; I responded
noting that I would [mostly] happily trust third-party claims that
something *wasn't* clean.)
Jerry wrote:
Let's take this from the top.
You, and other
Jerry wrote:
On Thu, 25 Feb 2010 16:40:13 -0500
Bowie Bailey bowie_bai...@buc.com articulated:
Abide by what edict? Email marked as containing a virus is simply
rejected. If a spammer or bot wishes to send out viruses from my
network, they'll have to bypass my MTA to do it, which is more
Chuck Swiger wrote:
On Feb 25, 2010, at 5:24 PM, Jerry wrote:
Let's take this from the top.
[ ... ]
The morgue is getting full of flogged-to-death horses and slain strawman
arguments. Please stop.
Butbutbut... It's still horse-shaped! And I think I saw that bale of
straw move!
-kgd,
I just received a report from a customer about a legitimate Amazon.ca
order confirmation that tripped the
Phishing.Heuristics.Email.SpoofedDomain code in Clamav (0.95.3 from
Debian lenny volatile).
I'm not sure what this heuristic test looks for, but after inspecting
the message source I'm
Török Edwin wrote:
It should already be whitelisted:
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-
X:.+:.+images\.amazon\.com([/?].*)?:17-
What is the domain of the image, and the domain of the href target?
Can you craft a simple example html mail with just
Török Edwin wrote:
The existing whitelist doesn't pass because amazon.com doesn't have
anything preceding it.
Try this:
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:(.+\.)?amazon\.com([/?].*)?:17-
Looks good, thanks!
I've put this in daily.wdb on the live servers; is that the
I've had reports of several FPs due to PhishingScanURLs recently - is
there any way it can be made less aggressive rather than just turning it
off outright?
The messages triggering it so far have been both outgoing and incoming
mail from our customers: forwarded copies of legitimate
Török Edwin wrote:
On 04/22/2010 05:26 PM, Kris Deugau wrote:
I've had reports of several FPs due to PhishingScanURLs recently - is
there any way it can be made less aggressive rather than just turning it
off outright?
You could remove domains from daily.pdb
I don't seem to have
Török Edwin wrote:
Are you sure it was a Heuristics.Phishing.*, or Phishing.Heuristics.*
detection?
It doesn't look at the subject line at all.
Pretty certain; I don't recall the username so it's a bit hard to check
back in the mail logs.
What does the 17- at the end indicate?
It
I'd whitelist the specific URLs in question, but they vary from message
to message, since they're in the form:
http://www.google.com/url?sa=Xq=http://othersite
(the full URL runs about 500 characters in total - so far as I
understand the SpoofedDomain heuristic, it's only that first pair
the
heuristics rules (for those who can't whitelist these messages further
upstream)?
-kgd
Kris Deugau wrote:
I'd whitelist the specific URLs in question, but they vary from message
to message, since they're in the form:
http://www.google.com/url?sa=Xq=http://othersite
(the full URL runs
ANANT S ATHAVALE wrote:
Dear List,
I am replying to my own query. Please suggest a way to solve my problem.
You have two basic options for reducing or eliminating false positives
from the heuristic phishing test within ClamAV's setup:
- Get a copy of the message, or enough of a copy, that
I tried twice yesterday, but the submission was refused as not detected
by Clamav both times, likely since I haven't managed to extract a
suitable fragment of the document that's triggering the FP.
I have not received an OK from the customer to release the complete
attachment that triggered
G.W. Haywood wrote:
The ClamAV database mirrors appear to have a growing capacity problem.
Torrents are intended to alleviate the problem, and it takes, oh, ten
minutes to set one up. Scripts already exist which could be adapted
fairly easily to use torrents instead of mirrors to download the
Bruno Barosa wrote:
Hi, can anyone help?
Running on Centos 5.x (various versions from 5.4 to 5.8) 64bit.
Epel installed, RPMForge uninstalled, and prefer to keep it this way.
[root@myserver ~]# yum update clamav
...
No Packages marked for Update
Your choices are:
1) Wait for EPEL to
Bruno Barosa wrote:
Hi,
The issue is not being able to update the clamav core.
Nigel posted about database updates, if I understood it right.
I'm quoting my original post:
Hi, can anyone help?
Running on Centos 5.x (various versions from 5.4 to 5.8) 64bit.
Epel installed, RPMForge
Alain Zidouemba wrote:
Massimo,
Actually, I'd recommend you send it in here:
http://www.clamav.net/lang/en/sendvirus/
That way we can review your file that was detected
as BC.Exploit.CVE_2012_0165 and tell you if you are dealing with a true
positive of a false positive. In the case of a
Greg Folkert wrote:
On Tue, 2013-06-11 at 14:38 -0400, Kris Deugau wrote:
(Resend; list seems to have gone black-hole for a few days)
FYI, I saw your last e-mail on Wednesday of last week on this very
subject. I didn't have any answers so I didn't respond.
Curious. I didn't get a copy
Alain Zidouemba wrote:
The following seems to work for me:
X:\.scotiarewards\.com:\.scotiabank\.com
It will be released shortly to whitelist the redirection from
scotiarewards.com to scotiabank.com
Thanks!
However, I tried adding this to daily.wdb locally, and I'm still getting
the
Kees Theunissen wrote:
Or just check your virus-filter logs.
*blink*
*poke*
Ah, that *is* enabled on my account. I had forgotten that.
Both your messages were rejected by my filter. The log shows:
Messsage rejected because of virus Heuristics.Phishing.Email.SpoofedDomain.
It triggered
Chuck Swiger wrote:
Only, when they use a mechanism like ports/pkgsrc/dselect/yum/etc to
update the installed version of freshclam, that mechanism leaves the old
version of the daemon running rather than stopping and restarting
freshclam to pick up the new version.
Or worse, insists on
Paolo De Michele wrote:
the support reply:
While it is possible, due to the nature of SSD storage we do not
support swap space on droplets.
honestly, I do not think that increasing my VPS to 1gb of ram solve the
situation
how can I fix it?
If you won't add RAM, and your hosting provider
Gene Heskett wrote:
On Sunday 02 February 2014 09:12:36 G.W. Haywood did opine:
You might be. IF I understand what you're doing, it seems to me that
you're piping a stream of data to the standard input of a process and
asking that process to scan the stream for interesting things. You
Thorvald Hallvardsson wrote:
Hi,
I have got clamav running on the box and recently had a complaint from the
customer saying that he is getting viruses. In fact Clamav is finding
phishing messages but any virus (besides eicar) is not being found. Tried
to test it from the command line and it
Bowie Bailey wrote:
I highly recommend the Sanesecurity signatures. They catch much more
than the stock signatures. They also catch spam, scam, phishing, and
other misc junk emails. I haven't had any problems with false positives.
Here's the breakdown from my recent logs:
818 Total
I just came across a FP report for a hit from
Heuristics.Phishing.Email.SpoofedDomain.
On checking the message by hand, it no longer triggers this test, either
on my desktop test/dev system running 0.98.4, or on the production
servers running 0.97.6.
Examining the message by hand, the best guess
Al Varnell wrote:
You have certainly found the correct pair as your message is still showing up
immediately as infected here.
... and here, too; I wondered why my message hadn't shown up in my
clamav mail folder...
Heuristics detections are accomplished by the engine, not a specific
Tim Edwards wrote:
The recent addition of Zip.Suspect.MiscDoubleExtension signatures has been
causing a lot of trouble for us, as it keeps getting flagged for completely
innocuous files such as foo_handle_pdf.js.
One common thread I've been seeing is that people reporting specific
cases are
Kris Deugau wrote:
How do I whitelist all combinations of TLD 1 and TLD 2 with/without
subdomains in one entry?
I've just had a series of FP reports, all appear to be triggered by a
Scotiabank internal mail system URL that shows scotiabank.com (with a
host/subdomain in some messages
How do I whitelist all combinations of TLD 1 and TLD 2 with/without
subdomains in one entry?
I've just had a series of FP reports, all appear to be triggered by a
Scotiabank internal mail system URL that shows scotiabank.com (with a
host/subdomain in some messages, without in others) and a real
G.W. Haywood wrote:
> Hi there,
>
> On Mon, 2 Nov 2015, Hajo Locke wrote:
>
>> ... It seems to be so easy for a php-programmer to generate infinite
>> number of malwarefiles ...
>
> That's correct.
>
> Any .php file sent here goes straight to /dev/null without inspection.
I can't say I've
I've been seeing Javascript malware on and off where (one layer of) the
Javascript obfuscation is done by taking the real code, sticking in
random characters every other character, wrapping it in one or more
strings, and then using string manipulation to pull out the original
characters and execute
Jingo Administrator wrote:
Already more than a week ago I posted my first question to the list. I
must admit I'm a bit disappointed that nobody responds. Is it that I
asked a silly question? Or is the issue just too hard to solve and just
nobody wants to burn his fingers on it?
It's like more
Marco wrote:
> Hello,
>
> I installed clamd server (0.98.7) with clamav-milter using RPM of EPEL.
>
> With this installation, after every freshclam update session, clamd is
> forced to read the DB:
>
> 2015-09-29T09:12:41.244383+02:00 av1 clamd[15201]: Reading databases
> from /var/lib/clamav
Alex wrote:
> Steve Basford wrote:
>> I've posted the email here:
>> http://pastebin.com/n4WRjmzE
>
>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>> Before inserting .: .f.email.americanexpress.com
>> Lookup result: in regex list
>> Phishcheck:host:.r.smartbrief.com
>>
Groach wrote:
> As a side note: is anyone surprised a virus hasn't been released,
> embedded in a 'password protected' Zip file (to fool AV scans) with the
> body of the email saying something like "to fight against viruses and
> to protect you, it is password protected. Your password is:
Gene Heskett wrote:
> But, I do wish that clamd would send me a substitute email advising that
> it has stashed a suspect incoming email into the
> mailfile /var/spool/mail/virii. I try to look that file over for FP's,
> but quickly get lost in the visual garbage because it's probably a zip'd
Steve Basford wrote:
> 1) .rmd/.zmd databases are obsolete, they are replaced with .cdb
>
> More details:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
Does anyone have any examples of valid signatures for the .cdb sigfiles?
I've tried a couple of times to port some
Charles Swiger wrote:
> The milter approach is less flexible. With a scoring mechanism, you can rate
> actual viruses sufficiently negative that the scoring algorithm will always
> reject them.
That depends on the milter you're using. My own favoured milter is
MIMEDefang, which allows you do
Charles Swiger wrote:
> On Jul 19, 2016, at 10:39 AM, Kris Deugau <kdeu...@vianet.ca> wrote:
>> ClamAV hits on any of the Heuristics.* tests get flagged instead of
>> treated the same as the signature-based hits, and that flag either
> >> causes an adjustment in the Sp
Alex wrote:
> Hi,
>
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool
Steven Morgan wrote:
> Please try clamscan --scan-html=no to turn off normalization.
Mmmm. I suppose that's technically the functionality I'm asking for,
but in its current form it's a pretty blunt instrument - it's all or
nothing, especially if set for clamd with the "ScanHTML" option in
Kris Deugau wrote:
> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
As a complement to that question, is there a way to *force* other
Javascript files to be n
Is there a way to force matching on the raw file, or at least control
the normalization to some degree so that formatting and details in the
original code aren't lost?
I've been coming across .wsf files in .zip files, which are essentially
Javascript wrapped in a very thin wrapper:
[insert
Matus UHLAR - fantomas wrote:
> On 15.09.16 00:51, Reindl Harald wrote:
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xslx because they
>> can't contain macros (would be .docm for the new formats)
>
> .docm is docx
crazy thinker wrote:
> Hi,
>
> I would you like to get each file status call back in *Clamdscan output*
> while perform scan over a directory using *clamdscan*. but i able to get
> a file status call back *(OR | ERROR| FOUND)* in *Clamdscan output* when
> i perfrom scan over a *single
Alex wrote:
> Please don't send me to the amavis list - there must be someone who
> uses both clamav and amavis that understands what's happening here.
Much like SpamAssassin, Clamav in and of itself can only say "Matched
signature " or "Triggered heuristic test ", or "Didn't match
anything".
Joel Esler (jesler) wrote:
> Dave,
>
> Check out:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
Unfortunately this document still leaves a number of questions, since
it's quite easy to create a signature that looks to be valid but which
ClamAV won't accept. And the
John T. Bryan wrote:
> I’ve been running ClamAV now for some years as the virus-checking plug-in on
> my main multi-client mail server. For a long time, I was very pleased with
> it and how easily I was able to integrate it into the custom software back
> when I first switched to it.
>
> Lately,
Groach wrote:
> If I could exclude the Clam default
> signatures and just continue to use Sane then I would and then I could
> turn back on quarantining to make our systems safe again.
You can; turn off freshclam and delete the stock signature files.
Also make sure that you don't use the
Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc.,
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with
>> macros typically contain an OLE2 file named vbaProject.bin. This signature
>>
Mark Foley wrote:
> Kees - thanks for that info. So, basically I'd have to start a new clamd with
> a
> different socket and therefore pointing to a different config file. Not sure
> then what the point of the --config-file parameter to clamdscan is ...
It allows you to call a different clamd
Mark Foley wrote:
So, the question posted below remains:
Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux?
Any valid signature file will be loaded and used.
Any *invalid* signature file will cause clamd to exit.
If clamd is running, and you've been able to
Cedric Knight wrote:
Devs - is it possible to block PDFs based on containing '/JavaScript'
and '/OpenAction' (or '/Launch')? I wish ClamAV has a hierarchy from
definite signatures first to secondly checking heuristics...
Not a ClamAV developer, but yes, you can create a signature for this.
nobswolf wrote:
Hello,
I just added virus support by ClamAV to my email-server. I am almost
satisfied. It already caught some "zero days".
But I'd like to separate the detection of junk from the detection of
malware. So I'd like to disable the junk detection in ClamAV.
I commented out the
Joel Esler (jesler) wrote:
We already distribute some third party feeds into the official database, we
have a program for that which can be found on our website.
For my part I would far prefer an enhancement to freshclam to allow it
to download arbitrary third-party signature sets, much as
outre...@epsilon.com wrote:
Hi Al,
Could you please confirm exactly what is the issue you see with the links? As
far as I can see, they use standard link tracking.
^^
In my experience that, in and of itself, is often the problem.
The
Crystalslave wrote:
Return-Path: harlequin...@gmail.com
First off, my apologies for the confusion. This is my first time
posting to a mailing list; I didn't really know how to handle the
return path thing, so I had to start over. Is this better? The return
path goes at the top of the message
micah anderson wrote:
I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
the reason this is happening is because of Outlook's "advanced threat
protection" which wraps urls in a "safelink" url,
I really didn't
richard parker wrote:
I am sure this is something obvious to the experienced but not to a bit of
a newbie such as myself. I am struggling with installation with the
following being reported
E: dpkg was interrupted, you must manually run 'sudo dpkg --configure -a'
to correct the problem.
Chris Johnson wrote:
I have on access scanning configured and we successfully run a script
when a virus is found. This script allows us to make a log that the
file was scanned and a virus found. However we'd also like to run a
script to make a log when the file has been scanned and no virus
Ravi wrote:
Thanks Kris for your comments. Currently we scan the incoming
files(zips/archives) placed on the local hard drive with the
clamdscan(which uses clamd daemon), Can you share more info on what you
meant on handling the result differently if we are using the clamdscan?
Whatever calls
G.W. Haywood wrote:
Hi there,
On Tue, 16 Jan 2018, Kris Deugau wrote:
I'm trying to create signatures to match a particular series of
large to very large spams whose main identifier is a
I'm trying to create signatures to match a particular series of large to
very large spams whose main identifier is a
Paul B. wrote:
Ok, I got the same errors from Synaptics upon trying to install a
completely unrelated program:
E: clamav-base: subprocess installed post-installation script returned
error exit status 1
E: clamav-freshclam: dependency problems - leaving unconfigured
E: clamav: dependency
Chris wrote:
Using nc -l 3310 in one terminal and nc 127.0.0.1 3310 I get:
nc -l 3310
test
this is a test
nc 127.0.0.1 3310
test
this is a test
So, IIUC I can talk to port 3310 with 127.0.0.1 or am I incorrect?
nc -l should have returned an error if clamd was actually listening on
that
I've had a customer reporting problems sending a supposedly all-text
(likely actually multipart text+html with no hand-added attachments)
triggering this signature.
Since it's a hash I'm baffled by what it might be misfiring on in a
legitimate more-or-less text-only message.
I don't yet
J Doe wrote:
I note though that man 5 freshclam.conf states that clamd is *NOT* set to
update by default, however when I installed the package on Ubuntu 16.04.03 LTS,
it has put in 3600 for an update frequency.
Between freshclam and clamd there are three options here that operate
Win.Trojan.Agent-6584188-0 is a hash matching the executable from the
32-bit build of ProduKey. One of our staff doing an assets audit
triggered it by emailing the .zip to another staff member.
I've confirmed that the .zip and the files in it match a fresh download
from the developer's site,
Paul wrote:
Hi
I have 2 emails which have tripped
Heuristics.Phishing.Email.SpoofedDomain (4 times in each email using
clamscan -x option)
Does the output from clamscan -x --debug shown below indicate the
offending url pair triggering Heuristics.Phishing.Email.SpoofedDomain?
LibClamAV
I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. I've found an issue that is either an
implementation limit or a bug in ClamAV's handling of Yara rules.
I've narrowed it down to an issue with the "#" condition variant.
For a rule like so:
rule
d
references in patterns in all other pattern-matching signature types,
since I have another Yara rule for a series of obfuscated Javascript
that uses a similar type of regex pattern.
-kgd
Regards
Mark.
On 14/03/18 20:47, Kris Deugau wrote:
I'm still chasing signatures for a certain c
G.W. Haywood wrote:
Hi Kris,
On Thu, 15 Mar 2018, Kris Deugau wrote:
I'm still chasing signatures for a certain class of (very) oversized
spam with malformed HTML. ...
Would you be able to send me a few samples? Preferably with full headers.
I've been able to create logical (.ldb
Dino Edwards wrote:
Answering my own question on the /var/run and the /run directories.
There is a link between the two, I just didn’t go up a level in the
directory structure. The question about the error still remains though.
The chown and mkdir look a bit suspect to me; I'm not seeing
Johnny Time wrote:
Hi Folks,
We use Clamav and we wonder if we can whitelist some extensions on our
virus scan ?
For example, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the others extensions.
If you're looking to block all files except a limited set
Tilman Schmidt wrote:
Am 29.10.18 um 17:33 schrieb Kris Deugau:
Tilman Schmidt wrote:
Am 26.10.18 um 15:34 schrieb Johnny Time:
For example, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the others extensions.
Surely you meant to write "*.docx,*
zhuangxiaohui wrote:
Dear guys,
Thanks to your team for providing us a such wonderful anti-virus soft.
But, I got some problems there.
I have some servers(Centos6/7). Most of them have 1GB memory, 600M
available.
But also servers with low memory. For example 512M memory, 200M available.
When
Jerry wrote:
We have a steady flow of "*.doc", "*.docx" "*.xlsx" and "*.pdf" files
exchanged with other offices. I have not seen a virus in any of them since
2010. Seems like you might be doing business with the wrong type of people.
I work for an ISP, managing our mail filtering services.
Tilman Schmidt wrote:
Am 26.10.18 um 15:34 schrieb Johnny Time:
For example, we wanted to authorize only a white list which contains
*.doc,*.xls,*.pdf and ban the others extensions.
Surely you meant to write "*.docx,*.xlsx,*.pdf"?
*.doc and *.xls are the old, malware-prone MS-Office
Brent Clark wrote:
Good day Guys
I have setup two clamd servers.
On my Webservers, I need to stream a file to the clamd for scanning.
I would like to ask, how would I specify two TCPAddr.
If I specify just one, server, everything works ok.
I've tried various options and google does not
Dominique Sarrazin wrote:
Hi everyone,
On October 26th, ClamAV’s signature database was updated with the
addition of Win.Downloader.DDECmdExec-6715271-0, for which I cannot find
any information despite my thorough research.
sigtool --find-sigs [sig name] |sigtool --decode-sigs will at
Benny Pedersen wrote:
why is https even blocked ? :(
please whitelist https signatures
There's no reason a hacked HTTPS website couldn't host malware. And
there's no reason a spam domain couldn't get a certificate (from Let's
Encrypt, or somewhere else) if they carefully time their
Paul wrote:
Hi
I have been looking at using the -z option on either clamdscan or
clamscan and stumbled onto some odd behavior.
This is with version 101.1. 101.0 also behaves the same.
Take 2 paultest-010E110713-000 is constructed from test/clam.mail with
the addition of a line of text to
Avinash Sonawane via clamav-users wrote:
On Mon, 13 May 2019 16:21:15 +0200
Matus UHLAR - fantomas wrote:
loading takes time, much time.
How much time are we talking about here? I suppose by 'time' we mean
loading time (load binary and signatures) + processing time (comparing
signatures).
Dorian ROSSE via clamav-users wrote:
Yes that doesn't work as following…
*checking for llvm-config... /usr/bin/llvm-config*
*configure: Using external LLVM*
*checking for supported LLVM version... no (6.0.0)*
*configure: error: LLVM < 3.7 required, but "6.0.0"(600) found*
*configure:
Joel Esler (jesler) via clamav-users wrote:
I mean, it's possible not to download the official definitions and just point
at a custom file right?
*nod* This works fine. I have a secondary Clam instance set up to use
only a selection of third-party signatures that I do not absolutely
trust
G.W. Haywood via clamav-users wrote:
To find out what might work and what might not, here's what I did:
==
Using 'clamd':
8<--
1. I moved the 'main.cld' and