[clamav-users] Signature generation problems

I'm having some issues creating a hex signature to match some PHP code I've run across. I've pulled the snippet of the PHP code that I want to match on and created the signature using sigtool --hex-dump, but when I try testing against it, there are no matches. However, if I convert the entire

Re: [clamav-users] Signature generation problems

-Original Message- Could be a whitespace character issue. Try to see if ClamAV normalizes your php script: clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php Go to yourtempdir and see if there is a file(s) there. Look for any differences between it and your

[clamav-users] Identifying all infections in a file...

Is there any way to get a list of all the signatures that match a file with multiple infections? For example, I have a file that's been infected with both PHP and JavaScript code (or even multiple, different, PHP code blocks), how would I be able to get all the signatures that match? My primary

[clamav-users] Scanning GIF files for malicious content

with this would be much appreciated... --Maarten Broekman ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml

[clamav-users] Scanning image files with embedded malware

All, I've been struggling with this particular issue for some time and I took a look at the recent git commits, but I'm not sure if this issue is covered by the fix for BB#5409 (I don't have access to look at BB#5409 so I'm not sure of the details on it). I

Re: [clamav-users] Scanning image files with embedded malware

-Original Message- From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users- boun...@lists.clamav.net] On Behalf Of David Raynor On Mon, Aug 13, 2012 at 4:28 PM, Maarten Broekman mbroek...@maileig.comwrote: All, I have a PHP.Remoteadmin-3 php script. I

Re: [clamav-users] Problems detecting PHP bots

-Original Message- From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users- boun...@lists.clamav.net] On Behalf Of Henri Salo Subject: [clamav-users] Problems detecting PHP bots Hello, Is there a way to configure ClamAV to scan also files with starting GIF87a/GIF89a? We

[clamav-users] Generating signatures for malware

Does anyone know of a tool that would take strings in a hex signature and turn them into appropriate wildcards? For instance, I want to strip out all the http://; and https://; and replace them with {7-8} to reduce the size of the signature and get more 'useful' strings in the signature? There

Re: [clamav-users] Generating signatures for malware

-Original Message- Despite the statement of your objective it isn't clear to me what you think you're going to achieve. My expectation would be a very large increase in the false positive rates if you attempt to use signatures modified in the way you describe. Can you be more

Re: [clamav-users] Generating signatures for malware

-Original Message- The rate of false positives is wholly dependent on the strings that you are replacing with wildcards. As an example, when generating signatures to identify phishing content (say, content targeting bank customers), I wanted to be able to strip out

Re: [clamav-users] Which is the current stable release?

0.97.6 is available from the SourceForge download page. -Original Message- From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users- boun...@lists.clamav.net] On Behalf Of Frank Chan Sent: Monday, September 17, 2012 2:41 PM To: clamav-users@lists.clamav.net ClamAV users ML

[clamav-users] Deep scanning of image files

One thing I'm seeing more and more of is malware code (be it PHP or ASP) embedded after GIF headers. ClamAV sees the GIF header and treats it like an image (properly), but then ClamAV sees an HTML signature later in the file. However, it doesn't do any normalization on that HTML data. Would it

Re: [clamav-users] Deep scanning of image files

track this by adding a bug at https://bugzilla.clamav.net/? Thanks, Matt Done. Bug 5978. Thanks, Maarten On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman mbroek...@maileig.com wrote: One thing I'm seeing more and more of is malware code (be it PHP or ASP) embedded after GIF headers

Re: [clamav-users] LibClamAV Warnings

-Original Message- LibClamAV Warning: Bytecode run timed out in interpreter after 765000 opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error code LibClamAV Warning: Bytecode runtime error at line 95, col 13 LibClamAV Error: Opcode 45 of type 0 is not implemented yet!

Re: [clamav-users] LibClamAV Warnings

? Matt On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman mbroek...@maileig.com wrote: -Original Message- LibClamAV Warning: Bytecode run timed out in interpreter after 765000 opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error code LibClamAV Warning: Bytecode

Re: [clamav-users] LibClamAV Warnings

it and then send it to me. Matt On Fri, Nov 16, 2012 at 11:30 AM, Maarten Broekman mbroek...@maileig.com wrote: Yep. I have a .js file that triggers the Bytecode 37 error. I've filed a bug against the CVD with it. Bug 6140 - Bytecode 37 failed to run: Unknown error code

Re: [clamav-users] LibClamAV Warnings

, 2012 at 11:41 AM, Maarten Broekman mbroek...@maileig.com wrote: I have a bugzilla account but I don't have the right permissions to see that bug. You are not authorized to access bug #6139. --Maarten -Original Message- From: clamav-users-boun...@lists.clamav.net

Re: [clamav-users] How can I run clamdscan as a standard user?

What are the permissions on the clamd socket file? You might also try setting up clamd to listen on an IP/port and connect to it that way if the unix socket doesn't work. --Maarten On 12/3/13, 10:23 AM, mcmurchy1917-cla...@yahoo.co.uk mcmurchy1917-cla...@yahoo.co.uk wrote: Hello Henri Results

Re: [clamav-users] Hint for creating signatures

: not had enough coffee, so not fully tested etc. Cheers, Steve Sanesecurity.com ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml -- Maarten Broekman Endurance

Re: [clamav-users] False positives submitted but still viewed as viruses

If you don't want to wait, you can also whitelist the files in your own database files. Run either of the following: sigtool --sha256 sigtool --md5 Put the output into a '.fp' file in your db directory and that should whitelist that specific file so it's not reported. --Maarten On Mon,

Re: [clamav-users] How to trick clamav

You would probably want to set up a private mirror on your laptop and then use that to sync your desktop. That way you can update your laptop whenever you want and when you're connected to you home network, you can update your desktop. https://www.clamav.net/documents/private-local-mirrors

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

I am seeing these mostly on files that comprise the OpenLayers library in phpMyAdmin 4. On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) wrote: > Mark, > > Thanks for the feedback, you are right, I am experiencing some high counts > in the Txt.Malware.Agent family. > >

[clamav-users] Using 'allmatch' with streams

Is anyone able to speak to whether allowing 'allmatch' to work with streams is on the map? 'allmatch' was one of the features that I was really looking forward to, but the fact that it doesn't work when you are scanning streams is a major letdown. --Maarten

Re: [clamav-users] ClamAV md5 hash DB

If the tarball doesn't match the MD5 hash then it's likely that a file within the tarball matches the malicious MD5. ClamAV looks at all the files within tarballs and zip files individually as well as the tarball as a whole. --Maarten On Wed, Jul 12, 2017 at 8:44 AM, Srinivasreddy R <

Re: [clamav-users] ClamAV md5 hash DB

Sorry for the double reply... You can also use sigtool --find-sigs to find the signature that it's reporting and isolate it. On Wed, Jul 12, 2017 at 8:59 AM, Maarten Broekman < maarten.broek...@gmail.com> wrote: > If the tarball doesn't match the MD5 hash then it's likely that a file

Re: [clamav-users] Auto Scan any plugged in usb strogage device with ClamAV

The functionality to do it on OS X is OS X related, not ClamAV related. Your best option would be to ask around on Mac OS X developer forums. On Mon, Jul 10, 2017 at 6:07 AM, crazy thinker wrote: > I want to do it on teriminal. Could you explain core logic that

Re: [clamav-users] Question about ClamAV

Your understanding of scanning techniques is flawed at best (I believe this has been pointed out multiple times). Both techniques have issues with false positive and false negative matches. The only significant difference is how they perform against unknown threats. In that regard, heuristic

Re: [clamav-users] Question about ClamScan

Crazy, the 'users' mailing list is what you are sending this questions to. You keep addressing this list as 'developers'. There is a separate mailing list where developers who write the internals of ClamAV talk. That is the appropriate forum for ALL of your questions. You really haven't had a

Re: [clamav-users] Unable to download database

For me, 3 of the 5 db.local.clamav.net addresses have 100% packet loss: $ host db.local.clamav.net db.local.clamav.net is an alias for db.us.rr.clamav.net. db.us.rr.clamav.net has address 200.236.31.1 db.us.rr.clamav.net has address 208.72.56.53 db.us.rr.clamav.net has address 69.12.162.28

Re: [clamav-users] Unable to download database

ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms *--- 207.57.106.31 ping statistics ---* *1 packets transmitted, 0 received, 100% packet loss, time 0ms* On Wed, Aug 23, 2017 at 1:26 PM, Maarten Broekman < maarten.broek...@gmail.com> wrote: > For me, 3 of t

Re: [clamav-users] Recommended workstation usage?

There are far more than 31 signatures that have the potential to impact Linux systems. There are, in truth, over 23,000 signatures that are able to detect malware on Linux and Unix systems. Most "Linux" signatures only contain the word Unix, however. Additionally, keep in mind that these are only

[clamav-users] Massive amount of false positives on Html.Trojan.Iframe-6390207-0 / Html.Trojan.Iframe-6390207-0

VIRUS NAME: Html.Trojan.Iframe-6390207-0 TDB: Engine:51-255,FileSize:16384-65536,Target:3 LOGICAL EXPRESSION: 0 * SUBSIG ID 0 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE: >http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide:

Re: [clamav-users] Same file, different signatures detected

JAR files can be unpacked like tarballs so it is likely that there is a common file in each that matches those hashes. Maarten Sent from a tiny keyboard > On Aug 7, 2018, at 04:54, Albrecht, Peter wrote: > > Hi, > >> I don't see how that is even remotely possibly. They are three completely

Re: [clamav-users] Help With clamscan vs clamdscan

For clamdscan to work you need to enable LocalSocket at the very least. On Mon, Aug 20, 2018 at 5:32 PM Michael Newman wrote: > > On Aug 20, 2018, at 23:00, Al Varnell wrote: > > > Please post the results of the following Terminal Command: > > sudo clamconf > > > MrMuscle:~ mnewman$ sudo

Re: [clamav-users] Help With clamscan vs clamdscan

Yep. That's fine. /tmp or /var/tmp (or /run) is usually where it goes anyway. Welcome to the ClamAV club :) On Mon, Aug 20, 2018 at 7:45 PM Michael Newman wrote: > > On Aug 20, 2018, at 23:00, *Maarten Broekman* wrote: > > > For clamdscan to work you need to enable LocalSoc

Re: [clamav-users] ERROR 403: Forbidden

I'm, having to use the normal update method > to ensure it uses the correct IP) > > > > -- > *From:* clamav-users on behalf of > Maarten Broekman > *Sent:* 28 August 2018 11:24 > *To:* ClamAV users ML > *Subject:* Re: [clamav-users] ERROR

Re: [clamav-users] ERROR 403: Forbidden

idden > 2018-08-28 13:37:49 ERROR 403: Forbidden. > > > ------ > *From:* clamav-users on behalf of > Maarten Broekman > *Sent:* 28 August 2018 13:16 > *To:* ClamAV users ML > *Subject:* Re: [clamav-users] ERROR 403: Forbidden > > Gotcha. Yeah, the error is b

Re: [clamav-users] ERROR 403: Forbidden

> On Aug 28, 2018, at 06:17, Jon Roberts wrote: > > From the troubled server: > > wget http://database.clamav.net/main-55.cdiff > --2018-08-28 11:14:43-- http://database.clamav.net/main-55.cdiff > Resolving database.clamav.net... 104.16.189.138, 104.16.187.138, > 104.16.188.138, ... >

Re: [clamav-users] Help With clamscan vs clamdscan

Check the logs and config files. Clamscan loads the databases itself before running. It does not need clamd to be running in order to work. Clamdscan attempts to use a socket to talk with clamd for the scanning of files. If there is an error, one of two things is happening: Either the

Re: [clamav-users] FW:

ClamAV can scan any type of file. That said, it can unpack certain kinds of archives and scan the files inside. Also, ClamAV signatures can be written for specific kinds of files (PE files, text, etc) and they will only be used for those types. I haven’t tried increasing the size beyond that

Re: [clamav-users] Clamav Definitions vs. Devel-Clamav Definitions

he clamav site, but only found the standard signature set. > > Also - in case I do get a hold of extra signatures - would I have to merge > them into the existing definition set or simply run these in a separate > scan ? > > Thanks. > > Peter > > > On Thu, Mar 29, 2

Re: [clamav-users] Clamav Definitions vs. Devel-Clamav Definitions

Hi Peter, Given the name of that virus, I would guess that your hosting provider is using some extra virus definitions that aren’t part of the standard ClamAV distribution. It doesn’t have to do with the engine in this case. You should get in touch with them about that. Maarten Broekman

Re: [clamav-users] ping database.clamav.net

Régis, This is a feature of DNS where a name can resolve to multiple IPs for load balancing and resiliency. Depending on what serves ‘database.clamav.net’ it may just be a round-robin response or it may resolve to an IP based on which one is responding faster to requests or simply which one

Re: [clamav-users] ping database.clamav.net

<regis.hous...@gmail.com> wrote: > yes but for this IP this not a clamav website ! > > dev.lepartidegauche.fr (178.33.105.132) > > > thank you > > > Le 29/03/2018 à 13:11, Maarten Broekman a écrit : > > Régis, > > This is a feature of DNS where

Re: [clamav-users] ClamAV performance overhead on RHEL & Solaris

new signatures. After the swap, the memory for the old signatures > would be released by the loader thread. This would take more memory > during signature update, but it might be a worthwhile option. > > > On Sat, 17 Mar 2018 17:17:17 -0400 > Maarten Broekman <maarten.broek.

Re: [clamav-users] ClamAV performance overhead on RHEL & Solaris

Some considerations: - the longest “delay” will occur when reloading signature databases. If reducing the delay is important, run multiple instances with smaller signatures in each. ESPECIALLY, if you’re going to writing your own story signatures or using databases that change often. -

Re: [clamav-users] Question regarding SIGUSR2 and clamd

You might be able to open the socket that clamd is listening on and attempt to ping it. I forget if it replies with PONG while it's in the middle of reloading. It's been a while since I tried to do that. On Thu, Mar 22, 2018 at 6:40 AM, Ralf Hildebrandt < ralf.hildebra...@charite.de> wrote: >

Re: [clamav-users] Is there any documentation on what signatures mean?

; > In order to decide on an appropriate course of action I'd like to know > what the perceived threat is, ie. *why* someone thought that a file > matching that particular signature would be malicious. > That's not something sigtool can provide. > > > Am 28.06.2018 um 13:22 sc

Re: [clamav-users] Is there any documentation on what signatures mean?

Answered TL;Dr Use sigtool to find and decode the signature. Sent from a tiny keyboard > On Jun 28, 2018, at 06:57, Nikita Yerenkov-Scott > wrote: > > Hello, > > A question on this matter exists on this Linux site: >

Re: [clamav-users] Mailing list DMARC problem

Or, I don't know, recipients that are enforcing DMARC could simply follow the steps from the previous section. The mailing list doesn't own the messages sent to it (we don't see "From: clamav-users"). Recipients should whitelist the mailing list per:

Re: [clamav-users] [External] Re: Scan very slow

Given that the PhishTank signatures, specifically, have been causing the performance issues, no. It's not unreasonable to want to pull them, and only them, out. Having them in a separate db file would be highly beneficial to those of us that don't want or need them at all. Barring that, having a

Re: [clamav-users] [External] Re: Scan very slow

Having the Phishtank sigs as an additional optional database would be great and, from my perspective, well worth the effort since we don't use them. On Sun, Apr 7, 2019 at 9:44 AM Micah Snyder (micasnyd) via clamav-users < clamav-users@lists.clamav.net> wrote: > Tim, > > > > There are a couple

Re: [clamav-users] Problem with freshclam updating daily-25380.cdiff

I'm not sure if the safebrowsing.cld is included in the daily cdiff, but the current safebrowsing.cld takes between 50 and 70 seconds to *load* into clamscan, where a copy from February loads in <5 seconds. safebrowsing data: Old (fast): ClamAV-VDB:13 Feb 2019 13-16

Re: [clamav-users] Problem with freshclam updating daily-25380.cdiff

> Maarten, > > Thanks for reporting that. There is an ordering difference of the content > in the latest GDB file which is affecting the load time, and we will be > fixing that in the next safebrowsing CVD version. > > Dave R. > > On Wed, Mar 6, 2019 at 10:42 AM Maarten

[clamav-users] Problem with new safebrowsing file

The new safebrowsing cvd (starting with version 48473) seems to be sorted in a way that increases the load time of that file by several orders of magnitude. I have a previous version from February where the entries in the gdb section are sorted like this:

Re: [clamav-users] Problem with new safebrowsing file

: 70c61f41e52b5a2134ff7e272f5a6df1 > > SHA256 (safebrowsing.gdb) = > 7f6645b8d865de3992be1ad5de215afd848acee4c021eed4818fdb760f76b57e > > Something must be different. > > Dave R. > > On Wed, Mar 6, 2019 at 5:39 PM Maarten Broekman via clamav-users < > clamav-users@lists.clamav.net> wrote: > >> The new safebrowsin

Re: [clamav-users] Scan very slow

. --Maarten Broekman Full scans without the daily cvd/cld: Scan time ~60seconds Full scans with the daily from March 11th: Scan time: 84seconds Full scans with the daily from March 17th: Scan time: 109seconds ~/clamav# ls -larth /tmp/clamdtest*/daily.cld -rw-r--r-- 1 clamav clamav 110M Mar 11 04

Re: [clamav-users] [External] Re: Scan very slow

type 0, > whereas we’d split the Phishtank.Phishing signatures up by target type to > reduce scan times of files where the signatures won’t apply. It should > also speed things up quite a bit for other file types to split those up by > Target types. > > > > Further research

Re: [clamav-users] Problems scanning for PUAs

I think the PUA version are just potentially unwanted things that exhibit trojan-like behavior but aren't confirmed trojans. As for the original question, it looks like it's only using the first part of that to determine the group of PUAs to ignore. These are the 'PUA' families (and associated

[clamav-users] Filetype determination

One problem that we're running into is that we encounter web pages and cgi scripts that are "inconsistently" normalized. I put "inconsistently" in quotes because without fully knowing the way ClamAV normalizes files, it is sometimes difficult to understand why two similar files might be normalized

Re: [clamav-users] [External] Re: Scan very slow

Clearly the latest daily.cvd is performing better, but the remaining "Phishtank" sigs are *not* a majority of the slowness. I unpacked the current (?) cvd (ClamAV-VDB:09 Apr 2019 03-53 -0400:25414:1548262:63:X:X:raynman:1554796413) and then ran a test scan with each part to see what the load

Re: [clamav-users] [External] Re: Scan very slow

Are the "Phish" REPHISH signatures still in the daily or were they removed as well? Those were causing part of the issue. --Maarten On Wed, Apr 17, 2019 at 5:24 AM Al Varnell via clamav-users < clamav-users@lists.clamav.net> wrote: > An additional 3968 Phishtank.Phishing.PHISH_ID_???

Re: [clamav-users] [External] Re: Scan very slow

at 7:03 AM Al Varnell via clamav-users < clamav-users@lists.clamav.net> wrote: > There are still 2515 "Phish.Phishing.REPHISH_ID_" signatures in > daily.ldb > > -Al- > > On Apr 17, 2019, at 03:36, Maarten Broekman > wrote: > > Are the "Phis

Re: [clamav-users] ClamAV: Local Private Mirror

I'd have to agree. Bandwidth is the least of the concern. Control is paramount. On Tue, Jul 30, 2019 at 7:26 AM Henrik K wrote: > > Control. Is it really necessary to go over basic IT management practises > here? > > On Tue, Jul 30, 2019 at 05:13:50PM +, Joel Esler (jesler) via >

Re: [clamav-users] Use of clamav-daemon.socket? (0.102.0)

For my install, I had multiple instances of clamd running (in order to have different databases loaded for different purposes) and the systemd sockets were throwing errors about other processes using them, which in turn caused the additional instances of clamd service units to fail. However, the

Re: [clamav-users] Html.Malware.Agent-7380889-0 false positive on Apache files?

That's a hash signature. My guess is that there's 315 byte file inside the jar that was marked. The 2.4 version of fop has a 315 byte class file (PDFColorSpace.class) in it with a different MD5 hash. You might want to unpack the fop.jar and see if any of the files there match. Chances are some

Re: [clamav-users] Multiple Clam Daemons on a single system

> On Mar 5, 2020, at 05:09, Ashish Poddar via clamav-users > wrote: > >  > Hi all, > > We have a situation where we run a clamav daemon to scan files on a system. > However, in the process, we only use about 10% CPU in the system. We would > naturally like to increase this number. We were

Re: [clamav-users] How to decode virus signature

You can pipe that to sigtool --decode-sigs to see what it is. What I usually use is: $ sigtool --find-sigs BAD_RULE | awk '{ print $NF }' | sigtool --decode-sigs On Thu, Sep 10, 2020 at 9:55 PM Olivier via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi, > > I have a virus signature

Re: [clamav-users] Php.Trojan.MSShellcode-81 FOUND on MS IIS log file?

In all likelihood, it means that a GET or POST payload contained the signature. Whether or not the request containing the signature was successful in injecting it into your site is a question that only you will be able to answer. You can use sigtool to find the signature and again to decode the

Re: [clamav-users] Failed to update virus definitions

Chances are you are using a version of ClamAV older than 0.100 and/or using wget/curl to get the updates rather than using the approved methods (freshclam / cvdupdate). https://www.clamav.net/documents/end-of-life-policy-eol https://www.clamav.net/documents/freshclam-faq Additionally, there are

Re: [clamav-users] LibClamAV Warning: PNG: Unexpected early end-of-file

While verbose (-v) is helpful in some cases, you probably want to use the debug option to get the large volume of LibClamAV messages. I find debug is far more useful than verbose most times. Maarten Sent from a tiny keyboard > On Apr 5, 2021, at 04:17, Vivek Patil via clamav-users > wrote: >

Re: [clamav-users] Mac OS Big Sur on M1

Use homebrew unless you absolutely need the release candidate version. I installed ClamAV 0.103.3 via homebrew on my M1 Mac and it runs pretty well. On Wed, Sep 1, 2021 at 3:33 PM Vaughn A. Hart wrote: > Hi Folks, > > So I figured out the issue. It looks like during the install/upgrade that >

Re: [clamav-users] Why does clamonacc says /var/www does not exist (among other things)?

It depends on the OS, but if you have something like AppArmor or GrSecurity, you may need to grant the appropriate permissions there to allow access even for root. --Maarten On Thu, Sep 9, 2021 at 2:34 PM Micah Snyder (micasnyd) via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi! > >

Re: [clamav-users] ClamAV is not respecting Phishing* settings.

To further Ged's point, these signatures that are hitting are extended logical signatures. Phishing signatures have a very specific format that are either solely looking at hostnames, host prefixes, link destinations and alternate text, and displayed hostnames (

Re: [clamav-users] Netapp hidden files

Hi Jeff, You would want to add those .snapshot paths to "ExcludePath" directives in your clamd.conf file for clamd / clamdscan or use the "--exclude-dir" option for clamscan. You'll probably want to write a wrapper script for clamscan to build up the list of .snapshot directories to ignore at

Re: [clamav-users] Nonsensical noreplies from ClamAV team

"If you provided a description that suggests otherwise..." is a past tense conditional referring to the form submission. That phrase is the equivalent to this longer "If you put information in the description that suggests the sample is not clean..." On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users < clamav-users@lists.clamav.net> wrote: > * Arnaud Jacques via clamav-users : > > Is it just me, or? > > Same here: > > # clamdscan -V > ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021 > > # sigtool -l|tail >

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

I've opened https://github.com/Cisco-Talos/clamav/issues/389 for this issue. The issue *shouldn't* be causing problems with scanning (it wasn't causing a problem for me), but if it is please add a comment to the issue to that effect. --Maarten On Wed, Nov 24, 2021 at 11:19 AM Maarten Broekman

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman < maarten.broek...@gmail.com> wrote: > > > On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users < > clamav-users@lists.clamav.net> wrote: > >> * Arnaud Jacques via clamav-users : >&g

Re: [clamav-users] clamav DOA

Cody, it looks like you’re running ClamAV 0.101.2. That version is too old. If you upgrade to 0.103.4, you should be able to start downloading the db files again. What kind of system are you on? Is ClamAV prepackaged for you or did you build from source? -Maarten Sent from a tiny keyboard >

Re: [clamav-users] Solaris users in a bind

All versions of ClamAV prior to 0.103 are essentially EOL at this point. The only options for Solaris 10 are likely to build from source, along with all the prerequisites. --Maarten On Sat, Nov 6, 2021 at 7:54 AM Sunhux G via clamav-users < clamav-users@lists.clamav.net> wrote: > > We're still

Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

On Mon, Jan 17, 2022 at 9:53 AM Andrew C Aitchison via clamav-users < clamav-users@lists.clamav.net> wrote: > On Mon, 17 Jan 2022, Nick Howitt via clamav-users wrote: > > > - not > > have to install some uncommon download package and then download them. > That > > is making people jump through

Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

Running freshclam after the package is installed should pull any/all of the files that are missing. That is probably the best way to do it. --Maarten On Mon, Jan 17, 2022 at 8:32 AM Nick Howitt via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi, > I am trying to package ClamAV

Re: [clamav-users] SSL Authentication Error

I would double-check to make sure python3 is using the correct CA bundle. On recent python3 versions, that should be the certifi bundle. $ which python3 /opt/homebrew/bin/python3 $ /opt/homebrew/bin/python3 --version Python 3.9.10 $ python3 -m certifi

Re: [clamav-users] Prevent root users from running infected files

1. You’re excluding root in the config so you won’t be able to prevent from accessing malicious files. 1A. You shouldn’t run clamd as root. run it as another user (like “clamav” or “clamd”) 2. You are limiting it to only scan files in /home on-access 2A. You would likely want it to scan the

Re: [clamav-users] human friendly signatures

On Tue, Mar 15, 2022 at 1:53 PM G.W. Haywood via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi there, > > On Tue, 15 Mar 2022, Laurent S. via clamav-users wrote: > >> using Yara's engine in clamav directly is something that has been > >> brought up time and again. It is possible. My

Re: [clamav-users] Virus database not updated since 14th July 2021

What version of ClamAV are you using? July of last year sounds about when EOL versions of ClamAV were blocked wholesale and the 'acceptable version' was moved up and all prior versions were blocked. EOL has moved several times since then as well. Currently, the current stable version 0.104 and I

Re: [clamav-users] Minor bug or working as intended?

There's not a lot that you can do in Yara rules that you can't do in LDB sigs... for what it's worth, here's a logical sig that detects the same thing as the Yara rules... mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb| sigtool --decode-sigs VIRUS NAME:

Re: [clamav-users] Virus not detected

The accepted way would be to supply a link to the VirusTotal scan that didn't detect it. --Maarten On Mon, Mar 21, 2022 at 4:36 PM Jorge Bastos wrote: > It's just the link :P > How would you be able to test then? ;) > > ok won't send again.. but the default virus db doesn't seems to be >

Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?

Looks like the signature was dropped already because sigtool doesn't find it anymore after I updated the databases through freshclam. --Maarten On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users < clamav-users@lists.clamav.net> wrote: > Well yes, the fact that it was the only scanner

Re: [clamav-users] why is clamscan excluding home directory ?

As Ged pointed out, the fact that /home is mounted as a separate mount-point (even though it's the same device), leads the system to see them as different filesystems (you can umount /home without umount'ing /) As a result, your use of cross-fs=no tells clamscan to not cross filesystem boundaries

Re: [clamav-users] why is clamscan excluding home directory ?

so it should get to /home, see it is still > on the same filesystem and scan it. > > No ? > > > On Friday, 8 April 2022, 19:02:42 BST, Maarten Broekman < > maarten.broek...@gmail.com> wrote: > > > As Ged pointed out, the fact that /home is mounted as a sep

Re: [clamav-users] On access scanning causes system lockup with certain directories

I'm not sure if this IS the answer, but my guess would be that ClamAV needs to access files in /usr/lib64... And it has to scan (and come back with an OK result) before access is allowed... resulting in scans being blocked which, in turn, results in ALL processes being blocked while waiting on the

Re: [clamav-users] Amazon/SpoofedDomain FP

That's indicating that there is a link in the email that's displaying " www.americanexpress.com" but is actually going to "www.amazonbusiness.com". It's hard to help without seeing the original email code. On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users < clamav-users@lists.clamav.net>

Re: [clamav-users] FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN).

What version of ClamAV are you using? What do the logs show? If you are before 0.103, then your version is too old. https://docs.clamav.net/faq/faq-eol.html Maarten Sent from a tiny keyboard > On Jun 22, 2022, at 05:08, Kachare, Ganesh, Vodafone (External) via > clamav-users wrote: > >  >

Re: [clamav-users] Permanently banned from clamav

Downloading the entire databases unnecessarily (using web browsers, etc) is banned because it results in higher volumes of data transfer which, in turn, costs more money. As such, using things other than freshclam or cvdupdate were explicitly banned. There’s not much else to say. Maarten

Re: [clamav-users] Clamav found in php files Archive.Test.Agent2-9953724-0

This is a new signature that was added today. It's rather complicated and, with the "Test" in the name, I'm not sure it's meant to be published. We'll have to wait to hear from the ClamAV folks on that matter, but you can submit it as a false positive (for those Wordpress zips) using the False

Re: [clamav-users] Clamav found in php files Archive.Test.Agent2-9953724-0

It's 100% a bad signature and should get removed. I just checked the current version of the akismet plugin ( https://wordpress.org/plugins/akismet/) from WordPress and it is detected by this signature but by nothing else: https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create a file "good_urls.wdb" in the same directory as the existing ClamAV database files and put in an appropriate line to handle the domains

Re: [clamav-users] PUA detected. False Positive?

e keeping PUA > checks still enabled for other cases. > > In the past I've not had great success searching entirely on my own. > > joe a. > > On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote: > > A "PUA" is a "potentially unwanted applica

  1   2   >