I'm having some issues creating a hex signature to match some PHP code
I've run across. I've pulled the snippet of the PHP code that I want to
match on and created the signature using sigtool --hex-dump, but when I
try testing against it, there are no matches. However, if I convert the
entire
-Original Message-
Could be a whitespace character issue. Try to see if ClamAV normalizes
your php script:
clamscan --debug --leave-temps --tempdir=yourtempdir yourphpscript.php
Go to yourtempdir and see if there is a file(s) there. Look for any
differences between it and your
Is there any way to get a list of all the signatures that match a file
with multiple infections? For example, I have a file that's been
infected with both PHP and JavaScript code (or even multiple, different,
PHP code blocks), how would I be able to get all the signatures that
match? My primary
with this would be much appreciated...
--Maarten Broekman
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
All,
I've been struggling with this particular issue for some
time and I took a look at the recent git commits, but I'm not sure if
this issue is covered by the fix for BB#5409 (I don't have access to
look at BB#5409 so I'm not sure of the details on it).
I
-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
boun...@lists.clamav.net] On Behalf Of David Raynor
On Mon, Aug 13, 2012 at 4:28 PM, Maarten Broekman
mbroek...@maileig.com wrote:
All,
I have a PHP.Remoteadmin-3 php script. I
-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
boun...@lists.clamav.net] On Behalf Of Henri Salo
Subject: [clamav-users] Problems detecting PHP bots
Hello,
Is there a way to configure ClamAV to scan also files with starting
GIF87a/GIF89a? We
Does anyone know of a tool that would take strings in a hex signature
and turn them into appropriate wildcards? For instance, I want to strip
out all the http://; and https://; and replace them with {7-8} to
reduce the size of the signature and get more 'useful' strings in the
signature? There
-Original Message-
Despite the statement of your objective it isn't clear to me what you
think you're going to achieve. My expectation would be a very large
increase in the false positive rates if you attempt to use signatures
modified in the way you describe. Can you be more
-Original Message-
The rate of false positives is wholly dependent on the strings
that
you are replacing with wildcards.
As an example, when generating signatures to identify phishing
content (say, content targeting bank customers), I wanted to be
able
to strip out
0.97.6 is available from the SourceForge download page.
-Original Message-
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-
boun...@lists.clamav.net] On Behalf Of Frank Chan
Sent: Monday, September 17, 2012 2:41 PM
To: clamav-users@lists.clamav.net ClamAV users ML
One thing I'm seeing more and more of is malware code (be it PHP or ASP)
embedded after GIF headers. ClamAV sees the GIF header and treats it
like an image (properly), but then ClamAV sees an HTML signature later
in the file. However, it doesn't do any normalization on that HTML
data. Would it
track this by adding a bug at
https://bugzilla.clamav.net/?
Thanks,
Matt
Done. Bug 5978.
Thanks,
Maarten
On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman
mbroek...@maileig.com wrote:
One thing I'm seeing more and more of is malware code (be it PHP or
ASP) embedded after GIF headers
-Original Message-
LibClamAV Warning: Bytecode run timed out in interpreter after 765000
opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error
code
LibClamAV Warning: Bytecode runtime error at line 95, col 13 LibClamAV
Error: Opcode 45 of type 0 is not implemented yet!
?
Matt
On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman
mbroek...@maileig.com wrote:
-Original Message-
LibClamAV Warning: Bytecode run timed out in interpreter after
765000
opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error
code
LibClamAV Warning: Bytecode
it and then send it to me.
Matt
On Fri, Nov 16, 2012 at 11:30 AM, Maarten Broekman
mbroek...@maileig.com wrote:
Yep. I have a .js file that triggers the Bytecode 37 error. I've
filed a bug against the CVD with it.
Bug 6140 - Bytecode 37 failed to run: Unknown error code
, 2012 at 11:41 AM, Maarten Broekman
mbroek...@maileig.com wrote:
I have a bugzilla account but I don't have the right permissions to
see that bug.
You are not authorized to access bug #6139.
--Maarten
-Original Message-
From: clamav-users-boun...@lists.clamav.net
What are the permissions on the clamd socket file? You might also try
setting up clamd to listen on an IP/port and connect to it that way if the
unix socket doesn't work.
--Maarten
On 12/3/13, 10:23 AM, mcmurchy1917-cla...@yahoo.co.uk
mcmurchy1917-cla...@yahoo.co.uk wrote:
Hello Henri
Results
: not had enough coffee, so not fully tested etc.
Cheers,
Steve
Sanesecurity.com
--
Maarten Broekman
Endurance
If you don't want to wait, you can also whitelist the files in your own
database files.
Run either of the following:
sigtool --sha256
sigtool --md5
Put the output into a '.fp' file in your db directory and that should
whitelist that specific file so it's not reported.
--Maarten
On Mon,
You would probably want to set up a private mirror on your laptop and then
use that to sync your desktop. That way you can update your laptop
whenever you want and when you're connected to you home network, you can
update your desktop.
https://www.clamav.net/documents/private-local-mirrors
I am seeing these mostly on files that comprise the OpenLayers library in
phpMyAdmin 4.
On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler)
wrote:
> Mark,
>
> Thanks for the feedback, you are right, I am experiencing some high counts
> in the Txt.Malware.Agent family.
>
>
Is anyone able to speak to whether allowing 'allmatch' to work with streams
is on the map? 'allmatch' was one of the features that I was really
looking forward to, but the fact that it doesn't work when you are scanning
streams is a major letdown.
--Maarten
If the tarball doesn't match the MD5 hash then it's likely that a file
within the tarball matches the malicious MD5. ClamAV looks at all the files
within tarballs and zip files individually as well as the tarball as a
whole.
--Maarten
On Wed, Jul 12, 2017 at 8:44 AM, Srinivasreddy R <
Sorry for the double reply...
You can also use sigtool --find-sigs to find the signature that it's
reporting and isolate it.
On Wed, Jul 12, 2017 at 8:59 AM, Maarten Broekman <
maarten.broek...@gmail.com> wrote:
> If the tarball doesn't match the MD5 hash then it's likely that a file
The functionality to do it on OS X is OS X related, not ClamAV related.
Your best option would be to ask around on Mac OS X developer forums.
On Mon, Jul 10, 2017 at 6:07 AM, crazy thinker
wrote:
> I want to do it on teriminal. Could you explain core logic that
Your understanding of scanning techniques is flawed at best (I believe this
has been pointed out multiple times). Both techniques have issues with
false positive and false negative matches. The only significant difference
is how they perform against unknown threats. In that regard, heuristic
Crazy,
the 'users' mailing list is what you are sending these questions to. You
keep addressing this list as 'developers'. There is a separate mailing list
where developers who write the internals of ClamAV talk. That is the
appropriate forum for ALL of your questions. You really haven't had a
For me, 3 of the 5 db.local.clamav.net addresses have 100% packet loss:
$ host db.local.clamav.net
db.local.clamav.net is an alias for db.us.rr.clamav.net.
db.us.rr.clamav.net has address 200.236.31.1
db.us.rr.clamav.net has address 208.72.56.53
db.us.rr.clamav.net has address 69.12.162.28
ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
--- 207.57.106.31 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
On Wed, Aug 23, 2017 at 1:26 PM, Maarten Broekman <
maarten.broek...@gmail.com> wrote:
> For me, 3 of t
There are far more than 31 signatures that have the potential to impact
Linux systems. There are, in truth, over 23,000 signatures that are able to
detect malware on Linux and Unix systems. Most "Linux" signatures only
contain the word Unix, however. Additionally, keep in mind that these are
only
VIRUS NAME: Html.Trojan.Iframe-6390207-0
TDB: Engine:51-255,FileSize:16384-65536,Target:3
LOGICAL EXPRESSION: 0
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
JAR files can be unpacked like tarballs so it is likely that there is a common
file in each that matches those hashes.
Maarten
Sent from a tiny keyboard
> On Aug 7, 2018, at 04:54, Albrecht, Peter wrote:
>
> Hi,
>
>> I don't see how that is even remotely possible. They are three completely
For clamdscan to work you need to enable LocalSocket at the very least.
On Mon, Aug 20, 2018 at 5:32 PM Michael Newman wrote:
>
> On Aug 20, 2018, at 23:00, Al Varnell wrote:
>
>
> Please post the results of the following Terminal Command:
>
> sudo clamconf
>
>
> MrMuscle:~ mnewman$ sudo
Yep. That's fine. /tmp or /var/tmp (or /run) is usually where it goes
anyway. Welcome to the ClamAV club :)
On Mon, Aug 20, 2018 at 7:45 PM Michael Newman wrote:
>
> On Aug 20, 2018, at 23:00, *Maarten Broekman* wrote:
>
>
> For clamdscan to work you need to enable LocalSoc
I'm having to use the normal update method
> to ensure it uses the correct IP)
>
>
>
> --
> *From:* clamav-users on behalf of
> Maarten Broekman
> *Sent:* 28 August 2018 11:24
> *To:* ClamAV users ML
> *Subject:* Re: [clamav-users] ERROR
idden
> 2018-08-28 13:37:49 ERROR 403: Forbidden.
>
>
> ------
> *From:* clamav-users on behalf of
> Maarten Broekman
> *Sent:* 28 August 2018 13:16
> *To:* ClamAV users ML
> *Subject:* Re: [clamav-users] ERROR 403: Forbidden
>
> Gotcha. Yeah, the error is b
> On Aug 28, 2018, at 06:17, Jon Roberts wrote:
>
> From the troubled server:
>
> wget http://database.clamav.net/main-55.cdiff
> --2018-08-28 11:14:43-- http://database.clamav.net/main-55.cdiff
> Resolving database.clamav.net... 104.16.189.138, 104.16.187.138,
> 104.16.188.138, ...
>
Check the logs and config files.
Clamscan loads the databases itself before running. It does not need clamd to
be running in order to work.
Clamdscan attempts to use a socket to talk with clamd for the scanning of
files. If there is an error, one of two things is happening:
Either the
ClamAV can scan any type of file. That said, it can unpack certain kinds of
archives and scan the files inside. Also, ClamAV signatures can be written for
specific kinds of files (PE files, text, etc) and they will only be used for
those types.
I haven’t tried increasing the size beyond that
he clamav site, but only found the standard signature set.
>
> Also - in case I do get a hold of extra signatures - would I have to merge
> them into the existing definition set or simply run these in a separate
> scan ?
>
> Thanks.
>
> Peter
>
>
> On Thu, Mar 29, 2
Hi Peter,
Given the name of that virus, I would guess that your hosting provider is
using some extra virus definitions that aren’t part of the standard ClamAV
distribution. It doesn’t have to do with the engine in this case.
You should get in touch with them about that.
Maarten Broekman
Régis,
This is a feature of DNS where a name can resolve to multiple IPs for load
balancing and resiliency. Depending on what serves ‘database.clamav.net’ it may
just be a round-robin response or it may resolve to an IP based on which one is
responding faster to requests or simply which one
<regis.hous...@gmail.com>
wrote:
> yes but for this IP this is not a clamav website!
>
> dev.lepartidegauche.fr (178.33.105.132)
>
>
> thank you
>
>
> On 29/03/2018 at 13:11, Maarten Broekman wrote:
> > Régis,
> > This is a feature of DNS where
new signatures. After the swap, the memory for the old signatures
> would be released by the loader thread. This would take more memory
> during signature update, but it might be a worthwhile option.
>
>
> On Sat, 17 Mar 2018 17:17:17 -0400
> Maarten Broekman <maarten.broek.
Some considerations:
- the longest “delay” will occur when reloading signature databases. If
reducing the delay is important, run multiple instances with smaller signatures
in each. ESPECIALLY if you’re going to be writing your own story signatures or
using databases that change often.
-
You might be able to open the socket that clamd is listening on and attempt
to ping it. I forget if it replies with PONG while it's in the middle of
reloading. It's been a while since I tried to do that.
On Thu, Mar 22, 2018 at 6:40 AM, Ralf Hildebrandt <
ralf.hildebra...@charite.de> wrote:
>
;
> In order to decide on an appropriate course of action I'd like to know
> what the perceived threat is, ie. *why* someone thought that a file
> matching that particular signature would be malicious.
> That's not something sigtool can provide.
>
>
> Am 28.06.2018 um 13:22 sc
Answered
TL;DR
Use sigtool to find and decode the signature.
Sent from a tiny keyboard
> On Jun 28, 2018, at 06:57, Nikita Yerenkov-Scott
> wrote:
>
> Hello,
>
> A question on this matter exists on this Linux site:
>
Or, I don't know, recipients that are enforcing DMARC could simply follow
the steps from the previous section. The mailing list doesn't own the
messages sent to it (we don't see "From: clamav-users").
Recipients should whitelist the mailing list per:
Given that the PhishTank signatures, specifically, have been causing the
performance issues, no. It's not unreasonable to want to pull them, and
only them, out. Having them in a separate db file would be highly
beneficial to those of us that don't want or need them at all. Barring
that, having a
Having the Phishtank sigs as an additional optional database would be great
and, from my perspective, well worth the effort since we don't use them.
On Sun, Apr 7, 2019 at 9:44 AM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Tim,
>
>
>
> There are a couple
I'm not sure if the safebrowsing.cld is included in the daily cdiff, but
the current safebrowsing.cld takes between 50 and 70 seconds to *load* into
clamscan, where a copy from February loads in <5 seconds.
safebrowsing data:
Old (fast): ClamAV-VDB:13 Feb 2019 13-16
> Maarten,
>
> Thanks for reporting that. There is an ordering difference of the content
> in the latest GDB file which is affecting the load time, and we will be
> fixing that in the next safebrowsing CVD version.
>
> Dave R.
>
> On Wed, Mar 6, 2019 at 10:42 AM Maarten
The new safebrowsing cvd (starting with version 48473) seems to be sorted
in a way that increases the load time of that file by several orders of
magnitude.
I have a previous version from February where the entries in the gdb
section are sorted like this:
: 70c61f41e52b5a2134ff7e272f5a6df1
>
> SHA256 (safebrowsing.gdb) =
> 7f6645b8d865de3992be1ad5de215afd848acee4c021eed4818fdb760f76b57e
>
> Something must be different.
>
> Dave R.
>
> On Wed, Mar 6, 2019 at 5:39 PM Maarten Broekman via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> The new safebrowsin
.
--Maarten Broekman
Full scans without the daily cvd/cld: Scan time ~60 seconds
Full scans with the daily from March 11th: Scan time: 84 seconds
Full scans with the daily from March 17th: Scan time: 109 seconds
~/clamav# ls -larth /tmp/clamdtest*/daily.cld
-rw-r--r-- 1 clamav clamav 110M Mar 11 04
type 0,
> whereas we’d split the Phishtank.Phishing signatures up by target type to
> reduce scan times of files where the signatures won’t apply. It should
> also speed things up quite a bit for other file types to split those up by
> Target types.
>
>
>
> Further research
I think the PUA versions are just potentially unwanted things that exhibit
trojan-like behavior but aren't confirmed trojans.
As for the original question, it looks like it's only using the first part
of that to determine the group of PUAs to ignore.
These are the 'PUA' families (and associated
One problem that we're running into is that we encounter web pages and cgi
scripts that are "inconsistently" normalized. I put "inconsistently" in
quotes because without fully knowing the way ClamAV normalizes files, it is
sometimes difficult to understand why two similar files might be normalized
Clearly the latest daily.cvd is performing better, but the remaining
"Phishtank" sigs are *not* a majority of the slowness.
I unpacked the current (?) cvd (ClamAV-VDB:09 Apr 2019 03-53
-0400:25414:1548262:63:X:X:raynman:1554796413) and then ran a test scan
with each part to see what the load
Are the "Phish" REPHISH signatures still in the daily or were they removed
as well? Those were causing part of the issue.
--Maarten
On Wed, Apr 17, 2019 at 5:24 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> An additional 3968 Phishtank.Phishing.PHISH_ID_???
at 7:03 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> There are still 2515 "Phish.Phishing.REPHISH_ID_" signatures in
> daily.ldb
>
> -Al-
>
> On Apr 17, 2019, at 03:36, Maarten Broekman
> wrote:
>
> Are the "Phis
I'd have to agree. Bandwidth is the least of the concern. Control is
paramount.
On Tue, Jul 30, 2019 at 7:26 AM Henrik K wrote:
>
> Control. Is it really necessary to go over basic IT management practises
> here?
>
> On Tue, Jul 30, 2019 at 05:13:50PM +, Joel Esler (jesler) via
>
For my install, I had multiple instances of clamd running (in order to have
different databases loaded for different purposes) and the systemd sockets
were throwing errors about other processes using them, which in turn caused
the additional instances of clamd service units to fail. However, the
That's a hash signature. My guess is that there's a 315 byte file inside the
jar that was marked. The 2.4 version of fop has a 315 byte class file
(PDFColorSpace.class) in it with a different MD5 hash. You might want to
unpack the fop.jar and see if any of the files there match. Chances are
some
> On Mar 5, 2020, at 05:09, Ashish Poddar via clamav-users
> wrote:
>
>
> Hi all,
>
> We have a situation where we run a clamav daemon to scan files on a system.
> However, in the process, we only use about 10% CPU in the system. We would
> naturally like to increase this number. We were
You can pipe that to sigtool --decode-sigs to see what it is.
What I usually use is:
$ sigtool --find-sigs BAD_RULE | awk '{ print $NF }' | sigtool --decode-sigs
On Thu, Sep 10, 2020 at 9:55 PM Olivier via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi,
>
> I have a virus signature
In all likelihood, it means that a GET or POST payload contained the
signature. Whether or not the request containing the signature was
successful in injecting it into your site is a question that only you will
be able to answer.
You can use sigtool to find the signature and again to decode the
Chances are you are using a version of ClamAV older than 0.100 and/or using
wget/curl to get the updates rather than using the approved methods
(freshclam / cvdupdate).
https://www.clamav.net/documents/end-of-life-policy-eol
https://www.clamav.net/documents/freshclam-faq
Additionally, there are
While verbose (-v) is helpful in some cases, you probably want to use the debug
option to get the large volume of LibClamAV messages. I find debug is far more
useful than verbose most times.
Maarten
Sent from a tiny keyboard
> On Apr 5, 2021, at 04:17, Vivek Patil via clamav-users
> wrote:
>
Use homebrew unless you absolutely need the release candidate version.
I installed ClamAV 0.103.3 via homebrew on my M1 Mac and it runs pretty
well.
On Wed, Sep 1, 2021 at 3:33 PM Vaughn A. Hart wrote:
> Hi Folks,
>
> So I figured out the issue. It looks like during the install/upgrade that
>
It depends on the OS, but if you have something like AppArmor or
GrSecurity, you may need to grant the appropriate permissions there to
allow access even for root.
--Maarten
On Thu, Sep 9, 2021 at 2:34 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi!
>
>
To further Ged's point, these signatures that are hitting are extended
logical signatures. Phishing signatures have a very specific format that
is either solely looking at hostnames, host prefixes, link destinations
and alternate text, and displayed hostnames (
Hi Jeff,
You would want to add those .snapshot paths to "ExcludePath" directives
in your clamd.conf file for clamd / clamdscan or use the "--exclude-dir"
option for clamscan.
You'll probably want to write a wrapper script for clamscan to build up
the list of .snapshot directories to ignore at
"If you provided a description that suggests otherwise..." is a past tense
conditional referring to the form submission. That phrase is the equivalent
to this longer "If you put information in the description that suggests the
sample is not clean..."
On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood
On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
clamav-users@lists.clamav.net> wrote:
> * Arnaud Jacques via clamav-users :
> > Is it just me, or?
>
> Same here:
>
> # clamdscan -V
> ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021
>
> # sigtool -l|tail
>
I've opened https://github.com/Cisco-Talos/clamav/issues/389 for this
issue. The issue *shouldn't* be causing problems with scanning (it wasn't
causing a problem for me), but if it is please add a comment to the issue
to that effect.
--Maarten
On Wed, Nov 24, 2021 at 11:19 AM Maarten Broekman
On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman <
maarten.broek...@gmail.com> wrote:
>
>
> On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> * Arnaud Jacques via clamav-users :
>&g
Cody, it looks like you’re running ClamAV 0.101.2. That version is too old. If
you upgrade to 0.103.4, you should be able to start downloading the db files
again.
What kind of system are you on? Is ClamAV prepackaged for you or did you build
from source?
-Maarten
Sent from a tiny keyboard
>
All versions of ClamAV prior to 0.103 are essentially EOL at this point.
The only options for Solaris 10 are likely to build from source, along with
all the prerequisites.
--Maarten
On Sat, Nov 6, 2021 at 7:54 AM Sunhux G via clamav-users <
clamav-users@lists.clamav.net> wrote:
>
> We're still
On Mon, Jan 17, 2022 at 9:53 AM Andrew C Aitchison via clamav-users <
clamav-users@lists.clamav.net> wrote:
> On Mon, 17 Jan 2022, Nick Howitt via clamav-users wrote:
>
> > - not
> > have to install some uncommon download package and then download them.
> That
> > is making people jump through
Running freshclam after the package is installed should pull any/all of the
files that are missing. That is probably the best way to do it.
--Maarten
On Mon, Jan 17, 2022 at 8:32 AM Nick Howitt via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi,
> I am trying to package ClamAV
I would double-check to make sure python3 is using the correct CA bundle.
On recent python3 versions, that should be the certifi bundle.
$ which python3
/opt/homebrew/bin/python3
$ /opt/homebrew/bin/python3 --version
Python 3.9.10
$ python3 -m certifi
1. You’re excluding root in the config so you won’t be able to prevent from
accessing malicious files.
1A. You shouldn’t run clamd as root. Run it as another user (like “clamav” or
“clamd”)
2. You are limiting it to only scan files in /home on-access
2A. You would likely want it to scan the
On Tue, Mar 15, 2022 at 1:53 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi there,
>
> On Tue, 15 Mar 2022, Laurent S. via clamav-users wrote:
> >> using Yara's engine in clamav directly is something that has been
> >> brought up time and again. It is possible. My
What version of ClamAV are you using? July of last year sounds about when
EOL versions of ClamAV were blocked wholesale and the 'acceptable version'
was moved up and all prior versions were blocked. EOL has moved several
times since then as well. Currently, the current stable version 0.104 and I
There's not a lot that you can do in Yara rules that you can't do in LDB
sigs... for what it's worth, here's a logical sig that detects the same
thing as the Yara rules...
mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb|
sigtool --decode-sigs
VIRUS NAME:
The accepted way would be to supply a link to the VirusTotal scan that
didn't detect it.
--Maarten
On Mon, Mar 21, 2022 at 4:36 PM Jorge Bastos wrote:
> It's just the link :P
> How would you be able to test then? ;)
>
> ok won't send again.. but the default virus db doesn't seem to be
>
Looks like the signature was dropped already because sigtool doesn't find
it anymore after I updated the databases through freshclam.
--Maarten
On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Well yes, the fact that it was the only scanner
As Ged pointed out, the fact that /home is mounted as a separate
mount-point (even though it's the same device), leads the system to see
them as different filesystems (you can umount /home without umount'ing /)
As a result, your use of cross-fs=no tells clamscan to not cross filesystem
boundaries
so it should get to /home, see it is still
> on the same filesystem and scan it.
>
> No ?
>
>
> On Friday, 8 April 2022, 19:02:42 BST, Maarten Broekman <
> maarten.broek...@gmail.com> wrote:
>
>
> As Ged pointed out, the fact that /home is mounted as a sep
I'm not sure if this IS the answer, but my guess would be that ClamAV needs
to access files in /usr/lib64... And it has to scan (and come back with an
OK result) before access is allowed... resulting in scans being blocked
which, in turn, results in ALL processes being blocked while waiting on the
That's indicating that there is a link in the email that's displaying "
www.americanexpress.com" but is actually going to "www.amazonbusiness.com".
It's hard to help without seeing the original email code.
On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users <
clamav-users@lists.clamav.net>
What version of ClamAV are you using?
What do the logs show?
If you are before 0.103, then your version is too old.
https://docs.clamav.net/faq/faq-eol.html
Maarten
Sent from a tiny keyboard
> On Jun 22, 2022, at 05:08, Kachare, Ganesh, Vodafone (External) via
> clamav-users wrote:
>
>
>
Downloading the entire databases unnecessarily (using web browsers, etc) is
banned because it results in higher volumes of data transfer which, in turn,
costs more money. As such, using things other than freshclam or cvdupdate was
explicitly banned.
There’s not much else to say.
Maarten
This is a new signature that was added today. It's rather complicated and,
with the "Test" in the name, I'm not sure it's meant to be published. We'll
have to wait to hear from the ClamAV folks on that matter, but you can
submit it as a false positive (for those Wordpress zips) using the False
It's 100% a bad signature and should get removed.
I just checked the current version of the akismet plugin (
https://wordpress.org/plugins/akismet/) from WordPress and it is detected
by this signature but by nothing else:
https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format
There are examples of the wdb format a bit lower on the page. Essentially,
you would create a file "good_urls.wdb" in the same directory as the
existing ClamAV database files and put in an appropriate line to handle the
domains
e keeping PUA
> checks still enabled for other cases.
>
> In the past I've not had great success searching entirely on my own.
>
> joe a.
>
> On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote:
> > A "PUA" is a "potentially unwanted applica