Oliver Stöneberg wrote:
You should really clean up your signatures. I have a Phishing set of
512 Phishing of which 23 are not recognised by ClamAV. From those
only 4 are captured by your signatures, which are the following:
Firstly, thanks for the feedback. Although I must say, I'm
disappo
Webmaster wrote:
Your signatures are based on HTML (Filetype = 3).
Shouldn't it be based on Mail (Filetype = 4) ?
Interesting... I'll do some tests later today changing the type.
The interesting thing though, is that when you go to the online database
search site http://clamav-du.securesi
Dennis Davis wrote:
Very useful. I started using these signatures on this University's
mail servers on Monday. Appended below are the stats on the
incoming crap they stopped yesterday (Tuesday).
Virus Count
-
Mark Twells wrote:
Where might I obtain these unofficial signatures?
http://www.sanesecurity.com/clamav/
Cheers,
Steve
___
http://lurker.clamav.net/list/clamav-users.html
jef moskot wrote:
The latest batch seems to include a number of false positives, so I had to
revert. I don't want to submit private user data, but an example is the
apparently legit report from eBay entitled "Changes to eBay User Agreement
and Privacy Policy".
Other issues include apparently
I'm getting false positives with
Html.Phishing.Auction.Gen009.Sanesecurity.06020102
Marking legit eBay communications as Phish; bid confirmations, outbid
notices, "you won" notices.
Okay, I've disabled this sig and re-uploaded... that should fix it until
i can find sample email.
One thing
Dennis Peterson wrote:
I can verify it blocks legitimate mail from Ebay (outbidnotice and endofitem).
I cannot provide samples for obvious reasons.
Thanks to all for the reports... the signature was faulty and I've now
disabled it. I've re-uploaded, with it removed.
Sorry for all this
Hi,
Just thought this was interesting, now that Sven has recently added some
up-to-date phishing signatures (official, of course):
Virus Stats, from my ISP, for 12 hours today:
HTML.Phishing.Bank-303: 25,025 copies stopped (sig added 2006-02-04)
HTML.Phishing.Bank-292: 12,995 copies stopped (
Can someone please tell me how ClamAV goes about phishing detection? I presume
it has something to do with libcurl going out to a web site and some checks
being performed on whatever is returned.
Not normally... most phishing detection is done by matching text/html
that is common, looks odd
Hi,
You'll all be glad to hear I don't intend to post here every time I do
an update of the sigs,
but as I've added a few sigs today and updated the main website a
little, I thought I'd post to the list:
http://www.sanesecurity.com/clamav/
For those interested, here are some stats from a couple
I was looking for this but I did not find a lot of info about it this
morning and I was wondering if anyone could give me some help... I
would like to setup my ClamAV with Phishing Signatures but as I said I
was unable to find much info on how to do it. I did find lots of
sources with differe
BitFuzzy wrote:
I decoded the hex string and it actually matches "Dear PayPal Member\n"
(PayPal instead of Paypal)
Yea, I caught that, it doesn't make any difference
Hi,
In your first post you said you'd tried these:
Email.Phishing.Paypal.Test.0227001:0:*:446561722050617950616c204d656d62
Tomasz Kojm wrote:
It's not worrying at all. It would be worrying if ClamAV was silently using
a broken signature somehow but it properly reports an error:
Thanks for confirming checking. Well, under cygwin, this is what it does:
C:\CLAMAV~1\bin>clamscan c:\samples
C:\CLAMAV~1\bin>
Tha
Firstly, I just wanted to say a big thanks to everyone who's sent
samples, encouragement and comments,
regarding the unofficial phishing signatures!
Secondly, just updated the Unofficial ClamAV Phishing Signatures, which
now contain 690 sigs :)
I've updated the site here with links to live st
Hi All,
In order to optimize the use of my bandwidth for the unofficial phishing
signatures, I want to put up a few
example scripts on the main page of my site that users should use to
download the phish.ndb file.
The reason is that I've got quite a few users, downloading every 15
mins, the
Leonardo Rodrigues Magalhães wrote:
sanesecurity.com would need rsync daemon running.
Sure it will work. But is it rsync really needed for syncing a
single file that bzip/gzipped will hardly get over 300k ??
Hi All,
Firstly, I just wanted to say a big thank you for everybody's feedbac
Bill Landry wrote:
a) phish.ndb.gz
Definitely.
I agree.
Okay folks, I've put together a dos script to create the phish.ndb.gz
file and have just updated both the compressed
and un-compressed versions.
The file you need is: http://www.sanesecurity.com/clamav/phish.ndb.gz
I'll pop back he
Christopher X. Candreva wrote:
I've attached my updated Perl script. It will now check the compressed
archive, and if it is updated download and uncompress it.
Thank you!
I'll sort out the website tomorrow hopefully, with some of sample
"recommended" scripts.
Cheers,
Steve
> On Monday 24 Apr 2006 22:35, Steve Basford wrote:
> Steve, is it your intention to name the file inside the .gz phishc.ndb,
> consistently, so I can script on that basis?
Arghhh... sorry that really should have been phish.ndb, I've now
corrected the script
> u
Sorry about this but will people please check their download
scripts, to make sure that they are:
a) only downloading the phish.ndb.gz file
b) only downloading the above file, when there has been a change to it.
c) only checking for changes - no less than hourly.
Realistically, I would thin
> Hi,
> From last few days I am getting lot of mail hits containing
> "Win32/TrojanDownloader.Small.CIE" Virus. Guys have any one come across
> this virus what does it do and how hazardous it is.
All I could find was:
http://www.sophos.com/security/analyses/trojdwnldrdda.html
If the trojan is
Odhiambo Washington wrote:
> ..and today there were so many false positives
>
>
Hi,
If you haven't already... contact them with the raw email that
matched and the virus name that was reported and
I'm sure they'll get it fixed.
Cheers,
Steve
__
Hi All,
Anyone else seeing this sort of thing?
C:\CLAMAV~1\bin>freshclam
ClamAV update process started at Fri Aug 4 18:52:23 2006
main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder:
tkojm)
ERROR: getfile: daily-1635.cdiff not found on remote server
ERROR: getpatch: Can't downl
Been ages since I posted anything about the sigs... so just a reminder,
they are still being updated:
Phishing and Scam Signatures for:
ClamAV
Windows Installer versions for:
w32 clamav
ClamWin
ClamMail
http://www.sanesecurity.com/clamav/
Cheers,
Steve
___
> I've noticed the above in my hourly syslog snip throughout the day today.
> Its
> not appearing each and every time a message is checked. Could someone
> advise
> me on what the problem may be and what the fix might be?
First of all I need to apologise to everyone using the Sanesecurity
scam.ndb.
Ben Lambrey wrote:
> We received several samples of Trojan.Conka.A (name by BitDefender)
> Trojan.MGK
> (name by FRISK) at our viruswall last week.
> I've submitted a sample of the captured virus twice to Clamav, but is still
> undetected by Clamav. I wonder why?
>
Hi Ben,
While you wait f
Christopher X. Candreva wrote:
> In my experience, it means a database maintainer who made a simple mistake
> in one line.
>
I don't think this'll really add anything useful to the discussion
but I've seen that happen in one of the mrsbl
databases.. but there are some small things the non
Hi All,
95% of all SaneSecurity signature users are finally using the gzipped
compressed phish.ndb.gz database...
so I've now removed all the signatures from the old uncompressed
phish.ndb file and just left one "test" signature,
so it doesn't break anyone's system
FinallyAs the year draws t
[EMAIL PROTECTED] wrote:
> I am not available at the moment
etc. ;)
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Jay Lee wrote:
> one more. Again, sorry.
>
It's not me you have to worry about... it's the "others" ;)
Good reminder to everyone though :)
Cheers,
Steve
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clama
carren stuart wrote:
> Is there some reason why my posts aren't even being acknowledged? I
> can't believe that nobody knows the answer to my question. This IS the
> users list and I'm a user, so could somebody PLEASE help me with this.
>
>
Hi,
Sorry I can't really help you... but I did find
Salvatore wrote:
> FixStaleSocket
>
How about:
FixStaleSocket yes
FixStaleSocket no
In other words, the format for .conf files changed in 0.90... you need yes/no
after the option.
Example:
http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2Fetc%2Fclamd.conf&rev
Sean Pinegar wrote:
> I trusted clamav for a long time but ran across an interesting problem today.
> I received an e-mail from a friend that included a powerpoint. I opened the
> powerpoint in linux and wine flagged it as a virus (not sure how wine knew
> there was a virus...can anyone enligh
Hi,
Just a heads up for those using the msrbl sigs.
As of last week:
"Downloading of the signature files is currently only available via rsync":
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb /path/MSRBL-SPAM.ndb
rsync rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
/path/MSRB
Dennis Peterson wrote:
>
> My guess is the MSRBL folks would like it if you downloaded the new
> files only if the file has been modified.
>
I think you're right... the size of their images .ndb file
(un-compressed) jumped to about 7.5 meg in size and I guess shifting
that amount of data for x us
On 9 June 2022 13:17:29 Vangelis Katsikaros via clamav-users
wrote:
Hi
I am not a security person so I apologize if the question sounds stupid.
I'd like to ask if there is a signature in the clamav DB to recognise
Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote
cod
On 22 July 2022 10:15:27 Thomas Barth via clamav-users
wrote:
Hello,
I use ClamAV unofficial signatures and it seems that I get a false
positive, I'm not sure. A known person with a gmail-address and MS
Outlook 16.0 X-Mailer tries to send me a mail with a link to google docs
(Google Sheets) an
On 28 January 2023 16:07:04 Richard Rosner via clamav-users
wrote:
Very interesting to know. Sadly that doesn't help. I added
--exclude-dir="C:\\PROGRA~2\\" --exclude-dir="C:\\PROGRA~1\\" and tried
running in both PowerShell and CMD, no success, it always ends up scanning
Program Files.
Rich
The attached file was some small HTML file containing malicious obfuscated
javascript.
Just to note that at my workplace 1 user received a similar email, using
older email threads to make it look convincing
and with a single html attachment.
0/55 av's so far 6 hours after submitting..
In
On 4 May 2023 14:04:26 newcomer01 via clamav-users
wrote:
Hi there,
do we have currently a problem with the database files?
my cronjob, stops without any error or something on scanning files and in
case did not delete his tmp files.
What version of clamav? What linux version? Memory/disk sp
On 23 May 2023 21:59:22 Paul Netpresto wrote:
Hello
What should the behaviour of a running clamd be when it comes across a
malformed database during a signature-reload.
Clamd.conf has setting "ConcurrentDatabaseReload no"
Regards Paul
Hi Paul,
Is there is a malformed database freshclam w
On 24 May 2023 18:52:04 Paul Netpresto wrote:
Hi
I have found that 1.0.1 and 0.103.8 both behave badly if they find a
malformed db. Agreed freshclam checks out the clamav/cisco db's.
I have yet to determine what unofficial db caused the failure. They should
all have been verified before be
22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon May 22 13:45:02 2023 -> ERROR: accept() failed: Too many open files
Mon
On 24 May 2023 21:57:33 Steve Basford via clamav-users
wrote:
Could you do a ls of the clamav database folder... So I can see what
databases you are using
Sorry all should have been off list... Duh ;)
Cheers,
Steve
Twitter: @sanesecurity
___
Manage
Multi False Positive reports... Just a heads up.
Cheers,
Steve
Sanesecurity.com
Twitter: @sanesecurity
___
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a compr
On 31 August 2023 09:33:24 energynorman--- via clamav-users
wrote:
..additional, also these were found now by the version 1.2.0
(whitelisting?):
--- SCAN SUMMARY ---
Known viruses: 8862874
Engine version: 1.2.0
Scanned directories: 91
Scanned files: 416
Infected files: 0
Dat
On 31 August 2023 09:30:46 energynorman--- via clamav-users
wrote:
Dear clamav Teams,
we are using some Debian 12 servers with PiHole Systems:
OS: Debian GNU/Linux 12 (bookworm) aarch64
Host: Raspberry Pi 4 Model B Rev 1.4
Kernel: 6.1.21-v8+
Uptime: 4 hours
Packages: 2830 (dpkg), 14 (snap)
On 15 December 2023 16:49:49 "Micah Snyder \(micasnyd\) via clamav-users"
wrote
Fixed an issue decrypting some PDF's with an empty password.
Hi Micah,
Just tested and it's decoding URLs now :)
I also wanted to say a huge Thank You for all the programming bug fixes/new
features and support wo
On 8 March 2024 13:20:53 Ralph Seichter via clamav-users
wrote:
I am also happy to report that the new HTTP mirror for SaneSecurity
signature files is chugging along nicely. Over the last days, I have
counted 4672 unique client connections accessing these files, with a
slow but steady increas
On 30 April 2024 10:42:39 Nathan Millard via clamav-users
wrote:
Hi, when I am scanning using clamav on windows I am getting lots of errors
saying “Failed to open file. ERROR”
Does anyone know how to solve this? Seems like it would be a permissions
problem?
Hi.
While there is a windows
On 17 May 2024 13:26:27 Julia Korhonen via clamav-users
wrote:
Upon running command curl http://database.clamav.net, I received a message
indicating that my access was blocked. However, upon reviewing my network
settings and conducting diagnostic tests, I could not find any explicit
indication
--- Begin Message ---
On Tue, May 15, 2018 12:57 pm, Todd Aiken via clamav-users wrote:
> ___
> clamav-users mailing list clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
>
> Help us build a comprehensive