Re: [clamav-users] ClamAV(R) blog: Are you still attempting to download safebrowsing.cvd?

2021-04-22 Thread Andrew Williams
To give a quick update on this, a new version of safebrowsing.cvd was
published yesterday that removes all but a minimal number of signatures
needed for it to be loaded correctly by ClamAV.  The block on
safebrowsing.cvd download attempts was also lifted, and a corresponding
zero-byte CDIFF published, which means that existing installations running
FreshClam with the SafeBrowsing option set should expect a quick update
that replaces the prior, 40 MB safebrowsing.cvd (if present) with the 1 KB
latest one.

-Andrew

On Thu, Apr 8, 2021 at 6:33 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

> So it's actually kinda funny you should ask that.  In 0.103.2 we
> deprecated the SafeBrowsing option in freshclam.conf which means it will no
> longer add safebrowsing to the list of desired databases.
>
> FreshClam has two options "ExcludeDatabase" and "ExtraDatabase" for
> adding/removing official CVDs to the list of databases to update. In
> version 0.102+, FreshClam detects if you have a CVD database in your
> database directory that isn't in the list (e.g. because you excluded it, or
> no longer include an "extra" database) and will remove it.
>
> I didn't realize that deprecating the SafeBrowsing option would cause
> FreshClam to remove the old safebrowsing.cld file until I read your
> question and the thought struck me.  I just tested it now.  I found that in
> 0.103.2 if you used to have safebrowsing.cld (or safebrowsing.cvd),
> FreshClam will automatically remove it for you.
>
> -Micah
>
> > -Original Message-
> > From: clamav-users  On Behalf Of
> > Matus UHLAR - fantomas
> > Sent: Thursday, April 8, 2021 5:40 AM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] ClamAV® blog: Are you still attempting to
> > download safebrowsing.cvd?
> >
> > >On Wednesday, 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via
> > >clamav-users wrote:
> > >> > Are you still attempting to download safebrowsing.cvd?
> > >> >
> > >> >  It has come to our attention that a few of you (about 515,000 of
> > >> > you, to  be more accurate), are still attempting to download the
> > >> > safebrowsing.cvd  file from the official ClamAV mirrors.  This
> > >> > tells us that these  attempted downloads are an installation of
> > >> > FreshClam (a non-updated  FreshClam.conf or other script) that have
> > >> > not been updated to remove the  safebrowsing database.>
> >
> > On 07.04.21 21:04, Vladislav Kurz via clamav-users wrote:
> > >These could be Debian users. The debian package offers to enable
> > >safebrowsing.cvd, and there is no indication that it is discontinued.
> > >Perhaps, if you talk to Debian Clamav maintainers, they could release
> > >an update that disables this option without asking ?
> >
> > it's disabled by default, but yes, disabling it unconditionally would be
> > good
> >
> > The question is whether the old safebrowsing.cld has to be removed if it
> > exists.
> >
> > >Anyway I was one of those, and now disabling it everywhere...
> >
> > +1
> > --
> > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Warning: I do not wish to receive any advertising mail at this address.
> > 2B|!2B, that's a question!
> >
> > ___
> >
> > clamav-users mailing list
> > clamav-users@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
>


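The pruning behaviour Micah describes in the thread above, modelled as an added Python example that is not FreshClam's own code: it reads the database-selection options from a freshclam.conf, builds the wanted list for a given FreshClam version, and reports which official CVD/CLD files would be removed. The default and official database name sets, the sample freshclam.conf and the directory listing are assumptions constructed for the example.

```python
"""Which official CVD/CLD files FreshClam keeps for a given freshclam.conf,
following the behaviour described in the thread: ExtraDatabase and
ExcludeDatabase adjust the wanted list, SafeBrowsing no longer adds
safebrowsing from 0.103.2 on, and official databases not in the wanted list
are pruned.  Example code, not FreshClam's; the default and official
database name sets are assumptions made for this example."""

DEFAULT_DATABASES = {"main", "daily", "bytecode"}           # assumed defaults
OFFICIAL_DATABASES = DEFAULT_DATABASES | {"safebrowsing"}   # assumed official set
SAFEBROWSING_DEPRECATED = (0, 103, 2)   # version in which the option was deprecated

# Constructed freshclam.conf still carrying the deprecated option.
SAMPLE_CONF = """\
# freshclam.conf (constructed example)
DatabaseDirectory /var/lib/clamav
DatabaseMirror database.clamav.net
SafeBrowsing yes
ExtraDatabase securiteinfo    # third-party database, not pruned
ExcludeDatabase bytecode
"""

# Constructed listing of a database directory.
SAMPLE_FILES = ["main.cvd", "daily.cld", "bytecode.cvd", "safebrowsing.cld",
                "securiteinfo.cvd", "custom.ldb"]


def parse_freshclam_conf(text: str) -> dict:
    """Pick out the options that decide which databases are wanted."""
    conf = {"SafeBrowsing": False, "ExtraDatabase": set(), "ExcludeDatabase": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "SafeBrowsing":
            conf[key] = value.lower() in {"yes", "true", "1"}
        elif key in ("ExtraDatabase", "ExcludeDatabase") and value:
            conf[key].add(value)
    return conf


def wanted_databases(conf: dict, version: tuple) -> set:
    """Databases a FreshClam of the given version would try to update."""
    wanted = DEFAULT_DATABASES | conf["ExtraDatabase"]
    if conf["SafeBrowsing"] and version < SAFEBROWSING_DEPRECATED:
        wanted.add("safebrowsing")
    return wanted - conf["ExcludeDatabase"]


def pruned_databases(filenames: list, wanted: set) -> list:
    """Official database files that FreshClam 0.102+ would remove."""
    pruned = []
    for name in sorted(filenames):
        stem, _, ext = name.rpartition(".")
        if ext in ("cvd", "cld") and stem in OFFICIAL_DATABASES and stem not in wanted:
            pruned.append(name)
    return pruned


def audit(conf_text: str, filenames: list, version: tuple = (0, 103, 2)) -> list:
    """Config text + directory listing -> files FreshClam would prune."""
    conf = parse_freshclam_conf(conf_text)
    return pruned_databases(filenames, wanted_databases(conf, version))


if __name__ == "__main__":
    for version in ((0, 102, 4), (0, 103, 2)):
        print(version, audit(SAMPLE_CONF, SAMPLE_FILES, version))
```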

Re: [clamav-users] Virus def download results in 403 Forbidden

2021-03-05 Thread Andrew Williams
Setting the 'TestDatabases' option to false in freshclam.conf will prevent
freshclam from loading the database file into memory before replacing the
actual CVDs that clamd will use.  The potential downside with this is that
if a CVD ends up having load issues for some reason (which shouldn't happen
given the testing we do on our end) clamd won't load in any signatures from
that CVD.  With the TestDatabases option enabled, there can be issues on
memory-constrained systems since clamd will have a copy of the CVDs loaded
into memory and then freshclam will load another copy into memory at the
same time, but the benefit is that if a new CVD does have issues loading
for some reason then it won't replace the previous set of CVDs that clamd
has been able to load successfully.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Fri, Mar 5, 2021 at 1:53 PM Mark Pizzolato - Clamav-Win32 via
clamav-users  wrote:

> I've never seen any problem with freshclam's memory footprint.
>
> On my Windows box, freshclam runs taking up all of 2.6MB.
>
> Clamd, on the other hand sucks down 1.4GB.
>
> There is no need to run clamd for the situation you are dealing with.
>
> On Friday, March 5, 2021 at 10:45 AM, Joel Esler wrote:
> > My current suggestion is setup Freshclam to do the initial update.
> >
> > Directly downloading the raw cld files is no longer scalable.
> >
> > > On Mar 5, 2021, at 1:29 PM, Ritch Parker  wrote:
> > >
> > > I originally tried to set up Freshclam but found that, like the scan, it
> > > consumes a large amount of memory.  I have an instance large enough to
> > > run the scans, but it is on an internal subnet without external access…
> > > but downloading files takes almost no memory, so to save some cost I just
> > > set up a small instance on the public subnet to download the daily file…
> > > doing a once every four hour check, then move the file to the larger
> > > instance.  Was going to update further to do a head request, but then it
> > > stopped working :(
> > > ...Really was just looking for an update solution that could be run with
> > > a very small amount of memory and resources and this seemed to be the
> > > best fit.
> > >
> > >
> > >> On Mar 5, 2021, at 10:20 AM, Joel Esler (jesler) via clamav-users
> > >> <clamav-us...@lists.clamav.net> wrote:
> > >>
> > >> Are you using Freshclam to download the updates?
> > >>
> > >>> On Mar 5, 2021, at 12:58 PM, Ritch Parker  wrote:
> > >>>
> > >>> Hello,
> > >>>
> > >>> Yesterday, for some reason, all my AWS VMs received a 403 Forbidden
> > >>> response from clamav when attempting to pull the latest cvd files.  I've
> > >>> tried from two different instances, from a lambda, and then from my
> > >>> local machine. All result in the same response:
> > >>>
> > >>> $ wget http://database.clamav.net/daily.cvd
> > >>> --2021-03-05 09:47:46--  http://database.clamav.net/daily.cvd
> > >>> Resolving database.clamav.net (database.clamav.net)... 104.16.218.84, 104.16.219.84
> > >>> Connecting to database.clamav.net (database.clamav.net)|104.16.218.84|:80... connected.
> > >>> HTTP request sent, awaiting response... 403 Forbidden
> > >>> 2021-03-05 09:47:48 ERROR 403: Forbidden.
> > >>>
> > >>> Not sure how I can resolve this.  Is this temporary?  I've been
> > >>> checking once every 4 hours and no change.
> > >>>
> > >>> Thanks
> > >>>


Re: [clamav-users] [ext] About Madeba-8019734

2020-07-07 Thread Andrew Williams
Michel,

Thanks for reporting this to us.  This signature hit is indeed a false
positive, and the signature should be dropped shortly.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos



On Mon, Jul 6, 2020 at 1:19 PM Ralf Hildebrandt via clamav-users <
clamav-users@lists.clamav.net> wrote:

> * Michel GALLE :
> > Hi Everyone,
> >
> > it's my first post here.
> >
> > I try to get information about "Xls.Malware.Madeba-8019734-0".
> >
> > Clamav informed me a previously clean (or supposed to be clean) xls file
> > is in fact infected by Xls.Malware.Madeba-8019734-0.
> >
> > The file was not modified or edited.
> >
> > I found that Malware.Madeba-8019734-0 definition was added to Clamav on
> > 13 June 2020 or so, in Version 25842 of clamav signatures.
> >
> > My question is: where can I find more information about
> > Malware.Madeba-8019734-0? Is there a better website/service referencing
> > all known malware?
>
>
> # sigtool --find-sigs Xls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
> VIRUS NAME: Xls.Malware.Madeba-8019734-0
> TDB: Engine:51-255,Target:2
> LOGICAL EXPRESSION: 0&1&2&3&4&5
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> -- Limits in place 2004-09-23 ...
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Dim RABJI1  As String
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> Dim words(100) As String
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> FLITIES = words(DOZAL
>  * SUBSIG ID 4
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> If PAST4 > 0 Then
>  * SUBSIG ID 5
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> words(85
>
> So, as you can see the signature consists of 6 subsignatures numbered
> 0-5, all of which must match. It sort-of looks highly specific to me.
>
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
>
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
>
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de
>


Re: [clamav-users] Virus Definition Byte Sequences

2020-06-30 Thread Andrew Williams
sigtool can be used to show the starting offset of signature matches, like
in the example below:

$ sigtool --test-sigs manual/sigs.ldb build/test.exe
VIRUS NAME: Test.Sig.LDB_1of2_PE_ICON_1
TDB: Engine:51-255,Target:1,IconGroup1:TEST_ICON_GROUP_1
LOGICAL EXPRESSION: 0
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> SUBSIG: 434c414d41565f544553545f5052494e54465f535452494e475f
MATCH: ** YES/CHECK OFFSET ** (50 matches at offsets: 1173430 1173380
1160786 1160736 1113386 1113336 1065986 1065936 1018586 1018536 971186
971136 923786 923736 876386 876336 828986 828936 781586 781536 734186
734136 686786 686736 639386 639336 591986 591936 544586 544536 497186
497136 449786 449736 402386 402336 354986 354936 307586 307536 260186
260136 212786 212736 165386 165336 117986 117936 70586 70536)

You'll need to put the full definition of the sigs you want to search for
in their own clamav database file with the correct file extension (like
sigs.ldb in the example above for an LDB sig).  You can find the full
definition of a signature in the ClamAV database via sigtool using sigtool
--find-sigs.  For example:

sigtool --find-sigs=Win.Dropper.Ramnit-8009875-1
[daily.ldb]
Win.Dropper.Ramnit-8009875-1;Engine:51-255,Target:1;0&1&2&3&4;6f754d4e7539;5c2d52445e6d;7a4f6e4f4530;413759616320;50285e38283420

In that example, you would put
Win.Dropper.Ramnit-8009875-1;Engine:51-255,Target:1;0&1&2&3&4;6f754d4e7539;5c2d52445e6d;7a4f6e4f4530;413759616320;50285e38283420
into sigs.ldb and then pass that as the argument to sigtool --test-sigs
along with the matching sample path.

There are some known issues with sigtool --test-sigs, but hopefully it
works well enough for your use case.

Hope that helps!

-Andrew

On Tue, Jun 30, 2020 at 6:27 PM Singletary, Garrett (GE Healthcare) via
clamav-users  wrote:

> Hello,
>
>
>
> I had a few files flagged recently by ClamAV with a couple different
> signatures. I am trying to find out which part of the file the virus
> signature was found in. Is it possible to map the definitions provided by
> ClamAV to actual byte signatures so that I can map myself? Is it possible
> to get the byte range where the pattern was found? Thanks in advance for
> the help.
>
>
>
> -Garrett
>

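An added Python example (not sigtool or ClamAV code) that does for the Ramnit signature quoted above what the sigtool --decode-sigs output in the Madeba thread and the --test-sigs output in this thread show: it splits the .ldb record into name, target description block, logical expression and subsigs, decodes each hex subsig, reports every match offset in a sample buffer and evaluates the logical expression. It handles only plain hex subsigs and expressions built from subsig ids, '&', '|' and parentheses (enough for the signatures on this page); the sample buffer is constructed.

```python
"""Decode a ClamAV logical (.ldb) signature and report where each subsig
matches in a sample, in the spirit of sigtool --decode-sigs/--test-sigs.
Example code, not sigtool: plain hex subsigs and expressions over subsig
ids with '&', '|' and parentheses only (no wildcards, no match counts)."""
import re
from dataclasses import dataclass

# Signature line quoted in the "Virus Definition Byte Sequences" thread.
RAMNIT_LDB = ("Win.Dropper.Ramnit-8009875-1;Engine:51-255,Target:1;0&1&2&3&4;"
              "6f754d4e7539;5c2d52445e6d;7a4f6e4f4530;413759616320;50285e38283420")

# Constructed sample: the five decoded subsignatures embedded in filler bytes.
SAMPLE = (b"\x00" * 16 + b"ouMNu9" + b"\xcc" * 10 + b"\\-RD^m" + b"zOnOE0"
          + b"\xff" * 4 + b"A7Yac " + b"\x90" * 8 + b"P(^8(4 " + b"\x00" * 8)

@dataclass
class LdbSignature:
    name: str
    tdb: str          # target description block, e.g. Engine:51-255,Target:1
    expression: str   # logical expression over subsig ids
    subsigs: list     # raw hex subsignatures; list index == subsig id

def parse_ldb_line(line: str) -> LdbSignature:
    """Split one .ldb record: name;TDB;expression;subsig0;subsig1;..."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("LDB record needs name;TDB;expression;subsig...")
    name, tdb, expression, *subsigs = fields
    return LdbSignature(name, tdb, expression, subsigs)

def decode_subsig(hexsig: str) -> bytes:
    """Plain hex subsig -> bytes, as --decode-sigs prints it."""
    if len(hexsig) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexsig):
        raise ValueError(f"unsupported subsig syntax: {hexsig}")
    return bytes.fromhex(hexsig)

def find_offsets(data: bytes, pattern: bytes) -> list:
    """Every offset (overlaps included) at which pattern occurs in data."""
    offsets, start = [], 0
    while (idx := data.find(pattern, start)) >= 0:
        offsets.append(idx)
        start = idx + 1
    return offsets

def eval_expression(expression: str, matched: set) -> bool:
    """Recursive-descent evaluation; '&' binds tighter than '|'."""
    tokens = re.findall(r"\d+|[&|()]", expression)
    if "".join(tokens) != expression.replace(" ", ""):
        raise ValueError(f"unsupported expression: {expression}")
    pos = 0

    def atom() -> bool:
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else ""
        pos += 1
        if tok == "(":
            value = disjunction()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if tok.isdigit():
            return int(tok) in matched
        raise ValueError(f"unexpected token {tok!r}")

    def conjunction() -> bool:
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = atom() and value    # always consume the right operand
        return value

    def disjunction() -> bool:
        nonlocal pos
        value = conjunction()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = conjunction() or value
        return value

    result = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result

def check_signature(sig: LdbSignature, data: bytes) -> dict:
    """Per-subsig match offsets plus the verdict for one sample buffer."""
    offsets = {i: find_offsets(data, decode_subsig(s))
               for i, s in enumerate(sig.subsigs)}
    matched = {i for i, offs in offsets.items() if offs}
    return {"name": sig.name, "offsets": offsets,
            "detected": eval_expression(sig.expression, matched)}

if __name__ == "__main__":
    sig = parse_ldb_line(RAMNIT_LDB)
    for i, raw in enumerate(sig.subsigs):
        print(f"SUBSIG ID {i}: {raw} -> {decode_subsig(raw)!r}")
    print(check_signature(sig, SAMPLE))
```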

Re: [clamav-users] ClamAV 0.102.2 needs a "--without-systemd" option

2020-04-19 Thread Andrew Williams
Paul,

You should be able to use `--with-systemdsystemunitdir=no` to make it so
that `make install` won't try to register clamd as a systemd service.

-Andrew

On Sun, Apr 19, 2020 at 1:26 PM Paul Kosinski via clamav-users <
clamav-users@lists.clamav.net> wrote:

> I finally built 0.102.2 a few days ago and was rather shocked that it was
> tightly integrated into systemd. In a point release, converting ClamAV into
> a mandatory server strikes me as weird, especially since there is no
> "--without-systemd" option.
>
> I am not philosophically opposed to systemd (its partial ordering of
> dependencies is actually quite elegant), but I have never used ClamAV in
> conjunction with systemd (although I might consider it in the future).
>
> Now for some details...
>
> The way I always have built ClamAV is to install each new version in /opt
> under its version number. This allows me to try out the new version without
> needing to shut down the running version. Then I switch to the new version
> almost atomically by changing one symlink (e.g., /opt/clamav ->
> /opt/clamav.0.102.2) and restarting clamd. So if the new version has some
> problem, I can switch back (also almost atomically).
>
> Luckily, my procedure was not totally wiped out by the systemd issue due
> to the fact that (for extra security) I never run "make install" as root. I
> always create the new ClamAV version directory in /opt owned by the build
> user and install as that user (followed by "chown -R 0.0" etc.). So the
> install failed without adding weird stuff to my systemd environment.
>
> I then worked around the problem by studying the "configure" options and
> found that there was an option "--with-systemdsystemunitdir". So I pointed
> that to a harmless new directory (/opt/clamav.0.102.2/systemd) and reran
> "configure", "make", "make check" and "make install", which then all
> worked, and showed me what the new systemd files contained.
>
> Thus I would strongly recommend adding a "--without-systemd" option to the
> new "configure". If I hadn't employed my workaround, "make install" (as
> root) would have added those 3 files to the standard systemd environment.
> This would have totally broken the way I support multiple versions of
> ClamAV, as those files have *absolute* paths to the new version of ClamAV
> no matter where installed.
>
> P.S. I run freshclam via cron and my own "getfreshclam" wrapper. This
> allows me to keep older signature files around in case a new version has a
> serious problem. (It was also quite useful in investigating the multi-hour
> out-of-date problem with Cloudflare's BOS mirror.)
>
> Finally, note that simply using systemd and thus freshclam's builtin
> periodic update mechanism (instead of cron) wouldn't easily allow keeping
> previous signature files around as backups.
>


Re: [clamav-users] Detect Signed Malicious Binaries Using .CRB File Signature

2019-10-14 Thread Andrew Williams
Irshad,

The recent ClamAV 0.102 release introduces (reintroduces?) the ability to
write blacklist .crb rules that cause a matching sample to be detected as
malicious without requiring other signatures to match.  Updating the
documentation you highlighted is still on my TODO list, but is true for
previous versions in the recent past.  I too have wondered about that blog
post - I haven't checked to see if this functionality existed in the ClamAV
from 2013, but if so it must have been hindered at some point (and likely
went unnoticed, since blacklist .crb rules haven't seen much use).

Hope that helps!  Let me know if you have any other questions.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Mon, Oct 14, 2019 at 4:35 AM Irshad via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi Guys,
>
> I have multiple signed malware samples. I want to create detection using the
> certificate that is used to sign them. I came across an old blog from
> ClamAV folks.
> https://blog.clamav.net/2013/02/authenticode-certificate-chain.html
> Where the author creates a signature for the revoked certificate and adds
> it to .crtdb to detect the signed malicious binary. Recent versions of
> ClamAV don't recognize .crtdb file, it seems to be replaced by .crb file.
> In the documentation, I found this
>
> The .crb format supports blacklist rule entries, but these cannot
> currently be used as a basis for malware detection. Instead, as currently
> implemented, these entries just override .crb rules which would otherwise
> whitelist a given sample
> https://www.clamav.net/documents/microsoft-authenticode-signature-verification
>
> My question is: is there any way to detect signed malicious binaries using
> signing certificate properties like the author does in the old blog
> mentioned above?
>
> Thank you :) I am new to ClamAV. Please forgive my ignorance.
>
> Have a nice day, you all. :)
>
> Regards,
> Irshad Muhammad.
>


Re: [clamav-users] Running round in circles here.

2019-09-09 Thread Andrew Williams
It looks like that error message comes from
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/clamdscan/proto.c#L112,
and is generated when a call to getaddrinfo (a C standard library function)
fails.  The values passed to this call are directly based on what's in the
clamd config file, so as Ged Haywood suggested, it'd be helpful to see what
your config looks like so that we can diagnose further.  Specifically, this
code deals with the LocalSocket, TCPSocket, and TCPAddr configuration
options.

-Andrew

On Mon, Sep 9, 2019 at 7:31 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hello again,
>
> On Mon, 9 Sep 2019, G.W. Haywood via clamav-users wrote:
>
> > telnet localhost 3311
>
> That should of course have been
>
> telnet localhost 3313
>
> to connect to the port given in the configuration.
>
> --
>
> 73,
> Ged.
>


Re: [clamav-users] Disable official database

2019-08-24 Thread Andrew Williams
There is a configuration option to have ClamAV only load the official
signatures but this setting is disabled by default (it's the
OfficialDatabaseOnly setting for clamd, and '--official-db-only' for
clamscan). One exception to this is for bytecode signatures - only
official bytecode signatures are loaded by default.  This can be changed by
using '--bytecode-unsigned=yes' for clamscan, and for clamd it looks like
the BytecodeSecurity setting can be used (depending on how ClamAV is built).

Although there is some code in ClamAV that ensures daily.cvd/daily.cld get
loaded before some other rule files if they are present, in general ClamAV
only cares about the file extension and uses that to determine whether it
should try to load a given set of rules. This makes it easy to use
third-party or custom rules - with clamd you can just copy the rule files
into the DatabaseDirectory directory and with clamscan you can either copy
the rules into the default rule directory or specify the path to the custom
rules with the '-d' flag.

Hope that helps!

-Andrew

On Sat, Aug 24, 2019 at 11:54 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Sat, 24 Aug 2019, Joel Esler (jesler) wrote:
>
> > I mean, it's possible not to download the official definitions and
> > just point at a custom file right?
>
> No idea.  Haven't tried it.  If you can, it seems like it would be a
> security hole.  The code seems to be saying that it wants to load the
> daily.c[lv]d file before anything else; the name is hard-coded into
> the file I mentioned; and those files are signed.  Given that there's
> already been some discussion along these lines (e.g. see the link in
> my last post) I'd be surprised if nobody else has tried it, but I've
> been surprised before. :)
>
> --
>
> 73,
> Ged.
>


Re: [clamav-users] Scan for dummy file with /dev/zero takes longer

2019-07-16 Thread Andrew Williams
Taizo,

The reason for the difference is that there are a lot of subsignatures used
in the published set of logical signatures that begin with some number of
zeroes (more so than the majority of random byte sequences), so the ClamAV
pattern matcher has to do a lot more work on the all-zeroes file
determining that none of the signatures fully match.  Also, there are
likely some short all-zero subsigs that get used based on how certain
subsignature features are implemented, and these can also affect
performance on large files consisting mainly of zeroes.

Hope that helps!  Thanks for asking about this - your observation is a good
reminder to us that a large all-zero file makes a good test case for
catching signatures that might have egregious performance impacts. :)

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Tue, Jul 9, 2019 at 11:07 PM Taizo ITO  wrote:

> Hello,
>
> I'm trying to get some stats on how long a scan takes by different
> size, but I encountered an unexpected behavior when scanning a file
> generated in a specific way.
> A scan for a dummy file filled with /dev/zero takes much longer than
> with /dev/urandom. I think the processing time should be the same or
> less.
> I'd like to know how to avoid this problem because it may cause a stuck
> service.
> I'm using ClamAV version 0.101.2/25504.
>
> You can reproduce the problem by doing the following.
>
> A 10MB file with /dev/zero: Takes almost 7 times as long as /dev/urandom.
> ```
> $ dd if=/dev/urandom of=dummy-dd-10MB-with-urandom.iso bs=10MB count=1
> $ dd if=/dev/zero of=dummy-dd-10MB-with-zero.iso bs=10MB count=1
> $ ls -ltr dummy-dd-10MB-with-*
> -rw-r--r-- 1 user user 1000 Jul  9 03:41 dummy-dd-10MB-with-zero.iso
> -rw-r--r-- 1 user user 1000 Jul  9 03:41 dummy-dd-10MB-with-urandom.iso
>
> $ time (echo "SCAN dummy-dd-10MB-with-zero.iso" | nc -U
> /var/run/clamd.scan/clamd.sock)
> dummy-dd-10MB-with-zero.iso: OK
> real 0m4.056s
> user 0m0.008s
> sys 0m0.004s
>
> $ time (echo "SCAN dummy-dd-10MB-with-urandom.iso" | nc -U
> /var/run/clamd.scan/clamd.sock)
> dummy-dd-10MB-with-urandom.iso: OK
> real 0m0.569s
> user 0m0.012s
> sys 0m0.000s
> ```
>
>
> A 250MB file with /dev/zero: Takes almost 8 times as long as /dev/urandom.
> ```
> $ dd if=/dev/zero of=dummy-dd-250MB-with-zero.iso bs=25MB count=10
> $ dd if=/dev/urandom of=dummy-dd-250MB-with-urandom.iso bs=25MB count=10
> $ ls -ltr dummy-dd-250MB-with-*
> -rw-r--r-- 1 user user 25000 Jul  9 03:44
> dummy-dd-250MB-with-urandom.iso
> -rw-r--r-- 1 user user 25000 Jul  9 03:44 dummy-dd-250MB-with-zero.iso
>
> $ time (echo "SCAN dummy-dd-250MB-with-zero.iso" | nc -U
> /var/run/clamd.scan/clamd.sock)
> dummy-dd-250MB-with-zero.iso: OK
> real 1m42.949s
> user 0m0.009s
> sys 0m0.003s
>
> $time (echo "SCAN dummy-dd-250MB-with-urandom.iso" | nc -U
> /var/run/clamd.scan/clamd.sock)
> dummy-dd-250MB-with-urandom.iso: OK
> real 0m12.905s
> user 0m0.004s
> sys 0m0.007s
> ```
>
> Thanks.
>
> --
> Taizo Ito
>


Re: [clamav-users] performance degradation of clamscan

2019-07-09 Thread Andrew Williams
Over the last few years, Talos has invested significant amounts of time and
effort into improving the infrastructure we use to automate ClamAV
signature creation and testing, and especially within the last 6-9 months,
this has allowed us to push out signatures for known threats much faster
than we ever have before.  In addition, where much of the automated
coverage we could provide in the past was hash-based, we are increasingly
able to create logical signatures that match on tens or hundreds of samples
at a time.  This increase in the breadth and depth of coverage likely plays
a part in the performance degradation experienced.

I don't have an old daily.cvd handy, but looking at a directory listing of
an unpacked daily.cvd from December 2018, daily.ldb is now 5 times as large
as it was then (it's currently 21 MB with 69,874 rules).  This translates
into a longer signature load time when running clamscan or when
starting/restarting clamd, and contributes to a lesser extent to an
increased file scan time.

We've analyzed several sets of signatures where, when aggregated, they
contribute to large slow-downs of scan times for certain file types.  We've
been able to deploy work-arounds for the cases that we've identified, but
if you observe any files that seem especially slow to be scanned relative
to their size, do let us know so we can investigate further.  Also, we've
spent some time investigating ways that ClamAV itself can be optimized, but
haven't yet taken any concrete actions on this front (to my knowledge).

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Tue, Jul 9, 2019 at 3:39 PM Paul Kosinski via clamav-users <
clamav-users@lists.clamav.net> wrote:

> I have uploaded 4 CVDs and 2 CLDs to:
>
>   http://iment.com/paste-bin/ClamAV-Sigs/
>
> The names include the dates (and times) they were downloaded.
>
> The reason for CVD vs CLD is that Cloudflare made running our own
> "mirror" impractical. The CVD version delivered by Cloudflare's "BOS"
> Anycast server was often behind the version advertised by the DNS TXT.
> This caused freshclam to fail, since we triggered off the DNS TXT, so
> we had to switch to using CDIFFs from *each* machine on our LAN to
> update its CLDs. (Luckily there are only a few, so bandwidth was OK.)
>
> Note that a CLD (after unZIPping) will be much bigger than the
> equivalent CVD, which might change the timings.
>
> It will be interesting to see the results!
>
>
>
> On Tue, 9 Jul 2019 12:05:53 +0100
> Slarty Bartfast via clamav-users  wrote:
>
> > > On Mon, 8 Jul 2019 10:47:18 -0500
> > > "J.R. via clamav-users"  wrote:
> > >
> > > One way you *could* get an older .cvd file is to extract it from the
> > > relevant ClamAV package available on many different linux distros.
> > > Be sure to disable freshclam though (obviously).
> >
> > Thanks for the suggestion; I was able to get some older signatures
> > from some older rpm packages e.g. https://pkgs.org/download/clamav-db
> >
> > However, these were mostly main.cvd and so old that comparisons
> > weren't all that useful unfortunately.
> >
> > I don't think the main apt-based distros have included signatures in
> > their packages for quite some time AFAICS.
> >
> > > Paul Kosinski clamav-users
> > > Mon Jul 8 12:48:47 EDT 2019
> > >
> > > We have a large number of old daily.cvd and daily.cld accumulated
> > > over the past several years. I have kept them in case an update
> > > caused a problem and I had to go back to make ClamAV work until the
> > > next update. (I really should delete most of them!)
> > >
> > > Given some dates, I could upload a few to our Website and provide
> > > URLs.
> >
> > Thanks for the offer, that would be great. Ideally perhaps it'd be
> > useful to see daily signatures from something like:
> >
> > * end of Dec 2017 / start of Jan 2018
> > * end of Mar / start of Apr 2018
> > * end of Jun / start of Jul 2018
> > * end of Sep / start of Oct 2018
> > * end of Dec 2018 / start of Jan 2019
> > * end of Mar / start of Apr 2019
> >
> > Any samples covering roughly that period would be useful; doesn't
> > have to be these specific dates / intervals.
> >
> > I would very much appreciate it if you could share links to these; thanks again.
>
> ___
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>


Re: [clamav-users] Regarding ClamAV performance

2019-05-30 Thread Andrew Williams
Does your platform have GNU time or strace?  Try running clamscan with
'/usr/bin/time -v' and/or 'strace -c' and compare the output with that of
your Ubuntu host.

I wonder if loading the signature DB is causing excessive page faults on
the system without as much memory (time -v will tell you how many page
faults there were).  Here's an example run from an Ubuntu VM:

$ /usr/bin/time -v clamscan requirements.txt
requirements.txt: OK

--- SCAN SUMMARY ---
Known viruses: 8990282
Engine version: 0.100.0
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 62.459 sec (1 m 2 s)
Command being timed: "clamscan requirements.txt"
User time (seconds): 35.13
System time (seconds): 27.24
Percent of CPU this job got: 99%
Elapsed (wall clock) time (h:mm:ss or m:ss): 1:02.54
Average shared text size (kbytes): 0
Average unshared data size (kbytes): 0
Average stack size (kbytes): 0
Average total size (kbytes): 0
Maximum resident set size (kbytes): 1005616
Average resident set size (kbytes): 0
Major (requiring I/O) page faults: 0
Minor (reclaiming a frame) page faults: 251128
Voluntary context switches: 2
Involuntary context switches: 2220
Swaps: 0
File system inputs: 8
File system outputs: 8
Socket messages sent: 0
Socket messages received: 0
Signals delivered: 0
Page size (bytes): 4096
Exit status: 0

-Andrew

On Wed, May 29, 2019 at 3:50 AM Narashimman Srinivasan <
msriniva...@mvista.com> wrote:

> Hi
>
> On a custom target, testing ClamAV (0.101.2) scanning a set of
> files/folders when the RFS is on SD-MMC appears to take the
> same time (~13 mins) with (~1.8 GB) or without swap memory under 1 GB RAM.
> In comparison, ClamAV (0.101.2) on an Ubuntu host (6 GB, 64-bit) is always
> quicker (~42 secs).
>
> Following is a log where the time taken is almost the same for scanning a single file
> or a set of files on the custom target (1 GB RAM)
> running Linux kernel 4.9, where the root file system is on an SD-MMC card.
>
> Please let me know your valuable feedback.
> 
> clamscan ./
> ./.viminfo: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6123265
> Engine version: 0.101.2
> Scanned directories: 1
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 774.923 sec (12 m 54 s)
> ---
>
>
>  clamscan ./*
> ./101/clamav-freshclam-0.101.2-r0.2.2.cortexa9hf_neon.rpm: OK
> ./101/clamav-0.101.2-r0.2.2.cortexa9hf_neon.rpm: OK
> ./101/clamav-libclamav-0.101.2-r0.2.2.cortexa9hf_neon.rpm: OK
> ./101-old/clamav-0.101-r0.2.cortexa9hf_neon.rpm: OK
> ./101-old/clamav-lic-0.101-r0.2.cortexa9hf_neon.rpm: OK
> ./101-old/clamav-libclamav-0.101-r0.2.cortexa9hf_neon.rpm: OK
> ./101-old/clamav-freshclam-0.101-r0.2.cortexa9hf_neon.rpm: OK
> ./101-old1/clamav-0.101-r0.2.cortexa9hf_neon.rpm: OK
> ./101-old1/clamav-libclamav-0.101-r0.2.cortexa9hf_neon.rpm: OK
> ./101-old1/clamav-freshclam-0.101-r0.2.cortexa9hf_neon.rpm: OK
> ./99/clamav-lic-0.99.2-r0.1.cortexa9hf_neon.rpm: OK
> ./99/clamav-libclamav-0.99.2-r0.1.cortexa9hf_neon.rpm: OK
> ./99/clamav-freshclam-0.99.2-r0.1.cortexa9hf_neon.rpm: OK
> ./99/clamav-0.99.2-r0.1.cortexa9hf_neon.rpm: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6123265
> Engine version: 0.101.2
> Scanned directories: 4
> Scanned files: 14
> Infected files: 0
> Data scanned: 7.56 MB
> Data read: 3.74 MB (ratio 2.02:1)
> Time: 791.395 sec (13 m 11 s)
> -
> Thanks & Regards
> Manjunatha Srinivasan N
>


Re: [clamav-users] [External] Re: Scan very slow

2019-05-23 Thread Andrew Williams
As of daily-25458, we've updated the Email.Phishing.VOF2 signatures such
that they should have better performance when scanning larger email files.

Specifically, the signatures each had a PCRE component that began by
looking for the string 'filename', and as it turns out, the PCRE library
will begin evaluating the regex more thoroughly each time the first
character in the regex is encountered in a file being scanned.  It also
turns out that RTF files, which get embedded in emails as plain text, can
consist of a surprisingly large number of f's.  In an email we were testing
with that had an embedded RTF file, the email was ~13 million bytes in
size, and ~10 million of those were the letter f!  We modified the regex to
begin by looking for a semicolon, which is much less common in RTF files
and is not in the base64 character set.

Please let us know if you encounter any other cases of unreasonably slow
scan times, and we will do our best to investigate.  Thank you!

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Wed, Apr 10, 2019 at 8:57 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

> JME,
>
> As you've pointed out, it appears that some signatures containing PCRE
> regex components are responsible for slow scan times on larger email files.
>
> I did a bunch of profiling similar to what Maarten did earlier in order to
> narrow it down.  I found that Email.Phishing.VOF2 signatures are performing
> slower with the eml sample you sent me.  Email.Phishing.VOF2 signatures
> contain a PCRE regex component to alert on email attachments with specific
> names.  Now that we've determined which signatures are performing slowly in
> these cases, I am hopeful that we will be able to optimize the
> Email.Phishing.VOF2 signatures to improve performance.
>
> I will note that your idea to lower the PCRERecMatchLimit setting to 1
> will effectively neuter all signatures that rely on regexes and so I can't
> recommend this.
>
> Regards,
> Micah
>
>
> On 4/10/19, 12:36 PM, "clamav-users on behalf of JME via clamav-users" <
> clamav-users-boun...@lists.clamav.net on behalf of
> clamav-users@lists.clamav.net> wrote:
>
> Hello,
>
> I managed to significantly reduce the problems of very long analysis,
> more than 400 sec on some emails. Not by disabling PhishingSignatures, which
> did not work, but by setting PCRERecMatchLimit to 1.
> The PCRE analyses are thus bypassed, but SafeBrowsing and the other
> scans continue to work. Is it a mistake to proceed this way?
>
> Regards,
> JME
>
> -----Original Message-----
> From: clamav-users  On Behalf Of Brent Clark via clamav-users
> Sent: Wednesday, 10 April 2019 12:33
> To: ClamAV users ML 
> Cc: Brent Clark 
> Subject: Re: [clamav-users] [External] Re: Scan very slow
>
> Thanks for doing this.
>
> What I'm getting out of your feedback is that maybe you guys need to
> look at implementing or re-examining your CI process(es).
>
> Before pushing a commit, your CI can run the same test(s) and alert on
> slow or long-running scans.
>
> All this can be automated to report on issues.
>
> I highly recommend doing this; I don't think you guys realise how
> many systems are running and dependent on ClamAV. Might be a good time to
> remind the community too and ask them to support and donate to the project.
>
> HTH
>
> Regards
> Brent
>
> On 2019/04/09 17:58, Maarten Broekman via clamav-users wrote:
> > Clearly the latest daily.cvd is performing better, but the remaining
> > "Phishtank" sigs are _not_ a majority of the slowness.
> >
> > I unpacked the current (?) cvd (ClamAV-VDB:09 Apr 2019 03-53
> > -0400:25414:1548262:63:X:X:raynman:1554796413) and then ran a test
> > scan with each part to see what the load times looked like:
> >
> > daily.cdb  Time: 0.007 sec (0 m 0 s)
> > daily.cfg  Time: 0.004 sec (0 m 0 s)
> > daily.crb  Time: 0.006 sec (0 m 0 s)
> > *daily.cvd  Time: 11.384 sec (0 m 11 s)*
> > daily.fp  Time: 0.009 sec (0 m 0 s)
> > daily.ftm  Time: 0.005 sec (0 m 0 s)
> > daily.hdb  Time: 0.303 sec (0 m 0 s)
> > daily.hdu  Time: 0.006 sec (0 m 0 s)
> > daily.hsb  Time: 1.093 sec (0 m 1 s)
> > daily.hsu  Time: 0.005 sec (0 m 0 s)
> > daily.idb  Time: 0.006 sec (0 m 0 s)
> > *daily.ldb  Time: 5.563 sec (0 m 5 s)*
> > daily.ldu  Time: 0.005 sec (0 m 0 s)
> > daily.mdb  Time: 0.061 sec (0 m 0 s)
> 
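
Andrew's explanation above (the regex engine starts a full match attempt at every occurrence of the pattern's first literal, so a signature beginning with `filename` is attempted at every `f` in an f-heavy RTF body, while one beginning with `;` is rarely attempted and never inside base64) can be made concrete. The following is an added example, not ClamAV code and not the real Email.Phishing.VOF2 pattern: `PAT_F` and `PAT_SEMI` are hypothetical attachment-name regexes that differ only in their leading literal, and `RTF_BODY`, `ATTACH_HEADER` and `B64_BLOB` are constructed inputs. Python's `re` is not PCRE and has its own literal-prefix scan, so the printed timings are only indicative; the candidate-start counts are the robust measure.

```python
"""Why the leading literal of a PCRE-style signature matters on f-heavy RTF
bodies. Added example (not ClamAV code); the regexes are hypothetical stand-ins
for an attachment-name signature, and all inputs are constructed."""
import base64
import re
import time

# Constructed RTF body: overwhelmingly the letter 'f', as in the list sample.
RTF_BODY = "{\\rtf1\\ansi " + "f" * 1_000_000 + "}"
# Constructed MIME part header that an attachment-name signature would target.
ATTACH_HEADER = 'Content-Disposition: attachment; filename="invoice.rtf"\r\n'
# Constructed base64 blob: what an encoded attachment looks like on the wire.
B64_BLOB = base64.b64encode(bytes(range(256)) * 64).decode()

# Hypothetical signature regexes: same body, different leading literal.
PAT_F = re.compile(r'filename\s*=\s*"?([^";\r\n]+\.rtf)')
PAT_SEMI = re.compile(r';\s*filename\s*=\s*"?([^";\r\n]+\.rtf)')


def candidate_starts(data: str, lead_char: str) -> int:
    """Offsets where a first-character prefilter would stop scanning and
    begin a full match attempt: one per occurrence of the leading literal."""
    return data.count(lead_char)


def search_timed(pattern, data: str, repeats: int = 3):
    """Best-of-N wall time for pattern.search plus the captured attachment name."""
    best, name = float("inf"), None
    for _ in range(repeats):
        t0 = time.perf_counter()
        m = pattern.search(data)
        best = min(best, time.perf_counter() - t0)
        name = m.group(1) if m else None
    return best, name


def report(data: str) -> dict:
    """Attempt counts and captured names for both regexes on one buffer."""
    return {
        "starts_f": candidate_starts(data, "f"),
        "starts_semicolon": candidate_starts(data, ";"),
        "name_f": search_timed(PAT_F, data)[1],
        "name_semicolon": search_timed(PAT_SEMI, data)[1],
    }


if __name__ == "__main__":
    cases = (("clean rtf", RTF_BODY),
             ("rtf + attachment", RTF_BODY + ATTACH_HEADER),
             ("base64 blob", B64_BLOB))
    for label, buf in cases:
        r = report(buf)
        tf, _ = search_timed(PAT_F, buf)
        ts, _ = search_timed(PAT_SEMI, buf)
        print(f"{label:>17}: 'f' starts={r['starts_f']:>8} ({tf * 1e3:6.1f} ms)  "
              f"';' starts={r['starts_semicolon']:>3} ({ts * 1e3:6.1f} ms)  "
              f"match={r['name_semicolon']}")
```

Both regexes capture the same name when the header is present, which is the property a signature rewrite must preserve; what changes is how often the engine is pulled into a full attempt on a clean file, and the base64 case shows why a character outside the base64 alphabet is a good anchor for content that arrives encoded.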

Re: [clamav-users] YARA rule - Filesize

2019-05-23 Thread Andrew Williams
Nibin,

For text files, ClamAV will do normalization (which, among other things,
will condense whitespace) and scan against that file as well, so maybe the
PHP script after normalization is < 1024 bytes?  To confirm, try running
clamscan with '--debug --leave-temps' and then look for messages like
'saving normalized file to' to get the path of the normalized file(s).
What is the size of that/those file(s)?

-Andrew

On Fri, May 17, 2019 at 1:12 PM Nibin V M via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hello All,
>
> I am not sure whether it's a basic question...but I have been struggling with
> this issue for a few days. I have created a rule with the following
> condition.
>
> ===
> condition:
> is_php and filesize < 1024 and $str1 and ($str2 or $str3 or $str4)
> 
>
> Ideally, I want to scan only files under 1 KB. But it is triggering for
> files which are bigger than 1 KB. For example:
>
> 
> [root@server1 ~]# stat -c '%n %s' /home/gal2.php
> /home/gal2.php 3693
> [root@server1 ~]# clamscan -d me.yara /home/gal2.php
> /home/gal2.php: YARA.My_Test_Rule.UNOFFICIAL FOUND
> ===
>
> So as you can see the file is 3K+ in size but it is still triggering the rule.
> If I reduce the filesize to 600 it works fine. What can be the cause?
> When I try using the YARA command directly, this issue does not happen.
>
> Any help will be appreciated...thanks in advance.
>
> --
> Regards
>
> Nibin.
>
>

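Andrew's point above is that ClamAV also scans a normalized copy of a text file, so a `filesize` condition can be evaluated against something much smaller than the file on disk. The following added example (not ClamAV code) models that with a deliberately simplified normalizer that only condenses whitespace; ClamAV's real text normalization does more, so the sizes are illustrative. `PHP_SAMPLE` is a constructed script, and `DEBUG_LINE` is a constructed debug line built around the phrase Andrew quotes; the real prefix printed by `clamscan --debug` may differ.

```python
"""Why `filesize < 1024` can fire on a 3 KB PHP file when ClamAV scans the
normalized copy too. Added example; normalize_text() is a simplified model of
whitespace condensing, not ClamAV's own normalizer."""
import re


def normalize_text(data: bytes) -> bytes:
    """Collapse runs of horizontal whitespace to one space, strip each line,
    and drop empty lines (a simplified model, not ClamAV's textnorm)."""
    lines = (re.sub(rb"[ \t\r\f\v]+", b" ", ln).strip() for ln in data.split(b"\n"))
    return b"\n".join(ln for ln in lines if ln)


def filesize_check(data: bytes, limit: int = 1024) -> dict:
    """`filesize < limit` as YARA sees the raw file and as a scan of the
    normalized copy would see it."""
    raw, norm = len(data), len(normalize_text(data))
    return {"raw_size": raw, "normalized_size": norm,
            "raw_hit": raw < limit, "normalized_hit": norm < limit}


# Constructed sample: a tiny PHP script padded with indentation and blank lines.
PHP_SAMPLE = b"<?php\n" + b"\n\n".join(
    b" " * 300 + line for line in (
        b'$name = "world";', b"if ($name) {", b'    echo "hello $name";', b"}")
) + b"\n?>\n"

# Constructed debug line; the exact prefix clamscan prints may differ.
DEBUG_LINE = ("LibClamAV debug: saving normalized file to "
              "/tmp/clamav-example/normalized.txt")


def normalized_paths(debug_output: str) -> list:
    """Pull normalized-file paths out of `clamscan --debug --leave-temps` output
    so they can be sized with `stat -c '%n %s'` as a follow-up."""
    return re.findall(r"saving normalized file to\s+(\S+)", debug_output)


if __name__ == "__main__":
    result = filesize_check(PHP_SAMPLE)
    print(f"raw {result['raw_size']} bytes -> hit={result['raw_hit']}; "
          f"normalized {result['normalized_size']} bytes -> hit={result['normalized_hit']}")
    print("normalized temp files:", normalized_paths(DEBUG_LINE))
```

The practical check is the one Andrew describes: run `clamscan --debug --leave-temps` on the file, feed the debug output to `normalized_paths`, and `stat` the paths it returns; if the normalized copy is under the rule's limit, the `filesize` condition is doing what it was written to do, just against a different buffer than the rule author expected.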


Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0

2019-04-11 Thread Andrew Williams
Hey Graeme,

Doc.Trojan.Agent-6923110-0 has been dropped as of this morning's daily.cvd
build.  Thanks for bringing this FP to our attention.

For reference, the signature was generated from a cluster of documents
similar to and including the one below:

https://www.virustotal.com/gui/file/7cf485fb365ef45d1d5253ef104ae418f9cb18dff0500e5bb7c8ad3a32220ab5

From doing some quick research on the underlying VB script contained
within, there is some code that looks a little suspicious, but the vast
majority appears to be code associated with documents produced by Oracle
Web Applications Desktop Integrator (ADI).  This signature mistakenly
matches on the latter.

From searching online, I was able to find some clean spreadsheets created
via Oracle Web ADI and have added those to our clean sample database, so
that future signatures which might mistakenly match on these documents and
spreadsheets won't pass our False Positive testing.

Thanks again, and let me know if you have any questions.

-Andrew

Andrew Williams
Malware Research Engineer
Cisco Talos


On Wed, Apr 10, 2019 at 1:44 PM Graeme Fowler via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Thanks; I'm well aware of that.
>
> I can well understand the rationale behind the signature - however it
> looks like the code is established in normal usage. The user in question
> requested a more recent copy of the template sheet they work with from the
> upstream organisation, which too was blocked at the boundary (as I
> expected).
>
> I'm loath to put it into the ignore list as there's obviously good reason
> for the sig in the first place; what I can't see is whether any other Clam
> sites have seen the same issue, hence raising it here.
>
> It may be that the sig is a bit too broad, but equally it may be entirely
> based on observed malware - and if we've got genuine files using the same
> code as malware or the other way round, that leaves us in a bit of a pickle.
>
> Graeme
>
> 
> From: clamav-users  on behalf of
> Brent Clark via clamav-users 
> Sent: 10 April 2019 13:38
> To: ClamAV users ML
> Cc: Brent Clark
> Subject: Re: [clamav-users] Possible FP Doc.Trojan.Agent-6923110-0
>
> To whitelist a specific signature from the database you just add the
> signature name into a local file with the .ign2 extension and store it
> inside /var/lib/clamav.
>
> i.e. echo 'Doc.Trojan.Agent-6923110-0' >> /var/lib/clamav/whitelist.ign2
>
> HTH
> Regards
> Brent Clark
>
>
>



Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND

2019-03-12 Thread Andrew Williams
Michael,

The reported detections are likely false positives (I too am seeing matches
on Chrome cache files).  The signature will be dropped soon.

Thanks for bringing this to our attention.

-Andrew

Andrew Williams
Malware Research Team
Cisco Talos

On Tue, Mar 12, 2019 at 7:08 PM Michael Newman via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Mac OS 10.14.3
>
> I wake up this morning to find that clamav has discovered sixteen
> instances of this:
>
> Txt.Trojan.Kryptik-6887991-0 FOUND
>
> Most of these are in Chrome cache files, but a few were in Apple Automator
> cache files.
>
> I’ve searched around, but find precious little on this infecting Macs.
> (Lots on Windows.)
>
> Can someone point me in the right direction to find out just what this is,
> where it came from and how I can get rid of it?
>



Re: [clamav-users] pwdb files still supported ?

2019-02-06 Thread Andrew Williams
Thanks for the additional information.

I wonder if the issue encountered here, then, is that certain .zip files
fail to be extracted successfully.  See:
https://bugzilla.clamav.net/show_bug.cgi?id=12235 for a reported instance
of this.  More investigation will be needed to figure out why this is
happening.

-Andrew

On Wed, Feb 6, 2019 at 12:47 PM Scott Kitterman 
wrote:

> Yes.  Debian packages are built with yara support.
>
> Scott K
>
> On February 6, 2019 5:22:48 PM UTC, Arnaud Jacques <
> webmas...@securiteinfo.com> wrote:
> >Hello Andrew,
> >
> >I use the ClamAV provided by Debian 8.11:
> >dpkg -l|grep clam
> >ii  clamav            0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - command-line interface
> >ii  clamav-base       0.100.2+dfsg-0+deb8u1  all    anti-virus utility for Unix - base package
> >ii  clamav-daemon     0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner daemon
> >ii  clamav-freshclam  0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - virus database update utility
> >ii  clamdscan         0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - scanner client
> >ii  libclamav7        0.100.2+dfsg-0+deb8u1  amd64  anti-virus utility for Unix - library
> >ii  libclamunrar7     0.99-0+deb8u3          amd64  anti-virus utility for Unix - unrar support
> >
> >How do I know if it is compiled with YARA support? clamscan --debug does
> >not seem to provide the information.
> >
> >On
> >https://buildd.debian.org/status/package.php?p=clamav=jessie-security
> >,
> >there is "no logs" for amd64
> >o.O
> >Other log files seem to show that Debian compiles with YARA support.
> >For example:
> >https://buildd.debian.org/status/fetch.php?pkg=clamav=i386=0.100.2%2Bdfsg-0%2Bdeb8u1=1540398955=0
> >
> >On 06/02/2019 at 17:32, Andrew Williams wrote:
> >> Hey Arnaud,
> >>
> >> I recently noticed a bug that causes .pwdb files to not be loaded from
> >> the db directory when ClamAV is compiled without Yara support.  Is
> >> your ClamAV built with Yara support, and if not, can you try compiling
> >> with Yara support and see whether this fixes the issue for you?  This
> >> issue will be fixed in an upcoming release.
> >>
> >> Thanks,
> >>
> >> -Andrew
> >> Research Engineer
> >> Malware Research Team
> >>
> >> On Wed, Feb 6, 2019 at 11:16 AM Arnaud Jacques
> >> mailto:webmas...@securiteinfo.com
> >> wrote:
> >>
> >> Hello,
> >>
> >> It seems .pwdb files do not work since version 0.100.2 (maybe since
> >> 0.100.0).
> >> It has this format:
> >>
> >> cat passwords.pwdb
> >> ZipPasswordInfected;Engine:51-255;0;infected
> >>
> >> This file is in the ClamAV databases directory (/var/lib/clamav/) and
> >> ClamAV does not detect malware when the Zip is protected by the "infected"
> >> password. Manually unzipped, ClamAV is able to detect the malware.
> >>
> >> Has the format of .pwdb files changed since 0.100.x?
> >> Is it still supported on recent ClamAV versions?
> >>
> >> --
> >> Cordialement / Best regards,
> >>
> >> Arnaud Jacques
> >> Manager of SecuriteInfo.com
> >>
> >> Telephone: +33-(0)3.44.39.76.46
> >> E-mail: a...@securiteinfo.com <mailto:a...@securiteinfo.com>
> >> Website: https://www.securiteinfo.com
> >> Facebook:
> >> https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> >> Twitter: @SecuriteInfoCom
> >>
> >> Securiteinfo.com
> >> Computer Security - Information Security.
> >> 266, rue de Villers
> >> 60123 Bonneuil en Valois
> >>
>

Re: [clamav-users] pwdb files still supported ?

2019-02-06 Thread Andrew Williams
Hey Arnaud,

I recently noticed a bug that causes .pwdb files to not be loaded from the
db directory when ClamAV is compiled without Yara support.  Is your ClamAV
built with Yara support, and if not, can you try compiling with Yara
support and see whether this fixes the issue for you?  This issue will be
fixed in an upcoming release.

Thanks,

-Andrew
Research Engineer
Malware Research Team

On Wed, Feb 6, 2019 at 11:16 AM Arnaud Jacques 
wrote:

> Hello,
>
> It seems .pwdb files do not work since version 0.100.2 (maybe since
> 0.100.0).
> It has this format:
>
> cat passwords.pwdb
> ZipPasswordInfected;Engine:51-255;0;infected
>
> This file is in the ClamAV databases directory (/var/lib/clamav/) and ClamAV
> does not detect malware when the Zip is protected by the "infected"
> password. Manually unzipped, ClamAV is able to detect the malware.
>
> Has the format of .pwdb files changed since 0.100.x?
> Is it still supported on recent ClamAV versions?
>
> --
> Cordialement / Best regards,
>
> Arnaud Jacques
> Manager of SecuriteInfo.com
>
> Telephone: +33-(0)3.44.39.76.46
> E-mail: a...@securiteinfo.com
> Website: https://www.securiteinfo.com
> Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter: @SecuriteInfoCom
>
> Securiteinfo.com
> Computer Security - Information Security.
> 266, rue de Villers
> 60123 Bonneuil en Valois
>
>