Re: [clamav-users] Reference a normalized variable name without hardcoding a specific one?
Hello Kris,

[...]
> /(n\d+).htmldomstuff;function(\1);/
>
> Do any of Clam's signature types support something like this?

I use:

6e3?3?3?

that matches n000, n003, n024, n781 ...

-- 
Best regards,
Arnaud Jacques
Manager of SecuriteInfo.com
Telephone: +33-(0)3.60.47.09.81
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom
Writing signatures for ClamAV antivirus since 2006

___
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
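To see exactly what a nibble-wildcard body such as 6e3?3?3? covers, here is an added example (not ClamAV's own matcher, and not code from the thread) that implements only the fixed-byte and nibble-wildcard subset of ClamAV hex signatures: `??` matches any byte, `3?` fixes the high nibble, `?3` fixes the low nibble. It does not implement `{n-m}` jumps, anchors or alternations. The sample JavaScript fragment is constructed; the function names are my own. Note the caveat it makes visible: `3?` accepts 0x30..0x3f, so besides the digits 0-9 it also matches `:;<=>?`, slightly wider than the `\d` in the regex quoted above.

```python
"""Matcher for the nibble-wildcard subset of ClamAV hex signatures.

Added illustration, not ClamAV's own matcher. ClamAV hex signatures are
pairs of hex digits; a '?' in either position is a nibble wildcard and
'??' matches any byte. Only that subset is implemented here (no {n-m}
jumps, anchors or alternations), which is enough to reason about what a
body such as 6e3?3?3? actually covers.
"""
from typing import List, Tuple

# (value, mask): byte b matches the template when b & mask == value
ByteTemplate = Tuple[int, int]


def parse_hex_signature(sig: str) -> List[ByteTemplate]:
    """Convert '6e3?3?3?' into per-byte (value, mask) templates.

    mask 0xFF: exact byte, 0xF0: only the high nibble is fixed,
    0x0F: only the low nibble is fixed, 0x00: any byte ('??').
    """
    sig = sig.strip().lower()
    if not sig or len(sig) % 2:
        raise ValueError("hex signature needs an even, non-zero number of nibbles")
    templates: List[ByteTemplate] = []
    for i in range(0, len(sig), 2):
        value = mask = 0
        for shift, nibble in ((4, sig[i]), (0, sig[i + 1])):
            if nibble != "?":
                value |= int(nibble, 16) << shift
                mask |= 0xF << shift
        templates.append((value, mask))
    return templates


def find_matches(sig: str, data: bytes) -> List[int]:
    """Return every offset in data where the signature matches (naive scan)."""
    templates = parse_hex_signature(sig)
    width = len(templates)
    return [
        off
        for off in range(len(data) - width + 1)
        if all((data[off + k] & mask) == value
               for k, (value, mask) in enumerate(templates))
    ]


def matched_strings(sig: str, data: bytes) -> List[bytes]:
    """The concrete byte strings the signature matched in data."""
    width = len(sig.strip()) // 2
    return [data[off:off + width] for off in find_matches(sig, data)]


def nibble_coverage(byte_pattern: str) -> str:
    """All byte values a single two-nibble pattern accepts, as a string.

    Handy for checking how precise a wildcard is: '3?' is wider than the
    decimal digits the original regex asked for.
    """
    (value, mask), = parse_hex_signature(byte_pattern)
    return "".join(chr(b) for b in range(256) if (b & mask) == value)


# Constructed sample: a JavaScript fragment with a normalized variable name.
SAMPLE = b"var n024=1;n024();"

if __name__ == "__main__":
    print(find_matches("6e3?3?3?", SAMPLE))      # [4, 11]
    print(matched_strings("6e3?3?3?", SAMPLE))   # [b'n024', b'n024']
    print(repr(nibble_coverage("3?")))           # '0123456789:;<=>?'
```

Running it shows both occurrences of `n024` in the sample and lists the sixteen characters `3?` accepts; if the extra punctuation matters for your false-positive rate, the surrounding bytes in the signature body have to do the narrowing, because the nibble wildcard cannot.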
Re: [clamav-users] Slow PDF Scanning pt 3.
Hi all,

> You implied that this causes ClamAV's PDF parser to fail to extract (dump) some images. We should fix it so that it will correctly extract every image, as image detection is very useful in identifying phishing documents and other malicious documents and emails.

Good news! I'm waiting for that!

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] official document for creating signatures ?
On 30/03/2023 at 12:23, newcomer01 via clamav-users wrote:
> Hello Arnaud,
> does this help?
> https://docs.clamav.net/manual/Signatures.html
> kind greetings
> Marc

Thank you Marc! Have a good day!

-- 
Best regards,
Arnaud Jacques
[clamav-users] official document for creating signatures ?
Hello,

Where is the official document for creating signatures?

https://www.clamav.net/doc/latest/signatures.pdf -> 404
https://github.com/Cisco-Talos/clamav/blob/main/docs/signatures.pdf -> 404

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] clamdscan: show clean files?
On 13/03/2023 at 15:39, Damian via clamav-users wrote:
>> Faster with parallel command:
>> find /tmp/files -type f |parallel clamdscan --no-summary {}
>
> Cannot confirm:
>
> bench@sigil:/$ time find /usr/share/doc/texinfo -type f | parallel clamdscan --fdpass --no-summary {} | tail -n 2
> /usr/share/doc/texinfo/AUTHORS: OK
> /usr/share/doc/texinfo/NEWS.Debian.gz: OK
>
> real 0m4,241s
> user 0m3,101s
> sys 0m3,324s
>
> bench@sigil:/$ time find /usr/share/doc/texinfo -type f -exec clamdscan --fdpass --no-summary {} + | tail -n 2
> /usr/share/doc/texinfo/AUTHORS: OK
> /usr/share/doc/texinfo/NEWS.Debian.gz: OK
>
> real 0m0,299s
> user 0m0,015s
> sys 0m0,033s
>
> bench@sigil:/$ time find /usr/share/doc/texinfo -type f | parallel clamdscan --fdpass --no-summary {} | tail -n 2
> /usr/share/doc/texinfo/AUTHORS: OK
> /usr/share/doc/texinfo/NEWS.Debian.gz: OK
>
> real 0m4,273s
> user 0m3,222s
> sys 0m3,513s
>
> bench@sigil:/$ time find /usr/share/doc/texinfo -type f -exec clamdscan --fdpass --no-summary {} + | tail -n 2
> /usr/share/doc/texinfo/AUTHORS: OK
> /usr/share/doc/texinfo/NEWS.Debian.gz: OK
>
> real 0m0,343s
> user 0m0,004s
> sys 0m0,047s

Disk cache hits.

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] clamdscan: show clean files?
Hello,

> However, this might work for you:
> find /tmp/files -type f -exec clamdscan --no-summary {} +

Faster with parallel command:

find /tmp/files -type f |parallel clamdscan --no-summary {}

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published
Hi,

On 20/02/2023 at 13:11, Brent Clark via clamav-users wrote:
> Good day Guys
>
> Anyone on Debian Buster and Bullseye?
> How serious is this?
> Does anyone have any suggestions. Cause there are no packages available.

Package is available (0.103.8) in Bullseye proposed updates:
https://tracker.debian.org/pkg/clamav

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] [EXTERNAL] Re: Off Line Signature updates.
Hi Andy,

On 30/01/2023 at 17:27, GARLICK, Andy W via clamav-users wrote:
> Thanks Joel,
> It seems like it is no longer possible to download the signatures directly. If they can be, could you provide the link please?

https://packages.microsoft.com/clamav/

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?
Hello Andy,

> My config file already excludes:
> ExcludePUA Packed
> ExcludePUA Downloader
> And adding "Packer" (and restarting ClamD) will NOT exclude the above "Packer"!?

Should work:

ExcludePUA PUA.Win.Packer.BorlandCpp-8
ExcludePUA PUA.Win.Packer.BorlandDelphi-12

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] ClamAV scan time improvement
Hello,

On 08/11/2022 at 19:02, Vijay Kumar Kamannavar via clamav-users wrote:
> Hello Team,
> We are leveraging ClamAV agent for our VMs' malware detection. We tried to scan a VM with 30GB used space and it took approx 1.30Hrs (we tried to capture certain file extensions to reduce the number of files and passed file lists as arguments to clamdclient)
> Note:
> 1. We tried the above test with a 4 core 8GB VM
> 2. We tried clamdscan as below
> /bin/parallel -j 10 clamdscan -m --fdpass --no-summary --file-list

Why -j 10 if you have only 4 cores?

If you want to scan the /my_path directory and subdirectories, I suggest the following:

find /my_path -type f | parallel clamdscan -mi --fdpass --no-summary {}

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] ClamAV on RHEL9 with FIPS enabled
Hello,

> Oct 24 12:07:45 rhel9test clamd[46661]: ERROR: Can't allocate memory

You do not have enough RAM. Do you have at least 8Gb?

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] ClamAV-milter and JSON attachments
Hello Milos,

> infected by Archived_JS.UNOFFICIAL

UNOFFICIAL means this signature was not created by the official ClamAV team. You should find who published this signature, and ask them.

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] Getting 1020 error when curling
Hello,

On 29/08/2022 at 09:21, Yong Jie YEOH (GOVTECH) via clamav-users wrote:
> Hi,
> I would like to check. I have a QA environment which has a forward proxy to forward to specific whitelisted URLs. Just a few days ago, I got to know that my clamav fails to update daily. I went to the forward proxy and tried to curl myself, and I got a 1020 error. When I do it with wget, I get a 403 error. Any idea why?

Do not use curl. Do not use wget. Use freshclam.

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN).
Hello Ganesh,

If you use Debian buster, then it is *not* Debian sid.

Please use this command to know the version number:

clamdscan -V

On 22/06/2022 at 12:24, Kachare, Ganesh, Vodafone (External) via clamav-users wrote:
> Thanks Maarten for your response.
>
> I am using clamav-daemon and clamav-freshclam packages on a Debian buster-slim custom docker image.
> Debian -- Details of package clamav-daemon in sid <https://packages.debian.org/unstable/clamav-daemon> - I can see its stable version is 0.103.3+dfsg-0+deb11u1 <https://packages.debian.org/source/stable/clamav>
>
> Regards,
> Ganesh
>
> *From:* Maarten Broekman
> *Sent:* 22 June 2022 10:16
> *To:* ClamAV users ML
> *Cc:* Kachare, Ganesh, Vodafone (External)
> *Subject:* Re: [clamav-users] FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN).
>
>> What version of ClamAV are you using? What do the logs show?
>> If you are before 0.103, then your version is too old.
>> https://docs.clamav.net/faq/faq-eol.html
>>
>> Maarten
>> Sent from a tiny keyboard
>>
>> On Jun 22, 2022, at 05:08, Kachare, Ganesh, Vodafone (External) via clamav-users <clamav-users@lists.clamav.net> wrote:
>>> Hi All,
>>> I am using the ClamAV engine and recently started getting error 403 and error 429 from the CDN while downloading CVD updates. I am using freshclam for downloading CVD updates. I am not sure why the CDN has blocked us from downloading the cvd updates.
>>> Could anyone please explain how to resolve this issue.
>>>
>>> Here is my config for freshclam.conf
>>> ##
>>> DatabaseOwner clamav
>>> UpdateLogFile /var/log/clamav/freshclam.log
>>> LogVerbose false
>>> LogSyslog false
>>> LogFacility LOG_LOCAL6
>>> LogFileMaxSize 0
>>> LogRotate true
>>> LogTime true
>>> Foreground false
>>> Debug false
>>> MaxAttempts 5
>>> DatabaseDirectory /var/lib/clamav
>>> DNSDatabaseInfo current.cvd.clamav.net
>>> ConnectTimeout 30
>>> ReceiveTimeout 0
>>> TestDatabases yes
>>> ScriptedUpdates yes
>>> CompressLocalDatabase no
>>> Bytecode true
>>> NotifyClamd /etc/clamav/clamd.conf
>>> # Check for new database 1 times a day
>>> Checks 1
>>> DatabaseMirror db.local.clamav.net
>>> DatabaseMirror database.clamav.net
>>> DatabaseOwner node
>>> HTTPProxyServer squid-proxy.local
>>> HTTPProxyPort 3128
>>> #
>>>
>>> Regards,
>>> Ganesh

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] ignore yara rule
Hello Dino,

echo -n "invalid_trailer_structure" >>local.ign2

should do the job.

On 12/04/2022 at 18:58, Dino Edwards via clamav-users wrote:
> Hi,
> Using clamav-unofficial-signatures and I'm trying to ignore a yara rule due to many FPs. The blocked message refers to the YARA.invalid_trailer_structure.UNOFFICIAL as the offending signature. However, entering any of the following in the local.ign2 file, clamav ignores it and keeps blocking:
> *YARA.invalid_trailer_structure*
> Any idea what I'm doing wrong here?
> thanks

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] --config-file= bug
Hello,

On 30/03/2022 at 14:36, Gabriel via clamav-users wrote:
> Hello
> As it seems, clamdscan always loads the default clamAV config file and ignores --config-file= (if passed)
> e.g. I tried
> clamdscan --verbose --config-file=/usr/local/test/clamd_custom.conf /home/files/*
> I tried to change various settings in clamd_custom.conf, e.g. DetectPUA, PhishingSignatures, PhishingScanURLs and others, and these new settings are fully ignored.
> This problem exists in current and older recent clamAV versions

If you have an alternate config file for clamd, then it means you must have a second clamd daemon in memory. So I hope your TCPSocket setting in clamd_custom.conf is different from 3310.

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?
FP confirmed (I guess):
https://www.virustotal.com/gui/file/217ae5161a0e08c0fb873858806e3478c9775caffce5168b50ec885e358c199d

On 31/01/2022 at 12:30, Al Varnell via clamav-users wrote:
> First I would upload the file to https://virustotal.com to see if any other scanners identify the file as malware.
>
> Sent from my iPad
> -Al-
>
>> On Jan 31, 2022, at 03:21, Nick Theofanidis via clamav-users wrote:
>> Hello, I hope everyone is well.
>> While scanning my database VPS, clamav found Win.Malware.Generic-9937882-0 on /opt/datadog-agent/embedded/lib/python3.8/ensurepip/_bundled/pip-21.1.1-py3-none-any.whl. The server is running Centos 7, so a Windows-based malware is not likely dangerous, but it makes me wonder: is it malware or is it a false positive? I am new to all this, so I would like some guidelines as to what I should check and how I should proceed...
>> thanks in advance,
>> N. Theofanidis

-- 
Best regards,
Arnaud Jacques
[clamav-users] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd
Is it me, or?

# clamdscan -V
ClamAV 0.103.3/26363/Wed Nov 24 10:19:30 2021

# sigtool -l|tail
Win.Dropper.Bancos-9768280-0
Win.Dropper.Reconyc-9768288-0
Win.Dropper.Razy-9768290-0
Win.Malware.Hematite-9768293-0
Xls.Malware.Alien-9768417-0
Xls.Dropper.BlueTriangle0920-9763021-1
ERROR: listdb: Malformed pattern line 84057 (file /tmp/clamav-390e415af0c5bd568a636008e8bcc32f.tmp/daily.ldb)
ERROR: listdb: Error listing database /tmp/clamav-390e415af0c5bd568a636008e8bcc32f.tmp/daily.ldb
ERROR: listdb: Can't list directory /var/lib/clamav/daily.cvd
ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

Tried to delete /var/lib/clamav/daily.cvd then freshclam. Database test passed successfully. And I still get the problem.

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] IP List for Virus Definition Domain
Hello,

On 15/09/2021 at 19:17, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Wed, 15 Sep 2021, James Freeman wrote:
>> Is there a list of IPs that the ClamAV domain used to download virus definitions resolves to?
>
> Here's the (very short) list that it resolves to from my location:
>
> $ dig +short database.clamav.net
> database.clamav.net.cdn.cloudflare.net.
> 104.16.218.84
> 104.16.219.84
>
> It's a content delivery network - do the same query where you are and you'll probably get different answers. But you won't get a complete list unless you query from locations all over the planet.

Cloudflare public IPs are available:
https://www.cloudflare.com/ips/

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] .cvd Downloads?
Hello,

On 30/08/2021 at 22:32, Skylar Orr via clamav-users wrote:
> Hello, all. I'm wondering where the main.cvd, bytecode.cvd, and daily.cvd files went off to. It's been some time since I've seen them, and I utilize a private server for which a private local mirror is not feasible. Is there a way to get one's hands on these?

https://packages.microsoft.com/clamav/

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] Broken media detection
Zvi,

> When I try to open it, I get error message:
> agam.jpg: It looks like we don't support this file format.

If you look at the content of the file with a hexadecimal editor, you see garbage. It has no known file format. The file format is defined by the content of a file, not by the filename/extension. For me, and for ClamAV, it is not an image.

Verify with the "file" command line tool:

# file agam.jpg
agam.jpg: data

-- 
Best regards,
Arnaud Jacques
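The point that the format lives in the bytes, not in the extension, is what every scanner and file(1) act on. As an added example (my own code, not ClamAV's or file(1)'s), the following sniffs a handful of common container formats from their magic bytes, reports anything it cannot place as "data", and flags a disagreement between what the extension claims and what the header says, which is a cheap triage signal for both scrambled files like the one above and for executables dressed up as images. The sample byte strings are constructed (the garbage is not the real agam.jpg) and the function names are assumptions.

```python
"""Content-based file type identification, independent of the extension.

Added illustration (not ClamAV's or file(1)'s code): a small magic-byte
sniffer of the kind any scanner runs before trusting a filename. A file
whose header matches nothing is reported as "data", as file(1) did for
the broken agam.jpg; a mismatch between what the extension claims and
what the bytes say is itself a useful triage signal.
"""
import struct
from typing import Dict, Optional

# Fixed-offset magic numbers. PE is handled separately because its
# signature sits at a variable offset read from the DOS header.
MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
)

EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
               "pdf": "pdf", "zip": "zip", "exe": "pe", "dll": "pe"}


def is_pe(data: bytes) -> bool:
    """MZ header plus an e_lfanew (offset 0x3C) that points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Name the container format from the leading bytes, or 'data' if unknown."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if is_pe(data):
        return "pe"
    return "data"


def claimed_type(filename: str) -> Optional[str]:
    """What the extension promises, or None for an unknown or missing extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext)


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Compare claimed and detected type; 'mismatch' is the interesting field."""
    claimed = claimed_type(filename)
    detected = sniff_type(data)
    return {"name": filename, "claimed": claimed, "detected": detected,
            "mismatch": claimed is not None and claimed != detected}


# Constructed samples (not the real agam.jpg): a minimal JPEG/JFIF header,
# bytes that match no known header, and a bare PE stub with a valid e_lfanew.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20
GARBAGE = bytes.fromhex("a17f3c09e24b6d88f0135ac7d9e6021b4ee38a5cc1709db2")
PE_STUB = (b"MZ" + b"\x00" * (0x3C - 2)
           + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 24)

if __name__ == "__main__":
    for name, blob in (("photo.jpg", GOOD_JPEG), ("agam.jpg", GARBAGE),
                       ("agam.jpg", PE_STUB)):
        print(triage(name, blob))
```

The garbage sample comes back as "data" under the .jpg name and the PE stub under the same name is flagged as a mismatch; neither would be caught by any check that trusts the extension.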
Re: [clamav-users] Broken media detection
Hello Zvi,

On 24/06/2021 at 10:09, Zvi Kave via clamav-users wrote:
> Hi,
> I tried to use "clamscan --alert-broken-media=yes ag.jpg" to detect JPEG files spoiled by RYUK ransomware.
> Seems that it was not detected - ag.jpg OK.
> Perhaps I use it not correctly?

Perhaps the JPG file format is strictly correct (even if the data of the image is corrupted).

> Please advise.

You should send your sample to https://www.clamav.net/reports/malware

-- 
Best regards,
Arnaud Jacques
Re: [clamav-users] vistumbler as false positive
Anyway, according to the official website "Vistumbler is a wireless network scanner", aka a hack tool, and it should be detected as PUA at minimum.
https://www.clamav.net/documents/potentially-unwanted-applications-pua

On 09/04/2021 at 05:59, Eero Volotinen wrote:
> got response:
> "There are three downloads available for 10.7
> The SHA256 of those files should be
> Vistumbler_v10-7.exe - ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01
> Vistumbler_v10-7.zip - 7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0
> Vistumbler_v10-7_Portable.zip - F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C
> All 3 should contain the same files.
> * the non portable zip is just vistumbler with default settings (storing data in your profile temp directory and documents folder)
> * the exe file is just the zip file packed into an installer with NSIS ( https://nsis.sourceforge.io/Main_Page )
> * the portable version has different settings which cause temp files and save files to be stored inside the same directory as the program (better for portable use) instead of inside your windows profile.
> I went and reanalyzed the file you submitted to virus total and it looks like bitdefender no longer considers them viruses, so it seems they consider it a false positive. You can see if you go to the link you posted above, https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection bitdefender has removed the detection"
>
> Eero
>
> On Thu 8. Apr 2021 at 17.02, Andrew C Aitchison via clamav-users <clamav-users@lists.clamav.net> wrote:
>> On Thu, 8 Apr 2021, Eero Volotinen wrote:
>>> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>>>
>>> Looks like this is (vistumbler) detected as false positive.
>>
>> and
>>
>> On Thu, 8 Apr 2021, Arnaud Jacques wrote:
>>> At first look, ClamAV is not the only one that flags it as malware:
>>> https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection
>>
>> and https://vistumbler.en.lo4d.com/virus-malware-tests but that has a different sha256sum.
>>
>> Hmm. If I feed the github URL into virustotal it comes up clean
>> https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection
>> but if I download the file and give that to virustotal I get
>> https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection
>> (the bit between file/ and /detection matches the sha256sum of my file and that on https://vistumbler.en.lo4d.com/virus-malware-tests ).
>>
>> Initially that page reported
>> 19 security vendors flagged this file as malicious
>> Size 6.92 MB
>> direct-cpu-clock-access invalid-signature nsis overlay peexe runtime-modules signed
>> but when I asked virustotal to rescan, "19 security vendors" changed to "16 security vendors".
>>
>> I have put my copy at:
>> https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe
>>
>> I think this means that raw.github.com has given out at least three different versions of this file.
>> Eero, could you pass this back to the Vistumbler developer "Andrew" (Calcutt?) please?
>>
>> # file Vistumbler_v10-7.exe
>> Vistumbler_v10-7.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
>>
>> # host raw.github.com
>> raw.github.com has address 185.199.108.133
>> raw.github.com has address 185.199.109.133
>> raw.github.com has address 185.199.110.133
>> raw.github.com has address 185.199.111.133
>>
>> On Thu, 8 Apr 2021, Eero Volot
Re: [clamav-users] vistumbler as false positive
Hello,

At first look, ClamAV is not the only one that flags it as malware :
https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection

On 08/04/2021 at 11:41, Eero Volotinen wrote:
> Thanks. I submitted files via that url.
>
> clamscan Vistumbler_v1*
> /root/Vistumbler_v10-7.exe: OK
> /root/Vistumbler_v10-7_Portable.zip: Win.Malware.Generic-9819492-0 FOUND
> /root/Vistumbler_v10-7.zip: Win.Malware.Generic-9819492-0 FOUND
>
> So, looks like this is a false positive on vistumbler..
>
> Eero
>
> On Thu, Apr 8, 2021 at 5:03 AM Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote:
>> Without knowing the name of the infection I can't provide even a guess as to whether it is or not, but the exact answer to your question is for you to report it by filling out the form found @ https://www.clamav.net/reports/fp including the file itself.
>>
>> Sent from my iPad
>> -Al-
>>
>> On Apr 7, 2021, at 18:03, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>>> https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe
>>>
>>> Looks like this is (vistumbler) detected as false positive. How to fix this?
>>>
>>> Eero

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone : +33-(0)3.60.47.09.81
E-mail : a...@securiteinfo.com
Website : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Signatures for ClamAV antivirus : http://ow.ly/LqfdL
Re: [clamav-users] LibClamAV Warning: PNG: Unexpected early end-of-file
Hello Vivek,

> I am scanning my system using "clamscan -i -r --cross-fs=no -f "$list_file"" using a shell script.

Please remove "-i" :

clamscan -r --cross-fs=no -f "$list_file"

... and you will get all files scanned, including the one that triggers the warning.

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Detection rate
Hello Maria,

On 30/03/2021 at 01:03, María Belén Bonino via clamav-users wrote:
> Hey there! Are there any independent testing results to show the current ClamAV detection rate?

For years, we have published our daily statistics :
https://www.securiteinfo.com/attaques/hacking/stats_malwares_internet.shtml

The page is in French, but you can use Google Translate :
https://translate.google.com/translate?sl=fr=en=https://www.securiteinfo.com/attaques/hacking/stats_malwares_internet.shtml

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] signature for cve2017-11882
Hello Jigar,

> clam clam 312952834 Mar  9 10:48 securiteinfoold.hdb
> clam clam  16405860 Mar 26 09:36 securiteinfo.hdb
> clam clam   7203325 Mar 26 09:36 securiteinfohtml.hdb
> clam clam   8421132 Mar 26 13:32 securiteinfoascii.hdb

Why do you not have javascript.ndb ??? It can detect some cve2017-11882.

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] (no subject)
Hello,

> I'm using clamwin antivirus on windows server 2003 but now I can't update anymore.

You can probably use ClamAV for Windows (https://www.clamav.net/downloads) and start learning how it works on the command line.

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Can’t allocate memory error
Hello Michael,

On 02/03/2021 at 13:44, Michael Kyriacou via clamav-users wrote:
> I was not aware of any other way to avoid scanning large files. Where can I find such solutions?

As an example, scan all files below 50 MB :

find /your_path -type f -size -50M | parallel clamdscan -mi --fdpass --no-summary {}

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...
Joel,

> I would like to see more third party signature providers distribute through the signed packages so that every user is getting the signatures instead of a few.

Last month I sent a generic sig using https://www.clamav.net/reports/signature and AFAIK it is still not published. If you do not publish the signature I created and gave you, I'd be happy to know why. I have several generic signatures ready to give you if you agree to publish them.

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Looks like we've gotten a new variant of Emotet getting through...
Hi,

... or you can use SecuriteInfo signatures. The latest Emotet malware variants are already detected today. More information at http://ow.ly/LqfdL

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] [EXTERNAL] clamav scan of changed files
Hello,

> I did some searching and was able to find a few ways of doing it but I would also like your suggestions. I run this script from cron:
>
> #!/bin/sh
> export PATH=/usr/bin:$PATH
> find /data -type f -mtime -7 >scanfiles
> clamscan -f scanfiles -i
> rm -f scanfiles

If you have the parallel tool, the fastest way I found is :

find /data -type f -mtime -7 | parallel clamdscan -mi --fdpass --no-summary {}

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Reply: Way to access .cvd file
Jack,

Run with Administrator rights.

On 31/08/2020 at 07:16, Gao Hui via clamav-users wrote:
> Thanks for your help, Arnaud. But I meet this error :
>
> PS C:\program files\clamav> .\sigtool --unpack-current=daily
> LibClamAV Error: cli_untgz: Cannot create file .\COPYING
> ERROR: unpack: Can't unpack file C:\program files\clamav\database\daily.cvd
>
> PS C:\program files\clamav> .\sigtool --unpack="C:\Program Files\ClamAV\database\daily.cvd"
> LibClamAV Error: cli_untgz: Cannot create file .\COPYING
> ERROR: unpack: Can't unpack file C:\Program Files\ClamAV\database\daily.cvd
>
> PS C:\program files\clamav>
>
> I tried both ways. I copied daily.cvd to the C:\program files\clamav\ directory and used --unpack-current, and used the command "--unpack=FILE", but both failed. Can you give me any hint? Thanks!
>
> ----
> From: clamav-users on behalf of Arnaud Jacques
> Sent: 31 August 2020 4:24
> To: Gao Hui via clamav-users
> Subject: Re: [clamav-users] Way to access .cvd file
>
> Hello Jack,
>
> sigtool --unpack-current=daily
>
> On 31/08/2020 at 05:27, Gao Hui via clamav-users wrote:
>> Hey folks, I am studying ClamAV recently and I am trying to see how the database works. So, is there any way to see how the data looks in the .cvd file? Or how can I open the .cvd file in plaintext?
>>
>> Thanks
>> Jack

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Way to access .cvd file
Hello Jack,

sigtool --unpack-current=daily

On 31/08/2020 at 05:27, Gao Hui via clamav-users wrote:
> Hey folks, I am studying ClamAV recently and I am trying to see how the database works. So, is there any way to see how the data looks in the .cvd file? Or how can I open the .cvd file in plaintext?
>
> Thanks
> Jack

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] own hex-based rules do not match if more complex strings are used
Hello,

Maybe use "echo -n" to avoid the final carriage return in the string.

On 14/08/2020 at 10:16, Stefan Bauer via clamav-users wrote:
> Hi,
>
> given is a very simple example test-file:
>
> # more BAD.file
> %PDF-1.7
> 5 0 obj
> /F << /Type /FileSpec /F (http://bad.url/crap.xlsx) /V true /FS /URL >> >>
> another bad string
> 5 0 obj
>
> Now I add a string to a new test.db file:
>
> # SIG=`echo "another bad string" | sigtool --hex-dump` && echo "sig1=$SIG" > test.db
>
> and let it scan:
>
> # clamscan -d /root/test.db /root/BAD.file
> /root/BAD.file: sig1.UNOFFICIAL FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 1
> Engine version: 0.102.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.004 sec (0 m 0 s)
>
> Works. However, using a more complex string does not:
>
> # SIG=`echo "/F << /Type /FileSpec /F (http" | sigtool --hex-dump` && echo "sig1=$SIG" > test.db
> # clamscan -d /root/test.db /root/BAD.file
> /root/BAD.file: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 1
> Engine version: 0.102.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.004 sec (0 m 0 s)
>
> What am I doing wrong? Thank you.

--
Arnaud Jacques, SecuriteInfo.com
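Why the second signature fails: `echo` appends a line feed, so `echo "..." | sigtool --hex-dump` always ends in `0a`, and "another bad string" only matched because a line feed happens to follow it in BAD.file. The shell example below is added here and is not from the thread or from ClamAV: it reproduces the hex dump with od(1) (no ClamAV binary needed), writes a constructed copy of BAD.file, and checks a hex body against the file on byte boundaries, the way a plain hex signature is matched.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce the trailing-newline pitfall of
#   SIG=`echo "..." | sigtool --hex-dump`
# without needing ClamAV. Assumes only POSIX od(1), sed(1), grep(1) and tr(1).
set -eu

# Hex-encode stdin as one lowercase string, like `sigtool --hex-dump` does.
hex_dump() {
    od -A n -v -t x1 | tr -d ' \n'
}

# Signature body built with `echo` (the thread's way): echo appends a line
# feed, so the body always ends in "0a".
sig_with_newline() {
    echo "$1" | hex_dump
}

# Signature body built with `printf '%s'` (same effect as `echo -n`): exact bytes.
sig_exact() {
    printf '%s' "$1" | hex_dump
}

# Return 0 if hex body $1 occurs in file $2 on a byte boundary, 1 otherwise.
# The file is dumped as "xx xx xx ..." and the body is re-spaced the same way,
# so a match can never start in the middle of a byte (a plain substring search
# on the unspaced hex string could).
sig_matches_file() {
    spaced=$(printf '%s' "$1" | sed 's/../& /g')
    od -A n -v -t x1 < "$2" | tr -s ' \n' ' ' | grep -qF " $spaced"
}

# Constructed copy of the thread's BAD.file, written to path $1.
make_bad_file() {
    cat > "$1" <<'EOF'
%PDF-1.7
5 0 obj
/F << /Type /FileSpec /F (http://bad.url/crap.xlsx) /V true /FS /URL >> >>
another bad string
5 0 obj
EOF
}

# Stand-alone demo: both strings from the thread, both ways of building the body.
demo() {
    f=$(mktemp)
    make_bad_file "$f"
    for s in 'another bad string' '/F << /Type /FileSpec /F (http'; do
        for mode in sig_with_newline sig_exact; do
            body=$($mode "$s")
            if sig_matches_file "$body" "$f"; then r=FOUND; else r=OK; fi
            printf '%-16s body ends in %s -> %-5s (%s)\n' \
                "$mode" "$(printf '%s' "$body" | tail -c 2)" "$r" "$s"
        done
    done
    rm -f "$f"
}
```

Run `demo` to see the `sig_with_newline` body for the /FileSpec string end in `0a` and miss, while the same bytes built with `sig_exact` (or `echo -n`) match.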
Re: [clamav-users] Clamscan signature scan report
Hello Vijay,

clamscan -z is very useful for what you need. Example :

"/ClamAV/bin/./clamscan" -z -d "/Clam/All_sigs/Sigs.ndb" -l "/Clam/sig_report.txt"

On 28/06/2020 at 05:51, Vijay Naidu via clamav-users wrote:
> Hello ClamAV users,
>
> I occasionally use clamscan to perform signature matching. It's a great tool to test the unofficial signatures. However, I only get a report at the end of the cumulative/collated signatures. Is there a way to get a report of individual signatures instead of cumulative? Currently, I only use one signature per database in .ndb format to test the performance of that signature. Is there a way where we can get an individual report by placing all the signatures in a single database? The current script that I use is as follows:
>
> "/ClamAV/bin/./clamscan" -d "/Clam/Individual_sigs/Sig1.ndb" -l "/Clam/sigs_1/sig1_report.txt"
> "/ClamAV/bin/./clamscan" -d "/Clam/Individual_sigs/Sig2.ndb" -l "/Clam/sigs_2/sig2_report.txt"
> "/ClamAV/bin/./clamscan" -d "/Clam/Individual_sigs/Sig3.ndb" -l "/Clam/sigs_3/sig3_report.txt"
> "/ClamAV/bin/./clamscan" -d "/Clam/Individual_sigs/Sig4.ndb" -l "/Clam/sigs_4/sig4_report.txt"
>
> And so on... I have around 200k signatures to test and it can take a long time to finish. Any help would be highly appreciated. Happy to test the beta version if needed.
>
> Many thanks,
> Vijay

--
Arnaud Jacques, SecuriteInfo.com
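With a single database and `-z` (`--allmatch`), every signature that matches a file is logged on its own `path: Name FOUND` line, so one scan log is enough to build the per-signature report asked for above. The helpers below are an added shell example, not from the thread or from ClamAV; the sample log and .ndb file are constructed, and signatures loaded from an unsigned database appear in the log with a `.UNOFFICIAL` suffix, which the unused-signature check strips before comparing names.

```sh
#!/bin/sh
# Added example, not from the thread: per-signature reporting from one
#   clamscan -z -d /Clam/All_sigs/Sigs.ndb -l /Clam/sig_report.txt
# run. Assumes POSIX awk(1) and sort(1); the log format is clamscan's
# "<path>: <signature> FOUND" lines followed by the scan summary.
set -eu

# Hits per signature, most frequent first: "<count> <signature>".
# With -z a file matching several signatures yields one FOUND line per
# signature, so each signature is counted on its own.
sig_report() {
    awk '/ FOUND$/ { n[$(NF-1)]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Paths that signature $2 hit in log $1, in log order.
sig_files() {
    awk -v sig="$2" '/ FOUND$/ && $(NF-1) == sig {
        sub(/: [^ ]+ FOUND$/, ""); print }' "$1"
}

# Signatures in .ndb file $2 that never fired in log $1. The .ndb name is the
# first colon-separated field; the log carries it as "<name>.UNOFFICIAL".
sig_unused() {
    hits=$(mktemp)
    sig_report "$1" | awk '{ sub(/\.UNOFFICIAL$/, "", $2); print $2 }' > "$hits"
    # FILENAME test rather than NR==FNR so an empty hit list is handled correctly.
    awk -F: 'FILENAME == ARGV[1] { hit[$1] = 1; next }
             $1 !~ /^#/ && !($1 in hit) { print $1 }' "$hits" "$2"
    rm -f "$hits"
}

# Constructed sample log in the format clamscan -l writes; path $1.
make_sample_log() {
    cat > "$1" <<'EOF'
/samples/a.exe: Sig1.UNOFFICIAL FOUND
/samples/a.exe: Sig3.UNOFFICIAL FOUND
/samples/b.doc: Sig2.UNOFFICIAL FOUND
/samples/c.pdf: OK
/samples/d.js: Sig1.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 4
Infected files: 3
EOF
}

# Constructed .ndb with four signatures (name:target:offset:hex); path $1.
make_sample_ndb() {
    cat > "$1" <<'EOF'
# constructed test database
Sig1:0:*:616e6f74686572
Sig2:0:*:2f46203c3c
Sig3:0:*:25504446
Sig4:0:*:6e6576657268697473
EOF
}

# Stand-alone demo over the constructed data.
demo() {
    log=$(mktemp); ndb=$(mktemp)
    make_sample_log "$log"; make_sample_ndb "$ndb"
    echo "hits per signature:";      sig_report "$log"
    echo "files hit by Sig1:";       sig_files "$log" Sig1.UNOFFICIAL
    echo "signatures never firing:"; sig_unused "$log" "$ndb"
    rm -f "$log" "$ndb"
}
```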
[clamav-users] clamav website down ?
Hello,

Is it me, or is the ClamAV website down ?

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] clamsubmit error 500
It works now. Thank you.

On 01/05/2020 at 18:43, Joel Esler (jesler) via clamav-users wrote:
> Interesting, please try again? I'm not able to replicate the issue.
>
> On 5/1/20, 12:42 PM, "clamav-users on behalf of Arnaud Jacques" wrote:
>
>> Hello Joel,
>>
>> Every time.
>>
>> On 01/05/2020 at 17:46, Joel Esler (jesler) via clamav-users wrote:
>>> Does it happen every time, or just once?
>>>
>>> On 5/1/20, 10:42 AM, "clamav-users on behalf of Arnaud Jacques" wrote:
>>>
>>>> Hello,
>>>>
>>>> Using clamsubmit, I got :
>>>> Unexpected POST submit response code: 500

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone : +33-(0)3.44.39.76.46
E-mail : a...@securiteinfo.com
Website : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois
Re: [clamav-users] clamsubmit error 500
Hello Joel,

Every time.

On 01/05/2020 at 17:46, Joel Esler (jesler) via clamav-users wrote:
> Does it happen every time, or just once?
>
> On 5/1/20, 10:42 AM, "clamav-users on behalf of Arnaud Jacques" wrote:
>
>> Hello,
>>
>> Using clamsubmit, I got :
>> Unexpected POST submit response code: 500

--
Arnaud Jacques, SecuriteInfo.com
[clamav-users] clamsubmit error 500
Hello,

Using clamsubmit, I got :
Unexpected POST submit response code: 500

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Scanning files with ClamAV on Windows
Hello,

>> Which signatures to use? The default ones that come with the example config?
>
> Any that you can get hold of. There are a lot of them about. The Sanesecurity signatures get a good press but I use them to fight spam rather than protect against malware. I personally think that if you can find malware on a machine, it's already too late to be looking.

According to https://www.securiteinfo.com/attaques/hacking/stats_malwares_internet.shtml (updated daily), official ClamAV detects 10% of daily malware, SaneSecurity detects 10% of daily malware, SecuriteInfo.com detects 93% of daily malware.

SaneSecurity is very good and very reliable at detecting spam, or malware in mail flow (exe in zip, js in zip ...). But SecuriteInfo.com is the best at detecting malware files. I personally recommend SecuriteInfo.com signatures for malware hunting:
https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] DB updates of (only) securiteinfo.hdb failing since last nite (Failed to load new database: Malformed database). what's up?
Hello,

> last nite my ClamAV instance's DB update attempts (via freshclam) started failing for just "securiteinfo.hdb"

This was due to a full disk on our side. Sorry for that. This has been resolved now.

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?
Hello,

On 03/01/2020 at 00:06, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 2 Jan 2020, J.R. via clamav-users wrote:
>
> All good :-) Going to remove javascript.ndb too. Sorry again.
>
> Rather than deleting entire signature databases because of one false positive, why don't you either:
> 1. Whitelist the file (if it's static) or
> 2. Whitelist the signature(s)
> ... And report the false positive to the ClamAV team?

All false positives from SecuriteInfo.com signatures should be sent to webmas...@securiteinfo.com. Thank you.

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Why virus definition DB download url is not https?
Hello,

As far as I know, only the latest version of freshclam (0.102.x) supports https.

On 12/12/2019 at 20:45, kaifeng zeng via clamav-users wrote:
> Hi,
>
> One of the recommended ways to get the latest virus definition DB is through the following links. Why are they not https? Thanks!
>
> http://database.clamav.net/main.cvd
> http://database.clamav.net/daily.cvd
> http://database.clamav.net/bytecode.cvd
>
> Kaifeng

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Sigtool problem
Hello,

On 27/11/2019 at 19:07, Paul via clamav-users wrote:
> root@larch:/tmp/paul# sigtool --unpack-current daily.cld

As far as I know :

sigtool --help | grep unpack-current
    --unpack-current=SHORTNAME             Unpack local CVD/CLD into cwd

So the command line should be :

sigtool --unpack-current=daily

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] A better zip bomb
Hello Brent,

> https://www.bamsoftware.com/hacks/zipbomb/
>
> I took the liberty of spinning up a vagrant instance to find out for myself. Here you can see I scanned the zip file that's made available from the above site. As you can see, with clamav (in conjunction with Sanesecurity), the file passed.
>
> vagrant@stretch:~/src$ clamscan zbsm.zip
> zbsm.zip: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 8944025
> Engine version: 0.101.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 63.13 MB
> Data read: 0.04 MB (ratio 1616.20:1)
> Time: 196.787 sec (3 m 16 s)

No need for 3rd party signatures, official ClamAV seems to work fine with these files :

clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M /var/tmp/tmp
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

--- SCAN SUMMARY ---
Known viruses: 8748540
Engine version: 0.101.4
Scanned directories: 1
Scanned files: 3
Infected files: 3
Data scanned: 169.38 MB
Data read: 53.22 MB (ratio 3.18:1)
Time: 396.918 sec (6 m 36 s)

--
Arnaud Jacques, SecuriteInfo.com
Re: [clamav-users] Automated submissions to third party databases?
Ged,

>> Did you try spam_marketing.ndb from securiteinfo.com? We detect many spams/phishing.
>
> Thanks - no, I don't use that one. It's listed at Sanesecurity as having a high false positive rate.

As far as I know, this review has not been updated for years. We fight false positives as soon as we discover one. This is our priority.

Anyway, the best choice is to give it a try, customize the signatures if necessary, and form your own opinion, not only rely on a 3rd-party evaluation from years ago.

About my own tests, on several mail servers, spam_marketing.ndb detects a lot more spam and phishing than SaneSecurity signatures. No offense to SaneSecurity, it is just my own opinion. spam_marketing.ndb does not pretend to replace SaneSecurity, but is a complement.

>> ... could you please send spam/phishing/malwares to malw...@surfezsanspub.fr?
>
> I will set that up today, and also contact you off-list.

Good! Thank you very much.
Re: [clamav-users] Automated submissions to third party databases?
Hello Ged,

> So I'm flagging up quite a few messages which are guaranteed spam, but which aren't in any of the third-party databases that I'm using. The successes are all 'Sanesecurity.Junk.N', where 'N' is usually a five-digit number beginning with '5'. The detection success rate is in the region of 35% at present, so I'm collecting ~two out of three.

Did you try spam_marketing.ndb from securiteinfo.com? We detect many spams/phishing.

> My milter can very easily process these messages, in any way, and then send them, or the results of this processing, in any format and by any means, to anyone who'd like to have that information. Once set up, it could do it all in real time, without manual intervention at my end. Any takers?

Sure, could you please send spam/phishing/malwares to malw...@surfezsanspub.fr?

Thank you Ged!
Re: [clamav-users] clamsubmit error
Hello Jerry,

It works now for me (clamsubmit compiled from 0.102.0-beta sources). It seems older versions do not work anymore.

On 13/08/2019 at 15:02, Jerry via clamav-users wrote:
> On Mon, 12 Aug 2019 16:43:23 +0200, Arnaud Jacques stated:
>> Same error message with 0.102.0-beta and 0.101.2
>
> * truncated *
>
> FreeBSD 12.0-RELEASE-p9
>
> clamd -V
> ClamAV 0.101.2/25540/Tue Aug 13 04:16:47 2019
>
> invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.
Re: [clamav-users] clamsubmit error
Same error message with 0.102.0-beta and 0.101.2

On 12/08/2019 at 16:36, Joel Esler (jesler) via clamav-users wrote:
> How about now?
>
> On Aug 12, 2019, at 3:40 AM, Arnaud Jacques wrote:
>> Hello Joel,
>>
>> clamsubmit compiled from source from clamav-0.102.0-beta and from clamav-0.100.3 gets the same error message:
>>
>> invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.
>>
>> Where does this message come from? Communication between client and server? Data submitted? Server-side error?
>>
>> [...]
Re: [clamav-users] clamsubmit error
Hello Joel,

clamsubmit compiled from source from clamav-0.102.0-beta and from clamav-0.100.3 gets the same error message:

    invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.

Where does this message come from? Communication between client and server? Data submitted? Server-side error?

On 09/08/2019 at 07:53, Joel Esler (jesler) via clamav-users wrote:
> We're looking into this Arnaud.
>
> On Aug 8, 2019, at 11:09, Arnaud Jacques wrote:
>> Hello Micah,
>>
>> Still got the same error on each submitted file.
>>
>> [...]
Re: [clamav-users] clamsubmit error
Hello Micah,

Still got the same error on each submitted file.

On 08/08/2019 at 17:18, Micah Snyder (micasnyd) via clamav-users wrote:
> Clamsubmit currently uses web forms from the clamav.net submission pages. The error output is, admittedly, pretty terrible when something goes wrong. I've seen that type of error output before when there was an outage on the web server side for collecting these, but in my own test just now I had no problems uploading either malware or false positive reports. Can you please try again?
>
> -Micah
>
> On 8/8/19, 8:38 AM, "clamav-users on behalf of Arnaud Jacques" wrote:
>> Hello,
>>
>> Using clamsubmit for Debian 10.0:
>>
>> clamsubmit -v
>> ClamAV 0.101.2/25535/Thu Aug 8 10:18:42 2019
>>
>> for I in ./*; do clamsubmit -N 'SecuriteInfo' -e webmas...@securiteinfo.com -n $I; done
>> invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned... etc ...
>>
>> I am running the command as root user. Files have read/write access. What's wrong?
>>
>> Thank you.
[clamav-users] clamsubmit error
Hello,

Using clamsubmit for Debian 10.0:

    clamsubmit -v
    ClamAV 0.101.2/25535/Thu Aug 8 10:18:42 2019

    for I in ./*; do clamsubmit -N 'SecuriteInfo' -e webmas...@securiteinfo.com -n $I; done
    invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned. Unable to continue submission.invalid cfduid and/or session id values provided by clamav.net/presigned... etc ...

I am running the command as root user. Files have read/write access. What's wrong?

Thank you.
Re: [clamav-users] Freshclam seems locked and can not be unlocked.
Hello Jari,

freshclam is running as a daemon. If you want to run it manually, then stop the daemon first:

    /etc/init.d/clamav-freshclam stop

On 04/08/2019 at 05:08, Jari Kosonen via clamav-users wrote:
> jari@jari-PC:~$ sudo freshclam
> ERROR: /var/log/clamav/freshclam.log is locked by another process
> ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed
Hello,

On 02/08/2019 at 16:45, J.R. via clamav-users wrote:
> I just checked (again) today and SecuriteInfo.com doesn't support HTTP compression when downloading its signatures...

Yes, I know. It could be a future feature on our side. Not so easy to implement. It needs development.

> On the positive side, you do have the 'Last-Modified' header so at least a client isn't always re-downloading an unchanged file.

Fortunately, yes :)
Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed
Hello,

On 02/08/2019 at 05:37, J.R. via clamav-users wrote:
>> Indeed we do use clamav-unofficial-sigs from https://github.com/extremeshok/clamav-unofficial-sigs/
>
> And interesting timing, just announced a new version: Version 6.0 (30 July 2019)
>
> I noticed recently he was doing a ton of bugfixes to the script. There's not any new features or data sources,

New features:
    Add timestamp support (do not re-download not-modified files, saves bandwidth)
    wget and curl use compression for the transfer (detected when supported, saves bandwidth)

New data source:
    Added SECURITEINFO securiteinfoold.hdb

It is a good idea to upgrade this script on our systems.
Re: [clamav-users] Win.Malware.Krucky-7009041-0 false positive
Yes, confirmed

On 21/07/2019 at 13:05, Groach via clamav-users wrote:
> Confirmed. Updated and rescanned:
>
> Scan Started Sun Jul 21 12:02:25 2019
> ---
> --- SCAN SUMMARY ---
> Known viruses: 6349264
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.93 MB
> Data read: 0.89 MB (ratio 1.04:1)
> Time: 51.901 sec (0 m 51 s)
> -- Completed --
>
> Thanks Al.
>
> On 21/07/2019 10:54, Al Varnell via clamav-users wrote:
>> It has been dropped by daily 25517 which should have been available about an hour ago and I'm no longer seeing it in the database after a freshclam update.
>>
>> -Al-
Re: [clamav-users] Win.Malware.Krucky-7009041-0 false positive
Hello,

The signature of Win.Malware.Krucky-7009041-0 has been ignored in securiteinfo.ign2 for days, maybe weeks. Download it now for free at https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml?lg=en

On 20/07/2019 at 13:35, Groach via clamav-users wrote:
> Already have done. But I have never (no exaggeration) had any success with it being actioned when reported only on that website. So I am also sending this notification to the mail list in the hope that that is more productive.
>
> Thanks
>
> On 20/07/2019 12:22, Matus UHLAR - fantomas wrote:
>> On 20.07.19 11:53, Groach via clamav-users wrote:
>>> C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe: Win.Malware.Krucky-7009041-0 FOUND
>>>
>>> The file is from Adobe Acrobat (genuine file from 2011).
>>>
>>> Virustotal hash: https://www.virustotal.com/gui/file/5821567d7dd99623257aea794023ef4200e6e17fd09656b40d97c44a35c701bb
>>>
>>> Can we get the definition reviewed/removed please?
>>
>> you should report false positive on: https://www.clamav.net/reports/fp
Re: [clamav-users] SecuriteInfo.com.Spam-12370
Hello Bowie,

On 24/06/2019 at 22:45, Bowie Bailey wrote:
> Anyone else having issues with this signature? It seems to decode to "yahoo.com".
>
> VIRUS NAME: SecuriteInfo.com.Spam-12370
> TARGET TYPE: MAIL
> OFFSET: *
> DECODED SIGNATURE: yahoo.com
>
> It's been blocking a bunch of emails that were forwarded from my Yahoo account. I already whitelisted it and sent a report to SecuriteInfo.

Thank you very much for the report. I am sorry for this mistake. Yes, the signature was dropped just 2 hours after I was informed. I corrected my scripts, so it should never happen again. I hope so!
Re: [clamav-users] Andr.Dropper.Shedun-6840512-0 false positive ?
Hello,

Btw, Andr.Dropper.Shedun-6840810-0 has the same problem.

On 04/06/2019 at 09:11, Arnaud Jacques wrote:
> Hello,
>
> For me, Andr.Dropper.Shedun-6840512-0 seems a false positive:
>
> VIRUS NAME: /tmp/daily/daily.ldb:Andr.Dropper.Shedun-6840512-0
> TDB: Engine:51-255,FileSize:4096-16384,Target:0
> LOGICAL EXPRESSION: 0
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE: lvik/system/DexClassLoader;Ljava/io/BufferedOutputStream;Lja
>
> As far as I know, DexClassLoader and BufferedOutputStream are legit Java/Android classes, and not malware related. What do you think about it?
[clamav-users] Andr.Dropper.Shedun-6840512-0 false positive ?
Hello,

For me, Andr.Dropper.Shedun-6840512-0 seems a false positive:

    VIRUS NAME: /tmp/daily/daily.ldb:Andr.Dropper.Shedun-6840512-0
    TDB: Engine:51-255,FileSize:4096-16384,Target:0
    LOGICAL EXPRESSION: 0
     * SUBSIG ID 0
     +-> OFFSET: ANY
     +-> SIGMOD: NONE
     +-> DECODED SUBSIGNATURE: lvik/system/DexClassLoader;Ljava/io/BufferedOutputStream;Lja

As far as I know, DexClassLoader and BufferedOutputStream are legit Java/Android classes, and not malware related. What do you think about it?
[clamav-users] PUA.Andr.Trojan.Mobidash-6888313-0
Hello,

PUA.Andr.Trojan.Mobidash-6888313-0 is a false positive:

    VIRUS NAME: /tmp/daily/daily.ldu:PUA.Andr.Adware.Domob-6888036-0
    TDB: Engine:51-255,FileSize:1048576-4194304,Target:0
    LOGICAL EXPRESSION: 0
     * SUBSIG ID 0
     +-> OFFSET: ANY
     +-> SIGMOD: NONE
     +-> DECODED SUBSIGNATURE: @-_1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX
Re: [clamav-users] ClamAV false positive
Hello Lionel,

> The executable in question is the file "jfxrt.jar" (Java FX Runtime JAR File) and ClamAV considers it "PUA.Andr.Adware.Dowgin-6888245-0", while no other antivirus sees it as a threat (tested with VirusTotal).

If you look at the screenshot of Virustotal you sent, you can see that Clamav does not detect the sample.

On my own Linux computer I cannot reproduce your problem:

    # sha256sum jfxrt.jar
    2a554529f3556cc79c2e42e22a467cc5f189bd2c73ba626cf66908a1d6474034  jfxrt.jar
    # clamscan -V
    ClamAV 0.100.3/25468/Sun Jun 2 10:00:03 2019
    # clamscan --detect-pua jfxrt.jar --max-filesize=30 --max-scansize=30 --max-scriptnormalize=30 --max-htmlnormalize=30 --max-recursion=30 --max-embeddedpe=300M
    jfxrt.jar: OK

    --- SCAN SUMMARY ---
    Known viruses: 8924964
    Engine version: 0.100.3
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 26.12 MB
    Data read: 17.59 MB (ratio 1.48:1)
    Time: 114.523 sec (1 m 54 s)

Are you up-to-date? What is your version of Clamav? What is your version of the signature databases?
Re: [clamav-users] virus/malware risk level
Hello,

> Using clamav... Is there any way to find out what is the risk level (score/priority/...) of the detected virus/malware?

In my own opinion:

PUA detected malwares are risk: LOW
All other detected malwares are risk: MAXIMUM (if not a false positive).

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] Duplicate database, 525 minutes to complete, >90% CPU
Hello Clark,

> Running for 525 minutes at >90% CPU seems not good. Causes noticeable delay in command line activity for all users.

Could you please send us the result of these command lines:

cat /proc/cpuinfo
free -m

Thank you

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] PDF Scanning
David,

Here is an example:

Create a file pdf.ndb in your ClamAV signatures directory (usually /var/lib/clamav/). In this file put this:

testpdf:10:*:4f70656e416374696f6e*4a617661536372697074

Save the file, and restart ClamAV. Then clamdscan should detect the PDF with "OpenAction" and "Javascript".

More information about creating signatures for ClamAV at: https://www.clamav.net/documents/creating-signatures-for-clamav

On 11/04/2019 at 19:29, David Hendrick wrote:
> Hi Arnaud,
>
> Could you explain how I do this? Is this something I can add to clamd.conf?
>
> Many thanks,
> David
>
> -----Original Message-----
> From: clamav-users On Behalf Of Arnaud Jacques
> Sent: Thursday 11 April 2019 18:27
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] PDF Scanning
>
> Hello David,
>
> On 11/04/2019 at 19:20, David Hendrick wrote:
>> Hi there,
>> Does anyone know if there's a way to have ClamAV detect PDF files that have items such as "OpenAction" or "JavaScript" or "JS"?
>
> You can do any detection using ClamAV. *But* if you detect PDF containing "OpenAction" and "Javascript" or "JS" you will have a lot of false positives.

--
Cordialement / Best regards,
Arnaud Jacques
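As an added illustration of the .ndb line in the reply above (editor-added code, not from the post or from the ClamAV project): a small Python helper that hex-encodes plain strings into an .ndb line the same way the reply does, and a toy matcher that approximates the "*" (any number of bytes) and "??" (any single byte) wildcard semantics on constructed PDF fragments. The PDF bytes are constructed for the demonstration; the matcher is only an approximation of libclamav, useful for checking a candidate signature's encoding before deploying it, not a replacement for clamscan.

```python
"""Editor-added example: build and sanity-check a ClamAV .ndb signature.

Not code from the post or from the ClamAV project. The sample PDF
fragments below are constructed for the demonstration.

.ndb line format:  MalwareName:TargetType:Offset:HexSignature
  TargetType 10  = PDF files
  Offset "*"     = match anywhere in the file
  "*" in the hex = any number of bytes; a "??" pair = any single byte
"""
import binascii
import re

PDF_TARGET = 10


def build_ndb(name: str, needles: list, target: int = PDF_TARGET) -> str:
    """Hex-encode each plain string and join them with '*' wildcards,
    so the strings must appear in this order, anywhere in the file."""
    hexparts = [binascii.hexlify(s.encode("ascii")).decode("ascii") for s in needles]
    return f"{name}:{target}:*:{'*'.join(hexparts)}"


def parse_ndb(line: str):
    """Split an .ndb line into (name, target, offset, hexbody)."""
    name, target, offset, body = line.strip().split(":", 3)
    return name, int(target), offset, body


def hexbody_to_regex(body: str) -> "re.Pattern[bytes]":
    """Approximate the '*' and '??' wildcards with a bytes regex.
    Other .ndb wildcards ({n-m}, (aa|bb), ...) are not handled here."""
    pieces = []
    for token in re.split(r"(\*|\?\?)", body):
        if token == "*":
            pieces.append(b".*")
        elif token == "??":
            pieces.append(b".")
        elif token:
            pieces.append(re.escape(binascii.unhexlify(token)))
    return re.compile(b"".join(pieces), re.DOTALL)


def matches(line: str, data: bytes) -> bool:
    """Return True if the signature's byte pattern occurs in data."""
    _, _, _, body = parse_ndb(line)
    return hexbody_to_regex(body).search(data) is not None


# The exact line from the reply above, produced from plain strings.
SIGNATURE = build_ndb("testpdf", ["OpenAction", "JavaScript"])

# Constructed PDF fragments (not real malware): one whose OpenAction runs
# a JavaScript action, one without any script at all.
PDF_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (1) >>\nendobj\n"
)
PDF_PLAIN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
)

if __name__ == "__main__":
    print(SIGNATURE)
    for label, blob in (("with JS", PDF_WITH_JS), ("plain", PDF_PLAIN)):
        print(f"{label}: {'FOUND' if matches(SIGNATURE, blob) else 'OK'}")
```

Two points the hex makes visible: the body is a case-sensitive byte match (it encodes "JavaScript" exactly, so "/JS" or a differently cased name needs its own pattern, or an .ldb logical signature that ORs several subsignatures), and, as the reply warns, any benign PDF whose OpenAction runs a script matches just as well as a malicious one, so a candidate signature of this kind should be run against a clean PDF corpus before it goes into production.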
Re: [clamav-users] Malformed pattern daily.ldb version 25410
Hello,

sigtool --find-sigs Doc.Trojan.Agent-6923124-0 | sigtool --decode-sigs

I don't understand why this signature is so long, and why it is based on always-changing variables.

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] freshclam -V output
Sean,

Here is the resolution I applied when I got this problem (on Debian OS):

# clamdscan -V
ClamAV 0.100.0
(no information about loaded databases)

vi /etc/systemd/system/clamav-daemon.socket.d/extend.conf
[Socket]
ListenStream=127.0.0.1:3310
(check if the 2 above lines are present)

systemctl --system daemon-reload
systemctl restart clamav-daemon.socket
systemctl restart clamav-daemon.service

vi /etc/clamav/clamd.conf
TCPSocket 3310
TCPAddr 127.0.0.1

/etc/init.d/clamav-daemon restart
(it worked at this point).

Hope it helps

On 20/03/2019 at 13:12, Sean Clark via clamav-users wrote:
> Arnaud,
>
> Thank you so much for the direction! I am still having problems. I get a server working, but I try to apply what I thought was the fix to other servers and it does not work. I am missing the target. Could you/or someone help me with the failure scenarios?
>
>> * the virus database is not (already) loaded in memory
>
> How do I verify for this?
>
>> * when clamdscan client cannot connect to clamd daemon
>
> $ ps -aux | grep clam
> sean.cl+ 372 0.0 0.0 13136 1052 pts/0 S+ 11:48 0:00 grep clam
> $ freshclam -V
> ClamAV 0.100.2
>
> I don't see any daemon running on the servers that are working and not working. What are the connection details for this?
>
> Just to recap, the problem statement is that 'freshclam -V' does not have the right output.
>
> Thanks,
> Sean Clark
> Sr Network Engineer
> "An ounce of prevention is worth a pound of cure"
> ServiceNow
> office 425-305-2269
>
> From: clamav-users on behalf of Arnaud Jacques
> Reply-To: ClamAV users ML
> Date: Thursday, March 14, 2019 at 9:43 AM
> To: "clamav-users@lists.clamav.net"
> Subject: Re: [clamav-users] freshclam -V output
>
> [External Email]
>
> Hello Sean,
>
> On 14/03/2019 at 13:53, Sean Clark via clamav-users wrote:
>> Hello,
>> I have read through the archives and could not find a solution. Also I apologize in advance as this might be a dumb question.
>> We have our monitoring set up to check the update status from the output of `freshclam -V`. We are using clamav on Ubuntu and CentOS. We cannot figure out what controls the output behavior described below.
>>
>> This is what we have always seen: (CentOS Linux release 7.4.1708 (Core))
>> $ freshclam -V
>> ClamAV 0.98.7/25387/Wed Mar 13 11:24:46 2019
>>
>> This is the problem we are facing when porting over to Ubuntu (Ubuntu 18.04.1 LTS)
>> $ freshclam -V
>> ClamAV 0.99.4
>> OR
>> $ freshclam -V
>> ClamAV 0.100.2
>>
>> As you can see it's lacking what we believe is the 'latest definitions update time'. I see the man page says `-V` should just be version so I am not sure how we are getting that time stamp. Any thoughts on this?
>
> It happens when the virus database is not (already) loaded in memory and/or when clamdscan client cannot connect to clamd daemon (tcp or socket problem).

--
Cordialement / Best regards,
Arnaud Jacques
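Sean's monitoring reads the database version and date out of the "-V" line, and the thread shows that the line sometimes carries only the engine version. The following is an editor-added example (not code from the post or from the ClamAV project) of a monitoring-side parser that handles both shapes quoted in the thread and refuses to report a database as fresh when the line does not contain database information at all. The sample strings are the ones quoted above; the two-day staleness threshold is an assumption chosen for the demonstration.

```python
"""Editor-added example: parse the "-V" output discussed in this thread
on the monitoring side. Not code from the post or from ClamAV; the sample
lines are the ones quoted in the thread.

Two shapes appear in the thread:
  ClamAV 0.98.7/25387/Wed Mar 13 11:24:46 2019   -> engine/db version/db date
  ClamAV 0.100.2                                 -> engine only
The reply above attributes the second shape to the database not being
loaded or clamdscan not reaching clamd, so a monitor must treat it as
"no information", never as "up to date".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import re

_VERSION_RE = re.compile(r"^ClamAV ([^/\s]+)(?:/(\d+)/(.+))?$")
_DATE_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Wed Mar 13 11:24:46 2019"


@dataclass
class ClamVersion:
    engine: str
    db_version: Optional[int]
    db_date: Optional[datetime]


def parse_version_line(line: str) -> ClamVersion:
    """Parse one line of `clamscan -V` / `clamdscan -V` / `freshclam -V` output."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised -V output: {line!r}")
    engine, db_version, db_date = m.groups()
    return ClamVersion(
        engine=engine,
        db_version=int(db_version) if db_version else None,
        db_date=datetime.strptime(db_date, _DATE_FMT) if db_date else None,
    )


def check_freshness(line: str, now: datetime,
                    max_age: timedelta = timedelta(days=2)) -> str:
    """Classify -V output for a monitoring check.

    Returns "OK", "STALE" (database date older than max_age) or
    "NO_DATABASE_INFO" (the Ubuntu shape from the thread: version only).
    The max_age default is an assumption for the example."""
    info = parse_version_line(line)
    if info.db_date is None:
        return "NO_DATABASE_INFO"
    return "OK" if now - info.db_date <= max_age else "STALE"


if __name__ == "__main__":
    # The thread's CentOS and Ubuntu outputs, checked against a fixed clock.
    clock = datetime(2019, 3, 14, 12, 0, 0)
    for sample in ("ClamAV 0.98.7/25387/Wed Mar 13 11:24:46 2019", "ClamAV 0.100.2"):
        print(f"{sample!r:50} -> {check_freshness(sample, clock)}")
```

The distinction matters operationally: a check that only greps for "ClamAV" would have reported the Ubuntu hosts as healthy even though, per the reply above, the missing fields indicate that the database was not loaded or clamd was not reachable, which is exactly the condition the monitor exists to catch.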
Re: [clamav-users] Slow reload
Hello Bowie,

> I did a check on the SecuriteInfo signatures. I grepped my clamd logs for hits on SecuriteInfo signatures and then matched them to the file they came from.
> #1 was spam_marketing.ndb with 110 hits
> #2 was javascript.ndb with 10 hits
> And that was it. securiteinfo.hdb, securiteinfohtml.hdb, and securiteinfoascii.hdb did not produce a single hit on my system in the past year.
> Unfortunately, removing those signatures does not have much of an effect on the reload times.

Do you have a Professional subscription?
If no: you'll have many more hits if you have a Professional subscription.
If yes: you forgot some important databases to get more hits. Please log in to your account.

Anyway, here are the sorted loading times on my system (Intel i7-6700 CPU) using time clamscan -d:

securiteinfo0hour.hdb: 0.021s
securiteinfo.mdb: 0.033s
securiteinfopdf.hdb: 0.047s
securiteinfohtml.hdb: 0.076s
securiteinfoascii.hdb: 0.163s
securiteinfoandroid.hdb: 0.214s
spam_marketing.ndb: 0.332s
securiteinfo.hdb: 0.894s
securiteinfoold.hdb: 6.801s
javascript.ndb: 21.133s

An antivirus is like any other software: it has minimum requirements. Every year, there are dozens of thousands of malwares in the wild. If we want to detect all of them, we have to include them in antivirus databases. That's why I recommend getting a *fast* CPU and a lot of RAM, because it is still growing these past years!

In my opinion it is a bad idea to run ClamAV + our provided signature databases on low-performance CPUs (VMs, embedded systems, old hardware, ...)

Could you please tell us the CPU you use?

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] Slow reload
Hello Bowie,

On 19/03/2019 at 15:35, Bowie Bailey wrote:
> ClamAV is taking about 2 1/2 minutes to reload its database on my mail server. This seems to frequently happen when we are sending an email, so Thunderbird will time out on the send (although the message will frequently go through anyway).
> I do have a bunch of third party signatures installed from Sanesecurity and SecuriteInfo. Is there a way to get timing information on which signature files are taking the longest to load? Or is this mainly a function of file size?

javascript.ndb is taking most of the reload time. You can test the time to reload without this file.

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] Scan very slow
Jean-Michel,

On 18/03/2019 at 14:55, Jean-Michel via clamav-users wrote:
> Hello,
> Thanks for your feedback. Indeed, there are many elements in this file. It is surprising that the analysis is so long. I tested the file with 6 other antivirus (paid), the analysis lasts less than one second.

That does not mean scanning is deep and detection is maximum :)

> Do you think that it is possible for example to limit the number "embedded items in this PDF file" in order to reduce the analysis time?

I think so. Please see the --max-files option of clamscan (clamdscan has the same option in clamd.conf). Maybe more useful options using:

clamscan --help | grep max

I guess you can play with such options to optimize your scan.

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] Scan very slow
Hello,

> Did you have the same problem? Is there not a bug?

Seems the same here:

clamdscan -m --fdpass *
/tmp/esploso_A3TH.pdf: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 59.406 sec (0 m 59 s)

Using clamscan --debug shows there are a LOT of embedded items in this PDF file (2886 files extracted and scanned from this PDF).

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] Database updated over unencrypted connection?
Hello,

On 15/03/2019 at 16:04, instaham--- via clamav-users wrote:
> Leonardo Rodrigues wrote:
>> the databases are digitally signed, and any modification, such as in a man-in-the-middle attack, would break the signature and freshclam would refuse to run the files.
>
> Sounds good. Can you please explain how this works in detail? Apt places GPG keys in the system and uses them to verify downloaded data. It doesn't seem that ClamAV placed any GPG keys in my system. So how is the verification happening?

Read on https://lists.clamav.net/pipermail/clamav-users/2018-October/007053.html:

"The .cvd files have an internal cryptographic signature that's checked by freshclam and clamd/clamscan. If freshclam and/or clamd accepts the files, you can be assured they are official and unmodified. This is built into clam; no external tools are called."

Btw, it is working for official signatures. 3rd party signatures provide hash-based checksum files.

--
Cordialement / Best regards,
Arnaud Jacques
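To make the "internal cryptographic signature" concrete, here is an editor-added example (not code from the post or from the ClamAV project) that lays out the .cvd header and reproduces the part of the check that needs no key: a 512-byte colon-separated ASCII header carrying, among other fields, the MD5 of the payload and an RSA signature (dsig) over that digest, followed by the gzip'd tar of the database. libclamav recomputes the payload MD5 and compares it to the header field, then verifies the dsig against a public key compiled into the library; the MD5 step alone only catches corruption, since an attacker can rewrite the header, and it is the dsig step that makes the file unforgeable. The sample file below is constructed, with a placeholder in the dsig field, so only the digest step can be shown here; the version, signature count and functionality-level values in it are made up for the demonstration.

```python
"""Editor-added example: the layout of a ClamAV .cvd file and the digest
half of its integrity check. Not code from the post or from the ClamAV
project; the sample file is constructed.

  +------------------ 512 bytes, ASCII, space/NUL padded ------------------+
  | ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime> |
  +-------------------------------------------------------------------------+
  | gzip'd tar of the database files                                        |
  +-------------------------------------------------------------------------+

libclamav: md5(payload) must equal <md5>; then <dsig> (RSA over that md5)
must verify against the public key built into the library. The second
step is not reproduced here (it needs that key); the first is.
"""
import gzip
import hashlib
from dataclasses import dataclass

CVD_HEADER_LEN = 512


@dataclass
class CvdHeader:
    build_time: str
    version: int
    sigs: int
    flevel: int
    md5: str
    dsig: str
    builder: str
    stime: int


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Split the fixed-size colon-separated header into its nine fields."""
    text = raw[:CVD_HEADER_LEN].rstrip(b"\x00 ").decode("ascii")
    fields = text.split(":")
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV CVD header")
    return CvdHeader(fields[1], int(fields[2]), int(fields[3]), int(fields[4]),
                     fields[5], fields[6], fields[7], int(fields[8]))


def body_digest(raw: bytes) -> str:
    """MD5 of everything after the 512-byte header, as libclamav computes it."""
    return hashlib.md5(raw[CVD_HEADER_LEN:]).hexdigest()


def verify_cvd_digest(raw: bytes) -> bool:
    """Digest step only: does the payload still match the header's MD5?
    In-transit corruption, or a payload altered without rewriting the
    header, fails here; a rewritten header would only fail the dsig step,
    which is the one that actually binds the file to the ClamAV project."""
    return body_digest(raw) == parse_cvd_header(raw).md5


def make_sample_cvd(body: bytes, version: int, sigs: int, flevel: int) -> bytes:
    """Construct a header+payload file for the demonstration. The dsig
    field is a placeholder, so a real verifier would reject this file."""
    header = (f"ClamAV-VDB:14 Mar 2019 12-00 +0000:{version}:{sigs}:{flevel}:"
              f"{hashlib.md5(body).hexdigest()}:PLACEHOLDER-DSIG:editor-example:1552564800")
    return header.encode("ascii").ljust(CVD_HEADER_LEN, b" ") + body


def flip_one_byte(raw: bytes, offset: int) -> bytes:
    """Simulate a single corrupted or altered payload byte."""
    return raw[:offset] + bytes([raw[offset] ^ 0x01]) + raw[offset + 1:]


# Constructed payload standing in for the gzip'd tar of a daily.cvd;
# the numbers below are made up for the example.
SAMPLE_BODY = gzip.compress(b"constructed stand-in for the database tarball", mtime=0)
SAMPLE_CVD = make_sample_cvd(SAMPLE_BODY, version=25390, sigs=2000000, flevel=90)

if __name__ == "__main__":
    print(parse_cvd_header(SAMPLE_CVD))
    print("intact  :", verify_cvd_digest(SAMPLE_CVD))
    print("tampered:", verify_cvd_digest(flip_one_byte(SAMPLE_CVD, CVD_HEADER_LEN + 5)))
```

This is also why the reply distinguishes official from third-party databases: the dsig check only exists for files signed with the project's key, so third-party feeds that ship plain .hdb/.ndb files rely on separately published checksums, which protect against corruption but not against a party who can alter both the file and the checksum.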
Re: [clamav-users] Database updated over unencrypted connection?
Hello,

You can read this thread and make your own opinion: https://lists.clamav.net/pipermail/clamav-users/2014-December/001129.html

On 14/03/2019 at 19:26, instaham--- via clamav-users wrote:
> Hi everybody,
> I assume that when I run "freshclam", the virus database is updated over an unencrypted and plain http connection. The default configuration doesn't seem to use https. Isn't this kind of insecure (Man-in-the-middle-attacks, etc.)? Are there any https mirrors available and, if yes, how can I configure ClamAV to use these instead? Or is some kind of verification of the data happening in the background (such as apt in Debian is using GPG)?
> Hope you can help me with this.
> Thanks

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] freshclam -V output
Hello Sean,

On 14/03/2019 at 13:53, Sean Clark via clamav-users wrote:
> Hello,
> I have read through the archives and could not find a solution. Also I apologize in advance as this might be a dumb question.
> We have our monitoring set up to check the update status from the output of `freshclam -V`. We are using clamav on Ubuntu and CentOS. We cannot figure out what controls the output behavior described below.
>
> This is what we have always seen: (CentOS Linux release 7.4.1708 (Core))
> $ freshclam -V
> ClamAV 0.98.7/25387/Wed Mar 13 11:24:46 2019
>
> This is the problem we are facing when porting over to Ubuntu (Ubuntu 18.04.1 LTS)
> $ freshclam -V
> ClamAV 0.99.4
> OR
> $ freshclam -V
> ClamAV 0.100.2
>
> As you can see it's lacking what we believe is the 'latest definitions update time'. I see the man page says `-V` should just be version so I am not sure how we are getting that time stamp. Any thoughts on this?

It happens when the virus database is not (already) loaded in memory and/or when clamdscan client cannot connect to clamd daemon (tcp or socket problem).

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] broken link
Corrected.

On 10/03/2019 at 02:44, Thomas McCourt (tmccourt) via clamav-users wrote:
> Those links should have been corrected Friday (yesterday), are you still having the issue?
>
> On Mar 6, 2019, at 4:53 AM, Arnaud Jacques wrote:
>> Hello,
>> https://www.clamav.net/documents/doc is broken. Link found at https://www.clamav.net/documents/miscellaneous-faq.

--
Cordialement / Best regards,
Arnaud Jacques
[clamav-users] broken link
Hello,

https://www.clamav.net/documents/doc is broken. Link found at https://www.clamav.net/documents/miscellaneous-faq.

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] possible to use clamscan to search for strings in mail?
Hello Alex,

> We do have a large IMAP ~200GB, and in order to find letters containing a specific "keyword", grep is not good because of base64 encoding. So the idea is to look through with the antivirus scanner for a "virus" inside letters, which is not a virus but a (not sure, may be) "bytecode signature" = "keyword". Sounds good? A link to a howto will be appreciated.

Yes it is possible. Please see the official documentation: https://www.clamav.net/documents/creating-signatures-for-clamav

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] ClamAV freshclam third-party signatures support?
Hello Paul,

> I would really like to see clamav-unofficial-sigs be replaced with a simple configuration file for freshclam that adds the additional third-party signatures to the freshclam download process. The config file could be shipped with freshclam itself but disabled by default.

Our provided signatures (https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml) are freshclam.conf compatible. No extra 3rd-party download script is needed. All details about freshclam configuration are explained in your personal account (https://www.securiteinfo.com/clients/customers/signup).

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] Using clamav to test for bad links in incoming emails
Hello,

javascript.ndb and spam_marketing.ndb could help too: https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml

On 09/02/2019 at 00:47, Eric Tykwinski wrote:
> Check out SaneSecurity: https://sanesecurity.com/usage/signatures/
> Specifically: phish, winnow_phish_complete_url
> I'm sure there's others as well.
>
> Sincerely,
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> On Feb 8, 2019, at 6:07 PM, Gene Heskett <ghesk...@shentel.net> wrote:
>> Hello all;
>> Has anyone rigged clamd to check what looks like questionable links contained in incoming emails? It seems over the last 2 weeks my spam has tripled, and I suspect the real payload is in the urls in the message. Or is this so time consuming and bandwidth wasting it's not worth it?
>>
>> Cheers, Gene Heskett
>> --
>> "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author)
>> Genes Web page <http://geneslinuxbox.net:6309/gene>

--
Cordialement / Best regards,
Arnaud Jacques
Re: [clamav-users] pwdb files still supported ?
Hello Andrew,

I use clamav provided by debian 8.11:

dpkg -l | grep clam
ii clamav 0.100.2+dfsg-0+deb8u1 amd64 anti-virus utility for Unix - command-line interface
ii clamav-base 0.100.2+dfsg-0+deb8u1 all anti-virus utility for Unix - base package
ii clamav-daemon 0.100.2+dfsg-0+deb8u1 amd64 anti-virus utility for Unix - scanner daemon
ii clamav-freshclam 0.100.2+dfsg-0+deb8u1 amd64 anti-virus utility for Unix - virus database update utility
ii clamdscan 0.100.2+dfsg-0+deb8u1 amd64 anti-virus utility for Unix - scanner client
ii libclamav7 0.100.2+dfsg-0+deb8u1 amd64 anti-virus utility for Unix - libraryrt
ii libclamunrar7 0.99-0+deb8u3 amd64 anti-virus utility for Unix - unrar support

How to know if it is compiled with yara support? clamscan --debug does not seem to provide the information.

On https://buildd.debian.org/status/package.php?p=clamav=jessie-security, there is "no logs" for amd64 o.O
Other log files seem to show Debian compiles with yara support. For example: https://buildd.debian.org/status/fetch.php?pkg=clamav=i386=0.100.2%2Bdfsg-0%2Bdeb8u1=1540398955=0

On 06/02/2019 at 17:32, Andrew Williams wrote:
> Hey Arnaud,
> I recently noticed a bug that causes .pwdb files to not be loaded from the db directory when ClamAV is compiled without Yara support. Is your ClamAV built with Yara support, and if not, can you try compiling with Yara support and see whether this fixes the issue for you? This issue will be fixed in an upcoming release.
>
> Thanks,
> -Andrew
> Research Engineer
> Malware Research Team
>
> On Wed, Feb 6, 2019 at 11:16 AM Arnaud Jacques <webmas...@securiteinfo.com> wrote:
>> Hello,
>> It seems .pwdb files do not work since version 0.100.2 (maybe since 0.100.0). It has this format:
>>
>> cat passwords.pwdb
>> ZipPasswordInfected;Engine:51-255;0;infected
>>
>> This file is in the ClamAV databases directory (/var/lib/clamav/) and ClamAV does not detect malwares when the Zip is protected by the "infected" password. Manually unzipped, ClamAV is able to detect the malware.
>> Has the format of .pwdb files changed since 0.100.x? Is it still supported on recent ClamAV versions?

--
Cordialement / Best regards,
Arnaud Jacques
[clamav-users] pwdb files still supported ?
Hello,

It seems .pwdb files have not worked since version 0.100.2 (maybe since 0.100.0). They have this format:

cat passwords.pwdb
ZipPasswordInfected;Engine:51-255;0;infected

This file is in the ClamAV database directory (/var/lib/clamav/), yet ClamAV does not detect the malware when the Zip is protected by the "infected" password. Manually unzipped, ClamAV is able to detect the malware.

Has the format of .pwdb files changed since 0.100.x? Is it still supported on recent ClamAV versions?
[clamav-users] 2 false positives
Hello,

https://www.virustotal.com/fr/file/b8683dcfab91cd8862fe27eedf4a7b953e5171f517c3e1b2b147b6c0589ccbe4/analysis/1548074926/
https://www.virustotal.com/fr/file/acd1df347fffca036466e36b6c38b89480117b33c7ec5712b9cc9ab69f98bb94/analysis/1548074939/
https://www.virustotal.com/fr/file/3280cfb299d7e42753556a4524fe8187808dafae266cc44dfce32b3dc2525d70/analysis/1548074954/
Re: [clamav-users] is clamav.securiteinfo.com no more?
Thank you for your answer, Al. I am not offended, I'm just asking questions to be sure I understand.

Have a good day!

On 05/12/2018 at 06:38, Al Varnell wrote:
> Not official, but it's a pretty standard response from those of us in the computer security business when we see it. I'm surprised that you haven't observed it before, but I posted it publicly as a PSA to anybody else who might be subscribed to this list. Sorry if you were offended by my doing so.
>
> Sent from my iPad
>
> -Al-
>
> On Dec 4, 2018, at 21:08, Arnaud Jacques wrote:
>> Did you speak with the official voice of Cisco/Sourcefire/ClamAV? Is it an official rule of this mailing list? If not, then your personal point of view could be sent directly to my email.
Re: [clamav-users] is clamav.securiteinfo.com no more?
Al,

Did you speak with the official voice of Cisco/Sourcefire/ClamAV? Is it an official rule of this mailing list? If not, then your personal point of view could be sent directly to my email.

Thank you, Al. Anyway, I don't understand why securiteinfo.com related questions are not sent to webmas...@securiteinfo.com but posted on this mailing list.

On 05/12/2018 at 05:26, Al Varnell wrote:
> Arnaud,
>
> Please don't use URL shorteners here, especially one that apparently doesn't allow previews of the actual URL I'm being redirected to. Way too many phishing attempts use such tools.
Re: [clamav-users] is clamav.securiteinfo.com no more?
Hello Dennis,

Yes, it has been dead for years. It has been replaced by this: http://ow.ly/LqfdL

On 05/12/2018 at 04:09, Dennis Peterson wrote:
> I don't see a DNS response for that site and logs show no recent connection.
>
> dp
Re: [clamav-users] Question about sending sample process
Hello Luca,

If I remember well, clamsubmit only works since versions 0.100.x of ClamAV. It seems you are still using version 0.99.4.

> Question 1 - Is this process correct to send samples?

Yes it is.

> Question 2 - How much time is required to validate a sample and get the A/V db updated? Days? Months?

Depending on many things on the ClamAV team's side, it can take just a few hours, or days, or ... never.

> - Actually a scan of all the stuff retrieved from that website has these results while I expect to have 100%

If you expect 100% detection, please use at least the latest version of ClamAV. And some 3rd party signatures can help to get full detection:
https://sanesecurity.com
http://ow.ly/LqfdL
[clamav-users] freshclam crash (0.101.0 beta win x64)
Hello,

Using http://www.clamav.net/downloads/beta/clamav-0.101.0-beta-win-x64-portable.zip I get a crash when running freshclam.

freshclam.conf is:

DatabaseMirror db.fr.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/my-private-key/securiteinfo.ign2

(if you want to test, you have to log in at https://www.securiteinfo.com/clients/customers/account and replace "my-private-key" with your personal key)

Windows crash details:

Signature du problème :
Nom d’événement de problème: APPCRASH
Nom de l’application: freshclam.exe
Version de l’application: 0.101.0.0
Horodatage de l’application: 5bd2a347
Nom du module par défaut: freshclam.exe
Version du module par défaut: 0.101.0.0
Horodateur du module par défaut: 5bd2a347
Code de l’exception: c005
Décalage de l’exception: 86f7
Version du système: 6.3.9600.2.0.0.768.101
Identificateur de paramètres régionaux: 1036
Information supplémentaire n° 1: 0e1f
Information supplémentaire n° 2: 0e1ffc3538323901b82a70fbed8c1386
Information supplémentaire n° 3: c87c
Information supplémentaire n° 4: c87c37e806231de5493af5ecfbde894a
Re: [clamav-users] could it help...
Hello Jean-François,

> My question is, can I use the 30 that are not detected, have them pass through VirusTotal and gradually upload them to the www.clamav.net/reports/malware page.

You can use clamsubmit to submit a file. To submit 30 files to ClamAV you can create a bash script. It is faster than using the web form on the clamav website. The syntax is:

clamsubmit -e your_email -N your_name -n the_file_to_submit

> So would it help to make clamav better or is it going to be just very annoying and get myself banned

As far as I know, it is OK to submit a lot of files to the ClamAV team. I do it sometimes too.

> I sure would like to have clamav detect at least 90% of the lot. It would be a long process but my health is not good and I am stuck home with nothing to do. Doing that would at least make me feel useful a little.

Yes, it will take time for the ClamAV team to create signatures based on submitted samples. If you want immediately better detection you can use 3rd party signatures, for example:
https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
https://sanesecurity.com/usage/signatures/

Maybe the best approach is to submit samples to ClamAV that are not detected by anyone?

Btw, be sure to submit *malware* to ClamAV. Malware collections like VirusShare contain a lot of false positives...
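The replies to Luca and to Jean-François describe the same workflow: scan first, submit to ClamAV only what it does not already detect, and drive clamsubmit from a script rather than the web form. This is an added example of that workflow, not code from the thread or from ClamAV; it assumes clamscan's documented exit codes (0 clean, 1 infected, 2 error), uses the clamsubmit flags quoted above (-e, -N, -n), skips duplicate samples by SHA-256, and paces submissions with a sleep.

```python
"""Batch-submit undetected samples with clamsubmit (added example).

Assumptions: clamscan exits 0 for clean and 1 for infected (its documented
convention); clamsubmit takes -e EMAIL -N NAME -n FILE as quoted in the reply.
The selection logic is kept pure so it can be tested without the binaries.
"""
import hashlib
import subprocess
import sys
import time
from pathlib import Path
from typing import Callable, Dict, Iterable, List


def clamsubmit_cmd(email: str, name: str, path) -> List[str]:
    """Build the clamsubmit argv exactly as given in the thread (-n = sample)."""
    return ["clamsubmit", "-e", email, "-N", name, "-n", str(path)]


def scan_verdicts(paths: Iterable[Path]) -> Dict[Path, bool]:
    """Run clamscan once per file; True means ClamAV already detects it."""
    verdicts = {}
    for p in paths:
        proc = subprocess.run(["clamscan", "--no-summary", str(p)],
                              capture_output=True, text=True)
        if proc.returncode not in (0, 1):
            raise RuntimeError(f"clamscan error on {p}: {proc.stderr.strip()}")
        verdicts[p] = proc.returncode == 1
    return verdicts


def plan_submissions(paths: Iterable, detected: Dict, sha256_of: Callable) -> List:
    """Select files to submit: not yet detected, and not a duplicate by hash.

    sha256_of is injected so the selection can run on constructed data.
    """
    seen = set()
    plan = []
    for p in paths:
        if detected.get(p, False):
            continue  # already flagged; nothing to gain from submitting it
        digest = sha256_of(p)
        if digest in seen:
            continue  # same bytes under another file name
        seen.add(digest)
        plan.append(p)
    return plan


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def submit_all(paths: List[Path], email: str, name: str, pause_s: float = 2.0) -> int:
    """Scan, plan and submit; returns the number of files actually submitted."""
    detected = scan_verdicts(paths)
    to_submit = plan_submissions(paths, detected, file_sha256)
    for p in to_submit:
        subprocess.run(clamsubmit_cmd(email, name, p), check=True)
        time.sleep(pause_s)  # pace the submissions
    return len(to_submit)


if __name__ == "__main__":
    # usage: batch_submit.py EMAIL NAME FILE [FILE ...]
    samples = [Path(a) for a in sys.argv[3:]]
    print("submitted", submit_all(samples, sys.argv[1], sys.argv[2]))
```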
Re: [clamav-users] whitelist with clamav-milter
Hello Jerry,

> I then restarted the milter. Unfortunately, the email is still marked as Spam. I thought that clamav-milter would simply ignore the file.
>
> X-Virus-Status: Infected (SecuriteInfo.com.Spam-4701.UNOFFICIAL)

You can whitelist the signature this way:
https://www.securiteinfo.com/services/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml
Re: [clamav-users] secure download of .cvd files ?
That's why I asked in 2014 about freshclam support for SSL:
http://lists.clamav.net/pipermail/clamav-users/2014-December/001098.html

On 31/08/2018 at 12:08, Al Varnell wrote:
> I'm not aware of any, but all database components are verified for authenticity by freshclam after download.
>
> -Al-
>
> On Fri, Aug 31, 2018 at 02:00 AM, Henrik Hoeg Thomsen1 wrote:
>> Does clamav offer an encrypted download alternative to the unencrypted HTTP-based wget used to update the signature database?
>>
>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/daily.cvd
>> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net: <http://db.local.clamav.net:4/>/main.cvd
Re: [clamav-users] secure download of .cvd files ?
On 31/08/2018 at 11:00, Henrik Hoeg Thomsen1 wrote:
> Does clamav offer an encrypted download alternative to the unencrypted HTTP-based wget used to update the signature database?

Maybe: https://packages.microsoft.com/clamav/
It should be reliable enough.
Re: [clamav-users] Malwarepatrol false positive
Hello,

Do it yourself:
https://www.securiteinfo.com/services/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml

Btw, users/customers of https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml have no problem because the signature has been included in securiteinfo.ign2.

On 21/08/2018 at 13:31, Al Varnell wrote:
> OK, I don't think there is anything that ClamAV can do about it since it's an UNOFFICIAL. Maybe Steve Basford from SaneSecurity can put some pressure on them. He usually reads what's posted here.
>
> -Al-
>
> On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
>> They did this in April, 2017 also. When I reported it as a false positive at that time, they responded with:
>>
>> "Thank you for contacting us. There is a file hosted there with a vague AV classification. After further reviewing it, we've decided to remove the URL from our block lists and data feeds."
>>
>> I'm beginning to get the feeling they don't have any type of review process in place.
>>
>> On Mon, 20 Aug 2018, Al Varnell wrote:
>>> Submit to fp (at) malwarepatrol.net.
>>>
>>> -Al-
>>>
>>> On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
>>>> Hi,
>>>>
>>>> fyi
>>>>
>>>> # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
>>>> VIRUS NAME: MBL_12952716
>>>> TARGET TYPE: ANY FILE
>>>> OFFSET: *
>>>> DECODED SIGNATURE:
>>>> https://drive.google.com
Re: [clamav-users] Keymarble Yara rule?
On 12/08/2018 at 13:59, Alessandro Vesely wrote:
> On Sat 11/Aug/2018 19:43:34 +0200 G.w. Haywood wrote:
>> Hi there,
>>
>> On Sat, 11 Aug 2018, Alessandro Vesely wrote:
>>> Re: Keymarble Yara rule?
>>>
>>> 0000 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d |MZthis is a dumm|
>>> 0010 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65 |y keymarble file|
>>> 0020 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b | created for mak|
>>> 0030 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00 |ing tests...@...|
>>> 0040 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38 |PEbc9b75a3117758|
>>> ...
>>>
>>> (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
>>
>> The second offset looks wrong to me.
>
> Why? uint32(0x3c) is 0x0040...

Because each line is 16 bytes long (0x10). So "0040" is in hexadecimal, not decimal.
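To make the offset discussion concrete, this added example (not from the thread) rebuilds the dummy file from the hexdump quoted above and evaluates the header half of the Yara condition in Python: the little-endian uint32 at 0x3c is 0x40, and the uint16 at 0x40 is "PE" (0x4550). The "any of them" half is left out because the rule's strings are not on the page; the uintN helpers mimic Yara's little-endian reads.

```python
"""Evaluate the PE-header part of the Keymarble Yara condition on the dummy
file from the thread (added example; bytes reconstructed from the quoted
hexdump, helpers mimic Yara's little-endian uintN() reads).
"""
import struct

# Reconstructed from the hexdump in the thread: offsets 0x00-0x4f.
DUMMY_KEYMARBLE = (
    b"MZthis is a dummy keymarble file created for making tests\n"  # 0x00-0x39
    b"\x00\x00"                                                      # 0x3a-0x3b
    b"\x40\x00\x00\x00"                                              # 0x3c: e_lfanew = 0x40
    b"PEbc9b75a3117758"                                              # 0x40: 'PE' then filler
)


def uint16(data: bytes, offset: int) -> int:
    """Yara-style uint16(offset): two bytes, little-endian."""
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int) -> int:
    """Yara-style uint32(offset): four bytes, little-endian."""
    return struct.unpack_from("<I", data, offset)[0]


def looks_like_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550, with bounds
    checks so a short or corrupt file returns False instead of raising."""
    if len(data) < 0x40:
        return False
    if uint16(data, 0) != 0x5A4D:      # 'MZ' read little-endian -> 0x5A4D
        return False
    pe_off = uint32(data, 0x3C)         # e_lfanew, the offset of the PE header
    if pe_off + 2 > len(data):
        return False
    return uint16(data, pe_off) == 0x4550  # 'PE' read little-endian


def hexdump(data: bytes, width: int = 16) -> str:
    """Reproduce the 16-bytes-per-row layout the thread was reading, so the
    row label 0040 is visibly the hexadecimal offset of the 'PE' bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x} {hexpart:<{width * 3 - 1}} |{asc}|")
    return "\n".join(rows)


if __name__ == "__main__":
    print(hexdump(DUMMY_KEYMARBLE))
    print("e_lfanew =", hex(uint32(DUMMY_KEYMARBLE, 0x3C)))
    print("PE header check:", looks_like_pe(DUMMY_KEYMARBLE))
```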
Re: [clamav-users] clamsubmit error code 500
Hello Micah,

> Is there anything unusual about the file you were submitting when this occurred?

I don't think so. It happens on different submitted files. I guess you will find the cause by viewing the logs of your web server.
[clamav-users] clamsubmit error code 500
Hello,

Using clamsubmit I got this error message back:

Unexpected POST submit response code: 500

By sniffing frames I see:

HTTP: HTTP/1.1 204 No Content
HTTP: POST /reports/submit HTTP/1.1
HTTP: HTTP/1.1 500 Internal Server Error

Any hint?
Re: [clamav-users] clamsubmit error
Hello Joel,

> We may be able to provide you a better way to do this, if you have a massive amount?

Yes, I have a massive amount, but anyway there is no problem for me to use clamsubmit.
Re: [clamav-users] clamsubmit error
Hello Jesler,

> Is that you sending us all those submissions?! Fantastic amount!

Yes, it is me. Is it too many samples for you? I have so many to upload... Time for ClamAV to create generic signatures to detect all of these ;)
Re: [clamav-users] clamsubmit error
Hello,

> clamsubmit with ClamAV 0.100.0 should work fine. I am surprised to see that error. We fixed code in the near vicinity to that error statement shortly before the 0.100 release.

I dug deeper today: I listened to the HTTP flow when using clamsubmit version 0.100.0:

GET /reports/malware HTTP/1.1
Host: www.clamav.net
Accept: */*

HTTP/1.1 301 Moved Permanently
Date: Wed, 09 May 2018 13:56:37 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Wed, 09 May 2018 14:56:37 GMT
Location: https://www.clamav.net/reports/malware
Server: cloudflare
CF-RAY: 4184aba783bb68ba-CDG

It seems clamsubmit uses the wrong (old) URL. How is that possible in v0.100.0?

Bonus: it sends malware or false positives over HTTP, a non-encrypted submission. So it could transfer sensitive information over the network in clear text when using clamsubmit.
Re: [clamav-users] clamsubmit error
On 06/05/2018 at 00:27, Joel Esler (jesler) wrote:
> Are you using a current version of clamsubmit?

Yes. Using Debian:

clamsubmit -v
ClamAV 0.100.0/24544/Sun May 6 06:28:26 2018