Re: [clamav-users] Bitdefender Antivirus Plus slows down my computers to a crawl

2023-10-26 Thread Eric Tykwinski via clamav-users
Honestly, this is actually a good question.  I would have normally suggested
Cisco's windows free endpoint software: https://www.immunet.com/
But as you can see, they are stopping support at the beginning of next year.

Windows' built-in Defender is usually good enough for me, but Cisco might
have something else in the works to replace Immunet?

-Original Message-
From: clamav-users  On Behalf Of
Turritopsis Dohrnii Teo En Ming via clamav-users
Sent: Thursday, October 26, 2023 8:21 AM
To: ClamAV users ML 
Cc: Turritopsis Dohrnii Teo En Ming ;
c...@teo-en-ming-corp.com
Subject: [clamav-users] Bitdefender Antivirus Plus slows down my computers
to a crawl

Subject: Bitdefender Antivirus Plus slows down my computers to a crawl

Good day from Singapore,

When I was using Windows 10 Home on my home desktop computer, Bitdefender
Antivirus Plus slowed down my home computer (and also my Aftershock gaming
laptop) to a crawl.

[1] Opening Google Chrome web browser took a very long time.

[2] Opening websites took a very long time (Google Chrome tabs are
frequently not responding).

[3] Opening MP4 and other videos with VLC video player took a very long
time.

Uninstalling Bitdefender Antivirus Plus could not solve the performance
degradation issue.

I was forced to upgrade to Windows 11 Home. But it is free.

Bitdefender Antivirus Plus worked well with Windows 11 Home for a while.

After some time, it began to slow down my computer again.

[1] Opening Google Chrome web browser took a very long time.

[2] Opening websites took a very long time (Google Chrome tabs are
frequently not responding).

[3] Opening MP4 and other videos with VLC video player took a very long
time.

This time round, I was able to solve the issue by uninstalling Bitdefender
Antivirus Plus. But I had to uninstall all the 3 components, namely,
Bitdefender Antivirus Plus, Bitdefender VPN, and Bitdefender Agent. You must
uninstall Bitdefender Agent component to solve the performance degradation
issue.

My Windows 11 Home computer is able to go back to blazing fast speeds after
uninstalling Bitdefender Antivirus Plus completely.

When can we have ClamAV Antivirus for Windows 10/11 with Real Time
Protection together with Ransomware Protection? I realize that I cannot use
Bitdefender Antivirus Plus any more, because it will slow down my computers
again. I have wasted my money purchasing Bitdefender Antivirus Plus.

I am hoping Cisco will develop ClamAV Antivirus for Windows 10/11 with Real
Time Protection together with Ransomware Protection. But I have no idea when
that will happen.

Thank you.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com
GIMP also stands for Government-Induced Medical Problems.
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0

2023-07-11 Thread Eric Tykwinski via clamav-users
Taken care of… I think it only uploaded the one sample, but I think all three 
were just test emails sent by the MS customer.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jul 11, 2023, at 5:30 PM, Micah Snyder (micasnyd) wrote:
> 
> You can submit FP reports through https://www.clamav.net/reports/fp 
> <https://www.clamav.net/reports/fp>
> 
> Our threat research team has automation in place behind this submission 
> portal to investigate and resolve FP's. 
> 
> Regards,
> Micah
> 
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> From: clamav-users  on behalf of Eric 
> Tykwinski via clamav-users 
> Sent: Tuesday, July 11, 2023 1:04 PM
> To: 'ClamAV users ML' 
> Cc: Eric Tykwinski 
> Subject: [clamav-users] Needed to whitelist 
> Email.Phishing.RPMSG_Downloader-10004958-0
>  
> Just a heads up, we had a legitimate customer receiving Office 365 secure 
> emails get hit with this filter.
> I’m not sure what the original rule was for, but I’m assuming it was for 
> phishing emails, but seems to be a bit too loose on the rules to not get 
> false positives.
>  
> Clam team, if you need headers or anything let me know.
>  
> Sincerely,
>  
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300



[clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0

2023-07-11 Thread Eric Tykwinski via clamav-users
Just a heads up, we had a legitimate customer receiving Office 365 secure
emails get hit with this filter.

I'm not sure what the original rule was for, but I'm assuming it was for
phishing emails; it seems to be a bit too loose on the rules to not get
false positives.

Clam team, if you need headers or anything let me know.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


Re: [clamav-users] ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published

2023-02-21 Thread Eric Tykwinski via clamav-users
> -Original Message-
> From: clamav-users  On Behalf Of Scott 
> Kitterman via clamav-users
> Sent: Monday, February 20, 2023 2:18 PM
> To: ClamAV users ML 
> Cc: Scott Kitterman 
> Subject: Re: [clamav-users] ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions 
> published
>
> No.  Ubuntu package maintenance is separate from Debian's.
>
> Scott K

For those interested, David Gonzales just released the patches to 
security-proposed on Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/2007456

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300






Re: [clamav-users] Question Exception Rule

2022-12-29 Thread Eric Tykwinski via clamav-users
Marc,

> -Original Message-
> From: clamav-users  On Behalf Of
newcomer01 via clamav-users
> Sent: Thursday, December 29, 2022 10:05 AM
> To: ClamAV User Mailinglist 
> Cc: newcomer01 
> Subject: [clamav-users] Question Exception Rule
>
> Hi @ all,
>
> who can I contact to get an exemption for ClamAV
("Heuristics.Phishing.Email.SpoofedDomain")?
> This in my case is an absolutely legitimate sender (my Bank).

It's in the documentation:
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

> Regards
> Marc

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300






Re: [clamav-users] How many viruses/malware is clamav protecting us from?

2022-12-15 Thread Eric Tykwinski via clamav-users
Al,

> From: clamav-users  On Behalf Of Al 
> Varnell via clamav-users
>  Sent: Thursday, December 15, 2022 9:20 AM
>  To: ClamAV users ML 
>  Cc: Al Varnell 
>  Subject: Re: [clamav-users] How many viruses/malware is clamav protecting us 
> from?
>
>  I don't believe I understand your question. Are you asking what malware 
> clamav is protecting you against? If so the simple answer is all malware 
> (viruses >  are just one type of malware).

"sigtool --find-sigs ." should work to list all current rules, but yeah unless 
you are looking for something specific, I don't know the reason you would want 
them.




Re: [clamav-users] How many viruses/malware is clamav protecting us from?

2022-12-15 Thread Eric Tykwinski via clamav-users
Michael,

Here's the update mailing list:
https://lists.clamav.net/mailman/listinfo/clamav-virusdb

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users  On Behalf Of Michael 
Kyriacou via clamav-users
Sent: Thursday, December 15, 2022 9:10 AM
To: ClamAV users ML 
Cc: Michael Kyriacou 
Subject: [clamav-users] How many viruses/malware is clamav protecting us from?

Hello, is there a way to see how many viruses/malware clamav currently protects
us from? Additionally, is there a way to see the amount of added virus
definitions/signatures per update of clamav?



Re: [clamav-users] GCP Management

2022-10-17 Thread Eric Tykwinski via clamav-users
Ged,

I think he's talking about the Google Marketplace images, like AWS images.
Personally instead of relying on a third party to setup the vm, I would just
setup a quick docker instance and use the official ClamAV image.
https://hub.docker.com/r/clamav/clamav

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-Original Message-
From: clamav-users  On Behalf Of G.W.
Haywood via clamav-users
Sent: Monday, October 17, 2022 12:25 PM
To: Jason Hamrick via clamav-users 
Cc: G.W. Haywood 
Subject: Re: [clamav-users] GCP Management

Hi there,

On Mon, 17 Oct 2022, Jason Hamrick via clamav-users wrote:

> I was testing the scanner in my GCP project, however I seem to be 
> unable to upgrade and am being limited. Is there an updated package or 
> any way to update this within the GCP terminal shell?

I'm unfamiliar with GCP.  I take it you mean Google Cloud Platform but it
would be easier, at least for me, if your descriptions are more specific.

You've said "testing the scanner" but you haven't said which scanner.
Can we take it that it's ClamAV?  Are you using clamscan, clamd, etc.?

Again making assumptions, before we talk about updating ClamAV can you tell
us what version you're using now?

What are the symptoms of "being limited"?

-- 

73,
Ged.




Re: [clamav-users] ClamAV Action is not working on WHM/cPanel

2022-10-13 Thread Eric Tykwinski via clamav-users
Joel,

As far as I know it should be managed by cPanel, but I haven’t run it in ages.
My suggestion would be to ask here: https://forums.cpanel.net/ 


> On Oct 13, 2022, at 4:49 PM, Joel Esler via clamav-users wrote:
> 
> I am betting that Inmotion is running an old version of ClamAV that can’t 
> update anymore.  
> 
> I’d bet money on that.
> 
>> On Oct 13, 2022, at 1:43 PM, Javier Camacho via clamav-users wrote:
>> 
>> Hi there, I am not sure if this is the correct channel to request help. We have 
>> a dedicated WHM/cPanel server at Inmotion Hosting. We have been using ClamAV 
>> for years and it is still working well to detect infected email and delete/move 
>> it using a cronjob at cPanel level, but not sure since what version of 
>> WHM/cPanel, ClamAV stopped executing an action (delete or move infected 
>> email). Inmotion hosting support said that they cannot help us with a 3rd 
>> party application, so, I was wondering if somebody can point me in the right 
>> direction to this problem. Thanks.


[clamav-users] Anyone running a cluster on K8s?

2022-09-12 Thread Eric Tykwinski via clamav-users
I’ve been more and more moving things over to K8s from Docker, and just 
wondering if anyone is running a stateful set, i.e. I only want 1 server to run 
freshclam, but use the same defs for all other clamd daemons.

I’m assuming I can just put Example in freshclam.conf, and send a clamdscan 
--reload to the service to hit them all?

Any guidance would be appreciated.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



Re: [clamav-users] Please help

2022-08-31 Thread Eric Tykwinski via clamav-users
Jan,

Look in clamd.conf for something like:

LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666

or

TCPSocket 3310
TCPAddr xxx.xxx.xxx.xxx

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-Original Message-
From: clamav-users  On Behalf Of Jan
Elliott
Sent: Wednesday, August 31, 2022 3:05 PM
To: clamd user questions 
Subject: [clamav-users] Please help

TO:  "clamd user questions" 

QUESTION:  When I try to execute the command "clamd"  I get the following
message:
   ERROR: Please define server type (local and/or TCP)

BACKGROUND; I worked in Bell Labs for 17 years, where I learned UNIX. After
leaving, I got assistance from a former co-worker to install Linux on my
laptop in 2002.
Since then, I've used Fedora Red Hat versions 12, 24, and recently had my
laptop upgraded to version 36. My experience with system administration is
limited and I no longer have someone with UNIX/Linux admin knowledge to
assist me. The person who installed Fedora v36 suggested I try CLAMD to get
rid of a virus/whatever that apparently infected my Chrome browser when I
went to a music site I had been using for several years; the site now causes
continual pornographic pop-ups!!

I also have a Firefox browser and used it to download a new Chrome after I
deleted the infected one, but I still get the pop-ups. Was able to install
CLAMD (rpm) and have read most of the man pages I could find, and checked
what configuration files, etc., I could find, but still get the ERROR
message.  What do I need to read, edit, run, etc. to successfully get the
"clamd" command to work.

HELP, please!!!   Thanx,  Jan Elliott



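The two questions above (Jan's "Please define server type" error and Eric's one-freshclam, many-clamd StatefulSet) share one moving part: which socket clamd listens on and how a client talks to it. As an added example that is neither ClamAV's code nor anything posted in either thread, the block below reads the LocalSocket / TCPSocket / TCPAddr lines Eric points to, reproduces clamd's refusal to start when neither is set (and the refusal caused by a leftover "Example" line, the same line Eric proposes leaving in freshclam.conf to keep the other replicas from updating), and wraps clamd's z-prefixed, NUL-terminated command protocol so one client can PING a single daemon or fan a RELOAD out to every replica behind a service. The sample configurations, the 127.0.0.1 fallback when TCPAddr is absent, and the host list are this example's assumptions.

```python
"""Read clamd.conf's server-type options and drive clamd over its socket.

Added example; not ClamAV's own code.  Assumed from the threads: clamd needs
LocalSocket and/or TCPSocket (with TCPAddr) or aborts with "Please define
server type (local and/or TCP)"; a leftover "Example" line marks an unedited
template; commands prefixed with 'z' are NUL-terminated and answered with a
NUL-terminated reply (zPING -> PONG, zRELOAD -> RELOADING).  Falling back to
127.0.0.1 when TCPAddr is missing is this example's choice, not clamd's.
"""
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample configurations (not taken from any real host).
CONF_LOCAL = """
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
"""
CONF_TCP = """
TCPSocket 3310
TCPAddr 10.0.0.5
"""
CONF_NO_SERVER = """
# Neither LocalSocket nor TCPSocket: Jan's error case.
LogFile /var/log/clamav/clamd.log
"""
CONF_TEMPLATE = """
Example
LocalSocket /var/run/clamav/clamd.ctl
"""

Endpoint = Tuple[str, object]   # ("unix", path) or ("tcp", (host, port))


def parse_clamd_conf(text: str) -> Dict[str, List[str]]:
    """Map option name -> list of values; options such as TCPAddr may repeat."""
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        options.setdefault(key, []).append(value.strip())
    return options


def server_endpoints(options: Dict[str, List[str]]) -> List[Endpoint]:
    """Mirror clamd's startup check and return where a client should connect."""
    if "Example" in options:
        raise ValueError("clamd.conf still contains the 'Example' line; remove it")
    endpoints: List[Endpoint] = []
    for path in options.get("LocalSocket", []):
        endpoints.append(("unix", path))
    for port in options.get("TCPSocket", []):
        for host in options.get("TCPAddr") or ["127.0.0.1"]:   # assumption, see docstring
            endpoints.append(("tcp", (host, int(port))))
    if not endpoints:
        raise ValueError("Please define server type (local and/or TCP)")
    return endpoints


def startup_error(conf_text: str) -> Optional[str]:
    """The message clamd would refuse to start with, or None if the config is usable."""
    try:
        server_endpoints(parse_clamd_conf(conf_text))
    except ValueError as exc:
        return str(exc)
    return None


def clamd_command(endpoint: Endpoint, command: str, timeout: float = 5.0) -> str:
    """Send one z-prefixed, NUL-terminated command and return the reply text.
    Needs a running clamd; nothing here calls it offline."""
    kind, target = endpoint
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(target)
        sock.sendall(b"z" + command.encode("ascii") + b"\0")
        reply = b""
        while not reply.endswith(b"\0"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.rstrip(b"\0").decode("ascii", "replace")


def reload_all(hosts: List[str], port: int = 3310) -> Dict[str, str]:
    """Fan RELOAD out to every clamd replica: the K8s case where one freshclam
    pod writes the database volume and the clamd pods only read it."""
    results: Dict[str, str] = {}
    for host in hosts:
        try:
            results[host] = clamd_command(("tcp", (host, port)), "RELOAD")
        except OSError as exc:
            results[host] = "ERROR: %s" % exc
    return results


if __name__ == "__main__":
    for name, conf in (("local", CONF_LOCAL), ("tcp", CONF_TCP),
                       ("no-server", CONF_NO_SERVER), ("template", CONF_TEMPLATE)):
        err = startup_error(conf)
        print(name, "->", err or server_endpoints(parse_clamd_conf(conf)))
```

Against a live daemon, `clamd_command(endpoint, "PING")` should answer `PONG` and each entry of `reload_all([...])` should read `RELOADING`; with the database directory on a shared volume, that per-pod RELOAD is the step the StatefulSet question needs, because a Kubernetes service forwards one connection to one pod, so `clamdscan --reload` against the service name only reloads the replica it happened to reach.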


Re: [clamav-users] Permanently banned from clamav

2022-07-02 Thread Eric Tykwinski via clamav-users
I’ll be a little more kind, as this could be freshclam didn’t work maybe 
because of CGNAT and CloudFlare, and perhaps he’s troubleshooting with direct 
downloads.  My suggestion would be run "freshclam --debug".  Heads up to the 
Clam team for really good logging on debug for showing such details going 
through SSL CAs, web transactions, et al…

CGNAT on ip4 wouldn’t surprise me, as I’ve personally seen issues with other 
CDNs, Netflix, Disney+, et al….

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jul 2, 2022, at 1:57 PM, G.W. Haywood via clamav-users wrote:
> 
> Hi Grant,
> 
> On Sat, 2 Jul 2022, Grant Taylor via clamav-users wrote:
>> On 7/2/22 7:50 AM, G.W. Haywood via clamav-users wrote:
>>> Regular downloading of the entire daily database is not acceptable.
>> 
>> Please clarify what "regularly" means in this case?
> 
> I think Mr. Broekman has answered well enough, but I need to reply to
> you because I don't want you to think I've ignored you, Grant.
> 
>> Once a day / hour / week / month / other?
> 
> I don't know, it isn't my CDN.  But I did give a link for further
> reading.  I think there's enough there for a reasonable man, and I
> know you fit that description. :)
> 
>> Regular just implies a cadence without specifying what that cadence is.
> 
> Yes, it does. :)
> 
>> I understand that freshclam / cvupdate have some optimizations to
>> determine if an update is needed or not.
> 
> There's more to it than just whether or not an update is needed.
> 
>> I fail to see how using chrome, et al., or anything other than
>> freshclam / cvupdate, with a weekly cadence will cause any problems
>> for any server, much less reputable CDN.
>> What am I not understanding?  Please clarify what problem(s) was
>> (were) caused.
> 
> To run a Content Delivery Network costs money.  Abuse of it costs a
> lot of money unnecessarily - and there was chronic, egregious abuse.
> In my view, the providers of ClamAV went *well* beyond the call of
> duty before finally putting their metaphorical foot down.  If it had
> been my own money, I would have been a lot less patient.
> 
> It isn't just the traffic.  There are processes hanging around waiting
> for slow connections as well.  As of today, the daily file is around
> 185 Mbytes.  Downloading it here would take a quarter of an hour.  In
> the past two months freshclam here has taken an average of 2.9 seconds
> to download a diff file.  Scale that up to the global demand and it's
> a factor of at least several hundred just on the process count.
> 
> When people download 185 Mbytes instead of downloading a few kilobytes
> to get the same result it incurs very significant, unnecessary costs
> which are borne by those who provide the data - free of charge - to
> people who are routinely abusing the service.  And they've been asked
> not to do it, so, well, it's just rude!
> 
> -- 
> 
> 73,
> Ged.


Re: [clamav-users] Off topic question...

2022-06-29 Thread Eric Tykwinski via clamav-users
Ged,

> Hi there,
> 
> On Wed, 29 Jun 2022, Eric Tykwinski via clamav-users wrote:
>
>> Any one have an abuse contact for Cisco IronPorts hosted service?
>>
>> Customer of ours received a phishing email from a Cisco client but 
>> wasn't sent by them, at least that what I'm being told.
>
> I don't think you can rely on the customer's say-so.  You need to get a
complete copy of the message - especially full headers - for analysis.
> Having said that here's a random hit:

I forwarded the raw message and our server logs to
ph...@access.ironport.com, which took me a while to find on Cisco's site.
Hopefully that works.  The email itself came from Cisco IronPorts (Address
216.71.155.135 resolves to esa2.hc2580-79.iphmx.com.)
The sending client is on Cisco:
chesco.org. 0   IN  MX  10 mx2.hc2580-79.iphmx.com.
chesco.org. 0   IN  MX  10 mx1.hc2580-79.iphmx.com.

I didn't see any DKIM signatures in the headers, so I'm not sure if it was a
legit encrypted email or a phishing scam.
But definitely looked hokey with an html attachment asking for info, and
some long javascript which I wasn't going to attempt to figure out.

> https://www.abuseipdb.com/check/184.94.240.92
> 
> If it's really Cisco, and all else fails, I'd send a report to the abuse
address for cisco.com (and to SpamCop - Cisco owns SpamCop of course...:)
>
> -- 
> 
> 73,
> Ged.


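The triage Eric walks through above (get the full headers, follow the relay chain, check for a DKIM signature, look at the HTML attachment with script in it), as an added example in Python that is not part of the thread. The raw message inside the block is constructed for the example with RFC 5737 documentation addresses; none of the hosts or addresses from the thread appear in it, and the header names it reads are the standard ones.

```python
"""Header triage for a message that claims to come from a hosted relay.

Added example, not part of the thread.  It does mechanically what the reply
above did by hand: list the relay IPs from the Received chain (closest hop
first), report whether any DKIM-Signature is present, read the
Authentication-Results verdicts our own MX recorded, and pick out HTML
attachments that embed script.  SAMPLE_RAW is constructed for this example.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

SAMPLE_RAW = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.customer.example (Postfix) with ESMTPS id 4ABC
\tfor <user@customer.example>; Wed, 29 Jun 2022 09:00:01 -0400
Received: from esa.relay.example ([198.51.100.7])
\tby mx1.example.net with ESMTPS; Wed, 29 Jun 2022 08:59:58 -0400
Authentication-Results: mx1.example.net; spf=pass smtp.mailfrom=sender.example;
\tdkim=none
From: "Accounts Payable" <ap@sender.example>
To: user@customer.example
Subject: Secure message - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached form to view your secure message.
--b1
Content-Type: text/html; name="SecureMessage.html"
Content-Disposition: attachment; filename="SecureMessage.html"

<html><body><script>var k="...";</script><form>...</form></body></html>
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg: Message) -> List[str]:
    """Relay IPs in the order the Received headers appear: closest hop first."""
    ips: List[str] = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def auth_results(msg: Message) -> Dict[str, str]:
    """spf/dkim/dmarc verdicts from Authentication-Results."""
    verdicts: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            verdicts[m.group(1)] = m.group(2)
    return verdicts


def scripted_html_attachments(msg: Message) -> List[str]:
    """Attachment names that are HTML and embed <script>: the lure in the thread."""
    names: List[str] = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        body = (part.get_payload(decode=True) or b"").lower()
        if name.lower().endswith((".htm", ".html")) and b"<script" in body:
            names.append(name)
    return names


def triage(raw: str) -> Dict[str, object]:
    """One dict a responder can paste into a ticket or feed to a rule."""
    msg = message_from_string(raw)
    return {
        "from": msg.get("From", ""),
        "relays": received_chain(msg),
        "dkim_signed": bool(msg.get_all("DKIM-Signature")),
        "auth_results": auth_results(msg),
        "scripted_html_attachments": scripted_html_attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print("%-26s %s" % (key + ":", value))
```

The Received chain only tells you which relay handed the message to your MX, not who wrote it: a hosted filtering service fronts many tenants, so "it came from their ESA" and "their customer sent it" are different claims, which is why the absence of a DKIM signature matters more than the PTR record.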


[clamav-users] Off topic question...

2022-06-29 Thread Eric Tykwinski via clamav-users
Any one have an abuse contact for Cisco IronPorts hosted service?

Customer of ours received a phishing email from a Cisco client but wasn't
sent by them, at least that's what I'm being told.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



Re: [clamav-users] DoD/IL4/Federal use case

2022-04-19 Thread Eric Tykwinski
Department of Defense (United States)

Impact Level 4

It’s a grading system that should say what the requirements are to reach that 
level.

I honestly have no clue what the requirements are, but they should be listed on 
the site.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users  On Behalf Of Ivan 
Zanoth via clamav-users
Sent: Tuesday, April 19, 2022 2:33 PM
To: ClamAV users ML 
Cc: Ivan Zanoth 
Subject: Re: [clamav-users] DoD/IL4/Federal use case

Our luck? Idk what is DoD for IL4?

Ivan

On Tue, 19 Apr 2022 at 15:28, Enver Bahar via clamav-users 
 wrote:

Hi,

I tried before but didn't get a response, any directions would be great:

I read on some forums that ClamAV is approved for federal use and
approved by DoD for IL4 - is that correct? If so, where can I find
such information?

Best



Re: [clamav-users] Virus not detected

2022-03-21 Thread Eric Tykwinski
Jorge,

There are a lot of alternative signatures.
Sanesecurity: http://sanesecurity.com/
Malware Patrol: https://www.malwarepatrol.net/clamav-configuration-guide/
or you can use something like clamav-unofficial-sigs: 
https://github.com/extremeshok/clamav-unofficial-sigs


> On Mar 21, 2022, at 4:35 PM, Jorge Bastos wrote:
> 
> It's just the link :P
> How would you be able to test then? ;)
> 
> ok won't send again.. but the default virus db doesn't seem to be enough, 
> is there other db's to include?
> The windows defender detected the .rar as virus immediately so i guess it's a 
> known one no?
> 
> Jorge
> 
> On 2022-03-21 17:33, Ralph Seichter via clamav-users wrote:
> 
>> * Jorge Bastos:
>> 
>>> I have a virus file that came on an email, and clamav doesn't detect
>>> [...]
>>> Here's the file.
>> 
>> Seriously? Do *NOT* send virus files to a public mailing list.
>> 
>> -Ralph
>> 


Re: [clamav-users] human friendly signatures

2022-03-16 Thread Eric Tykwinski
Steve,

I like the idea, but why the hex; hex?
Just thinking about my recent issues with direct deposit phishing emails from 
gmail.com and they are written probably by people, so I can’t really hash it, 
and have to regex it.

> On Mar 16, 2022, at 5:10 PM, Steve Basford  
> wrote:
> 
> On 16 March 2022 20:29:19 "Micah Snyder (micasnyd) via clamav-users" wrote:
> 
>>  yara rule loading logic works right now.
>> 
>> > (3) a way to specify that a rule is to match in
>> > (a) mail headers only or
>> > (b) mail body only or
>> > (c) both;
>> 
>> 
> 
> Just a random early thought... could .ldb be extended... by reading the whole 
> message processing  as normal... but if its a header line mark as h, body 
> with a b... 
> 
> So if the ldb could be extended with h/b... you could still use the normal 
> ldb logic... 
> 
> Test;Engine:81-255,Target:0;(h0=0);hex;hex
> 
> Test;Engine:81-255,Target:0;(b0);
> 
> h=headers only line
> b=body only line
> 
> So h0 hex will only match if it's a header line
> So b0 hex will only match if it's a body line
> Sorry for the formatting.. on mobile.
> 
> Cheers,
> 
> Steve
> Twitter: @sanesecurity
> 


Re: [clamav-users] Current replacement for --max-ratio?

2022-01-14 Thread Eric Tykwinski
Ged,

When did clamav start scanning iso files?  
I just tried this and found a eicar.txt file, so yes it does work.

For email, I always just blocked iso extensions.  Still doesn’t like MacOS cdr 
extensions, but a great improvement.

Sincerely,

Eric Tykwinski

> On Jan 14, 2022, at 6:21 PM, G.W. Haywood via clamav-users wrote:
> 
> Hi there,
> 
> On Fri, 14 Jan 2022, Kris Deugau wrote:
> 
>> I've just come across a presumed-malicious .zip file of about 500K that 
>> contains a ~315M ISO image, which in turn appears to contain a ~315M 
>> executable file.
>> 
>> After a bit of searching and testing I see the --max-ratio option has been 
>> removed from clamscan, and ArchiveMaxCompressionRatio in clamd.conf has been 
>> deprecated.
>> 
>> Are there any remaining (or new?) options that might help flag 
>> hypercompressed files like this?
> 
> If you're using clamd, perhaps try the AlertExceedsMax option together
> with the MaxScanSize and/or MaxFileSize options.  No it's not the same. :/
> 
> Did this arrive in mail, Kris?
> 
> -- 
> 
> 73,
> Ged.
> 



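Kris's case above is a 500K zip carrying a ~315M ISO, the shape that the removed --max-ratio / ArchiveMaxCompressionRatio check used to catch. As an added example (not ClamAV code, and not a replacement for the removed option), the block below does that ratio check from the zip central directory alone, so it can run in a mail pipeline before the archive is opened. The sample archive is constructed inside the block and the 100:1 threshold is an arbitrary choice.

```python
"""Flag hypercompressed archive members before anything is inflated.

Added example, not ClamAV's own code.  It reimplements the idea behind the
removed --max-ratio / ArchiveMaxCompressionRatio check using only the zip
central directory: each member's declared uncompressed size divided by its
compressed size.  Those sizes are attacker-controlled header fields, so this
is a cheap triage signal; whatever does inflate the data still needs a hard
MaxFileSize / MaxScanSize style cap, which is what the reply above suggests.
"""
import io
import zipfile
from typing import List, Tuple


def member_ratios(zip_bytes: bytes) -> List[Tuple[str, int, int, float]]:
    """(name, compressed_size, uncompressed_size, ratio) for every file member."""
    rows: List[Tuple[str, int, int, float]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            rows.append((info.filename, info.compress_size, info.file_size, ratio))
    return rows


def exceeds_ratio(zip_bytes: bytes, max_ratio: float = 100.0) -> List[str]:
    """Names of members whose declared expansion is above max_ratio."""
    return [name for name, _, _, ratio in member_ratios(zip_bytes) if ratio > max_ratio]


def build_sample(payload_size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed sample: a zero-filled 'disk.iso' standing in for the ~315M
    image from the thread, next to an ordinary small text attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("disk.iso", b"\0" * payload_size)
        zf.writestr("readme.txt", b"Please see the attached image for details.\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("archive size:", len(sample))
    for name, comp, uncomp, ratio in member_ratios(sample):
        print("%-12s %10d -> %10d  ratio %.1f" % (name, comp, uncomp, ratio))
    print("flagged:", exceeds_ratio(sample))
```

Nested containers (the executable inside the ISO inside the zip) are not visible from the outer central directory; a pipeline that wants the inner ratio has to inflate one layer under a size cap and repeat the check, which is the cost the clamd options trade against.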


Re: [clamav-users] Does ClamAV scan attachments embedded in .msg files

2022-01-14 Thread Eric Tykwinski
Andreas,

It’s in the man pages for clamscan, and clamd.conf

#man clamscan:
   --scan-mail[=yes(*)/no]
      Scan mail files. If you turn off this option, the original files
      will still be scanned, but without parsing individual
      messages/attachments.

#man clamd.conf:
   ScanMail BOOL
      Enable scanning of mail files.
      If you turn off this option, the original files will still be
      scanned, but without parsing individual messages/attachments.
      Default: yes

So by default it will scan mail and decode attachments.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users  On Behalf Of Andreas 
Wittig
Sent: Friday, January 14, 2022 6:17 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Does ClamAV scan attachments embedded in .msg files

Dear ClamAV community,

I'd like to know, whether ClamAV scans attachments embedded in .msg 
files. I could not find an answer to this question in the 
documentation or FAQ. Please help. 

Also, I'd be interested to learn where to find that information in the source 
code to avoid future questions.

Thanks,

Andreas



Re: [clamav-users] Linode Clam AV Updates

2021-03-19 Thread Eric Tykwinski
Sweet,  who’s first OVH or Hetzner, they are probably the biggest spammers I 
see on MailOps, but I’m also a subscriber.
I’m thinking Amazon is just considered too big, or too much of a PIMA to 
outright RBL.
Seriously though, I wouldn’t complain either way, because I know the 
repercussions from subscribing to these providers irl.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Mar 19, 2021, at 7:52 PM, Joel Esler (jesler) via clamav-users wrote:
> 
> Linode is our second biggest abuser. 
> 
> Slow your updater down. 
> 
> Sent from my  iPhone
> 
>> On Mar 19, 2021, at 19:40, Grant Taylor via clamav-users wrote:
>> 
>> On 3/19/21 4:57 PM, Bill Speidel wrote:
>>> hi,
>> 
>> Hi,
>> 
>>>    Clam AV has put its database behind Cloudflare...  as a result the 
>>> updates no longer work because Cloudflare is blocking Linode.com 
>>> machines...  the updates are getting a 429 error saying that we are "rate 
>>> limited"...  if this continues it will make Clam AV useless because 
>>> eventually the database will be so out of date that new viruses will get 
>>> through...
>> 
>> Um ...
>> 
>> My Linode seems to still be getting updates.
>> 
>> I'm not seeing any errors in the freshclam log file.
>> 
>> Note:  I don't know if it makes any difference or not, but I am using my own 
>> DNS server and not Linode's.
>> 
>>> There should be some way for Clam AV to tell Cloudflare to unhide the 
>>> AV database and fix the 429 errors
>>> thanks,
>> 
>> I'd like to learn more about the format of the current.cvd.clamav.net TXT 
>> record.  The numbers in the end of my freshclam log file match some of the 
>> numbers in the TXT record.  But I can't quite grok the pattern to know for 
>> sure.
>> 
>> # host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'
>> current.cvd.clamav.net descriptive text 
>> "0.103.1:59:26113:1616196540:0:63:49191:333"
>> 1616197107
>> Fri Mar 19 17:00:25 2021 -> --
>> Fri Mar 19 18:00:25 2021 -> Received signal: wake up
>> Fri Mar 19 18:00:25 2021 -> ClamAV update process started at Fri Mar 19 
>> 18:00:25 2021
>> Fri Mar 19 18:00:26 2021 -> main.cvd is up to date (version: 59, sigs: 
>> 4564902, f-level: 60, builder: sigmgr)
>> Fri Mar 19 18:00:26 2021 -> daily.cld is up to date (version: 26113, sigs: 
>> 3964163, f-level: 63, builder: raynman)
>> Fri Mar 19 18:00:26 2021 -> bytecode.cld is up to date (version: 333, sigs: 
>> 92, f-level: 63, builder: awillia2)
>> Fri Mar 19 18:00:26 2021 -> --
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Grant. . . .
>> unix || die
>> 
>> 




[clamav-users] Exchange attacks...

2021-03-13 Thread Eric Tykwinski
Joel, Micah,

Just as a side note, I was compromised with everyone else, but thankfully have 
mitigated before things got too out of hand from what I can tell.
Looks like the webshells are both caught from a scan I just did to test out:
Asp.Trojan.Webshell0321-9840176-0

Thanks for the update….

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




Re: [clamav-users] QNAP - Cannot update virus definition & cannot wget *.cvd (receive error 403 forbidden)

2021-03-07 Thread Eric Tykwinski
Joel,

Of course it isn’t up to date…
Mine is running 0.102.2, so it updates, but not 103.x.
He’s got an older version, so maybe they disabled updates…  This I doubt, 
but I’m running on an Intel chipset so can’t rule it out.
My guess is a symbolic link is corrupt now after checking reddit real quick:
https://www.reddit.com/r/qnap/comments/dcnjzo/clamav_virus_definition_downloads_failing/

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Mar 7, 2021, at 5:48 PM, Joel Esler (jesler) via clamav-users 
>  wrote:
> 
> So, Qnap is up to date?  But people using older versions need to update their 
> Qnap software?  Is that what’re your saying?
> 
> It seems like the holdouts are ClamWin and Qnap.  A lot of the issues that I 
> have seen of versions lower than 0.100 are those two.
> 
> — 
> Sent from my  iPad
> 
>> On Mar 7, 2021, at 17:38, Eric Tykwinski  wrote:
>> 
>> I’ve got a QNAP at my house.  Looks like it’s fine on the newest version:
>> v4.5.3.1594
>> Given it’s outdated, but that doesn’t surprise me much:
>> ClamAV 0.102.2/26100/Sat Mar  6 07:05:22 2021
>> 
>> 
>> 
>> Sincerely,
>> 
>> Eric Tykwinski
>> TrueNet, Inc.
>> P: 610-429-8300
>> 
>>> On Mar 7, 2021, at 4:29 PM, Eero Volotinen  wrote:
>>> 
>>> Looks like qnap need to update to supported clamav version?
>>> 
>>> Eero
>>> 
>>> On Sun, Mar 7, 2021 at 10:54 PM Thomas Guerlinze via clamav-users 
>>>  wrote:
>>> Hello All,
>>> 
>>> I restarted an old QNAP NAS (TS419P).
>>> I updated the firmware to the latest version available for this model 
>>> (4.3.3.1432 build 20200106).
>>> 
>>> I tried to use the GUI provided by QNAP to update the ClamAV on the NAS. I 
>>> received "update failed" message.
>>> 
>>> I made some searches on the ClamAV users Archives (and saw some similar 
>>> threads) but none of them could be used to solve the issue.
>>> 
>>> If I download the .cvd files manually 
>>> (http://database.clamav.net/bytecode/daily/main) through my browser on a PC 
>>> and then copy them in the appropriate folder on the NAS and launch a scan, 
>>> it works.
>>> If I try to "automate" this download with WGET or CURL it does not work 
>>> either (respectively error 403 or 1020).
>>> 
>>> I do not know how to proceed to keep a ClamAV instance update without 
>>> manual intervention.
>>> 
>>> Thanks already for your help,
>>> 
>>> Tom
>>> 
>>> 
>>> 




Re: [clamav-users] QNAP - Cannot update virus definition & cannot wget *.cvd (receive error 403 forbidden)

2021-03-07 Thread Eric Tykwinski
I’ve got a QNAP at my house.  Looks like it’s fine on the newest version:
v4.5.3.1594
Given it’s outdated, but that doesn’t surprise me much:
ClamAV 0.102.2/26100/Sat Mar  6 07:05:22 2021



Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Mar 7, 2021, at 4:29 PM, Eero Volotinen  wrote:
> 
> Looks like qnap need to update to supported clamav version?
> 
> Eero
> 
> On Sun, Mar 7, 2021 at 10:54 PM Thomas Guerlinze via clamav-users 
>  wrote:
> Hello All,
> 
> I restarted an old QNAP NAS (TS419P).
> I updated the firmware to the latest version available for this model 
> (4.3.3.1432 build 20200106).
> 
> I tried to use the GUI provided by QNAP to update the ClamAV on the NAS. I 
> received "update failed" message.
> 
> I made some searches on the ClamAV users Archives (and saw some similar 
> threads) but none of them could be used to solve the issue.
> 
> If I download the .cvd files manually 
> (http://database.clamav.net/bytecode/daily/main) through my browser on a PC 
> and then copy them in the appropriate folder on the NAS and launch a scan, it 
> works.
> If I try to "automate" this download with WGET or CURL it does not work 
> either (respectively error 403 or 1020).
> 
> I do not know how to proceed to keep a ClamAV instance update without manual 
> intervention.
> 
> Thanks already for your help,
> 
> Tom
> 
> 
> 





Re: [clamav-users] ClamAv help

2020-12-31 Thread Eric Tykwinski
Jay,

MacOS isn’t the optimum, but you can do most of what you want with third party 
software.
So first of all clamdscan is single process and runs linearly for each 
clamdscan you run.

Scheduling is fine and works great, I usually run clamscan for those as I know 
it will run with its own process.

Exceptions are made in their clamd.conf or command line for clamscan.
Where to quarantine is also made at the above.

AutoScanning requires a third party application as BSD doesn’t support 
clamonacc, so I would recommend fswatch:
https://github.com/emcrisostomo/fswatch

So depending on your use case, I personally use a clamdscan plist for each user 
which launches fswatch to run a clamdscan on each user's access to a file on 
login.
You can also schedule a clamscan for specific directories to the whole server 
on a crontab.

My biggest hurdle which I couldn’t figure out was how to notify users when a 
suspect file was quarantined, as macOS has limitations on who can call the 
Notification library, but nothing to do with ClamAV.

My work around was just writing to a file in the Documents directory, which 
also Quarantined to a ~/Documents/Quarantine/ directory so if a file simply 
went missing I would know where it was from and where it went to.

P.S.  Have a good new year everyone...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Dec 31, 2020, at 6:52 PM, Jay A. Schoon via clamav-users 
>  wrote:
> 
> Joel:
> 
> Thanks so much for responding. As of now I can on run on-demand single 
> processor scans. 
> 
> Here are the things I would like to do:
> 
> Run scans that utilize multiprocessors (I believe I do have clamd installed, 
> I just don’t know how to use it)
> Schedule virus scans (a assume this can be done through a Bash script with 
> Automator)
> Stipulate which volumes and directories to scan/exempt
> Choose to quarantine infected items
> Auto-scan files on access
> 
> There is probably more but that’s the lion’s share of what I’d like. Thanks 
> for responding.
> 
> Happy New Year!
> 
> JS
> 
> 
>> On Dec 31, 2020, at 4:39 PM, Joel Esler (jesler) wrote:
>> 
>> What would you like to do other than what you have done?  Seems like you 
>> were able to cover the basics.  
>> 
>> Sent from my  iPhone
>> 
>>> On Dec 31, 2020, at 15:47, Jay A. Schoon via clamav-users wrote:
>>> 
>>>  Hello:
>>> 
>>> I have installed ClamAV on a Mac running Mojave 10.14.6. I have 
>>> successfully updated the package by running freshclam and run a scan. I 
>>> have read the manual and a number of sites’ help for ClamAV. While I 
>>> believe I have also installed clamd I have not been able to run a scan in 
>>> multiprocessor mode and I’m sure there are gaps in my install and execution 
>>> knowledge. Any help I could receive would be great. 
>>> 
>>> Thanks in advance,
>>> JS
>>> 



Re: [clamav-users] Services Difference & Memory Utilization

2020-09-14 Thread Eric Tykwinski
Honestly, I wouldn’t buy a VPS, but I did test out TATA’s CloudStack when I was 
running CloudStack in a lab, and didn’t have any issues.
Given I was just warming up some IPs for testing, and didn’t move anything real 
over there.  I doubt they are even using it still, but that’s my experience on 
VPS.

IMHO at least get a /29 on IPv4 so that the provider can SWIP your IP Space, 
and make sure they do it.
Run all the BCOPs, DKIM, SPF, DMARC, and even MTA-STS since it’s relatively 
easy, if possible add DANE and TLSA records.

First though, look at the reputation of every provider.  Talos is one place, 
MailOps is another: https://www.mailop.org/cgi-bin/mailman/listinfo/mailop
Check out M3AAWG: https://www.m3aawg.org/, though a 
lot of the information is going to be towards bulk senders.

Finally define your acceptable risk, so I’ve got dedicated servers on OVH with 
all BCOPs except for Google’s ARC, never did figure that out on milters,
but it’s RBL’d on a few providers which is fine since I mainly use it for 
incoming and down notifications on monitoring, so I’ve got myself whitelisted.


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Sep 14, 2020, at 8:17 PM, bobby via clamav-users 
>  wrote:
> 
> What is a good vps provider to use then if not DO? 
> 
> On Mon, Sep 14, 2020 at 7:10 PM Eric Tykwinski wrote:
> It really does amaze me how many people don’t know the reputations of 
> providers like DO, OVH, Hetzner, AWS and right now SendGrid…
> I personally would love to just put blocks in, but due to customers, I have 
> to rely on RBLs which thankfully are pretty much dumping them all in spam.
> 
> Case in point… Use TalosIntelligence.com 
> before you purchase a VPS for email, it’ll probably save you a lot of hassle.
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> 
>> On Sep 14, 2020, at 6:50 PM, G.W. Haywood via clamav-users wrote:
>> 
>> Hi there,
>> 
>> On Mon, 14 Sep 2020, bobby via clamav-users wrote:
>> 
>>> Why is AS14061 on your block list?
>> 
>> Truckloads of spam, hacking attempts - why else?
>> 
>> -- 
>> 
>> 73,
>> Ged.
>> 




Re: [clamav-users] Services Difference & Memory Utilization

2020-09-14 Thread Eric Tykwinski
It really does amaze me how many people don’t know the reputations of providers 
like DO, OVH, Hetzner, AWS and right now SendGrid…
I personally would love to just put blocks in, but due to customers, I have to 
rely on RBLs which thankfully are pretty much dumping them all in spam.

Case in point… Use TalosIntelligence.com before 
you purchase a VPS for email, it’ll probably save you a lot of hassle.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Sep 14, 2020, at 6:50 PM, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Mon, 14 Sep 2020, bobby via clamav-users wrote:
> 
>> Why is AS14061 on your block list?
> 
> Truckloads of spam, hacking attempts - why else?
> 
> -- 
> 
> 73,
> Ged.
> 




Re: [clamav-users] ClamAV® blog: ClamAV 0.103.0 release candidate

2020-08-18 Thread Eric Tykwinski
Congrats guys, non-blocking was a long awaited improvement on my end…

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Aug 18, 2020, at 5:57 PM, Joel Esler (jesler) via clamav-users 
>  wrote:
> 
> 
>> 
>> https://blog.clamav.net/2020/08/clamav-01030-release-candidate.html
>> 
>> ClamAV 0.103.0 release candidate
>> 
>> Today we are pleased to announce the ClamAV 0.103.0 release candidate 
>> <https://www.clamav.net/downloads>!
>> 
>> Please help us validate this release. We need your feedback so let us know 
>> what you find and join us on the clamav mailing list 
>> <https://lists.clamav.net/mailman/listinfo/clamav-users>, in #clamav on 
>> irc.freenode.net <http://irc.freenode.net/>, or on our Discord 
>> <https://discord.gg/sGaxA5Q>, which is bridged with our IRC.
>> 
>> Please submit bugs on our Bugzilla 
>> <https://bugzilla.clamav.net/enter_bug.cgi?product=ClamAV>. 
>> 
>> ClamAV 0.103.0 includes the following improvements and changes.
>> 
>>  Major changes
>> 
>> clamd can now reload the signature database without blocking scanning. This 
>> multi-threaded database reload improvement was made possible thanks to a 
>> community effort.
>> Non-blocking database reloads are now the default behavior. Some systems 
>> that are more constrained on RAM may need to disable non-blocking reloads as 
>> it will temporarily consume 2x as much memory. For this purpose we have 
>> added a new clamd config option ConcurrentDatabaseReload which may be set to 
>> no.
>> 
>> Special thanks to the following for making this feature a reality:
>> Alberto Wu
>> Alexander Sulfrian
>> Arjen de Korte
>> David Heidelberg
>> Ged Haywood
>> Julius Plenz
>> Michael Orlitzky
>> 
>> Thank you all for your patience waiting for this feature. 
>> 
>> Notable changes
>> 
>> 
>> The DLP module has been enhanced with additional credit card ranges and a 
>> new engine option which allows ClamAV to alert only on credit cards (and 
>> not, for instance, gift cards) when scanning with the DLP module. This 
>> feature enhancement was made by John Schember, with input from Alexander 
>> Sulfrian.
>> 
>> Support for Adobe Reader X PDF encryption, an overhaul of PNG scanning to 
>> detect PNG specific exploits, and a major change to GIF parsing which makes 
>> it more tolerant to problematic files and adds the ability to scan overlays, 
>> all thanks to work and patches submitted by Aldo Mazzeo.
>> 
>> clamdtop.exe now available for Windows users. Functionality is somewhat 
>> limited when compared with clamdtop on Linux. PDCurses is required to build 
>> clamdtop.exe for ClamAV on Windows.
>> 
>> The phishing detection module will now print "Suspicious link found!" along 
>> with the "Real URL" and "Display URL" each time phishing is detected. In a 
>> future version, we would like to print out alert-related metadata like this 
>> at the end of a scan, but for now this detail will help users understand why 
>> a given file is being flagged as phishing.
>> 
>> Added new *experimental* CMake build tooling. CMake is not yet recommended 
>> for production builds. Our team would appreciate any assistance improving 
>> the CMake build tooling so we can one day deprecate Autotools and remove the 
>> Visual Studio solutions.
>> Please see the new CMake installation instructions found in INSTALL.cmake.md 
>> for detailed instructions on how to build ClamAV with CMake.
>> 
>> Added --ping and --wait options to the clamdscan and clamonacc client 
>> applications.
>> The --ping (-p) command will attempt to ping clamd up to a specified maximum 
>> number of attempts at an optional interval. If the interval isn't specified, 
>> a default 1-second interval is used. It will exit with status code `0` when 
>> it receives a PONG from clamd or status code `21` if the timeout expires 
>> before it receives a response.
>> Example:
>> clamdscan -p 120 will attempt to ping clamd 120 times at a 1-second interval.
>> The --wait (-w) command will wait up to 30 seconds for clamd to start. This 
>> option may be used in tandem with the --ping option to customize the max # 
>> of attempts and the attempt interval. As with --ping, the scanning client 
>> may exit with status code 21 if the timeout expires before a connection is 
>> made to clamd.
>> Example:
>> clamdscan -p 30:2
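
The ping-with-retries behaviour the release notes describe for `clamdscan --ping` / `--wait`, re-implemented as an added example (not ClamAV's own code) so the exit-code contract can be seen end to end. It assumes clamd is reachable over TCP (`TCPSocket` in clamd.conf) and uses clamd's own `zPING` / `PONG` command exchange; the stub daemon at the bottom is constructed only so the script runs offline and stands in for a real clamd.

```python
"""Re-implementation of the clamdscan --ping retry loop (added example).

clamd answers the null-terminated command "zPING\0" with "PONG\0". This script
pings a clamd TCP listener up to N times at a fixed interval and returns 0 on a
PONG or 21 when the attempts are exhausted, mirroring the exit codes the 0.103.0
release notes give for clamdscan --ping. The stub at the bottom is constructed
for an offline demo and is not part of ClamAV.
"""
import socket
import threading
import time

EXIT_PONG = 0      # clamd answered
EXIT_TIMEOUT = 21  # attempts exhausted without a PONG


def ping_once(host, port, timeout=2.0):
    """Send one null-terminated PING and return True only on a PONG reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"zPING\0")
            reply = b""
            while not reply.endswith(b"\0"):
                chunk = sock.recv(64)
                if not chunk:
                    break
                reply += chunk
            return reply.rstrip(b"\0") == b"PONG"
    except OSError:
        # connection refused, reset or timed out: clamd is not up (yet)
        return False


def ping_clamd(host, port, attempts=120, interval=1.0, sleep=time.sleep):
    """Ping up to `attempts` times, sleeping `interval` seconds between tries.

    Returns EXIT_PONG (0) or EXIT_TIMEOUT (21), like `clamdscan -p attempts:interval`.
    """
    for n in range(1, attempts + 1):
        if ping_once(host, port):
            return EXIT_PONG
        if n < attempts:
            sleep(interval)
    return EXIT_TIMEOUT


def start_stub_clamd(replies=1):
    """Constructed stand-in for clamd: answers PING with PONG `replies` times.

    Returns the port it listens on. Not ClamAV code; only here so the example
    runs without a real daemon.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(replies):
            conn, _addr = srv.accept()
            with conn:
                if conn.recv(64).startswith(b"zPING"):
                    conn.sendall(b"PONG\0")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a port nothing listens on, to exercise the timeout path."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    live = start_stub_clamd()
    print("stub clamd answered:", ping_clamd("127.0.0.1", live, attempts=3, interval=0.1))
    print("nothing listening:", ping_clamd("127.0.0.1", unused_port(), attempts=2, interval=0.1))
```

A service wrapper can treat a return of 21 the same way the notes describe for `clamdscan --wait`: clamd is still loading its database (or is not running), so a scan attempted now would fail rather than return a clean verdict.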

Re: [clamav-users] ClamAV Database update issue

2020-07-24 Thread Eric Tykwinski
Honestly,  It could be like Joel said…

 

Here’s what I’m seeing in some locations currently:

Fri Jul 24 09:18:02 2020 -> main database available for download (remote 
version: 59)

Fri Jul 24 09:18:03 2020 -> ^downloadFile: Unexpected response (525) from 
https://database.clamav.net/main.cvd

Fri Jul 24 09:18:03 2020 -> ^getcvd: Can't download main.cvd from 
https://database.clamav.net/main.cvd

Fri Jul 24 09:18:03 2020 -> Trying again in 5 secs...

Fri Jul 24 09:18:08 2020 -> main database available for download (remote 
version: 59)

Time: 1477.2s, ETA: 2686.8s [==>   ] 39.87MiB/112.40MiB

 

Bad luck could get multiple 5xx errors and fail out.

 

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Sudhir Kumar Maharjan
Sent: Friday, July 24, 2020 9:40 AM
To: ClamAV users ML
Subject: Re: [clamav-users] ClamAV Database update issue

 

Hi Eric,

 

Thanks for your reply, but the IP posted here belongs to San Francisco. Will an 
issue in LA cause an issue in San Francisco as well?

I find this little strange.

 

Thanks,

--
SUDHIR KUMAR MAHARJAN
Associate IT Manager
Deerwalk Services Pvt. Ltd.
p: +977-1-4485429  m: +977-9851151176
a: Sifal | Kathmandu | Nepal
w: www.deerwalk.com  e: skmahar...@deerwalk.com
LinkedIn: https://www.linkedin.com/company/deerwalk-inc/ | Twitter: https://twitter.com/deerwalkinc | Facebook: https://www.facebook.com/Deerwalk | YouTube: https://www.youtube.com/channel/UCawrNx5J26lzWs4viyaakRA

 

 

On Fri, Jul 24, 2020 at 7:07 PM Eric Tykwinski  wrote:

Check out CloudFlare status: https://www.cloudflarestatus.com/

 

If you are in the LA area, that could be a cause…

 

Sincerely,

 

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300

 

 

 

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Sudhir Kumar Maharjan
Sent: Friday, July 24, 2020 9:09 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] ClamAV Database update issue

 

Hello All,

 

We have been using ClamAV for a long time and today suddenly it is failing to update 
the Virus Signature Database with the error "WARNING: getfile: Error while 
reading database from database.clamav.net (IP: 104.16.218.84)". Are there any 
changes to the database server, or is it down? We have checked the firewall 
setting and it is open for clamav.

 

I have attached the screenshot as well.

 

Please let me know how to resolve this issue.

 

Thanks,

--
SUDHIR KUMAR MAHARJAN
Associate IT Manager
Deerwalk Services Pvt. Ltd.
p: +977-1-4485429  m: +977-9851151176
a: Sifal | Kathmandu | Nepal
w: www.deerwalk.com  e: skmahar...@deerwalk.com
LinkedIn: https://www.linkedin.com/company/deerwalk-inc/ | Twitter: https://twitter.com/deerwalkinc | Facebook: https://www.facebook.com/Deerwalk | YouTube: https://www.youtube.com/channel/UCawrNx5J26lzWs4viyaakRA

 

DISCLAIMER:
This email message is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information. Any unauthorized use or 
disclosure is prohibited. If you are not the intended recipient, please contact 
the sender by reply email and destroy all copies of the original message. IRS 
CIRCULAR 230 DISCLOSURE: Any U.S. tax advice contained in this communication 
(including any attachments) is not intended or written to be used, and cannot 
be used, for the purpose of (i) avoiding penalties under the Internal Revenue 
Code or (ii) promoting, marketing or recommending to another party any 
transaction or matter addressed herein.(FR08-i203d)








Re: [clamav-users] ClamAV Database update issue

2020-07-24 Thread Eric Tykwinski
Check out CloudFlare status: https://www.cloudflarestatus.com/

 

If you are in the LA area, that could be a cause…

 

Sincerely,

 

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300

 

 

 

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Sudhir Kumar Maharjan
Sent: Friday, July 24, 2020 9:09 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] ClamAV Database update issue

 

Hello All,

 

We have been using ClamAV for a long time and today suddenly it is failing to update 
the Virus Signature Database with the error "WARNING: getfile: Error while 
reading database from database.clamav.net (IP: 104.16.218.84)". Are there any 
changes to the database server, or is it down? We have checked the firewall 
setting and it is open for clamav.

 

I have attached the screenshot as well.

 

Please let me know how to resolve this issue.

 

Thanks,

--
SUDHIR KUMAR MAHARJAN
Associate IT Manager
Deerwalk Services Pvt. Ltd.
p: +977-1-4485429  m: +977-9851151176
a: Sifal | Kathmandu | Nepal
w: www.deerwalk.com  e: skmahar...@deerwalk.com
LinkedIn: https://www.linkedin.com/company/deerwalk-inc/ | Twitter: https://twitter.com/deerwalkinc | Facebook: https://www.facebook.com/Deerwalk | YouTube: https://www.youtube.com/channel/UCawrNx5J26lzWs4viyaakRA







Re: [clamav-users] How to determine virus database version from behind proxy?

2020-07-09 Thread Eric Tykwinski
Just as a side note now that I’m back to a desktop, I did run FB’s 
implementation of DoH.  It was strictly test based, so not under load, but it 
did work locally for about 10 PCs: 
https://github.com/facebookexperimental/doh-proxy

Sadly, I don’t know of really any local DoH resolvers that can be used to 
scale, and I honestly don’t think it’ll last as long as I think most people 
think it will.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jul 9, 2020, at 6:20 PM, Eric Tykwinski  wrote:
> 
> Lol,  there is a long thread on mail ops that pretty much says the same.  But 
> he asked about checking through a proxy on http protocol so that’s his choice.
> 
> Sent from my iPhone
> 
>> On Jul 9, 2020, at 5:55 PM, Joel Esler (jesler) via clamav-users 
>>  wrote:
>> 
>> You’re just giving your lookup to someone else.  
>> 
>> Sent from my  iPhone
>> 
>>> On Jul 9, 2020, at 14:11, Richard Graham via clamav-users 
>>>  wrote:
>>> 
>>> 
>>> Or for more advertised privacy:
>>> 
>>> curl -H 'accept: application/dns-json' \
>>>   'https://mozilla.cloudflare-dns.com/dns-query?name=current.cvd.clamav.net&type='
>>> 
>>> On Thu, Jul 9, 2020 at 7:58 PM Richard Graham wrote:
>>> There are several DOH severs.
>>> 
>>> You could also try:
>>> 
>>> curl -H 'accept: application/dns-json' \
>>>   'https://dns.google.com/resolve?name=current.cvd.clamav.net&type=A'
>>> 
>>> ... or even just:
>>> 
>>> curl 'https://dns.google.com/resolve?name=current.cvd.clamav.net&type=A'
>>> 
>>> On Thu, Jul 9, 2020 at 3:51 PM Eric Tykwinski wrote:
>>> You could query using DoH:
>>> # curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=current.cvd.clamav.net&type=TXT'
>>> 
>>> 
>>> > -Original Message-
>>> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
>>> > Behalf Of André Weidemann
>>> > Sent: Thursday, July 09, 2020 9:45 AM
>>> > To: clamav-users@lists.clamav.net
>>> > Subject: [clamav-users] How to determine virus database version from 
>>> > behind
>>> > proxy?
>>> > 
>>> > Hi,
>>> > 
>>> > in my current working environment I do not have direct internet access,
>>> > nor is it possible to query public DNS servers.
>>> > Running a command like "host -t txt current.cvd.clamav.net" yields no
>>> > result.
>>> > The only way out is a proxy.
>>> > I still would like to figure out whether or not my local database is up
>>> > to date.
>>> > Can I retrieve the information contained in the DNS TXT record via a
>>> > http(s) source as well? If so, how?
>>> > 
>>> > Thanks a lot in advance.
>>> > 
>>> >   André
>>> 
>>> 
>>> 
>>> 




Re: [clamav-users] How to determine virus database version from behind proxy?

2020-07-09 Thread Eric Tykwinski
Lol,  there is a long thread on mail ops that pretty much says the same.  But 
he asked about checking through a proxy on http protocol so that’s his choice.

Sent from my iPhone

> On Jul 9, 2020, at 5:55 PM, Joel Esler (jesler) via clamav-users wrote:
> 
> You’re just giving your lookup to someone else.  
> 
> Sent from my  iPhone
> 
>> On Jul 9, 2020, at 14:11, Richard Graham via clamav-users wrote:
>> 
>> 
>> Or for more advertised privacy:
>> 
>> curl -H 'accept: application/dns-json' 'https://mozilla.cloudflare-dns.com/dns-query?name=current.cvd.clamav.net&type='
>> 
>>> On Thu, Jul 9, 2020 at 7:58 PM Richard Graham  wrote:
>>> There are several DOH severs.
>>> 
>>> You could also try:
>>> 
>>> curl -H 'accept: application/dns-json' 'https://dns.google.com/resolve?name=current.cvd.clamav.net&type=A'
>>> 
>>> ... or even just:
>>> 
>>> curl 'https://dns.google.com/resolve?name=current.cvd.clamav.net&type=A'
>>> 
>>>> On Thu, Jul 9, 2020 at 3:51 PM Eric Tykwinski wrote:
>>>> You could query using DoH:
>>>> # curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=current.cvd.clamav.net&type=TXT'
>>>> 
>>>> 
>>>> > -Original Message-
>>>> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
>>>> > Behalf Of André Weidemann
>>>> > Sent: Thursday, July 09, 2020 9:45 AM
>>>> > To: clamav-users@lists.clamav.net
>>>> > Subject: [clamav-users] How to determine virus database version from 
>>>> > behind
>>>> > proxy?
>>>> > 
>>>> > Hi,
>>>> > 
>>>> > in my current working environment I do not have direct internet access,
>>>> > nor is it possible to query public DNS servers.
>>>> > Running a command like "host -t txt current.cvd.clamav.net" yields no
>>>> > result.
>>>> > The only way out is a proxy.
>>>> > I still would like to figure out whether or not my local database is up
>>>> > to date.
>>>> > Can I retrieve the information contained in the DNS TXT record via a
>>>> > http(s) source as well? If so, how?
>>>> > 
>>>> > Thanks a lot in advance.
>>>> > 
>>>> >   André
>>>> 
>>>> 
>>>> 
>>>> 



Re: [clamav-users] How to determine virus database version from behind proxy?

2020-07-09 Thread Eric Tykwinski
You could query using DoH:
# curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=current.cvd.clamav.net&type=TXT'


> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of André Weidemann
> Sent: Thursday, July 09, 2020 9:45 AM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] How to determine virus database version from behind
> proxy?
> 
> Hi,
> 
> in my current working environment I do not have direct internet access,
> nor is it possible to query public DNS servers.
> Running a command like "host -t txt current.cvd.clamav.net" yields no
> result.
> The only way out is a proxy.
> I still would like to figure out whether or not my local database is up
> to date.
> Can I retrieve the information contained in the DNS TXT record via a
> http(s) source as well? If so, how?
> 
> Thanks a lot in advance.
> 
>   André




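The DoH lookup suggested in this thread answers the question only halfway: the TXT record tells you the published daily.cvd version, and you still have to compare it with what is on disk. The script below is an added example for this thread, not code from the thread or from the ClamAV project. It fetches the same record over a DoH JSON endpoint (optionally through the HTTP proxy that is the only way out), parses the TXT layout freshclam documents for current.cvd.clamav.net, reads the 512-byte ClamAV-VDB header at the start of a local daily.cvd, and reports whether the local database is current. The DoH response shape and the header field order are the assumptions it relies on; the sample TXT record and CVD header are constructed so the module runs offline. Keep Joel's point in mind: whichever DoH provider you use sees the query name, which is one more party learning that you run ClamAV and how fresh it is. If a proxy is all you have, freshclam's own HTTPProxyServer and HTTPProxyPort options are the supported route and avoid the extra hop entirely.

```python
"""Check whether a local daily.cvd is current, using the TXT record that
freshclam itself consults (current.cvd.clamav.net), fetched over a
DNS-over-HTTPS JSON endpoint so it works where plain DNS is blocked.

Added example for the clamav-users thread above; not code from the thread or
from the ClamAV project. Assumptions: the Cloudflare DoH JSON response shape
(Status, Answer[].type/data), the TXT layout freshclam documents
(version:main:daily:build_time:...), and the 512-byte 'ClamAV-VDB:' header at
the start of a .cvd/.cld file. SAMPLE_DOH_JSON and SAMPLE_CVD_HEADER are
constructed for an offline run, not captured from a live server.
"""
import json
import urllib.request

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
RECORD_NAME = "current.cvd.clamav.net"


def fetch_txt_via_doh(name=RECORD_NAME, proxy=None, timeout=10):
    """Live lookup (not used by the offline demo). 'proxy' is e.g.
    'http://proxy.example:3128'; the DoH provider still sees the query name."""
    url = f"{DOH_ENDPOINT}?name={name}&type=TXT"
    req = urllib.request.Request(url, headers={"accept": "application/dns-json"})
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    with opener.open(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def txt_from_doh_json(doc):
    """Return the first TXT payload from a DoH JSON answer, without the quotes."""
    if doc.get("Status", 0) != 0:
        raise ValueError(f"DNS rcode {doc['Status']}")
    for ans in doc.get("Answer", []):
        if ans.get("type") == 16:  # 16 == TXT
            return ans["data"].strip('"')
    raise ValueError("no TXT answer in response")


def parse_clamav_txt(txt):
    """Split the record freshclam reads. Field order per ClamAV docs:
    latest release : main.cvd version : daily.cvd version : build time (epoch) ..."""
    f = txt.split(":")
    if len(f) < 4:
        raise ValueError(f"unexpected TXT record: {txt!r}")
    return {
        "clamav_version": f[0],
        "main": int(f[1]),
        "daily": int(f[2]),
        "build_time": int(f[3]),
        "bytecode": int(f[7]) if len(f) > 7 and f[7].isdigit() else None,
    }


def parse_cvd_header(header_bytes):
    """Parse the fixed 512-byte text header of a .cvd/.cld:
    ClamAV-VDB:<build time>:<version>:<#sigs>:<flevel>:<md5>:<dsig>:<builder>:<epoch>"""
    head = header_bytes[:512].split(b"\x00", 1)[0].decode("ascii", "replace").strip()
    if not head.startswith("ClamAV-VDB:"):
        raise ValueError("not a ClamAV-VDB header")
    f = head.split(":")
    return {"build_time": f[1], "version": int(f[2]), "sigs": int(f[3]), "flevel": int(f[4])}


def daily_is_current(local_header_bytes, doh_json):
    """Compare the local daily version against the published one.
    Returns (is_current, local_version, published_version)."""
    remote = parse_clamav_txt(txt_from_doh_json(doh_json))
    local = parse_cvd_header(local_header_bytes)
    return local["version"] >= remote["daily"], local["version"], remote["daily"]


# Constructed sample data so the module runs offline.
SAMPLE_DOH_JSON = {
    "Status": 0,
    "Answer": [{"name": "current.cvd.clamav.net", "type": 16, "TTL": 60,
                "data": "\"0.103.2:62:26220:1624537324:1:90:49192:333\""}],
}
SAMPLE_CVD_HEADER = (
    b"ClamAV-VDB:24 Jun 2021 08-02 -0400:26219:3970203:63:"
    b"0123456789abcdef0123456789abcdef:dsig-placeholder:builder:1624537324"
).ljust(512, b" ")

if __name__ == "__main__":
    # Real use: header = open("/var/lib/clamav/daily.cvd", "rb").read(512)
    #           doc = fetch_txt_via_doh(proxy="http://proxy.example:3128")
    ok, local, published = daily_is_current(SAMPLE_CVD_HEADER, SAMPLE_DOH_JSON)
    print(f"local daily {local}, published daily {published}: {'current' if ok else 'STALE'}")
```

For a real check, read the first 512 bytes of daily.cvd (or daily.cld, which carries the same header) and pass the proxy URL to fetch_txt_via_doh(). The comparison deliberately uses only the daily version number; the build timestamp is informational and the hash fields in the header are not verified here, so this tells you whether you are behind, not whether the file is intact.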


Re: [clamav-users] Cannot install Clam AV on Ubuntu 16.04

2020-03-26 Thread Eric Tykwinski
Seriously,

Nothing to do with ClamAV specifically, but RH/Cent is known to confuse the hell 
out of everyone with their wonderful retrograde back ports.  So I’ve talked to 
ISC about Bind versions and they basically said ditch it…

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Mar 26, 2020, at 7:07 PM, Reio Remma via clamav-users wrote:
> 
> Hello!
> 
> Whilst I haven’t used Ubuntu myself, you might want to check (pun intended) 
> if check-dev package exists.
> 
> IIRC -devel extension is specific to CentOS/RHEL.
> 
> Good luck,
> Reio
> 
>> On 27. Mar 2020, at 00:50, Cheney, James via clamav-users wrote:
>> 
>> 
>> Good afternoon, 
>>  
>> We have been successfully installing Clam AV on Centos instances in our 
>> environment.
>>  
>> We ran into a problem when we try to install on Ubuntu. We are using these
>> instructions (https://www.clamav.net/documents/installation-on-debian-and-ubuntu-linux-distributions)
>> and are able to get developer tools and library dependencies
>> installed. When I try to install the unit testing dependencies, I get the
>> following error
>>  
>> sudo: unable to resolve host : Connection timed out
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> E: Unable to locate package check-devel
>>  
>> When I run ./configure --enable-check or sudo ./configure --enable-check after 
>> downloading and unzipping the Clam AV files I get this error
>>  
>> ERROR!  Check was configured, but not found.  Get it from
>> http://check.sf.net/
>>  
>> Then we run sudo apt-get install check and get this error
>>  
>> sudo: unable to resolve host : Connection timed out
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> check is already the newest version (0.10.0-3).
>> 0 upgraded, 0 newly installed, 0 to remove and 114 not upgraded.
>>  
>> When I run sudo apt-get install check-devel I get this error
>>  
>> sudo: unable to resolve host : Connection timed out
>> Reading package lists... Done
>> Building dependency tree
>> Reading state information... Done
>> E: Unable to locate package check-devel
>>  
>> We were able to resolve the “sudo: unable to resolve host : 
>> Connection timed out” error by adding the line 127.0.0.1  in the 
>> /etc/hosts file
>>  
>> Do you have any suggestions for us for troubleshooting?
>>  
>> Thank you, 
>>  
>> James Cheney
>>  
>> Solutions Analyst | Core Business Operations
>> Deloitte Consulting LLP
>> 310 E. Rivulon Blvd, Gilbert, AZ 85297 
>> 
>> Tel/Direct: +1 480 770 7404
>> jache...@deloitte.com | www.deloitte.com

Re: [clamav-users] eff.org.xpi false positive ? Mailing Lists/ClaMav/clamav-users x

2020-03-25 Thread Eric Tykwinski
Marcos,

You can check out the signature for the HTTPS Everywhere extension on their 
page:
https://www.eff.org/https-everywhere

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Mar 25, 2020, at 2:50 PM, marcos sr via clamav-users wrote:
> 
> Hello Everyone,
> 
> According to ClamAV this file possibly contains a virus Status: 
> 
> https-everywh...@eff.org.xpi: PhishTank.Phishing.5435002.UNOFFICIAL FOUND
> 
> The problem is in the
> 
> ./rules/default.rulesets: PhishTank.Phishing.5435002.UNOFFICIAL FOUND
> 
> What sould I do?
> 
> How Can I be sure that is a false positive?
> 


Re: [clamav-users] Email payload in .img container

2020-02-18 Thread Eric Tykwinski

> On Feb 18, 2020, at 6:10 AM, Steve Basford  
> wrote:
> 
> On 2020-02-18 02:02, Paul Kosinski via clamav-users wrote:
>> How big is the img file? ClamAV has a 4 GB (2**32-1) size limit (alas),
>> maybe others do too.
> Here are 3 samples from a few days ago; they vary in size but none is near 4 GB…
> 

Pretty much on par with size, a little bit bigger: 1.19 MB
I’ve decided to just block them by extension for now, as I don’t think many of 
my customers will be emailing out ISOs or disk images directly at least.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



[clamav-users] Email payload in .img container

2020-02-17 Thread Eric Tykwinski
This was a new one that I have not seen before.

 

I uploaded the payload inside to VirusTotal, and it's not caught there
either:

https://www.virustotal.com/gui/file/368906d50bd279e9576aaa3d6dea269515410a5f74cd93112767eb4bac310d1d/detection

 

My question is since this was in a disk image container would it have even
been caught anyways, even if it was detected?

 

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




Re: [clamav-users] messages in freshclam.log

2019-12-23 Thread Eric Tykwinski
This was mentioned here before, and I can't remember what the status was.

For this example:
A dig trace leads to:
ping.clamav.net.        86400   IN      NS      ns1a.clamav.net.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups

#dig daily.25671.105.1.0.6810DA54.ping.clamav.net @ns1a.clamav.net

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> 
daily.25671.105.1.0.6810DA54.ping.clamav.net @ns1a.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61445
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;daily.25671.105.1.0.6810DA54.ping.clamav.net. IN A

;; AUTHORITY SECTION:
ping.clamav.net.        86400   IN      NS      ns1a.clamav.net.

;; ADDITIONAL SECTION:
ns1a.clamav.net.        86400   IN      A       198.148.79.38
ns1a.clamav.net.        86400   IN      AAAA    2620:28:c000:0:aba:ca:daba:ee

So it's a continuous loop on ns1a.clamav.net to itself as authoritative for 
ping.clamav.net on NS causing the issue.

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Sohin Vyacheslav via clamav-users
> Sent: Monday, December 23, 2019 10:16 AM
> To: Joel Esler (jesler); ClamAV users ML
> Cc: Sohin Vyacheslav
> Subject: Re: [clamav-users] messages in freshclam.log
> 
> 
> 
> 23.12.2019 16:51, Joel Esler (jesler) пишет:
> > These don’t exist.  All of these addresses simply point at
> database.clamav.net.  So, it makes no sense to point them to anything else.
> 
> Ok, I agree. But what about mentioned message:
> 
> Can't query daily.25671.105.1.0.6810DA54.ping.clamav.net
> 
> 
> --
> Best wishes,
> Chertov Vyacheslav
> 
> 


Re: [clamav-users] Elmedia Player.app detection

2019-12-10 Thread Eric Tykwinski
Found an article on it:

https://www.intego.com/mac-security-blog/osxproton-malware-is-back-heres-what-mac-users-need-to-know/

 

 

 

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
Of Al Varnell via clamav-users
Sent: Tuesday, December 10, 2019 11:25 AM
To: ClamAV users ML
Cc: Al Varnell
Subject: Re: [clamav-users] Elmedia Player.app detection

 

That signature has been in the database since Oct 20, 2017 and is a hash
signature, so there's little chance of it being an FP.

[daily.hsb]
17fe5ebacff74bfb6028eb371ceeaf2b:2484384:Osx.Trojan.Proton-6352635-0:73





-Al-

ClamXAV User

 

On Tue, Dec 10, 2019 at 06:02 AM, Douglas Stinnette wrote:

Seems to me that this is a false positive.
/Applications/Elmedia Player.app/Contents/MacOS/Elmedia Player
Osx.Trojan.Proton-6352635-0 FOUND

 

I sent a copy of the file to other vendors to double check it and they
reported it was not malware.

I have submitted false positives to ClamAV before and never received an
update on them:
https://www.clamav.net/reports/fp 

What do others do when they get ClamAV false positives?
Thanks,
Doug

 

 

 




Re: [clamav-users] Use ClamAV to scan email in Plesk Ubuntu with Postfix

2019-10-04 Thread Eric Tykwinski
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of G.W. Haywood via clamav-users
> Sent: Friday, October 04, 2019 11:52 AM
> To: ClamAV Users Mailing List
> Cc: G.W. Haywood
> Subject: Re: [clamav-users] Use ClamAV to scan email in Plesk Ubuntu with
> Postfix
> 
> Hi there,
> 
> On Fri, 4 Oct 2019, Mail Delivery Subsystem  users wrote:
> 
> > Hi, is it possible to configure ClamAV in Plesk Ubuntu with Postfix?
> 
> Unfortunately I have no idea what Plesk Ubuntu is, but you can
> certainly use clamd to scan mail with Postfix.

I'm in the same agreement, no clue on what the Plesk Control panel actually
does with Postfix, but I would assume you could just edit master.cf and
main.cf.
Here's the Ubuntu instructions for Amavis-new installation for Postfix:
https://help.ubuntu.com/community/PostfixAmavisNew

> 
> --
> 
> 73,
> Ged.





Re: [clamav-users] Question

2019-10-03 Thread Eric Tykwinski
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
Behalf Of Wagde Zabit via clamav-users
> Sent: Thursday, October 03, 2019 1:09 PM
> To: ClamAV users ML
> Cc: Wagde Zabit
> Subject: Re: [clamav-users] Question
>
> https://www.clamav.net/downloads/production/clamav-0.102.0.tar.gz
>

Or my preference: https://github.com/Cisco-Talos/clamav-devel

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300







Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0

2019-08-27 Thread Eric Tykwinski
Brian,

It’s a straight text search for 6 strings.
Can’t send the decode because it will be caught in my outbound.

# sigtool --find-sigs Txt.Coinminer.Generic-7132166-0 | sigtool --decode-sigs

Doesn’t seem extremely likely for a lot of false positives to me, but ymmv.


From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
Of Brian Cole via clamav-users
Sent: Tuesday, August 27, 2019 11:01 AM
To: clamav-users@lists.clamav.net
Cc: Brian Cole
Subject: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0


Has anyone else seen a false positive from ClamAV, as a result of the August
24 signature update when the signature Txt.Coinminer.Generic-7132166-0 was
added ?

Specifically, we are seeing ClamAV think that CoinMiner virus exists in a
cleartext file on Linux, even though CoinMiner is an executable virus
attacking Windows.  The file causing the false positive is the
/var/log/sid_changes.log file, which is the text log file written by
PulledPork when it updates Snort IDS signatures. I would imagine anyone
running Snort, PulledPork and ClamAV on the same Linux machine would see
this false positive.

I submitted a false positive to ClamAV yesterday, but it may be that
whatever pattern that virus signature is looking for is too simplistic.

…Brian




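Eric's one-liner is the right first move when a signature fires on a text file: `sigtool --find-sigs` pulls the raw entry out of the database and `sigtool --decode-sigs` turns the hex into readable strings, so you can see whether the "signature" is really just a handful of plain words joined by wildcards. The example below, added here and not code from the thread or from ClamAV, does the same decoding in Python for the .ndb body-signature format (Name:TargetType:Offset:HexSig) and then runs the decoded pattern over a file, so you can reproduce a match and reason about its false-positive surface without shipping the suspect file anywhere. The signature and the log lines are constructed for illustration; DEMO_SIG is not the real Txt.Coinminer.Generic-7132166-0 body, and the log lines only imitate the kind of rule-update text that describes miner traffic. The point they make is Brian's: a text-only pattern matches anything that talks about the malware, including an IDS rule log, not only the malware itself.

```python
"""Decode a ClamAV .ndb body signature into readable text and run it over a
file, roughly what `sigtool --decode-sigs` shows and what clamscan would match.

Added example for the false-positive discussion above; not the list author's
code and not ClamAV's matcher. DEMO_SIG is constructed to illustrate a
'straight text search' signature; it is NOT the real
Txt.Coinminer.Generic-7132166-0 body. Supported hex-signature syntax: plain
hex bytes, ?? (any byte), * (any run), {n}, {n-m}, {n-}, {-m}, (aa|bb).
Offsets handled: '*' (anywhere) and an absolute decimal offset.
"""
import re

# ClamAV target types (field 2 of an .ndb line).
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "mail", 5: "graphics",
                6: "ELF", 7: "ASCII", 9: "Mach-O", 10: "PDF", 11: "Flash", 12: "Java"}

_TOKEN = re.compile(r"\{(\d*)-?(\d*)\}|\(([0-9a-fA-F|]+)\)|\*|\?\?|[0-9a-fA-F]{2}")


def parse_ndb(line):
    """Split 'Name:TargetType:Offset:HexSignature' (any extra fields are ignored)."""
    name, ttype, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": TARGET_TYPES.get(int(ttype), ttype),
            "offset": offset, "hex": hexsig}


def _tokens(hexsig):
    """Yield regex matches for each signature token; reject anything unparsed."""
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"bad token at {pos}: {hexsig[pos:pos + 8]!r}")
        pos = m.end()
        yield m
    if pos != len(hexsig):
        raise ValueError("trailing garbage in hex signature")


def decode_readable(hexsig):
    """Like sigtool --decode-sigs: literal bytes as text, wildcards left as markers."""
    out = []
    for m in _tokens(hexsig):
        tok = m.group(0)
        out.append(bytes.fromhex(tok).decode("latin-1") if len(tok) == 2 and tok != "??" else tok)
    return "".join(out)


def hex_to_regex(hexsig):
    """Translate the hex-signature syntax into a compiled bytes regex (DOTALL)."""
    out = []
    for m in _tokens(hexsig):
        tok = m.group(0)
        if tok == "*":
            out.append(b".*?")
        elif tok == "??":
            out.append(b".")
        elif tok.startswith("{"):
            lo, hi = m.group(1).encode(), m.group(2).encode()
            out.append(b".{" + lo + b"," + hi + b"}" if "-" in tok else b".{" + lo + b"}")
        elif tok.startswith("("):
            alts = [re.escape(bytes.fromhex(a)) for a in m.group(3).split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
        else:
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)


def scan_bytes(sig, data):
    """True if the signature matches 'data' at its declared offset."""
    rx = hex_to_regex(sig["hex"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(sig["offset"])) is not None


# Constructed signature: three plain ASCII strings joined by wildcards.
DEMO_SIG = ("Txt.Demo.Miner-0:0:*:"
            "7374726174756d2b7463703a2f2f*786d726967{0-64}2d2d646f6e6174652d6c6576656c")

# Constructed log lines of the kind an IDS rule updater writes: they *describe*
# miner traffic, so a text-only signature matches them although nothing is malicious.
SAMPLE_LOG = (b"2019-08-24 pulledpork: new sid 1:50001 'MALWARE-CNC xmrig stratum+tcp:// miner'\n"
              b"2019-08-24 pulledpork: new sid 1:50002 'xmrig --donate-level option seen'\n")

if __name__ == "__main__":
    sig = parse_ndb(DEMO_SIG)
    print(sig["name"], "decodes to:", decode_readable(sig["hex"]))
    print("matches constructed log:", scan_bytes(sig, SAMPLE_LOG))
```

Run decode_readable() on the output of `sigtool --find-sigs <name>` (fourth colon-separated field) to get the same view sigtool gives; then scan_bytes() against the file that triggered tells you whether the match is the literal strings or a wildcard span swallowing a whole log. This is a plain regex approximation of ClamAV's matcher, useful for triage only: it ignores target-type filtering, normalisation of ASCII/HTML targets, and the non-absolute offset forms, so a no-match here does not prove clamscan would skip the file.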


Re: [clamav-users] clamav-users Digest, Vol 174, Issue 2

2019-08-22 Thread Eric Tykwinski
Dexter,

Something like ansible?
Use ansible's homebrew module to install ClamAV, run a scan, then use the 
module again to uninstall.
With something like Tower or AWX just schedule it out to run whenever you want 
on as many computers as you want.

Problem would be the time to scan as each host will be linear, so I would 
probably just install ansible on each host with localhost as inventory and 
schedule it with launchd.

Hopefully, that's at least an idea to get you started.

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Dexter Rivera via clamav-users
> Sent: Wednesday, August 21, 2019 2:57 PM
> To: clamav-users@lists.clamav.net
> Cc: Dexter Rivera
> Subject: Re: [clamav-users] clamav-users Digest, Vol 174, Issue 2
> 
> My use-case is this:
> 
> I have very good protection via Crowdstrike Falcon Sensor, but that only
> deletes/quarantines files based on known IOCs, high malicious scores, or
> behavior via machine-learning.  Otherwise it still blocks processes considered
> suspicious and/or due custom IOA.  The downside is that some files are left
> behind.  What we have used in the interim to do post-alert cleanup is
> download the trial version of MalwareBytes for Mac, install, scan, then
> remove MalwareBytes.
> 
> I want to automate the scanning of an endpoint using ClamAV but without
> permanently installing ClamAV.  In Windows I can simply copy the ClamAV files
> to a temp location and then initiate the scan command line with the desired
> parameters like Update, Full Scan, Logging, etc.  After the scan completes the
> temp directory is deleted.  I'm sure we can do the same with ClamAV on the
> Mac but I have not seen any references to it being done yet.  In
> documentation it mentions the compiling of the code which I am thinking I can
> leverage to create a single package to accomplish what I need but I am not
> fluent enough in linux/unix to test.  As an example, I was able to 
> successfully
> create a stand-alone MalwareBytes Enterprise scanner but that is not free and
> very expensive so we did not want to purchase to only use it sparingly.
> 
> The permanent installation of a scanner is NOT required and proved out a few
> times.  Does anyone here have an idea, lead, or suggestion of how I can
> accomplish this on a Mac?  Thanks in advance.
> 
> 
> 
> Dexter R. Rivera
> 
> On 5/11/19, 9:01 AM, clamav-users-requ...@lists.clamav.net wrote:
> 


Re: [clamav-users] Linux viruses

2019-06-28 Thread Eric Tykwinski
Christopher,

 

Run

# sigtool --find-sigs Unix

There are quite a few which I think apply to *nix in general.

 

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Christopher Draper via clamav-users
Sent: Friday, June 28, 2019 3:49 PM
To: clamav-users@lists.clamav.net
Cc: Christopher Draper
Subject: [clamav-users] Linux viruses

 

Does Clam AV detect Linux infections as well as Windows?




Re: [clamav-users] Scanning on Mac without installation

2019-05-10 Thread Eric Tykwinski
Seriously, I have no idea of what your end goal is?
If you don’t want to do nightly scans, there is fswatch: 
https://github.com/emcrisostomo/fswatch
It’s a trigger for on-access scanning for OSX and various other POSIX systems.

You can always run a cron job as well for nightly scans, which it sounds like 
you were doing for windows, but it needs to be installed somewhere, and have 
file access.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On May 10, 2019, at 7:42 PM, Dexter Rivera via clamav-users wrote:
> 
> Hello All,
>  
> Is there a way to run a scan on a Mac without having to install Clam AV?  I 
> was able to scan a Windows machine with Clam AV as a stand-alone scanner and 
> it would be great if I can do the same on my Mac using command line.  Any 
> ideas, leads, or suggestions would be greatly appreciated.  Thank you in 
> advance.
>  
>  
>  
> Dexter R. Rivera 
> 


Re: [clamav-users] Security 3310 SSL/TLS

2019-04-10 Thread Eric Tykwinski
I think most suggest using an SSH tunnel between server and host.

 

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

 

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
Of David Hendrick
Sent: Wednesday, April 10, 2019 1:19 PM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Security 3310 SSL/TLS

 

Hi there,

I was wondering if there's any way to introduce any sort of encryption on
the requests sent to ClamAV using port 3310?

Thanks,

David

 


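The reason an SSH tunnel (or stunnel) is the usual answer is that clamd's own protocol has no encryption or authentication at all: commands and the INSTREAM payload cross the wire in the clear, so anyone on the path sees every file you scan and can answer "stream: OK" on clamd's behalf. The example below is added here and is not code from the thread or from the ClamAV project. It implements the client side of the protocol (zPING and zINSTREAM with the 4-byte big-endian length-prefixed chunks and zero-length terminator that clamd expects) and talks to it over a loopback socket, which is exactly where the local end of `ssh -N -L 3310:127.0.0.1:3310 user@clamd-host` lands. The mock clamd in the same file is constructed so the module runs offline; it only checks for a marker string and exercises the framing, it is not a scanner. On the server side, pair the tunnel with `TCPAddr 127.0.0.1` in clamd.conf so the daemon is not reachable from the network except through the tunnel.

```python
"""Speak clamd's TCP protocol (the service on port 3310) from Python, through
the local end of an SSH tunnel, and show why the tunnel matters: the protocol
is plaintext, so anything between client and clamd sees the scanned content.

Added example for the question above; not code from the thread or from the
ClamAV project. Protocol facts used: commands are NUL-terminated when prefixed
with 'z' ("zPING\\0", "zINSTREAM\\0"); INSTREAM sends chunks as a 4-byte
big-endian length followed by the bytes, ended by a zero-length chunk; clamd
answers "PONG", "stream: OK" or "stream: <signature> FOUND". The mock clamd is
constructed so the module runs offline. Against a real daemon, first forward
the port over SSH and then point scan_stream() at 127.0.0.1:3310:
    ssh -N -L 3310:127.0.0.1:3310 user@clamd-host
"""
import socket
import struct
import threading


def _recv_until_nul(sock):
    buf = b""
    while not buf.endswith(b"\x00"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return buf.rstrip(b"\x00").decode("utf-8", "replace")


def clamd_ping(host="127.0.0.1", port=3310, timeout=5):
    """Expect 'PONG' from a live daemon at the tunnel's local end."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zPING\x00")
        return _recv_until_nul(s)


def scan_stream(data, host="127.0.0.1", port=3310, chunk_size=8192, timeout=30):
    """Scan 'data' with INSTREAM. Returns ('OK', None), ('FOUND', sig) or ('ERROR', reply)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zINSTREAM\x00")
        for i in range(0, len(data), chunk_size):
            chunk = data[i:i + chunk_size]
            s.sendall(struct.pack("!I", len(chunk)) + chunk)   # length prefix, then bytes
        s.sendall(struct.pack("!I", 0))                         # zero-length chunk ends the stream
        reply = _recv_until_nul(s)
    if reply.endswith(" FOUND"):
        return "FOUND", reply[len("stream: "):-len(" FOUND")]
    if reply.endswith("OK"):
        return "OK", None
    return "ERROR", reply


# Constructed mock clamd: flags any stream containing MARKER. Real clamd would
# match signatures; this only exercises the framing.
MARKER = b"DEMO-BAD-CONTENT"


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def _mock_clamd_handle(conn):
    with conn:
        cmd = b""
        while not cmd.endswith(b"\x00"):
            part = conn.recv(1)
            if not part:
                return
            cmd += part
        if cmd == b"zPING\x00":
            conn.sendall(b"PONG\x00")
            return
        if cmd != b"zINSTREAM\x00":
            conn.sendall(b"UNKNOWN COMMAND\x00")
            return
        body = b""
        while True:
            (n,) = struct.unpack("!I", _recv_exact(conn, 4))
            if n == 0:
                break
            body += _recv_exact(conn, n)
        conn.sendall(b"stream: Demo.Test.Marker FOUND\x00" if MARKER in body else b"stream: OK\x00")


def start_mock_clamd():
    """Listen on an ephemeral loopback port in a daemon thread; returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_mock_clamd_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_mock_clamd()
    print(clamd_ping(host, port))
    print(scan_stream(b"hello world", host, port))
    print(scan_stream(b"prefix " + MARKER + b" suffix", host, port))
```

Against a real clamd, replace start_mock_clamd() with the SSH forward and call scan_stream(data) with the defaults; clamd enforces StreamMaxLength on INSTREAM and answers "INSTREAM size limit exceeded. ERROR" when a stream is too large, which the 'ERROR' branch surfaces instead of silently treating it as clean.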


Re: [clamav-users] Mailman web UI for ClamAV currently inaccessible

2019-03-14 Thread Eric Tykwinski
Typo in the URL: https://lists.clamav.net/mailman/listinfo/clamav-users

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Ralph Seichter via clamav-users
> Sent: Thursday, March 14, 2019 12:33 PM
> To: clamav-users@lists.clamav.net
> Cc: Ralph Seichter
> Subject: [clamav-users] Mailman web UI for ClamAV currently inaccessible
> 
> https://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users returns
> "403 Forbidden". Could somebody please investigate? Thanks.
> 
> -Ralph
> 


Re: [clamav-users] Testing

2019-02-20 Thread Eric Tykwinski
> On Feb 20, 2019, at 5:19 PM, Benny Pedersen  wrote:
> 
> Joel Esler (jesler) skrev den 2019-02-20 23:14:
>> Testing!
> 
> DKIM and DMARC still fails
> 
> no news there :(

Yeah, I gave up on that and just whitelisted all cisco’s listservs:

X-Smartermail-Spam: ⁨Reverse DNS Lookup [Passed], Message Sniffer 0 [code:0], 
ISpamAssassin 0 [raw: 0], SPF_Pass, DKIM_Fail⁩
Authentication-Results: ⁨mailmanlists.network; dkim=fail reason="signature 
verification failed" (1024-bit key; unprotected) header.d=cisco.com 
header.i=@cisco.com header.b="eEtpLAtz"; dkim-atps=neutral⁩
X-Smartermail-Totalspamweight: ⁨0 (Trusted Sender - User)⁩


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


Re: [clamav-users] Using clamav to test for bad links in incoming emails

2019-02-14 Thread Eric Tykwinski
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Alessandro Vesely
> Sent: Thursday, February 14, 2019 11:08 AM
>
> Shouldn't that be done with SA?
> http://uribl.com/usage.shtml
 
It really depends on your goal.  For me, I use ClamAV to scan outgoing emails
to catch a slipped compromised account.
The FP rate for SpamAssassin is too high to use, imho, so I just tweak ClamAV
with third party sigs and custom yara scripts.

> Best
> Ale




Re: [clamav-users] Using clamav to test for bad links in incoming emails

2019-02-08 Thread Eric Tykwinski
Check out SaneSecurity: https://sanesecurity.com/usage/signatures/
Specifically: phish, winnow_phish_complete_url
I’m sure there are others as well.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Feb 8, 2019, at 6:07 PM, Gene Heskett  wrote:
> 
> Hello all;
> 
> Has anyone rigged clamd to check what looks like questionable links 
> contained in incoming emails? It seems over the last 2 weeks my spam has 
> tripled, and I suspect the real payload is in the urls in the message.
> 
> Or is this so time consuming and bandwidth wasting it's not worth it?
> 
> 
> Cheers, Gene Heskett
> -- 
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page <http://geneslinuxbox.net:6309/gene>
> 



Re: [clamav-users] Constant CPU Usage

2019-02-07 Thread Eric Tykwinski
Have you checked out clamdtop to see what’s being done?

I usually see 1 core maxed on clamd.  It’s a 2012 MacPro, so not a worry for me.

Might want to change from fswatch to just a nightly scan if it’s too hard on 
the system.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Kai Amundsen
Sent: Thursday, February 07, 2019 12:23 PM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Constant CPU Usage

Clamd process seems to be using a lot of CPU. It goes 0% for a few seconds then 
100% (full use of one thread) for a few seconds constantly forever. This seems 
to be eating our users' laptop batteries noticeably.

We just rolled out ClamAV to all of our users (running macOS of varying 
versions) using MacPorts and these instructions ( 
https://github.com/essandess/macOS-clamAV ), and all users who are technical 
enough to check CPU usage are reporting this.

Is this normal? Any way to change/fix it?


 


 
Kai Amundsen | 312 775 2407

 



Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Eric Tykwinski
Paul,

Sorry some of this confusion is probably my fault trying to help without going 
back to the whole thread.

> On Dec 10, 2018, at 9:34 PM, Paul Kosinski  wrote:
> 
> We ARE using freshclam to perform the actual update. And always have
> been!
> 
> We've only been using curl (not wget, if that matters) to pull the first
> few bytes of the cvd to see if its version number matches what the DNS
> TXT query said.
> 
> We do this because, after the conversion to Cloudflare, we were getting
> lots of FAILURES where *freshclam* said things were out of sync (and
> eventually disabled all the mirrors).

Have you tried what I did below?  I.e. curl/wget/telnet, whatever your flavor of 
the day, and pull the newest cdiff?
If you’re getting a 404, that’s definitely an issue.

My guess is that it’s actually timing out though, which could be more of an issue 
to troubleshoot.
Is it local, i.e. an IDP getting stuck scanning the files, or is freshclam itself 
timing out remotely on BOS pulling the update from ClamAV and caching it 
before you can download it?

> And we have recently seen that our Web server sometimes can get the new
> updates (from IAD) *hours* before our main LAN does (from BOS).

Those hours before are only checking the CVDs, which can be and probably are 
cached on CloudFlare, so not up to date.
My guess is that there are just more people in Boston using Clam, so the cache 
lasts the longest.

> P.S. It's been quite frustrating getting some replies seemingly based on
> assumptions that we are doing things we shouldn't, when we aren't in
> fact doing those things. (Like not using freshclam.)

I would agree, this has gone on a long time from my recollection, which is why 
I jumped in and started looking at it.
Definitely, I did hop on without all the facts and was just trying to figure 
out on the fly what’s going on, so my bad on that.

When in doubt, I usually pull a pcap on a server.  There are a lot of factors 
that can come into play, but with clam only using http, that actually 
makes it a lot easier.

Sincerely,

Eric Tykwinski




Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-10 Thread Eric Tykwinski
Dennis,

> On Dec 10, 2018, at 8:26 PM, Dennis Peterson  wrote:
> 
> Helps too to read the entire thread and the thread that preceded this one. 
> The OP has used combinations of dig and wget in diagnosing his problems.
> 
> dp

Seriously, then he should be just trying to pull the new cdiffs to see if they 
are propagated to the various Cloudflare hosts.

>> 
>> Sigh.
>> 
>> Does no one actually READ THE MESSAGES???
>> 
>> The OP's problem is:
>> 
>> FRESHCLAM FAILS, REPEATEDLY, UNTIL ALL MIRRORS ARE MARKED AS BAD
>> AND NO UPDATES CAN OCCUR.
>> 
>> Pissing up a rope about "you shouldn't do various work-arounds" is a waste 
>> of time and bandwidth.
>> 
>> The OP has shown that different Cloudflare nodes give (him) different 
>> results, someone should be asking CLoudflare about how this can be 
>> addressed, not dismissing the very valid and basic problem.
>> 
>> This sort of behaviour just proves that Dunning-Kruger is alive and involved 
>> in far too many OSS projects.
>> 
>> Cheers,
>> GaryB-)

Gary,

I haven’t really followed the whole thread, but I’ve been seeing it for months 
that I recall, definitely a waste of bandwidth, and probably should be solved 
to some extent.

Looking at his logs, the headers are only for a CVD, so he’s not trying updates.

Example of a cdiff pull from telnet:
telnet database.clamav.net 80
Trying 104.16.186.138...
Connected to database.clamav.net.cdn.cloudflare.net.
Escape character is '^]'.
GET /daily-25195.cdiff HTTP/1.1
host: database.clamav.net

?o??_}??/~?uЯ?|??~?f?l??Ox~??O6/??_?>??Ϸ_7?~??̯???ߢ?ӏ~???B??{}~?[A???7ņ?>???


You don’t get those nice header parts to the file, so you wouldn’t know the 
last update as it’s a part of the file itself.  Looking at manager.c in 
freshclam, he should have been posting something like: "^getfile: %s not found 
on %s (IP: %s)\n" which gets posted to the logs when the file doesn’t exist.

I’m not positive on this so Micah can chime in, but I do believe you get the 
cdiff files from the DNS TXT somehow.

If anything it’s a good lesson on how exactly freshclam works.

Sincerely,

Eric Tykwinski


Re: [clamav-users] Detecting Word docs with macros

2018-12-10 Thread Eric Tykwinski
Steve,

> Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
> cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
> but can hit scanning performance.
> 
> ClamAV settings in clamd.conf can also be tweaked to block documents with
> macro and or passwords.


Thanks, just added badmacro.ndb, so hopefully that will help.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




[clamav-users] Detecting Word docs with macros

2018-12-10 Thread Eric Tykwinski
Default clam sigs obviously are not catching these, but wondering if anyone
has them included in a third party that is rather FP friendly.

I also just tested a yara from here, and it seems to work, but not certain
about FPs from it either.

https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/

Anyone have a suggestion?

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-09 Thread Eric Tykwinski
Joel,

> On Dec 8, 2018, at 11:21 PM, Joel Esler (jesler)  wrote:
> 
> Not sure what you’re saying here.  Are you saying that the daily on the cache 
> is out of date?
> 

I haven’t really noticed it, but that was Paul Kosinski’s observation from what 
I’m reading in the first email.
So it looks like IAD updated at 14:14:30 GMT, but BOS didn’t update till 
17:09:01 GMT from his email.

From back in archives, I think he’s using wget to just pull the files, but 
freshclam would just pull the cdiffs and keep you up to date on the next check.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-08 Thread Eric Tykwinski
J.R.

You are falling into the same trap I followed.  The txt record is:
current.cvd.clamav.net. 1749 IN TXT "0.101.0:58:25189:1544315340:1:63:48210:327"

But host headers is what he’s looking at:
telnet database.clamav.net 80
Trying 104.16.185.138...
Connected to database.clamav.net.cdn.cloudflare.net.
Escape character is '^]'.
GET /daily.cvd HTTP/1.1
host: database.clamav.net

HTTP/1.1 200 OK
Date: Sun, 09 Dec 2018 01:18:51 GMT
Content-Type: application/octet-stream
Content-Length: 53110330
Connection: keep-alive
Set-Cookie: __cfduid=ddc4d2ab2a13638c99a90bb14c12128971544318331; expires=Mon, 
09-Dec-19 01:18:51 GMT; path=/; domain=.clamav.net; HttpOnly
Last-Modified: Sat, 08 Dec 2018 18:18:00 GMT
ETag: "5c0c0ad8-32a663a"
Expires: Sun, 09 Dec 2018 05:05:51 GMT
Cache-Control: public, max-age=13620
CF-Cache-Status: HIT
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 4863a3a9553bc5d2-EWR

ClamAV-VDB:08 Dec 2018 13-18 -0500:25189:2177974:63:2e2e28a4556e83e2df68c40fa61566d4:nWqDCF65xA9fMhiKYOtZhH8Up6lAHLrl6VyCrXRAXCB7aMf7WqSPrwMz/YHhdgKSNjxGiL8Z2ORQ2aPm23KwqwyJUpOZv94+soWx+NibPlKBPJ6/ZAt9Z5UrhgDbgz0IVQsHX998ZjBE6NY6xtqfzboOPNKyeFINLeAUL5hSpzj:neo:1544293134

So daily.cvd is being cached on cloudflare for the first update and you might 
need to be running a freshclam right after a new install since it’s out of date 
due to caching on cloudflare’s server.  

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Dec 8, 2018, at 7:30 PM, J.R.  wrote:
> 
> I've kind of been reading this thread about the delay at one location
> vs the other.
> 
> Maybe I missed it, but I don't seem to recall which DNS servers you
> were querying. I remember you saying the one location you were having
> the issues was Comcast as the ISP, but were you always using the
> Comcast DNS or did you try others like 1.1.1.1 or 8.8.8.8 ?
> 
> Or was the DNS saying there was a newer version but when you queried
> cloudflare it was reporting differently?


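The DNS TXT record and the ClamAV-VDB header quoted in the post above are both plain colon-separated strings. The script below is an added example, not freshclam's code and not from anyone on the thread: it parses the TXT fields the way freshclam's manager.c indexes them, parses the fixed 512-byte CVD header, compares the daily version a mirror serves against the one DNS announces (the check Paul was doing with curl), and names the cdiff freshclam would ask for next. The sample values are copied from this post; the stale case and its unix build time are constructed, and the Range-request fetch is an assumed approach.

```python
"""Check a mirror's daily.cvd against the version announced in DNS.

Added example (not freshclam's code): parses the current.cvd.clamav.net TXT
record and the 512-byte ClamAV-VDB header at the start of a .cvd file, then
reports whether a CDN edge is serving a stale copy and which .cdiff would be
requested next.
"""
from dataclasses import dataclass
from typing import Dict, Tuple
import urllib.request

CVD_HEADER_LEN = 512  # the CVD header is a fixed 512-byte block, padded


@dataclass(frozen=True)
class DnsTxt:
    """TXT fields as freshclam's manager.c indexes them (0-based):
    0 = latest ClamAV release, 1 = main.cvd, 2 = daily.cvd, 3 = record time
    (unix), 6 = safebrowsing.cvd, 7 = bytecode.cvd.  Fields 4 and 5 are not
    interpreted here."""
    clamav_version: str
    main: int
    daily: int
    record_time: int
    safebrowsing: int
    bytecode: int


def parse_txt(record: str) -> DnsTxt:
    """Parse the quoted TXT payload exactly as dig/host print it."""
    fields = record.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError(f"unexpected TXT record: {record!r}")
    return DnsTxt(fields[0], int(fields[1]), int(fields[2]), int(fields[3]),
                  int(fields[6]), int(fields[7]))


@dataclass(frozen=True)
class CvdHeader:
    build_time: str        # e.g. "08 Dec 2018 13-18 -0500" (dashes, so no colons)
    version: int
    sigs: int
    flevel: int
    md5: str
    builder: str
    build_time_unix: int


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """ClamAV-VDB:<time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>"""
    text = raw[:CVD_HEADER_LEN].rstrip(b"\0 ").decode("ascii", "replace")
    if not text.startswith("ClamAV-VDB:"):
        raise ValueError("not a CVD header (ClamAV-VDB magic missing)")
    f = text.split(":")
    if len(f) < 9:
        raise ValueError("truncated CVD header")
    return CvdHeader(f[1], int(f[2]), int(f[3]), int(f[4]), f[5], f[7], int(f[8]))


def mirror_status(announced_daily: int, mirror_daily: int) -> str:
    """'current', 'stale' (edge cache behind DNS) or 'ahead' (DNS cache behind CDN)."""
    if mirror_daily == announced_daily:
        return "current"
    return "stale" if mirror_daily < announced_daily else "ahead"


def next_cdiff(local_daily: int) -> str:
    """freshclam applies daily-<n+1>.cdiff, daily-<n+2>.cdiff, ... up to the announced version."""
    return f"daily-{local_daily + 1}.cdiff"


def report(txt_record: str, header_bytes: bytes) -> Dict[str, object]:
    txt = parse_txt(txt_record)
    hdr = parse_cvd_header(header_bytes)
    status = mirror_status(txt.daily, hdr.version)
    return {"announced_daily": txt.daily, "mirror_daily": hdr.version,
            "status": status,
            "next_cdiff": next_cdiff(hdr.version) if status == "stale" else None}


def fetch_cvd_header(url: str = "http://database.clamav.net/daily.cvd",
                     timeout: float = 10.0) -> Tuple[CvdHeader, Dict[str, str]]:
    """The curl approach from the thread (assumed, not freshclam's method): pull only
    the first 512 bytes and keep the CDN headers that say which edge (CF-RAY) answered."""
    req = urllib.request.Request(url, headers={"Range": f"bytes=0-{CVD_HEADER_LEN - 1}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # 206 or full 200; read() caps both
        raw = resp.read(CVD_HEADER_LEN)
        meta = {k: resp.headers.get(k, "") for k in
                ("Date", "Last-Modified", "Cache-Control", "CF-Cache-Status", "CF-RAY")}
    return parse_cvd_header(raw), meta


# Copied from the post above (dig answer of 2018-12-08 and the daily.cvd header
# pulled via telnet); the base64 signature is shortened, which the parser ignores.
SAMPLE_TXT = '"0.101.0:58:25189:1544315340:1:63:48210:327"'
SAMPLE_HEADER = (b"ClamAV-VDB:08 Dec 2018 13-18 -0500:25189:2177974:63:"
                 b"2e2e28a4556e83e2df68c40fa61566d4:nWqDCF65xA9fMhiKYOtZhH8Up6l"
                 b":neo:1544293134").ljust(CVD_HEADER_LEN, b"\0")
# Constructed stale case modelled on Paul Kosinski's BOS log: the edge kept
# serving daily 25172 after DNS had moved on (the stime value is constructed).
STALE_HEADER = (b"ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:"
                b"13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT:neo:1543731240"
                ).ljust(CVD_HEADER_LEN, b"\0")

if __name__ == "__main__":
    print(report(SAMPLE_TXT, SAMPLE_HEADER))  # status: current
    print(report(SAMPLE_TXT, STALE_HEADER))   # status: stale, next daily-25173.cdiff
```

Comparing the version numbers rather than the timestamps is deliberate: the TXT record's time field is when the record was refreshed, not when the daily was built, so the two differ even when the mirror is current.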


Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-08 Thread Eric Tykwinski
Paul,

Sorry, I got it backwards, I thought you were saying the TXT record was 
different, which would be affected by DNS caching.
The CloudFlare cache would definitely affect daily.cvd, but updates are new.

Only way I could see you get around it yourself is to create your own cdiff 
program from the source and use the updates, 
which pretty much is using freshclam.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Dec 8, 2018, at 10:37 AM, Paul Kosinski  wrote:
> 
> Not sure what DNS caching would have to do with this. As I understand
> "anycast", it happens at the IP address level. An anycast IP address
> gets routed differently depending are where you are -- different
> (regional) routers have different "next hops" for the IP address, and
> it eventually ends up at a "nearby" server. This is in addition to the
> fact that database.clamav.net resolves to 5 different IP addresses (all
> of which are anycast IPs, I would guess).
> 
> The Cloudflare servers, although they have the same IP address(es) seem
> to identify themselves by means of an HTTP header that they return:
> 
>  CF-RAY: 4852e02c35ae5a5c-BOS
>  CF-RAY: 48526af5624356c3-IAD
> 
> Finally, AFAIK, I always get the same result for 
> 
>  "dig TXT current.cvd.clamav.net"
> 
> no matter where I 'dig' (or 'host') from.
> 
> 
> 
> On Fri, 7 Dec 2018 19:27:20 -0500
> Eric Tykwinski  wrote:
> 
>> This is getting rather technical, and probably some of CloudFlare’s
>> secret sauce. It sounds like the anycast DNS that cloudflare hosts
>> isn’t really working, or at least I would assume that they are using
>> anycast.
>> 
>> So you query current.cvd.clamav.net
>> but are getting different results at IAD and BOS.  Now next is the
>> inclusion of Comcast, which may and probably is caching DNS records
>> beyond normal TTLs which could cause the difference.  I personally
>> always run an Unbound cache server on my mailserver networks to cache
>> dns for at least an hour for rbls that I’m not rsyncing, but that
>> could cause an issue with Microsoft’s wonderful 10 second MX
>> records.  So that’s where I’ve run into this issue, but not often
>> enough since I’m just caching for an hour and probably MS expects it.
>> 
>> So my guess, is probably not anycast, but a caching DNS server that
>> is still giving older records.
>> 
>> Sincerely,
>> 
>> Eric Tykwinski
>> TrueNet, Inc.
>> P: 610-429-8300
>> 
>>> On Dec 7, 2018, at 6:20 PM, Paul Kosinski 
>>> wrote:
>>> 
>>> As some of you may be aware, ever since ClamAV began using
>>> Cloudflare, we have seen many occasions when files like daily.cvd
>>> were not available to our LAN until well after the DNS TXT record
>>> implied they should be.
>>> 
>>> However, we discovered that these same files *are* available to our
>>> Web/email server right away. So what is the difference? The first
>>> difference is that our Web server (a VM) is offsite, and is served
>>> by the "IAD" Cloudflare complex, whereas our local setup is served
>>> by the "BOS" Cloudflare complex.
>>> 
>>> The second, and likely explanatory difference, is that our local
>>> setup is connected via Comcast (a dynamic IP and all that), while
>>> our Web server (with its static IP etc.) is almost certainly more
>>> directly connected to the Internet as a whole.
>>> 
>>> The workaround we have adopted is as follows: we installed a
>>> "tinyproxy" server on our offsite VM. To ensure it only proxies for
>>> us, it listens on the encrypted OpenVPN tunnel we already had in
>>> place for FTP uploads etc. Then, instead of directly accessing
>>> database.clamav.net, freshclam uses our remote VM as a proxy, so
>>> that the cvd files are downloaded indirectly from Cloudflare's IAD
>>> server complex (via tinyproxy) rather than directly from
>>> Cloudflare's BOS server complex.
>>> 
>>> Since switching to this workaround a few days ago, we haven't
>>> observed any delays: the cvd files are available right away when
>>> the DNS TXT query says they should be.
>>> 
>>> I strongly suspect that Comcast is the culprit in the delays that
>>> had plagued us. This is especially suggested by the fact that
>>> Cloudflare returns a "Cache-Control:" header similar to:
>>> 
>>> Cache-Control: public, max-age=13672
>>> 
>>> where the max-age value varies, but is often several 

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-07 Thread Eric Tykwinski
This is getting rather technical, and probably some of CloudFlare’s secret 
sauce.
It sounds like the anycast DNS that cloudflare hosts isn’t really working, or 
at least I would assume that they are using anycast.

So you query current.cvd.clamav.net but are 
getting different results at IAD and BOS.  Now next is the inclusion of 
Comcast, which may and probably is caching DNS records beyond normal TTLs which 
could cause the difference.  I personally always run an Unbound cache server on 
my mailserver networks to cache dns for at least an hour for rbls that I’m not 
rsyncing, but that could cause an issue with Microsoft’s wonderful 10 second MX 
records.  So that’s where I’ve run into this issue, but not often enough since 
I’m just caching for an hour and probably MS expects it.

So my guess, is probably not anycast, but a caching DNS server that is still 
giving older records.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Dec 7, 2018, at 6:20 PM, Paul Kosinski  wrote:
> 
> As some of you may be aware, ever since ClamAV began using Cloudflare,
> we have seen many occasions when files like daily.cvd were not
> available to our LAN until well after the DNS TXT record implied they
> should be.
> 
> However, we discovered that these same files *are* available to our
> Web/email server right away. So what is the difference? The first
> difference is that our Web server (a VM) is offsite, and is served by
> the "IAD" Cloudflare complex, whereas our local setup is served by the
> "BOS" Cloudflare complex.
> 
> The second, and likely explanatory difference, is that our local setup
> is connected via Comcast (a dynamic IP and all that), while our Web
> server (with its static IP etc.) is almost certainly more directly
> connected to the Internet as a whole.
> 
> The workaround we have adopted is as follows: we installed a "tinyproxy"
> server on our offsite VM. To ensure it only proxies for us, it listens on
> the encrypted OpenVPN tunnel we already had in place for FTP uploads
> etc. Then, instead of directly accessing database.clamav.net, freshclam
> uses our remote VM as a proxy, so that the cvd files are downloaded
> indirectly from Cloudflare's IAD server complex (via tinyproxy) rather
> than directly from Cloudflare's BOS server complex.
> 
> Since switching to this workaround a few days ago, we haven't observed
> any delays: the cvd files are available right away when the DNS TXT
> query says they should be.
> 
> I strongly suspect that Comcast is the culprit in the delays that had
> plagued us. This is especially suggested by the fact that Cloudflare
> returns a "Cache-Control:" header similar to:
> 
>  Cache-Control: public, max-age=13672
> 
> where the max-age value varies, but is often several hours.
> 
> In my opinion, for data like ClamAV virus updates, the "Cache-Control:"
> should specify "no-cache". Can Cloudflare do this for ClamAV?
> 
> -
> 
> Below is a pair of recent (pre-workaround) log excerpts. They show a
> delay of over 2.5 hours experienced from BOS (via Comcast) vs no delay
> from IAD.
> 
> Note that the BOS "Date:" timestamp of 16:49:01 GMT *still* shows
> a "Last-Modified:" timestamp of 06:15:18 GMT, while IAD already shows
> the up-to-date "Last-Modified:" timestamp of 14:14:30 GMT at the much
> earlier "Date:" of 14:29:01 GMT!
> 
> 
>  IAD
> 
>    Date: Sun, 02 Dec 2018 14:09:01 GMT
>    Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>    ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>    Date: Sun, 02 Dec 2018 14:29:01 GMT
>    Last-Modified: Sun, 02 Dec 2018 14:14:30 GMT
>    ClamAV-VDB:02 Dec 2018 09-13 -0500:25173:2167842:63:ba557f61737b9d4b66acc96f7044b524:3nBAOxo97ssSNZb
> 
> 
>  BOS
> 
>    Date: Sun, 02 Dec 2018 14:09:01 GMT
>    Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>    ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>    Date: Sun, 02 Dec 2018 14:29:01 GMT
>    Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>    ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>    Date: Sun, 02 Dec 2018 14:49:01 GMT
>    Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>    ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670e3a525c4fd17bf65524ff05fcd:nwPmlNwUbKmexgT
> 
>    Date: Sun, 02 Dec 2018 15:09:01 GMT
>    Last-Modified: Sun, 02 Dec 2018 06:15:18 GMT
>    ClamAV-VDB:02 Dec 2018 01-14 -0500:25172:2167574:63:13c670

Re: [clamav-users] freshclam. Service exited with abnormal code: 1

2018-11-07 Thread Eric Tykwinski
Robert,

Looking at the freshclam return codes, it's not a problem.
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/freshclam/freshclamcodes.h

FC_UPTODATE = 1,

So basically it means there were no changes.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Robert Chalmers
> Sent: Wednesday, November 07, 2018 5:24 AM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] freshclam. Service exited with abnormal code: 1
> 
> I’m running freshclam on a Mac with a plist startup file, and although it
> appears to work at the required intervals, it always drops this error in the
> system.log
> "Nov  7 08:46:40 zeus com.apple.xpc.launchd[1]
> (org.homebrew.freshclam[85799]): Service exited with abnormal code: 1"
> 
> The odd thing is, it appears to work each time, but then gives this error when
> it exits.
> 
> I can not find the reason for this.
> 
> Thanks
> Robert
> 
> 
> 
> 
> 




Re: [clamav-users] How do I know when new versions contain .conf file changes?

2018-10-30 Thread Eric Tykwinski
Brian,

That would be Cisco direct, so the URL would be fine. 
ClamWin has some modifications, though I don’t know how much they differ.

I’ve got an Exchange MTA running Jam software, and I think they use clamwin, 
but I rely on them for updates which are usually several versions behind.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Oct 30, 2018, at 5:31 PM, Brian Fluet  wrote:
> 
> Thanks for the url to the release notes.
> 
> I'm using the Win32 package from clamav.net in conjunction with 
> Mercury Mail Transport System which passes messages to clamd.  
> 
> --
> Brian Fluet
> 
> 



Re: [clamav-users] How do I know when new versions contain .conf file changes?

2018-10-30 Thread Eric Tykwinski
My suggestion would be to check out the release notes on GitHub for your
specific version:
https://github.com/Cisco-Talos/clamav-devel/commits/rel/0.100

Depends though on if you are running Talos, or ClamWin.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Brian Fluet
> Sent: Tuesday, October 30, 2018 4:23 PM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] How do I know when new versions contain .conf file
> changes?
> 
> I use ClamAV for Win32 and am wondering if there is a way to tell
> when an update contains a change to either of the .conf files so as
> to know when it's ok to stay with the existing ones.
> 
> Thanks.
> 
> Brian Fluet
> 
> 
> 
> 




Re: [clamav-users] Mac: clamAV vs. Mojave

2018-10-23 Thread Eric Tykwinski
Well, definitely a permissions issue; my guess is that you used a binary 
installation.
Make sure the user that’s running freshclam has permissions to write to 
/private/var/log/freshclam.log

Personally, I usually just use Homebrew, https://brew.sh/
That will copy it to /usr/local/var/log/freshclam.log under the user that 
installed.

For multiple users I’ll run clamdscan under root, but that comes with its own 
issues for notifying users.
Someone forked my work and just decided to email users which works.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Oct 23, 2018, at 6:26 PM, Michael Newman  wrote:
> 
> After installing Mojave I’ve run into two problems:
> 
> ERROR: Can't open /private/var/log/freshclam.log in append mode (check 
> permissions!).
> ERROR: Problem with internal logger (UpdateLogFile = 
> /private/var/log/freshclam.log).
> 
> What should the ownership and permission be for the log file and the parent 
> directory?
> 
> I have clamav set up to scan my entire home directory. Never received any 
> error messages, but after installing Mojave I get many errors regarding 
> ~/Library, like this:
> 
> /Users/mnewman/Library/Application Support/AddressBook: lstat() failed: 
> Operation not permitted. ERROR
> 
> What does this mean and how do I fix it?
> 
> 



Re: [clamav-users] Latest report on update "delays"

2018-10-19 Thread Eric Tykwinski
You could limit with Last-Modified, but it’s dependent on the hosting server 
which CloudFlare can’t control.
Besides, it’s usually just main.cvd that will change mostly and that’s just the 
first download.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Oct 19, 2018, at 5:19 PM, Paul Kosinski  wrote:
> 
> I'm glad modern multi-core / multi-thread CPU's don't operate this way.
> 
> Imagine if, when your code on CPU1 tried to access memory location M,
> your code got what CPU1 happened to have in its cache, instead of what
> CPU2 stored into M a few microseconds ago. Fortunately, with real CPUs,
> CPU2 invalidates the other CPUs' caches, and CPU1 takes the extra time
> to fetch the new and correct data from memory.
> 
> Thus, what Cloudflare *should* have (if you can't explicitly upload a
> file), is a mechanism to tell it that a file is out of date. This
> mechanism could operate very quickly. Then, what Cloudflare would do is
> either to stall the HTTP response -- I doubt it would have to stall for
> long -- or reply with the appropriate HTTP status code warning the
> requester that something is amiss. (Codes 503, 504 or 409 might be
> applicable.)
> 
> 
> On Thu, 18 Oct 2018 22:34:03 +
> "Joel Esler (jesler)"  wrote:
> 
>> Cloudflare will grab the file from our infrastructure once it's been
>> requested.  (Otherwise it wouldn't know it was there, we can't push
>> into Cloudflare.). But we have discussed a few ideas internally that
>> I think will fix this, let us try a couple things and see if it cuts
>> down on this.
>> 
>> On Oct 18, 2018, at 1:55 PM, Eric Tykwinski <eric-l...@truenet.com> wrote:
>> 
>> As far as I know you don't upload to cloudflare, it's more of how
>> often does cloudflare check to see if the files have changed.
>> So you setup a TTL on the check frequency on the cloudflare website.
>> 
>> Since updates are new they should just be pulled when you ask from
>> the main clam server.
>> So you ask for daily-25048.cdiff, and Cloudflare will ask Clam's main
>> server for that file and cache it.
>> 
>> So my guess would be same as the TTL on the DNS check:
>> current.cvd.clamav.net. 1800 IN TXT "0.100.2:58:25048:1539883740:1:63:48006:327"
>> I.E. 30 minutes for older files, and new ones are when they come in.
>> 
>> Sound about right Joel, Micah?
>> 
>> Sincerely,
>> 
>> Eric Tykwinski
>> TrueNet, Inc.
>> P: 610-429-8300
>> 
>> -Original Message-
>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
>> Behalf Of Paul Kosinski
>> Sent: Thursday, October 18, 2018 1:23 PM
>> To: clamav-users@lists.clamav.net
>> Subject: Re: [clamav-users] Latest report on update "delays"
>> 
>> How can it take 10, 20 30 or more minutes (and I've seen well over an
>> hour at times) to upload the ClamAV database to Cloudflare? Does it
>> have to be uploaded separately (and maybe sequentially) from Cisco to
>> each Cloudflare mirror? Or is Cloudflare's automatic propagation slow?
>> 
>> 
>> On Thu, 18 Oct 2018 16:07:38 +
>> "Micah Snyder (micasnyd)"
>> mailto:micas...@cisco.com>> wrote:
>> 
>> Hi Paul,
>> 
>> I realize it may look misleading to state that you're up to date when
>> a newer database has been announced.  However, if the newer database
>> is still being uploaded to the CDN, it is more accurate to say that
>> the DNS announcement is premature.
>> 
>> The change to freshclam is an effort to ignore potentially premature
>> database version numbers listed via DNS.
>> 
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> 

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
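The exchange above involves three things freshclam has to reconcile: the `current.cvd.clamav.net` TXT record that announces new versions, the CVD header the CDN actually serves (what Paul's "curl of the first few bytes" reads), and the local copy. The following Python script is an added example, not freshclam's own code: it parses the TXT record quoted in the thread and a constructed CVD header, and applies the "one behind what DNS advertised still counts as up to date" rule Micah describes. The TXT field positions and the CVD header layout are my assumptions from the documented formats, and the sample header is constructed.

```python
"""Added example (not freshclam's code): read the ClamAV DNS TXT record and a
CVD header, then decide whether a local daily.cvd is current, modelling the
"one behind the advertised version still counts as up to date" behaviour the
thread attributes to freshclam 0.100.2."""
from dataclasses import dataclass

# The TXT record quoted in the thread. Field positions are an assumption based
# on how freshclam is documented to use this record: 0 = recommended ClamAV
# version, 1 = main.cvd version, 2 = daily.cvd version, 3 = timestamp,
# 5 = bytecode.cvd version.
TXT_RECORD = "0.100.2:58:25048:1539883740:1:63:48006:327"

# Constructed CVD header (a real one is the first 512 bytes of the file). Layout
# assumed: ClamAV-VDB:<build time>:<version>:<sig count>:<functionality level>:
# <MD5>:<digital signature>:<builder>:<build time in seconds>.
SAMPLE_CVD_HEADER = (
    b"ClamAV-VDB:18 Oct 2018 12-49 -0400:25047:1723456:63:"
    b"MD5-PLACEHOLDER:DSIG-PLACEHOLDER:builder-placeholder:1539881340"
)


@dataclass(frozen=True)
class Advertised:
    clamav_version: str
    main: int
    daily: int
    timestamp: int
    bytecode: int


def parse_txt_record(txt: str) -> Advertised:
    """Split the colon-separated TXT record into the fields freshclam compares."""
    fields = txt.strip('"').split(":")
    if len(fields) < 6:
        raise ValueError(f"unexpected TXT record layout: {txt!r}")
    return Advertised(
        clamav_version=fields[0],
        main=int(fields[1]),
        daily=int(fields[2]),
        timestamp=int(fields[3]),
        bytecode=int(fields[5]),
    )


def cvd_header_version(header: bytes) -> int:
    """Version number from a CVD header: what 'curl the first few bytes' reveals."""
    parts = header[:512].decode("ascii", errors="replace").split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < 3:
        raise ValueError("not a ClamAV CVD header")
    return int(parts[2])


def version_tuple(version: str) -> tuple:
    """'0.100.2' -> (0, 100, 2), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def engine_outdated(local: str, recommended: str) -> bool:
    """True only when the engine is really older than the recommended release.

    A plain string-inequality test would also flag a newer development build
    (0.101.0 against a recommended 0.100.0), which is the other OUTDATED
    warning discussed on this page."""
    return version_tuple(local) < version_tuple(recommended)


def assess_daily(local_daily: int, mirror_daily: int, advertised_daily: int,
                 tolerance: int = 1) -> str:
    """Decide what to tell the operator about daily.cvd.

    mirror_daily is the version the CDN actually serves (from the CVD header);
    advertised_daily comes from DNS. If the CDN is at most `tolerance` behind
    DNS, treat the DNS announcement as premature rather than the local copy as
    stale; if it is further behind, the mirror itself is the problem."""
    if local_daily < mirror_daily:
        return "update"
    if advertised_daily - mirror_daily > tolerance:
        return "mirror stale"
    return "up to date"


if __name__ == "__main__":
    adv = parse_txt_record(TXT_RECORD)
    served = cvd_header_version(SAMPLE_CVD_HEADER)
    print(f"DNS advertises daily {adv.daily}; CDN serves {served}")
    print("local 25047:", assess_daily(25047, served, adv.daily))
    print("engine 0.101.0 outdated?", engine_outdated("0.101.0", adv.clamav_version))
```

Paul's objection in the thread still applies to this logic: with `tolerance=1` an urgent signature release is invisible for as long as the CDN lags DNS, so a monitoring job should log the "mirror stale" case and the DNS/CDN gap separately rather than treating "up to date" as the whole story.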


Re: [clamav-users] Latest report on update "delays"

2018-10-18 Thread Eric Tykwinski
As far as I know you don't upload to cloudflare, it's more of how often does
cloudflare check to see if the files have changed.
So you setup a TTL on the check frequency on the cloudflare website.

Since updates are new they should just be pulled when you ask from the main
clam server.
So you ask for daily-25048.cdiff, and Cloudflare will ask Clam's main server
for that file and cache it.

So my guess would be same as the TTL on the DNS check:
current.cvd.clamav.net. 1800 IN TXT "0.100.2:58:25048:1539883740:1:63:48006:327"
i.e. 30 minutes for older files, and new ones are when they come in.

Sound about right Joel, Micah?

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Paul Kosinski
> Sent: Thursday, October 18, 2018 1:23 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] Latest report on update "delays"
> 
> How can it take 10, 20, 30 or more minutes (and I've seen well over an
> hour at times) to upload the ClamAV database to Cloudflare? Does it have
> to be uploaded separately (and maybe sequentially) from Cisco to each
> Cloudflare mirror? Or is Cloudflare's automatic propagation slow?
> 
> 
> On Thu, 18 Oct 2018 16:07:38 +
> "Micah Snyder (micasnyd)"  wrote:
> 
> > Hi Paul,
> >
> > I realize it may look misleading to state that you're up to date when
> > a newer database has been announced.  However, if the newer database
> > is still being uploaded to the CDN, it is more accurate to say that
> > the DNS announcement is premature.
> >
> > The change to freshclam is an effort to ignore potentially premature
> > database version numbers listed via DNS.
> >
> > Micah Snyder
> > ClamAV Development
> > Talos
> > Cisco Systems, Inc.
> >
> >
> > On Oct 15, 2018, at 2:26 PM, Paul Kosinski
> > mailto:clamav-us...@iment.com>> wrote:
> >
> > I don't have time at the present to try out 0.100.2. I am rebuilding
> > our Web server, which had a disk crash. We have backups, but we need
> > whole new hardware since the old server had an old 32-bit-only CPU.
> > Thus a *supported* Linux version will not run, and so a simple disk
> > replacement was not a viable option. (Unfortunately the new server,
> > although only a VM, still costs almost 50% more per month than the old
> > raw hardware, which was adequate, if clunky.)
> >
> > Back to ClamAV: I don't much like the idea of saying signatures are
> > "up to date" if only 1 version behind the latest version. Most of the
> > time that won't matter, but sometimes a really urgent new signature
> > comes out and this approach could mislead people into a false sense of
> > security.
> >
> >
> >
> > On Thu, 4 Oct 2018 22:27:14 +
> > "Micah Snyder (micasnyd)"
> > mailto:micas...@cisco.com>> wrote:
> >
> > Hi Paul,
> >
> > Thanks for the update.
> >
> > I am interested to know how freshclam in ClamAV 0.100.2 performs for
> > you.  I have made some tweaks to make it ignore mirrors for less
> > time, but more importantly I implemented a change to have it report
> > "up to date" in the event that the signature version provided by the
> > mirror is 1 behind what was advertised.  My hope is that this
> > alleviates the issue.
> >
> > Respectfully,
> > Micah
> >
> >
> > Micah Snyder
> > ClamAV Development
> > Talos
> > Cisco Systems, Inc.
> >
> >
> > On Oct 4, 2018, at 4:47 PM, Paul Kosinski wrote:
> >
> > At Joel's suggestion, I have changed our sampling rate looking for
> > ClamAV cvd updates from 15 minutes down to 1 minute. This gives a
> > more precise measurement of how long it takes for the cvd file(s) to
> > actually become available from Cloudflare after its presence is
> > "advertised" by the DNS TXT record.
> >
> > Since these measurements are mainly useful for tuning the ClamAV
> > servers, I won't in the future post them to clamav-users unless
> > others besides the ClamAV team find them useful. (Maybe they should
> > go to the clamav-developers list?)
> >
> > In any case, here is the latest log of delays. Note that these more
> > precisely measured delays are not explained as mere 15-minute
> > quantization errors.
> >
> > 2018-10-02 09:18:02  No delay
> > 2018-10-02 17:18:02  No delay
> > 2018-10-03 0

Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Eric Tykwinski
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Paul Kosinski
> Sent: Tuesday, July 31, 2018 2:42 PM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes
<...>
> Software should *never* crash when presented with invalid input,
> especially if the input arrives via the Internet. And it's quite
> conceivable that some especially clever bad guy might attack the source
> of signatures to incapacitate ClamAV, or, in the worst case, to cause it
> to execute arbitrary code instead of "merely" crashing.

Yeah, I think everyone pretty much can agree with that.
And it's not like it's uncommon, Gentoo just got whacked last month.

As far as helping to fix the issue, what yara rule was causing the issue on
100.1?
https://github.com/Yara-Rules/rules/blob/master/Antidebug_AntiVM/antidebug_antivm.yar

This one always fails a few, so I tested this out.
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603
undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614
undefined identifier "pe"
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from
file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

For loaded sigs:
LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from
file /var/lib/clamav/antidebug_antivm.yar, successfully loaded 92 rules.

If you guys need my config.log for versions of dependencies or anything just
let me know.  
Running 18.04 Ubuntu with OpenSSL 1.1.1, so total dev environment, but looks
like this release is 57 diffs from 100.1 release.
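The loader errors above all come from rules whose condition uses YARA's `pe` module, which this ClamAV build does not know, and Micah's proposed fix is to detect unsupported signature features before attempting to load them. As an added illustration, not ClamAV's or the Yara-Rules project's code, here is a Python pre-screen that drops such rules from a `.yar` file before clamd or freshclam picks it up. Only `pe` is evidenced by the log in the thread; the other module names in the set, and the sample rules, are assumptions.

```python
"""Added example (not ClamAV's own code): screen a YARA rule file for rules
whose condition references a YARA module that the ClamAV loader rejects with
  LibClamAV Error: yyerror(): ... undefined identifier "pe"
and write out only the rules that can load."""
import re
import sys

# Modules to treat as unsupported. Only "pe" is evidenced by the thread's log;
# the rest are assumptions to adjust per build (compare with your own clamscan --debug run).
UNSUPPORTED_MODULES = {"pe", "math", "cuckoo", "hash", "magic", "dotnet", "elf"}

# Constructed sample rule set; not the antidebug_antivm.yar file from the thread.
SAMPLE_YAR = r'''
import "pe"
import "math"

rule plain_strings
{
    strings:
        $a = "IsDebuggerPresent"
    condition:
        $a
}

rule uses_pe_module
{
    condition:
        pe.imports("kernel32.dll", "IsDebuggerPresent")
}

rule uses_math_module
{
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0 and math.entropy(0, filesize) > 7.0
}
'''

RULE_RE = re.compile(r'\b(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)')
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"', re.MULTILINE)


def split_rules(text):
    """Return [(name, source)] per rule, matching braces by depth.

    Hex strings such as { 4D 5A } are balanced, so depth counting copes with
    them; braces inside quoted strings are skipped. Comments are not stripped,
    so a 'rule' keyword inside a comment would confuse this simple scanner."""
    rules, pos = [], 0
    while True:
        m = RULE_RE.search(text, pos)
        if m is None:
            break
        start = text.find("{", m.end())
        if start < 0:
            break
        depth, i, in_string = 0, start, False
        while i < len(text):
            ch = text[i]
            if in_string:
                if ch == "\\":
                    i += 1  # skip the escaped character
                elif ch == '"':
                    in_string = False
            elif ch == '"':
                in_string = True
            elif ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        rules.append((m.group(1), text[m.start():i + 1]))
        pos = i + 1
    return rules


def module_refs(rule_source, modules=UNSUPPORTED_MODULES):
    """Module identifiers (e.g. 'pe' from 'pe.imports(...)') used in the condition."""
    condition = rule_source.split("condition:", 1)[1] if "condition:" in rule_source else ""
    return sorted(m for m in modules if re.search(rf"\b{re.escape(m)}\.", condition))


def screen(text, modules=UNSUPPORTED_MODULES):
    """Partition rules into loadable source and {rule name: [modules]} to drop."""
    keep, drop = [], {}
    for name, source in split_rules(text):
        refs = module_refs(source, modules)
        if refs:
            drop[name] = refs
        else:
            keep.append(source)
    return keep, drop


def filtered_ruleset(text, modules=UNSUPPORTED_MODULES):
    """Rule file text with unsupported rules and their import lines removed."""
    keep, drop = screen(text, modules)
    imports = [f'import "{m}"' for m in IMPORT_RE.findall(text) if m not in modules]
    return "\n".join(imports + [""] + keep) + "\n", drop


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YAR
    out, dropped = filtered_ruleset(src)
    for name, mods in dropped.items():
        print(f"dropping {name}: uses {', '.join(mods)}", file=sys.stderr)
    sys.stdout.write(out)
```

Run it as `python screen_yara.py antidebug_antivm.yar > antidebug_antivm.clam.yar` and point clamd at the filtered copy; the dropped rule names go to stderr so you can see what coverage you lose. A rule that parses but still crashes the engine, the case Micah describes, is not caught by a syntax-level screen like this, so a `clamscan --debug` dry run on the filtered file is still worth doing before deploying it.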




Re: [clamav-users] After 0.100.1 Update, clamd crashes

2018-07-31 Thread Eric Tykwinski

LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_jar3
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf2
LibClamAV debug: load_oneyara: successfully loaded YARA.phoenix_pdf3
LibClamAV debug: cli_loadyara: loaded 17 of 17 yara signatures from /var/lib/clamav/EK_Phoenix.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar
LibClamAV debug: load_oneyara: successfully loaded YARA.sakura_jar2
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Sakura.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_css2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_htm
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js3
LibClamAV debug: load_oneyara: successfully loaded YARA.zeroaccess_js4
LibClamAV debug: cli_loadyara: loaded 7 of 7 yara signatures from /var/lib/clamav/EK_ZeroAcces.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js2
LibClamAV debug: load_oneyara: successfully loaded YARA.zerox88_js3
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/EK_Zerox88.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.zeus_js
LibClamAV debug: cli_loadyara: loaded 1 of 1 yara signatures from /var/lib/clamav/EK_Zeus.yar
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Hdr_2
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type3_Bdy_4
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_TestSig_Type4_Bdy_3
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_PhishingTestSig_1
LibClamAV debug: cli_loadyara: loaded 4 of 4 yara signatures from /var/lib/clamav/Sanesecurity_sigtest.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_sigtest.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_test
LibClamAV debug: load_oneyara: successfully loaded YARA.Sanesecurity_Spam_pornspam
LibClamAV debug: cli_loadyara: loaded 2 of 2 yara signatures from /var/lib/clamav/Sanesecurity_spam.yara
LibClamAV debug: /var/lib/clamav/Sanesecurity_spam.yara loaded
LibClamAV debug: load_oneyara: successfully loaded YARA.OITC_pdf_with_emb_docm
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_IMPLANT_Loader
LibClamAV debug: load_oneyara: successfully loaded YARA.INDICATOR_Implant_Loader2
LibClamAV debug: load_oneyara: generic string: [File {0} has been uploaded in {1}] => [46696c65207b307d20686173206265656e2075706c6f6164656420696e207b317d]
LibClamAV debug: load_oneyara: successfully loaded YARA.IMPLANT2_3
LibClamAV debug: load_oneyara: successfully loaded YARA.CryptoWall_Resume_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.java_JSocket_20151217
LibClamAV debug: load_oneyara: successfully loaded YARA.detect_powershell_precursor_downloader
LibClamAV debug: load_oneyara: successfully loaded YARA.kmon_cred_phish
LibClamAV debug: load_oneyara: successfully loaded YARA.rtf_phishing_script_lines
LibClamAV debug: cli_loadyara: loaded 9 of 9 yara signatures from /var/lib/clamav/winnow_malware.yara
LibClamAV debug: /var/lib/clamav/winnow_malware.yara loaded

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of
Micah Snyder (micasnyd)
Sent: Tuesday, July 31, 2018 8:51 AM
To: steveb_cla...@sanesecurity.com; ClamAV users ML
Subject: Re: [clamav-users] After 0.100.1 Update, clamd crashes

Thanks for the analysis, Steve.  That is a step towards understanding how to
fix it.

I don't believe it's a new bug in 0.100, but was merely revealed due to
legitimate improvements in the yara sig loading behavior.

Copy-pasted from my comments in the ticket you linked:

> In 0.99.x some of the rules failed entirely, so the entire database was
> dropped. In 0.100, some of the rules failed, but it now allows it to
> partially load the ones that didn't outright fail. However, there appears to
> be a bug wherein at least one that is getting loaded is causing a crash.

It wouldn't be a good fix to go back and change so it drops the whole ruleset
because one failed to load.  The correct fix would be to detect signature
features that aren't supported before we attempt to load them so we can drop
them.

I welcome any additional research from the community to help find a fix for
this.  We have a lot on our plates, and don't have any time dedicated to fix
this one ourselves for 0.101.

Regard

Re: [clamav-users] Create custom cvd file

2018-07-24 Thread Eric Tykwinski
They have a document on the Github site:
https://raw.githubusercontent.com/vrtadmin/clamav-devel/master/docs/signatures.pdf

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of
Arul Raj
Sent: Tuesday, July 24, 2018 10:00 AM
To: ClamAV users ML
Subject: [clamav-users] Create custom cvd file

Hi Team,

How can I create a new .cvd / .cld file with some external signature
database (ClamAV-supported files like .hdb, .mdb)?

-

Arulraj I



Re: [clamav-users] contrib code

2018-07-20 Thread Eric Tykwinski
Personally, I don’t... 

Sent from my iPhone

> On Jul 20, 2018, at 6:29 PM, Micah Snyder (micasnyd)  
> wrote:
> 
> Hello ClamAV users and developers,
> 
> I want to know if there are users out there who actively use, or rely on, the 
> code/features in the "contrib" directory in the ClamAV source repository.
> More bluntly, I am thinking seriously about deleting this entire directory: 
> https://github.com/Cisco-Talos/clamav-devel/tree/dev/0.101/contrib
> 
> At a glance, it appears to me that no one has contributed to it in a 
> meaningful way in at least 6 years:
> https://github.com/Cisco-Talos/clamav-devel/commits/dev/0.101/contrib
> 
> If you desire us to hold on to any of the code in the directory, can you
> please tell me what code is valuable to you, and why you need us to keep it in
> the repository.
> Feel free to email me directly if you want to reply privately.
> 
> 
> Thanks much!
> Micah
>  
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 


Re: [clamav-users] Weird windowsx64 install issues. Unable to install because installer missing +other questions

2018-07-15 Thread Eric Tykwinski
Make sure you have VC++ 2015 redistributables installed.
https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jul 15, 2018, at 7:53 PM,   
> wrote:
> 
> (Forgive me If I'm making a mistake here, but I never received any replies 
> for my message the first time!) Am I supposed to send my questions to
> clamav-users-requ...@lists.clamav.net 
> <mailto:clamav-users-requ...@lists.clamav.net> 
> OR clamav-users-boun...@lists.clamav.net 
> <mailto:clamav-users-boun...@lists.clamav.net>
> OR clamav-users@lists.clamav.net <mailto:clamav-users@lists.clamav.net>
> ??
> Again I apologize. This was not explained very clearly on the instructions
> sign up page and I only recently noticed the difference when I got some
> emails from other users asking others for help and noticed it wasn't the same
> as the "requests" email. Now I'm totally lost here.
> 
> This is my original email asking for help.
> 
> I recently downloaded the Windows64 version but no matter what icon I click 
> after unzipping the package, Windows10 doesn't seem to want to do anything 
> with it. A black window that looks like command prompt quickly flashes the 
> screen and exits itself out again before anything can happen. What is the 
> correct way to install Windows64 Clamav on windows 10? Yes, I read the FAQ.
> 
> ClamAV.msi - base package for clamav, an anti-virus utility for Windows
> How to Install
> 
> simple mode: doubleclick the MSI installer package
> command line (displays only a confirmation dialog at the end): msiexec /i 
> clamAV.msi /qr
> 
> There is no MSI installer package included after downloading 
> clamav-0.100.1-win-x64-portable.zip
> 
> 
> When you download a copy of Clamav (specifically Win64) Does that download 
> contain all the most recent official and unofficial virus signatures? The 
> computer I'm installing it or using it on will likely not be internet capable 
> at any point in the future, if ever. I know this also sounds silly because 
> then what would be the point of an antivirus? But I guess it's just my need 
> to try and be as safe as possible overriding some of my logic there. The 
> thing is that I won't be able to install updates. If Clamav does contain the
> most recent official and unofficial signatures, should I uninstall and 
> reinstall the newest version every time? Does Clamav offer portable antivirus 
> signature update packages that I can make Clamav "eat"? That's if I ever get 
> it working of course.
> 
> Thank you for reading and Thank you for your help.



Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-10 Thread Eric Tykwinski
They have some documentation on their site:
https://support.cloudflare.com/hc/en-us/articles/115000540888-Load-Balancing-Geographic-Regions
No clue what regions they are using, but hopefully they donated some, it’s a
pretty solid anycast system.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jul 10, 2018, at 10:03 PM, Freddie Cash  wrote:
> 
> Joel posted pictures (in one of these update thread) of where the mirrors are 
> located along with the relative traffic that each one transfers.
> 
> Cheers,
> Freddie
> 
> Typos courtesy of my phone's keyboard.
> 
> On Tue, Jul 10, 2018, 6:37 PM Paul Kosinski wrote:
> I have a question. I presume that there are more physical Cloudflare
> server instances than implied by database.clamav.net's 5 IP addresses,
> and that they are geographically distributed, rather than all being
> in/near San Francisco. This suggests that they are Anycast addresses.
> But I don't know how to determine where the server instances are
> located, or which one(s) we reach when trying to download cvds.
> 
> The fact that we have observed a 1 hour delay further suggests that
> there a large number of instances, otherwise they would be brought into
> sync with the DNS TXT record more quickly. Is there any way that you
> people at ClamAV can determine when the various server instances in fact
> get the new cvd files? I would think that a CDN would provide statistics
> on that, especially if expected delays are spelled out in an SLA.
> 
> 
> On Tue, 10 Jul 2018 22:11:46 +
> "Joel Esler (jesler)" wrote:
> 
> > Thanks for this feedback everyone.  This is extremely useful.
> > 
> > 
> > > On Jul 10, 2018, at 11:26 AM, Paul Kosinski wrote:
> > > 
> > > Last night our new method of getting cvd updates showed that it was
> > > *one hour* from the time the DNS TXT record claimed a new cvd was
> > > available to the time when our quick curl said it was really
> > > available!
> > > 
> > > In particular at 1:03 AM (EDT), DNS said version 24739 was
> > > available, but a curl of the first few bytes of the cvd file said
> > > it was still at version 24738. It wasn't until 2:03 AM that curl
> > > reported that version 24739 was really available for download.
> 
> > 



Re: [clamav-users] I thought this was fixed...

2018-06-21 Thread Eric Tykwinski
> Looks like Eric is running a build from the development branch (dev/0.101) 
> from GitHub (not a beta, but ... a work in progress towards the next 
> version).  

Micah, that's correct.  I was just testing things out on Bash for Windows, and 
it's working good so far.

> Freshclam doesn't actually parse the version string to see if your version
> number is less than the current version, it just checks if it's different.  For
> both old versions and unreleased versions, you'll get that warning.

Remember this occurring during testing for the jump to 0.100 and I thought they 
changed the logic, but like I said it's not really important...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300






[clamav-users] I thought this was fixed...

2018-06-21 Thread Eric Tykwinski
Not a big deal, but the version check is still throwing version errors on
beta:

Thu Jun 21 09:59:51 2018 -> ClamAV update process started at Thu Jun 21 09:59:51 2018
Thu Jun 21 09:59:51 2018 -> ^Your ClamAV installation is OUTDATED!
Thu Jun 21 09:59:51 2018 -> ^Local version: 0.101.0 Recommended version: 0.100.0
Thu Jun 21 09:59:51 2018 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



Re: [clamav-users] WARNING: Local version: 0.99.4 Recommended version: 0.100.0

2018-06-19 Thread Eric Tykwinski
It’s always a pima for distros to find ones that follow release schedules.
Example:
Homebrew OSX:
/usr/local/Cellar/clamav/0.100.0_1 (84 files, 279.5MB) *
  Built from source on 2018-05-14 at 11:00:09 with: --with-yara --with-json-c

Ubuntu 16.04: Version: 0.99.4+addedllvm-0ubuntu0.16.04.1

CentOS7: Version : 0.99.4

It’s not like Cisco has anything to do with it, but each package manager will
follow its own rules.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jun 19, 2018, at 8:06 PM, Philip  wrote:
> 
> Has this been released yet by the major Distros? I'm using Debian 9 and can't 
> get any higher than 0.99.x
> 
> 
> On 20/06/2018 12:00 PM, Jobst Schmalenbach wrote:
>> On Tue, Jun 19, 2018 at 11:20:17AM -0600, Orion Poplawski (or...@nwra.com) 
>> wrote:
>>> On 06/18/2018 08:17 PM, Jobst Schmalenbach wrote:
>>>> Hi
>>> yum --enablerepo=epel-testing upgrade clam\*
>> Thanks!
>> I should have checked this myself ...
>> 
>> Clamav is the *ONLY* repo that has *-testing updates early in the process 
>> for the real stuff - I forget this.
>> 
>> 
>> Jobst
>> 
>> 
>> 
>> 
> 




Re: [clamav-users] importing the main.cvd file manually

2018-06-15 Thread Eric Tykwinski
If I was going to do it, I’d probably run an Ansible playbook to upload the
file and reload the databases.

To reload the database, it’s just clamdscan --reload --config-file=/….

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of
Greg Knaddison
Sent: Friday, June 15, 2018 1:57 PM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] importing the main.cvd file manually

Hello,

I would like to manually import the virus definition file on a set of
computers. These computers block outbound http requests and I'm not currently
running an http proxy and I'd rather not set one up just for this purpose. It
seems straightforward to automate the process of downloading the virus
definition files and pushing them to these computers, but then I imagine I need
to configure the computers to import the definition.

Is there a command that needs to be run to import the virus definitions?

If you'd like to earn points on askubuntu this question is also at
https://askubuntu.com/questions/1046700/how-do-i-manually-import-the-clamav-virus-definition-file

Thanks,

Greg




--
http://knaddison.com | http://twitter.com/greggles



Re: [clamav-users] clamsubmit missing with homebrew installation

2018-05-13 Thread Eric Tykwinski via clamav-users
Strange, I just compiled the source from
https://www.clamav.net/downloads/production/clamav-0.100.0.tar.gz
which they use
(https://github.com/Homebrew/homebrew-core/blob/master/Formula/clamav.rb), and
it’s there…

Not a clamav issue at any rate, and probably should be submitted to
https://discourse.brew.sh/

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On May 13, 2018, at 8:42 PM, Al Varnell via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
> 
> 
> From: Al Varnell <alvarn...@mac.com>
> Subject: Re: [clamav-users] clamsubmit missing with homebrew installation
> Date: May 13, 2018 at 8:42:55 PM EDT
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> 
> 
> Apparently you haven't read
> <https://blog.clamav.net/2018/03/returning-to-working-form-clamsubmit.html>
> 
> "Clamsubmit, at this time, is only available on the *nix systems."
> 
> -Al-
> 
> On Sun, May 13, 2018 at 12:25 PM, Antonis Papathanasiou via clamav-users 
> wrote:
>> 
>> From: Antonis Papathanasiou <anto...@gmx.us>
>> Subject: clamsubmit missing with homebrew installation
>> Date: May 13, 2018 at 12:25:55 PM PDT
>> To: clamav-users@lists.clamav.net
>> 
>> 
>> Hi All
>> 
>> When installing the latest clamav package via homebrew on a mac , clamsubmit 
>> is not available 
>> 
>> brew list clamav
>> /usr/local/Cellar/clamav/0.100.0_1/.bottle/etc/ (2 files)
>> /usr/local/Cellar/clamav/0.100.0_1/bin/clamav-config
>> /usr/local/Cellar/clamav/0.100.0_1/bin/clambc
>> /usr/local/Cellar/clamav/0.100.0_1/bin/clamconf
>> /usr/local/Cellar/clamav/0.100.0_1/bin/clamdscan
>> /usr/local/Cellar/clamav/0.100.0_1/bin/clamdtop
>> /usr/local/Cellar/clamav/0.100.0_1/bin/clamscan
>> /usr/local/Cellar/clamav/0.100.0_1/bin/freshclam
>> /usr/local/Cellar/clamav/0.100.0_1/bin/sigtool
>> /usr/local/Cellar/clamav/0.100.0_1/include/clamav.h
>> /usr/local/Cellar/clamav/0.100.0_1/lib/libclamav.7.dylib
>> /usr/local/Cellar/clamav/0.100.0_1/lib/libclammspack.0.dylib
>> /usr/local/Cellar/clamav/0.100.0_1/lib/libclamunrar.7.dylib
>> /usr/local/Cellar/clamav/0.100.0_1/lib/pkgconfig/ (2 files)
>> /usr/local/Cellar/clamav/0.100.0_1/lib/ (6 other files)
>> /usr/local/Cellar/clamav/0.100.0_1/sbin/clamd
>> /usr/local/Cellar/clamav/0.100.0_1/share/man/ (12 files)
>> 
>> Brew script points to the latest clamav package though which does have 
>> clamsubmit 
>> 
>> https://github.com/Homebrew/homebrew-core/blob/master/Formula/clamav.rb
>> 
>> Can anyone advise?
>> 
>> Thanks
>> Antonis
> 
> 



Re: [clamav-users] Errors connecting to mirrors

2018-03-28 Thread Eric Tykwinski
Joel,

I had the same issue at 4:45PM EST, so pasted my logs to the Bugzilla site.
If there’s any more information/help you guys need, please announce on the list.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Mar 28, 2018, at 6:41 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:
> 
> Inline’
> 
> Sent from my iPad
> 
>> On Mar 28, 2018, at 5:34 PM, Alex <mysqlstud...@gmail.com> wrote:
>> 
>> Is there a known current problem?
> 
> Not that I am aware of. Please file a mirror error ticket at 
> bugzilla.clamav.net and I’ll get someone to investigate it?
> 
>> Is there a site where we can go to
>> check mirror status?
> 
> Not yet, we are working on that, as we speak. 



[clamav-users] Quick question on submissions to the ClamAV site..

2018-03-08 Thread Eric Tykwinski
Talos ppl,

Is there any sort of guide for information that you guys would like to see
submitted with a False Positives/False Negatives?

IE.  VirusTotal link, local scan virus names and AV that catches it?

Thinking more for False Negatives as that's what I just submitted, but
didn't really see anything in the FAQs, so figured I'd ask.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



Re: [clamav-users] No updates since Monday 26th - daily 24352 ?

2018-02-28 Thread Eric Tykwinski
I usually check the virusdb list archives:
http://lists.clamav.net/pipermail/clamav-virusdb/

But yeah looks like that was the last update.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Mark Allan
> Sent: Wednesday, February 28, 2018 7:53 AM
> To: ClamAV users ML
> Subject: [clamav-users] No updates since Monday 26th - daily 24352 ?
> 
> Hi there,
> 
> I just noticed that there don't appear to have been any updates to
daily.cvd
> since v24352 on Monday 26th, which seems unlikely.
> 
> Is this correct or has something gone wrong with the update process?
Could it
> be related to the update of the clamav.net backend that you blogged
> about...on Monday.
> 
> http://blog.clamav.net/2018/02/clamavnet-has-been-upgraded.html
> 
> I note the timestamp in the DNS appears to be correct 1519820940 =
> 2018:02:28 12:29 (UTC) but I'm guessing there's just some automated
process
> which periodically updates the DNS record based on the currently released
> cvd versions?
> 
>   bash$ dig -t txt current.cvd.clamav.net +short
>   "0.99.3:58:24352:1519820940:1:63:47077:319"
> 
> Best regards
> Mark
> 
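The DNS check Mark quotes (dig -t txt current.cvd.clamav.net +short) can be turned into an offline comparison against a host's own daily version. The script below is an added example, not code from this thread or from the ClamAV project. The field positions it reads (engine version, main, daily, Unix timestamp) follow the record quoted in the thread; the remaining fields are left alone because their meaning is not given on the page. The local version is passed in by the caller (for instance from sigtool --info on daily.cld) so the script itself needs no network:

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from ClamAV: compare a
# host's daily.cvd/.cld version with the one published in DNS. Field positions
# 1-4 (engine version, main, daily, timestamp) follow the record quoted in the
# thread; the later fields are not interpreted here.

# Strip the quotes dig prints and split the TXT record on ':'.
# Usage:  parse_cvd_record '"0.99.3:58:24352:1519820940:1:63:47077:319"'
# Output: four lines: engine version, main version, daily version, timestamp.
parse_cvd_record() {
    rec="${1#\"}"; rec="${rec%\"}"
    old_ifs="$IFS"; IFS=:; set -- $rec; IFS="$old_ifs"
    [ "$#" -ge 4 ] || { echo "parse_cvd_record: unexpected record: $rec" >&2; return 1; }
    case "$2$3$4" in
        *[!0-9]*) echo "parse_cvd_record: non-numeric field in: $rec" >&2; return 1 ;;
    esac
    printf '%s\n%s\n%s\n%s\n' "$1" "$2" "$3" "$4"
}

# Render the record's Unix timestamp as UTC (GNU date first, BSD/macOS fallback).
cvd_timestamp_utc() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M UTC' 2>/dev/null || date -u -r "$1" '+%Y-%m-%d %H:%M UTC'
}

# $1 = TXT record, $2 = local daily version (e.g. the "Version:" line of
# `sigtool --info /var/lib/clamav/daily.cld`, looked up by the caller).
# Prints one of: current | behind N | ahead N.  Exit 0 only when current,
# 1 when the versions differ, 2 on unparsable input.
daily_status() {
    published="$(parse_cvd_record "$1" | sed -n 3p)"
    [ -n "$published" ] || return 2
    local_ver="$2"
    case "$local_ver" in
        ''|*[!0-9]*) echo "daily_status: bad local version: $local_ver" >&2; return 2 ;;
    esac
    if [ "$local_ver" -eq "$published" ]; then
        echo current
    elif [ "$local_ver" -lt "$published" ]; then
        echo "behind $((published - local_ver))"
        return 1
    else
        echo "ahead $((local_ver - published))"
        return 1
    fi
}

# Stand-alone use:  ./cvd-check.sh "$(dig -t txt current.cvd.clamav.net +short)" 24352
if [ "$#" -eq 2 ]; then
    ts="$(parse_cvd_record "$1" | sed -n 4p)" && [ -n "$ts" ] && echo "published: $(cvd_timestamp_utc "$ts")"
    daily_status "$1" "$2"
fi
```

A "behind N" result with a DNS timestamp that is recent is the normal case right after a release; a DNS timestamp that is days old, as in Mark's question, points at the publishing side rather than at the local freshclam.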




Re: [clamav-users] crypto currency miner

2018-01-02 Thread Eric Tykwinski

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Matthew Molyett
> Sent: Tuesday, January 02, 2018 4:46 PM
> To: ClamAV users ML
> Subject: Re: [clamav-users] crypto currency miner
> 
> L,
> 
> minerd is being detected as tool which has been encountered with malicious
> usage. This specific tool has been observed being dropped and set up
within
> honey pots. As with other tools, it has legitimate usage, but makes sense
> to flag because it is a valid indicator of compromise when located
> unexpectedly.

Exactly. Here was an incident that stung a couple of our customers at the
DC:
https://www.pcworld.com/article/2364120/hacked-synology-nas-systems-used-in-highprofit-cryptocurrency-mining-operation.html





Re: [clamav-users] Trouble getting cvd files from private local mirror

2017-12-09 Thread Eric Tykwinski
John,

Why do you have HSTS in your config?
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

No clue if that’s causing freshclam to break, but it would a normal browser.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Dec 9, 2017, at 12:16 AM, John Kennedy <skeb...@gmail.com> wrote:
> 
> Were you to read my original email - I can download the file with curl and
> wget (even supplied the output) so there is a successful connection to port
> 80 by other means, just NOT with freshclam. That is why I am having a
> difficult time with this.
> 
> 
> John Kennedy  (_8(|)
> 
> If I'm a sarcastic asshole when I talk to you it's either because I really
> like you and feel comfortable teasing you or I really hate you and don't
> care if you know it. Good luck figuring out which one...
> 
> Sometimes it happens, sometimes it doesn't - Pedro Catacora
> 
> The Dunning-Kruger effect occurs when incompetent people not only fail to
> realize their incompetence, but consider themselves much more competent
> than everyone else. Basically - they're too stupid to know that they're
> stupid.
> 
> On Fri, Dec 8, 2017 at 9:21 PM, Reindl Harald <h.rei...@thelounge.net>
> wrote:
> 
>> 
>> 
>> Am 08.12.2017 um 19:34 schrieb John Kennedy:
>> 
>>> connect_error: getsockopt(SO_ERROR): fd=4 error=110: Connection timed out
>>> Can't connect to port 80 of host clamav.trustx.com (IP: 10.10.10.10)
>>> WARNING: Can't download main.cvd from clamav.trustx.com
>>> 
>> and what is difficult to understand that on 10.10.10.10 port 80 does not
>> respond for whatever reason far outside of freshclam and clamav at all?
>> 
>> why in the world don't you dig that much around until you can make sure
>> that a) the hostname resolves from the client and b) "telnet ip 80" results
>> in a successful connection?
>> 
>> 


Re: [clamav-users] Questions about ClamAV

2017-11-20 Thread Eric Tykwinski
> On Nov 20, 2017, at 6:48 PM, Micah Snyder (micasnyd) <micas...@cisco.com> 
> wrote:
> 
> 3. Is it compatible with both Linux and Windows?
> Yes, however certain features (e.g. on access scanning) are limited to Linux.

I’ve found fswatch to overcome on-access scanning on OSX, and it’s supposed to 
support more, but I haven’t tested them.
https://github.com/emcrisostomo/fswatch

Don’t know if this will help S3, but may help others.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Re: [clamav-users] PUA.Win.Trojan.EmbeddedPDF-1 false-positives

2017-11-17 Thread Eric Tykwinski
PUA's tend to have a lot of false positives due to them being Potential.
I wouldn't recommend using them unless you really need a strict scan with
the ability to whitelist when needed.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Alex
> Sent: Friday, November 17, 2017 12:44 PM
> To: ClamAV users ML
> Subject: [clamav-users] PUA.Win.Trojan.EmbeddedPDF-1 false-positives
> 
> Hi,
> 
> We're seeing a large number of false-positives with the above rule. Is
> it particularly prone to false-positives? Would someone explain how it
> works?
> 
> What's perhaps even more strange is that scanning the email again (or
> the files within the email) don't produce the same false-positives.
> 
> Was there a period where this pattern had a problem and has now been
> corrected?




Re: [clamav-users] Quick question...

2017-11-09 Thread Eric Tykwinski
Ran it through LibreOffice to extract anything, but I’m not an expert.
Only thing I saw was a suspicious macro:
https://pastebin.com/5Mdfjy3m

Submitted to Talos, so if they find something more, I hope it helps.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Nov 9, 2017, at 7:26 PM, Al Varnell <alvarn...@mac.com> wrote:
> 
> On Nov 9, 2017, at 3:23 PM, Eric Tykwinski  wrote:
>> Does anyone know if the DDE payloads in Word documents are getting caught?
>> 
>> I had a customer with a very strange virus, basically it downloaded his 
>> inbox and was responding to recipients with an attached Word document.
>> This was coming from a botnet with the "EHLO localhost" signature.  Spam 
>> filters are catching them from SPF, and I haven’t yet analyzed the 
>> attachment, so it might just be junk.
>> 
>> Sincerely,
>> 
>> Eric Tykwinski
> 
> For those who have not seen the warning:
> https://technet.microsoft.com/en-us/library/security/4053440.aspx
> 
> 
> Sent from my iPhone
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA


[clamav-users] Quick question...

2017-11-09 Thread Eric Tykwinski
Does anyone know if the DDE payloads in Word documents are getting caught?

I had a customer with a very strange virus, basically it downloaded his inbox 
and was responding to recipients with an attached Word document.
This was coming from a botnet with the "EHLO localhost" signature.  Spam 
filters are catching them from SPF, and I haven’t yet analyzed the attachment, 
so it might just be junk.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


Re: [clamav-users] fail updates

2017-11-06 Thread Eric Tykwinski
Sort of weird from personal experience, but OVH seems to update better than 
most.  If anyone on OVH is here, feel free to explain.
Just looking at freshclam logs on my local servers running on links with 
L3/Cogent vs OVH I seem to have less issues on the OVH mirrors.
My personal explanation is that I’m getting just what they are receiving, so I 
don’t see all the failures, and they are probably checking at a higher rate 
than my monitoring servers.  This has nothing to do with Clam, but just the 
distribution of updates amongst caching servers.

I’ve never attempted to mirror a local ClamAV update server, but I wouldn’t be 
opposed, as some of my clients are probably downloading updates as well.  But 
my guess is that you are only getting limited by the local request to the 
server.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Nov 6, 2017, at 4:45 PM, Al Varnell <alvarn...@mac.com> wrote:
> 
> On Mon, Nov 06, 2017 at 01:21 PM, Joel Esler (jesler) wrote:
>> It would be helpful, if, starting now, deleting mirrors.dat and *then* 
>> telling us about failing mirrors…. Cause…. We’ve done many changes in the 
>> past month, it would be good to start from a clean slate.
> 
> 
> You might want to consider adding a feature to freshclam to delete 
> mirrors.dat when called for either by DNS or a code in a .cdiff update. That 
> way you could fix it for everybody after mirror configuration maintenance 
> actions.
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 
> 


[clamav-users] If anyone can give me a hand...

2017-10-24 Thread Eric Tykwinski
So I’ve got clamd running as root on a MacPro,  and individual plist files 
running clamdscan with fswatch scanning user directories for threats.
These are running in individuals ~/Library/LaunchAgents/ directories.
The clam part is running fine, and catching things.

My notify script however isn’t defaulting to user’s directories, so I guess I'm 
messing up my bash script.
If I static a filename and run it as root it works, so I’m at a loss.
If you want to check it out: https://pastebin.com/c5fRLyrs

Any help would be appreciated.

If I get the sucker to work, I’ll throw it up on GitHub with my configs.  
Pretty basic install with homebrew and a few plist files and shell scripts, so 
should be easy to use ansible/remotedesktop to configure multiple workstations.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Re: [clamav-users] Quick Question on clamd and OSX

2017-10-24 Thread Eric Tykwinski
Sorry for the noise...
The variables are only available for the duration of the script...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300




[clamav-users] Quick Question on clamd and OSX

2017-10-24 Thread Eric Tykwinski
On the VirusEvent section of clamd.conf, it says that it creates two
environment variables.

I've got clamdscan running under my user account on OS X 10.13, but not
showing anything on printenv.

Is there something I'm missing?
Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
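Serving both the fswatch-based on-access setup described in the earlier threads (clamd running as root, per-user LaunchAgents running fswatch and clamdscan, a notify script that does not land in the user's directory) and the VirusEvent question here, the script below is an added example, not Eric's script or anything from the ClamAV project. clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME only to the process it spawns for VirusEvent, so a handler has to read them in that process; an interactive printenv never sees them. The /Users/<name> layout, the script name clam-notify.sh and the osascript/launchctl notification path are assumptions.

```shell
#!/bin/sh
# Added example (not a script from the thread): a clamd VirusEvent handler for
# the macOS layout described on the list (clamd as root, per-user LaunchAgents
# running fswatch + clamdscan), plus the watch loop itself. The /Users/<name>
# layout and the osascript/launchctl notification path are assumptions.
#
# clamd.conf (assumed):  VirusEvent /usr/local/bin/clam-notify.sh

# clamd exports CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME only to
# the child it spawns for VirusEvent; they vanish with that process, so an
# interactive `printenv` never shows them. Prints "<file>: <name> FOUND".
virusevent_message() {
    file="${CLAM_VIRUSEVENT_FILENAME:-}"
    name="${CLAM_VIRUSEVENT_VIRUSNAME:-}"
    if [ -z "$file" ] || [ -z "$name" ]; then
        echo "clam-notify: CLAM_VIRUSEVENT_* not set (not started by clamd?)" >&2
        return 1
    fi
    printf '%s: %s FOUND\n' "$file" "$name"
}

# Whose home does the flagged file live in? clamd runs as root, so $HOME and
# $USER inside the handler are root's, not the affected user's; derive the user
# from the path instead. Returns 1 for paths outside /Users/<name>/.
owner_from_path() {
    case "$1" in
        /Users/*/*)
            rest="${1#/Users/}"
            printf '%s\n' "${rest%%/*}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Log the detection and, when the owner is known, show them a notification in
# their own session (launchctl asuser runs the command as that uid). Paths
# containing double quotes would need escaping before going into AppleScript.
notify_user() {
    msg="$(virusevent_message)" || return 1
    logger -t clamav-virusevent "$msg"
    owner="$(owner_from_path "$CLAM_VIRUSEVENT_FILENAME")" || return 0
    uid="$(id -u "$owner" 2>/dev/null)" || return 0
    launchctl asuser "$uid" osascript \
        -e "display notification \"$msg\" with title \"ClamAV\"" >/dev/null 2>&1 || :
}

# On-access loop for one directory, the way a per-user LaunchAgent would run it:
# fswatch prints every changed path on its own line, clamdscan hands each one to
# the running clamd, and --fdpass lets root's clamd read the user's file.
watch_and_scan() {
    fswatch -r "$1" | while IFS= read -r path; do
        if [ -f "$path" ]; then
            clamdscan --fdpass --no-summary "$path" || :
        fi
    done
}

case "${1:-}" in
    --watch) watch_and_scan "${2:-$HOME}" ;;    # ./clam-notify.sh --watch ~/Downloads
    *) if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then notify_user; fi ;;
esac
```

Run without arguments the script behaves as the VirusEvent handler (it only acts when clamd has set the variables); with --watch it is the per-user agent. Keeping the user lookup path-based is what avoids the "defaults to root's directory" problem: nothing in the handler's environment identifies the affected user.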

 



Re: [clamav-users] Signatur help - php injection

2017-10-24 Thread Eric Tykwinski
Hajo,

> Hello list,
> 
> Pattern is always the same, including the 5-char comments. In my case the 
> include string decodes to a path and includes an .ico file.
> I don't understand this code to obfuscate the path. I saw some samples and all 
> of the lines look a different way in encoded case. When decoded the strings 
> show some similarities. But unfortunately I can just create a signature to 
> raw text, not the decoded, human readable text.
> What would be best way to create a signature in this way? Currently this is a 
> puzzler for me and I don't find a way to create a clever for most cases 
> fitting signature.
> May be this would be a case for the pros?

If you’ve got the full files, then you can create some yara rules.  
Samples for webshells are located here: 
https://github.com/Yara-Rules/rules/tree/master/Webshells 


I’d be cautious at first and not use move or delete, at least until you’ve got 
the script down pat.  I’ve learned the hard way from my own false positives ;)

Eric


Re: [clamav-users] How to find string for a signature?

2017-10-21 Thread Eric Tykwinski
Kees,

> $ clamscan --detect-pua us-cert-message
> us-cert-message: PUA.Win.Trojan.Xored-1 FOUND
> 
> --- SCAN SUMMARY ---
> Known viruses: 6525318
> Engine version: 0.99
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.16 MB
> Data read: 0.10 MB (ratio 1.68:1)
> Time: 7.986 sec (0 m 7 s)

Good catch, I just did --scan-mail thinking that would catch it.

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-09 Thread Eric Tykwinski
> On Jul 9, 2017, at 1:21 PM, G.W. Haywood  wrote:
> 
> Hi there,
> 
> On Sun, 9 Jul 2017, Rosika wrote:
> 
>> I want to scan an mp3-file (about 60 MB in size).
>> Yet I get the message: "Data scanned: 0.00 MB"
>> ...
>> Is there any way of scanning mp3-files with clamscan?
> 
> Try compressing the file with gzip first:
> 
> cat file | gzip | clamscan -

I got a bit interested, so decided to write a quick yara script:
rule mp3_test {
  meta:
    description = "Find ID3 string at beginning of file"

  strings:
    $id3 = {49 44 33 03}

  condition:
    $id3 at 0
}

Sort of strange, that yara is catching it, but clamav isn’t.

Erics-Mac-Pro:temp eric$ clamscan -d mp3.yara ./
./.DS_Store: OK
./01 For Fruits Basket - TV Edit.mp3: OK
./01 Prologue-(Apprehension).mp3: OK
./01 The Ultimate -Naked mix -.mp3: OK
./01 Visitor.mp3: OK
./1-01 101_Book I Line 1 'Of Man's First Disobedience & The Fruit'.mp3: OK
./mp3.yara: OK

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 1
Scanned files: 7
Infected files: 0
Data scanned: 0.01 MB
Data read: 31.84 MB (ratio 0.00:1)
Time: 0.092 sec (0 m 0 s)

Erics-Mac-Pro:temp eric$ yara mp3.yara ./
mp3_test .//01 For Fruits Basket - TV Edit.mp3
mp3_test .//01 Visitor.mp3
mp3_test .//01 Prologue-(Apprehension).mp3
mp3_test .//01 The Ultimate -Naked mix -.mp3
mp3_test .//1-01 101_Book I Line 1 'Of Man's First Disobedience & The Fruit'.mp3

Just wondering if this is a limitation of ClamAV, or am I doing something wrong?



Re: [clamav-users] How to know if yara rules are being run?

2017-07-01 Thread Eric Tykwinski


> On Jul 1, 2017, at 1:10 AM, Mark Foley  wrote:
> 
> I've put the expetr.yara rule from Kaspersky for the recent notPetya 
> ransomware
> in my /var/lib/clamav directory.
> 
> How can I tell if clamav is running it? I see nothing in /var/log/clamav.log.
> 
> --Mark


My first suggestion would be make sure Yara rules are enabled in clamav.
So make a couple of files: 
/*** test.yara ***/
rule Test_Yara_Rules : test
{
  meta:
description = "Test Yara"
  strings:
$test = "YaraTest" fullword ascii
  condition:
$test
}
/***/

echo YaraTest > test.txt

clamscan -d ./test.yara test.txt

Should show you:
test.txt: YARA.Test_Yara_Rules.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)

For Ubuntu 16.04, it’s enabled by default, on OSX with homebrew add --with-yara 
to enable them.

PS.  Talos guys, I’m loving the new website, a lot of info in there.
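The check above (a one-rule file, a one-word test file, clamscan -d, expect YARA.Test_Yara_Rules.UNOFFICIAL FOUND) as a script, together with a small parser for clamscan's per-file output that also applies to the scan listings quoted elsewhere on this page. This is an added example, not the list's or the ClamAV project's code: the rule text is the one from this thread, the sample output lines the parser is exercised on are constructed, and the temporary-directory layout and script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "are my YARA rules loaded"
# check from the list as a script, and parse clamscan's output into something a
# monitoring job can act on. Script name yara-check.sh is an assumption.

# The rule from the thread, verbatim.
write_test_rule() {
    cat <<'EOF'
rule Test_Yara_Rules : test
{
    meta:
        description = "Test Yara"
    strings:
        $test = "YaraTest" fullword ascii
    condition:
        $test
}
EOF
}

# Turn clamscan's per-file lines into "path<TAB>signature" records, skipping
# "OK" lines and the summary block. The signature name never contains ": ",
# so the last ": " on a FOUND line separates path from signature.
found_from_scan() {
    awk '/ FOUND$/ {
        line = $0; sub(/ FOUND$/, "", line)
        if (match(line, /: [^: ]+$/)) {
            print substr(line, 1, RSTART - 1) "\t" substr(line, RSTART + 2)
        }
    }'
}

# Infected-file count from the "--- SCAN SUMMARY ---" block (0 when absent).
infected_count() {
    awk -F': ' '/^Infected files: / { n = $2 } END { print n + 0 }'
}

# Build the rule and the file in a scratch directory and scan with only that
# rule loaded (-d). Exit 0 when clamscan reports YARA.Test_Yara_Rules.UNOFFICIAL,
# 1 when it does not (rule ignored, e.g. a build without YARA support),
# 2 when clamscan is not installed. clamscan itself exits 1 on a hit, so its
# status is deliberately ignored in favour of parsing the output.
yara_selftest() {
    command -v clamscan >/dev/null 2>&1 || return 2
    tmp="$(mktemp -d)" || return 2
    write_test_rule > "$tmp/test.yara"
    echo YaraTest > "$tmp/test.txt"
    out="$(clamscan -d "$tmp/test.yara" "$tmp/test.txt" 2>&1 || :)"
    rm -rf "$tmp"
    printf '%s\n' "$out" | found_from_scan | grep -q 'YARA\.Test_Yara_Rules\.UNOFFICIAL$'
}

case "${1:-}" in
    --selftest)
        yara_selftest && rc=0 || rc=$?
        case $rc in
            0) echo "YARA rules are loaded" ;;
            1) echo "YARA rule did not fire (ClamAV built without YARA support?)" ;;
            *) echo "clamscan not found" ;;
        esac
        exit $rc
        ;;
    --parse) found_from_scan ;;   # e.g. clamscan -r ~/Downloads | ./yara-check.sh --parse
esac
```

The UNOFFICIAL suffix is how ClamAV labels hits from local rule files, so the parser output doubles as a quick way to separate official signatures from your own rules in a scan listing.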

Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Eric Tykwinski
I don't think anyone really knows the initial vector, but RDP was an entry
point according to the site I was reading:
Backdooring: The worm loops through every RDP session on a system to run the
ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It
corrupts shadow volumes to make recovery harder. (source: malwarebytes)
It seems more believable to me than everyone with SMB access to the public
internet.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
Of Dennis Peterson
Sent: Tuesday, May 16, 2017 12:25 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
clamav

If not email what is the vector?

dp

On 5/15/17 5:11 PM, Joel Esler (jesler) wrote:
> To be clear let me link to our blog post on the subject:
>
> http://blog.talosintelligence.com/2017/05/wannacry.html
>
> There has been No email vector seen in WannaCry to date.  Almost everyone
that has claimed this, has retracted it. Please read the above blog post for
all the facts as we know them.
>
> This is an ongoing threat.
>
> --
> Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Eric Tykwinski
Just as a side note, normal rules are catching the samples, so I don't know
if it would display both YARA and the others.
Here's what the samples show without YARA:
./CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE:
Win.Ransomware.WannaCry-6313053-0 FOUND
./CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE:
Win.Trojan.Agent-6312832-0 FOUND

I tested with one YARA script I saw on twitter (Florian Roth), but it didn't
catch them, so I can't really help out more.
Don't know if that's my end or not, just a default install with Homebrew on
OSX to test it out.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300





Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Eric Tykwinski
Here are links to sample files, i.e. use at your own risk:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
Of Mark Foley
Sent: Monday, May 15, 2017 2:58 PM
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
clamav

On Sat May 13 13:25:07 2017 From: Alain Zidouemba
<azidoue...@sourcefire.com> wrote:
>
> Yara rules have been supported by ClamAV since 2015:
> http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
>
> - Alain

I'm following these instructions now.  The instruction say, "just place your
YARA rule files into the ClamAV virus database location." I've copied the
Homeland Security yara script to a file, wannaCry.yar, in my /var/lib/clamav
directory. 

Is that it? No clamscan switch or config setting? Is there any way to
confirm this rule is being used?

I also downloaded and looked at the yara repo on github.  There are over 400
rules in the zipfile.  To use some or all of them would I just unzip into my
database location?

The instructions also say, "Regular expressions in both YARA rules and
ClamAV logical signatures require the Perl Compatible Regular Expressions
(PCRE) library." Is there a way to see if my clamAV was built with this?

Thanks, Mark

>
> On Sat, May 13, 2017 at 1:16 PM, Alex <mysqlstud...@gmail.com> wrote:
>
> > Hi,
> >
> > So you've probably heard of the latest ransomware dubbed WannaCry. 
> > I'm wondering if anyone has figured out a way to integrate the yara 
> > signatures for these types of exploits with spamassassin?
> >
> > https://www.us-cert.gov/ncas/alerts/TA17-132A
> >
> > What is the status of development of integration of yara rules into
clamav?
> >
> > [deleted]
> >
> > Thanks,
> > Alex
>




[clamav-users] Bad signature?

2017-04-20 Thread Eric Tykwinski
This doesn't seem to be impacting anything, but getting the following error
on ClamAV reload:
LibClamAV Warning: Don't know how to create filter for:
BC.Win.Exploit.CVE_2017_0060-6099223-0.{}
LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie

Freshclam log:
--
ClamAV update process started at Thu Apr 20 08:32:52 2017
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.2
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
Downloading daily-23312.cdiff [100%]
Downloading daily-23313.cdiff [100%]
daily.cld updated (version: 23313, sigs: 2054633, f-level: 63, builder: neo)
Can't query daily.23313.81.1.1.C2BA2F13.ping.clamav.net
bytecode.cld is up to date (version: 292, sigs: 58, f-level: 63, builder:
anvilleg)
Database updated (6273481 signatures) from database.clamav.net (IP:
194.186.47.19)
Clamd successfully notified about the update.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300






Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Eric Tykwinski
This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s.  I’m going 
to be beta testing stuff out shortly, but don’t have high hopes besides the 
Snort rules.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jan 4, 2017, at 6:23 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> 
> 
> Am 04.01.2017 um 23:12 schrieb Al Varnell:
>> Can somebody with access to those samples run them against a virgin ClamAV 
>> signature database to answer the question?  I'd be happy to if there are 
>> samples I can access.
> 
> official, virgin signatures don't and probably will never recognize recent 
> malware and following this list you should know this already
> 


[clamav-users] Apologies if this is a repost, ClamAV on Windows

2016-11-22 Thread Eric Tykwinski
I’m trying to find out whether this is a bug or not.
So we have ClamAV installed on a SmarterMail email server.  Simple install and 
runs on localhost 3310.
The default version for their installation is .99, but I’ve also tried 
upgrading to .99.2 and still had issues.

So the problem is that when freshclam, or their SaneSecurity batch script runs 
a clamd reload, the clam av process crashes, but only if connections are being 
tried to the localhost server.  If I disable the server from checking on ClamAV 
it will run without issue and reload the databases fine.

Below is an example of the clam.log files, but doesn’t show much:
Tue Nov 22 12:43:43 2016 -> Reading databases from 
C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
Tue Nov 22 12:44:14 2016 -> Database correctly reloaded (5234894 signatures)
Tue Nov 22 12:44:15 2016 -> Reading databases from 
C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
Tue Nov 22 12:44:28 2016 -> +++ Started at Tue Nov 22 12:44:28 2016
Tue Nov 22 12:44:28 2016 -> +++ Started at Tue Nov 22 12:44:28 2016
Tue Nov 22 12:44:28 2016 -> clamd daemon 0.99 (OS: win32, ARCH: x86_64, CPU: 
x86_64)
Tue Nov 22 12:44:28 2016 -> Log file size limited to 1048576 bytes.
Tue Nov 22 12:44:28 2016 -> Reading databases from 
C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
Tue Nov 22 12:44:28 2016 -> Not loading PUA signatures.
Tue Nov 22 12:44:28 2016 -> clamd daemon 0.99 (OS: win32, ARCH: x86_64, CPU: 
x86_64)
Tue Nov 22 12:44:28 2016 -> Bytecode: Security mode set to "TrustSigned".
Tue Nov 22 12:44:28 2016 -> Log file size limited to 1048576 bytes.
Tue Nov 22 12:44:28 2016 -> Reading databases from 
C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
Tue Nov 22 12:44:28 2016 -> Not loading PUA signatures.
Tue Nov 22 12:44:28 2016 -> Bytecode: Security mode set to "TrustSigned".
Tue Nov 22 12:44:59 2016 -> +++ Started at Tue Nov 22 12:44:59 2016
Tue Nov 22 12:44:59 2016 -> clamd daemon 0.99 (OS: win32, ARCH: x86_64, CPU: 
x86_64)
Tue Nov 22 12:44:59 2016 -> Log file size limited to 1048576 bytes.
Tue Nov 22 12:44:59 2016 -> Reading databases from 
C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
Tue Nov 22 12:44:59 2016 -> Not loading PUA signatures.
Tue Nov 22 12:44:59 2016 -> Bytecode: Security mode set to "TrustSigned".

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

