Re: [clamav-users] ClamAV 0.105.0 and Solaris no rustup

2022-08-16 Thread Henrik K
On Thu, May 05, 2022 at 11:58:32AM +0100, Andrew Watkins wrote:
> 
> Hello,
> 
> Before I start searching or looking at rustup website, has anyone compiled
> 0.105.0 on Solaris yet?
> 
> Solaris does have rustc and cargo but the rustup command does not like SunOS.

Solaris support for Rust is non-existent.

I managed to use the Solaris provided 1.53 version to compile 1.56 (which is
required for ClamAV).

It was a painstakingly long process.  I literally had to incrementally compile
all versions sequentially up to 1.56; skipping any would result in all sorts
of Rust errors.

Basically repeated this for each 1.54, 1.55, 1.56 sources:

export PATH=/usr/local/rust:$PATH
./configure --prefix=/usr/local/rust --enable-local-rust --enable-extended
python x.py build
python x.py install
# ... as a final slap in the face, of course the installer fails, so have to
# manually find and copy bin+lib stuff into /usr/local/rust

After that 0.105.1 compiled fine and seems to work.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] Solaris users in a bind

2021-11-03 Thread Henrik K
On Wed, Nov 03, 2021 at 07:44:21AM +, Liston, Daniel (DLISTON) via 
clamav-users wrote:
> 
> Can anyone offer instructions for getting the 103/104 source to compile
> on Solaris (preferably 11.3) or a work-around (that won't get me fired)?

You really should upgrade to Solaris 11.4, at least it has all required
dependencies out of the box.

There was already discussion on list:
https://marc.info/?l=clamav-users=162815724431511=2

If it's not possible, then you are pretty much doomed to compile all
dependencies yourself..


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-08-05 Thread Henrik K
On Thu, Aug 05, 2021 at 12:53:57PM +0300, Henrik K wrote:
>
> Oracle DOES maintain Solaris, current 11.4 has quite recent GCC (10.2) and
> all requirements except libcheck are OS provided, just pkg install them.

Never mind, did a bad search before, libcheck IS provided (pkg install
test/check). All tests pass:

Start 1: libclamav
1/5 Test #1: libclamav    Passed   21.18 sec
Start 2: clamscan
2/5 Test #2: clamscan .   Passed5.68 sec
Start 3: clamd
3/5 Test #3: clamd    Passed   22.56 sec
Start 4: freshclam
4/5 Test #4: freshclam    Passed2.75 sec
Start 5: sigtool
5/5 Test #5: sigtool ..   Passed0.79 sec

100% tests passed, 0 tests failed out of 5




Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-08-05 Thread Henrik K
On Sat, Jul 24, 2021 at 08:17:19PM +, Micah Snyder (micasnyd) via 
clamav-users wrote:
> 
> Sorry no we don't test on Solaris anymore.  To be frank, it seems pretty
> clear that Oracle isn't maintaining Solaris anymore.  All of the packages
> are years out of date, even the opencsw ones.  It simply wasn't worth the
> effort to maintain the solaris 10 and 11 vms we used to test with.  Our
> list of systems that we test on is
> https://docs.clamav.net/#supported-platforms


No problems on Solaris 11.4.32.0.1.88.3 (SPARC) here with latest fixes,
0.104 actually works stably and fast so far.  Some more ancient versions
just kept crashing and were slow (then again older Solaris versions had
ancient gcc etc).

Oracle DOES maintain Solaris, current 11.4 has quite recent GCC (10.2) and
other libraries (curl 7.71 etc).  All requirements except libcheck are OS
provided, just pkg install them.

The only thing that needed some manual fixing was some curses paths.

mkdir build
cd build
cmake .. \
  -D CMAKE_BUILD_TYPE="Release" \
  -D ENABLE_TESTS=OFF \
  -D PCRE2_INCLUDE_DIR=/usr/include/pcre \
  -D NCURSES_INCLUDE_DIR=/usr/include/ncurses \
  -D CURSES_LIBRARY=/usr/lib/64/libncurses.so

# Seems NCURSES_INCLUDE_DIR isn't used here..
sed -i 's###' clamav-config.h



-- Configuration Options Summary --
    Package Version:        ClamAV 0.104.0-rc
    libclamav version:      10:0:1
    libfreshclam version:   2:2:0
    Install prefix:         /usr/local
    Install database dir:   /usr/local/share/clamav
    Install config dir:     /usr/local/etc
    Host system:            SunOS-5.11
    Target system:          SunOS-5.11
    Compiler:
        Build type:         Release
        C compiler:         /usr/bin/gcc
        C++ compiler:       /usr/bin/c++
        CFLAGS:             -O3
        CXXFLAGS:           -O3
        WARNCFLAGS:         -Wall -Wextra -Wformat-security
    Build Options:
        Build apps:         ON
        Shared library:     ON
        Static library:     OFF
        Enable UnRAR:       ON
        Examples:           OFF
        Tests:              OFF
        Build man pages:    ON
        Build doxygen HTML: OFF
    Build Extras:
        Build milter:       ON  (toggle with -DENABLE_MILTER=ON/OFF)
-- Engine Options --
    Bytecode Runtime:       interpreter
-- libclamav Dependencies --
    Compression support:
        bzip2               /usr/include
                            /usr/lib/64/libbz2.so
        zlib                /usr/include
                            /usr/lib/64/libz.so
    XML support:
        libxml2             /usr/include/libxml2;/usr/include/libxml2
                            /usr/lib/64/libxml2.so
    RegEx support:
        libpcre2            /usr/include/pcre
                            /usr/lib/64/libpcre2-8.so
    Crypto support:
        openssl             /usr/include
                            /usr/lib/64/libssl.so;/usr/lib/64/libcrypto.so
    JSON support:
        json-c              /usr/include/json-c
                            /usr/lib/64/libjson-c.so
    Threading support:      pthread
    Locale support:
        iconv               /usr/include
                            /usr/lib/64/libc.so
-- libfreshclam Extra Dependencies --
    HTTP support:
        curl                /usr/include
                            /usr/lib/64/libcurl.so
-- Application Extra Dependencies --
    GUI support:
        ncurses             /usr/include/ncurses
                            /usr/lib/64/libncurses.so
    Milter Support:
        libmilter           /usr/include
                            /usr/lib/64/libmilter.so






Re: [clamav-users] Squid + ClamAV

2020-04-07 Thread Henrik K
On Tue, Apr 07, 2020 at 11:27:50AM +0100, G.W. Haywood via clamav-users wrote:
> 
> I certainly don't subscribe to the view expressed in this thread (if
> that's the view that was expressed, and I'm not simply misrepresenting
> it) that this has all been done before.  Some of it has, sure, but it
> still seems that there are issues, and room for some lateral thinking.

You are of course correct in that one must carefully choose what signatures
to use; the number of signatures has bloated a lot in recent years.




Re: [clamav-users] Squid + ClamAV

2020-04-02 Thread Henrik K
On Thu, Apr 02, 2020 at 08:14:21AM +0200, Andrea Venturoli via clamav-users 
wrote:
> On 2020-04-01 19:38, Henrik K wrote:
> 
> >> But pretty much all
> >> websites are SSL encrypted these days, so there's nothing to scan
> >> unless you do nasty man-in-the-middle decryption.  Everyone has virus
> >> scanners on their PC, browsers have all sorts of protection etc.
> >> The days of proxy scanning are long gone, it's just categorizing and
> >> blacklisting urls these days..
> 
> Well, you'll need MITM anyway if you want to see HTTPS URLs and be able to
> blacklist them.

There's always the request hostname, which can be used..  for many
organizations that's enough to filter.




Re: [clamav-users] Squid + ClamAV

2020-04-01 Thread Henrik K
On Wed, Apr 01, 2020 at 04:36:15PM +0100, G.W. Haywood via clamav-users wrote:
> Hi there,
> 
> On Wed, 1 Apr 2020, Andrea Venturoli via clamav-users wrote:
> 
> >I'm trying the combination Squid + C-ICAP + SquidClamAV + ClamAV, and I'm
> >seeing terrible performance.
> >...
> >Perhaps someone here is using the same thing or knows how to better
> >tweak the engine.
> 
> I'm not surprised that the performance is terrible. :/
> 
> To me it sounds like this will not be a quick tweak but a project, and
> a lot of work, but it might prove to be a valuable contribution to the
> security of a large number of users.

There's nothing new about HTTP scanning even with ClamAV.  I co-maintained
the HAVP scanner (havp.org / havp.hege.li) for years, it had a very clever
method and worked fine.  But pretty much all websites are SSL encrypted
these days, so there's nothing to scan unless you do nasty man-in-the-middle
decryption.  Everyone has virus scanners on their PC, browsers have all
sorts of protection etc.  The days of proxy scanning are long gone, it's
just categorizing and blacklisting URLs these days..




Re: [clamav-users] Squid + ClamAV

2020-04-01 Thread Henrik K
On Wed, Apr 01, 2020 at 03:47:09PM +0200, Andrea Venturoli via clamav-users 
wrote:
> 
> The whole thing is working, but page loading times varies a lot: sometimes
> they'll load as fast as without virus scanning, but often (the same pages)
> will take several seconds to display (with ClamAV eating a lot of CPU).

You'll want to at least apply the reload patch to clamd, or you will get
hangs while signatures are loading..

https://bugzilla.clamav.net/show_bug.cgi?id=10979



Re: [clamav-users] Automated submissions to third party databases?

2019-09-03 Thread Henrik K
On Tue, Sep 03, 2019 at 01:17:16PM +0200, Arnaud Jacques wrote:
> Ged,
> 
> >>Did you try spam_marketing.ndb from securiteinfo.com ? We detect many
> >>spams/phishing.
> >
> >Thanks - no, I don't use that one.  It's listed at Sanesecurity as
> >having a high false positive rate.
> 
> As far as I know, this review has not been updated since years.
> We fight false positives as soon as we discover one. This is our priority.
> Anyway, the best choice is to give it a try, customize the signatures if
> necessary, and make your own opinion, not only rely on 3rd party evaluation
> from years ago.
> 
> About my own tests, on several mail servers, spam_marketing.ndb detects a
> lot more spam and phishing than SaneSecurity signatures. No offense to
> SaneSecurity, it is just my own opinion. spam_marketing.ndb does not pretend
> to replace SaneSecurity, but is a complement.

General comment:

Using any third party rules with ClamAV is a gamble, but they are very good
for scoring with Amavisd/Spamassassin etc.  In my setup I don't even trust
the official signatures, I just score everything along with SA.




Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-08-31 Thread Henrik K
On Sat, Aug 31, 2019 at 12:21:11PM -0400, Scott Kitterman via clamav-users 
wrote:
>
> Not to put too fine a point on it, but if you are unhappy with the service 
> you 
> are receiving, you should switch to a different vendor.  I suspect it's 
> unlikely you'll get the same value for money elsewhere.

Does this worn cliché really need posting? :-)

But hey, I'm just participating in the community..  sometimes things just
need a bit of nudging.  I wouldn't even continue to nag about it, if this
was a basic volunteer project.  But we are talking about a security company
that should be proud of its code.




Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-08-31 Thread Henrik K
On Sat, Aug 31, 2019 at 04:48:54PM +0100, G.W. Haywood via clamav-users wrote:
> 
> More testing, by people prepared to chip in some effort instead of
> complaining about something that they get for free, would be great.

The final responsibility of implementing and testing the issue is still that
of the ClamAV team.

You are really making this a much more complex and "scary" issue than it is.
New features and major versions have been constantly released these past
years.  Just because someone in the bug had a random issue with the patch that
wasn't even analyzed by devs, doesn't mean it will "break millions of
systems" - especially if it isn't enabled by default (which is wise, since
it would need more memory).  It's simply a matter of being willing to check and
implement it.




Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-08-31 Thread Henrik K
On Sat, Aug 31, 2019 at 11:18:00AM -0400, Michael Orlitzky via clamav-users 
wrote:
> 
> Micah took the time to answer a question and provide a status update.
> It's counterproductive to shame people for being honest.

It's perfectly fine to shame a corporation for doing seemingly strange
things.  Micah etc are paid developers and not volunteers maintaining some
stale Open Source thingy.  Well at least I hope they are not..

An existing patch has existed for 5 years, so I'm pretty interested in
hearing why such a basic and important feature is still not implemented. 
Only thing that comes to mind is that the developers don't even actually use
ClamAV personally, or the use is so marginal that they don't even encounter
this problem.

If I encountered a bug like that on some project that I'm maintaining, I
would be shamed not to rapidly fix it.  But perhaps it's the organization to
blame.




Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-08-31 Thread Henrik K
On Sat, Aug 31, 2019 at 03:55:30PM +0100, G.W. Haywood via clamav-users wrote:
>
> Well not quite nothing, since you can download the source, apply the
> patch, and rebuild ClamAV.

Sure but it's not reality for the majority of users..

While it's good that people try it out, I doubt it would take long for a dev
to verify the patch carefully and implement a boolean for its use.  But I
guess new features pay more than having a robust engine.




Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-08-31 Thread Henrik K


The reload bug has been known for years, even has a ready patch.

https://bugzilla.clamav.net/show_bug.cgi?id=10979

But nothing you can do about it, ClamAV devs have a mind of their own.

At least servers in your scenario will (hopefully) retry sending.


On Sat, Aug 31, 2019 at 04:25:05PM +0200, Thomas Barth via clamav-users wrote:
> Hallo Mailinglist,
> 
> sometimes I get in Postfix the error messages "451 4.3.0 Error: queue file
> write error". There is a warning timeout talking to localhost:10024 (Amavis)
> 
> 
> Aug 31 14:14:19 mx2 postfix/smtpd[15861]: connect from
> unknown[177.37.96.254]
> Aug 31 14:14:20 mx2 postfix/smtpd[15861]: NOQUEUE:
> client=unknown[177.37.96.254]
> Aug 31 14:16:02 mx2 postfix/smtpd[15861]: warning: timeout talking to proxy
> localhost:10024
> Aug 31 14:16:02 mx2 postfix/smtpd[15861]: proxy-reject: END-OF-MESSAGE: 451
> 4.3.0 Error: queue file write error; from=
> to= proto=ESMTP helo=
> Aug 31 14:16:02 mx2 postfix/smtpd[15861]: disconnect from
> unknown[177.37.96.254] ehlo=1 mail=1 rcpt=1 data=0/1 commands=3/4
> 
> (Not hiding the from address, it's used by a spammer :))
> 
> Normally postfix gets a response after 3 seconds.
> 
> In the clamav.log I see at the same time, that reloading the database takes
> up to two minutes.
> 
> /var/log/clamav/clamav.log
> Sat Aug 31 14:14:15 2019 -> Database correctly reloaded (10971844
> signatures)
> Sat Aug 31 14:14:15 2019 -> Reading databases from /var/lib/clamav
> Sat Aug 31 14:14:15 2019 ->
> /var/lib/amavis/tmp/amavis-20190831T125532-12347-lWbaS7Ci/parts/p001:
> Sanesecurity.Scam.12584.UNOFFICIAL(:6617)
> FOUND
> Sat Aug 31 14:16:13 2019 -> Database correctly reloaded (10971844
> signatures)
> Sat Aug 31 14:16:13 2019 ->
> /var/lib/amavis/tmp/amavis-20190831T120830-10930-zSEWR54L/parts/p001:
> Sanesecurity.Scam.12559.UNOFFICIAL(:6449)
> FOUND
> 
> Is reloading a database blocking the e-Mail scanning? So how can I boost
> this process? It's a virtual server with 100% ssd and 6 cores (Intel(R)
> Xeon(R) CPU E5-2630 v4 @ 2.20GHz) and Debian Buster.
> 
> 
> Best regards,
> Thomas Barth
> 



Re: [clamav-users] ClamAV: Local Private Mirror

2019-07-31 Thread Henrik K
On Wed, Jul 31, 2019 at 03:33:59PM +, Joel Esler (jesler) via clamav-users 
wrote:
>
> Would not private mirror users be usually a single organization, so in
> practise a single "user"?  Why do you need to know how many servers they
> have?
> 
> 
> You know how often I get asked how many users we have?
> 
> A lot.

There's some difference in talking about users or number of installations.

> Private mirror users would be very much minority anyway looking at the big
> picture.
> 
> 
> 2. Out of those users, what versions they are running.
> 
> 
> Assuming competent admin, they all run the same version. 
> 
> 
> 
> Your assumptions are proven wrong, by looking at the statistics of the users 
> we
> have today.

How do you see statistics from users behind a private mirror?  My answer to
2 really referred to those installations (yes I should have said that
instead of "users").

You do see the private mirror instance freshclam statistics, so that's what
you have to go with.  Just assume some of those queries have hundreds of
servers behind them.




Re: [clamav-users] ClamAV: Local Private Mirror

2019-07-31 Thread Henrik K
On Wed, Jul 31, 2019 at 02:49:33PM +, Joel Esler (jesler) via clamav-users 
wrote:
>
> The only problem with the local mirrors, from our point of view are a couple 
> things:
> 
> 1. I don't know how many users we have

Would not private mirror users be usually a single organization, so in
practice a single "user"?  Why do you need to know how many servers they
have?

Private mirror users would be very much a minority anyway looking at the big
picture.

> 2. Out of those users, what versions they are running.

Assuming competent admin, they all run the same version. 

I don't see how you can find these "problems" in the least.




Re: [clamav-users] ClamAV: Local Private Mirror

2019-07-30 Thread Henrik K


Control. Is it really necessary to go over basic IT management practices here?

On Tue, Jul 30, 2019 at 05:13:50PM +, Joel Esler (jesler) via clamav-users 
wrote:
> I'm interested as to why people want to do private mirrors?  Other than to 
> save bandwidth going to "the internet"?
> 
> > On Jul 30, 2019, at 9:40 AM, J.R. via clamav-users 
> >  wrote:
> > 
> >> Can you please tell me the H/W and S/W Specification
> >> of the Private local Mirror Server as a best practice for CVD?!
> > 
> > https://www.clamav.net/documents/private-local-mirrors
> > 
> > It's going to depend on how many clients you will be serving...
> > 10 vs 10,000 is a huge difference in hardware requirements.
> > 
> > Realistically though, no matter which route you take, it is just
> > clients downloading static content at various intervals, which is not
> > very CPU intensive. You shouldn't need anything *that* powerful to
> > serve the files.
> > 
> 



> 




Re: [clamav-users] performance degradation of clamscan

2019-07-18 Thread Henrik K



On Tue, Jul 09, 2019 at 03:58:05PM -0400, Andrew Williams wrote:
> This translate into a longer signature load time when running clamscan or
> when starting/restarting clamd

You forgot "reloading" clamd.  Perhaps when clamd is hanging for 5 minutes
at a time, you will start looking at
https://bugzilla.clamav.net/show_bug.cgi?id=10979 more seriously?

But I'm sure there are many more important features in the queue than actually
letting the scanner do its job.  :-D




Re: [clamav-users] Disable MaxFileSize and MaxFileSize to scan the whole system

2018-11-28 Thread Henrik K
On Tue, Nov 27, 2018 at 05:01:40PM -0500, Albert o wrote:
> "sudo clamscan -r --remove=yes /"

ClamAV doesn't exactly have a perfect track record regarding false positives
(not that any scanner would have).  Are you sure you'd want --remove=yes to
remove some critical system files/libraries?

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] clamd using up all cpu on certain hosts

2018-11-16 Thread Henrik K
On Fri, Nov 16, 2018 at 03:52:44PM +0100, lukn wrote:
> 
> However, in VMs on one host machine, clamd is idling, on the other it's
> running at 200-350% CPU (4 vcores) according to top - even when there is
> nothing to be scanned.

Usually one would investigate something like this by running "strace -f -p
<pid>".  If you see syscalls, that's a clue on what it's doing (perhaps
reading files? stuck in some loop?).  Of course I assume you have checked
logs already..

If you are not seeing any syscalls, debugging the process with gdb could
give hints..



Re: [clamav-users] Specify more servers for clamdscan to pass for scanning

2018-11-05 Thread Henrik K
On Mon, Nov 05, 2018 at 03:19:44PM +, Micah Snyder (micasnyd) wrote:
>
> I'd be interested to know if someone has come up with a hack for how to have
> clamdscan fail over to a secondary clamd instance - but I'm not aware of a way
> to do that.  

It's called "writing your own clamdscan".  Connect socket and stream, not
rocket science.  No different than needing to write our own custom clamd,
since after all these years the official one STILL can't do a basic job of
reloading signatures without hanging the process.  :-D
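What "writing your own clamdscan" with failover amounts to, as an added Python example (not clamdscan or any ClamAV code): the INSTREAM framing clamd expects, the reply parsing, and a client that walks a list of clamd servers until one answers. The fake clamd, the MARKER string and the 127.0.0.1 ports are constructed here so the demo runs offline.

```python
import socket
import struct
import threading

CHUNK = 8192

def instream_frames(data, chunk=CHUNK):
    """Frames for clamd's INSTREAM command: the NUL-terminated 'z'-prefixed command,
    then each chunk prefixed by its 4-byte big-endian length, closed by a
    zero-length chunk."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack(">I", len(part)) + part
    yield struct.pack(">I", 0)

def parse_reply(reply):
    """Map 'stream: OK', 'stream: <name> FOUND' or '... ERROR' to (status, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" OK"):
        return "clean", None
    if text.endswith(" FOUND"):
        return "infected", text[len("stream: "):-len(" FOUND")]
    return "error", text

def scan_once(host, port, data, timeout):
    """One INSTREAM exchange with one clamd; raises OSError when it is unreachable."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            more = sock.recv(4096)
            if not more:
                break
            reply += more
    return parse_reply(reply)

def scan_with_failover(servers, data, timeout=30.0):
    """Try each (host, port) in order; move on when a clamd refuses the connection
    or times out (e.g. while it reloads signatures).  Raise if none answers."""
    failures = []
    for host, port in servers:
        try:
            return scan_once(host, port, data, timeout)
        except OSError as exc:            # ConnectionRefusedError, TimeoutError, ...
            failures.append(f"{host}:{port}: {exc}")
    raise ConnectionError("no clamd reachable: " + "; ".join(failures))

# --- constructed stand-in for clamd (INSTREAM only) so the demo runs offline ---
MARKER = b"CONSTRUCTED-TEST-MARKER"      # the fake server "detects" this string

def _recv_more(conn, buf):
    more = conn.recv(4096)
    if not more:
        raise ConnectionError("client closed mid-stream")
    return buf + more

def fake_clamd_serve_one(listener):
    """Accept one connection, read the INSTREAM frames, answer the way clamd would."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\0" not in buf:           # up to the end of the command
            buf = _recv_more(conn, buf)
        rest, body = buf.split(b"\0", 1)[1], b""
        while True:
            while len(rest) < 4:
                rest = _recv_more(conn, rest)
            (n,) = struct.unpack(">I", rest[:4])
            rest = rest[4:]
            if n == 0:
                break
            while len(rest) < n:
                rest = _recv_more(conn, rest)
            body, rest = body + rest[:n], rest[n:]
        conn.sendall(b"stream: Constructed.Test.Marker FOUND\0" if MARKER in body
                     else b"stream: OK\0")

def demo():
    """Dead port first, then the fake clamd: the failover reaches the live one."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()                          # nothing listens here any more
    servers = [("127.0.0.1", dead_port), ("127.0.0.1", live.getsockname()[1])]
    verdicts = []
    for payload in (b"harmless constructed bytes", b"xx" + MARKER + b"yy"):
        worker = threading.Thread(target=fake_clamd_serve_one, args=(live,))
        worker.start()
        verdicts.append(scan_with_failover(servers, payload, timeout=5))
        worker.join()
    live.close()
    return verdicts
```

Against real clamd instances the server list is the only thing to change; a reload-hung clamd shows up as a timeout and the next server gets the stream.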



Re: [clamav-users] ClamAV performance overhead on RHEL & Solaris

2018-03-18 Thread Henrik K
On Sat, Mar 17, 2018 at 09:49:42PM -0400, Paul Kosinski wrote:
> 3. With regard to reducing the delay when a new signature set is loaded:
> 
> I don't know the internals of ClamAV, but it seems that it ought to be
> possible to restructure it to overlap (in a different thread) the
> loading of signatures into memory with the running of the clamd scan
> engine. Then, when new signatures have been loaded, a simple pointer
> swap or three (mutexed, of course) would cause subsequent scans to use
> the new signatures. After the swap, the memory for the old signatures
> would be released by the loader thread. This would take more memory
> during signature update, but it might be a worthwhile option.

Good luck getting it implemented, such a patch has been hanging around for 4
years, of course the problem has been apparent for much longer.  I guess
ClamAV developers consider it normal for a service to hang for minutes
occasionally.

https://bugzilla.clamav.net/show_bug.cgi?id=10979
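The structure Paul sketches above, as an added Python illustration (not ClamAV's engine and not the bugzilla patch): the new signature set is loaded on a background thread while scans keep using the old one, then a single reference swap under a mutex switches later scans over, at the cost of both sets being in memory during the load. Signatures here are a constructed dict of byte patterns and scan() is a substring search; reload_blocking() shows the hold-the-lock shape that produces the hang complained about in this thread.

```python
import threading

class ReloadableScanner:
    """Toy scanner whose signature set is swapped, not rebuilt in place, on reload."""

    def __init__(self, signatures):
        self._lock = threading.Lock()     # guards only the reference, never the load
        self._sigs = dict(signatures)     # name -> byte pattern (constructed format)

    def scan(self, data):
        with self._lock:                  # held for a pointer read, so it never waits long
            sigs = self._sigs
        return sorted(name for name, pattern in sigs.items() if pattern in data)

    def reload_blocking(self, loader):
        """The hang: the lock is held for the whole load, so every scan queues
        behind it for as long as reading the signatures takes."""
        with self._lock:
            self._sigs = loader()

    def reload_async(self, loader, swap_gate=None):
        """Load via loader() on a background thread and swap when done.  swap_gate is
        a threading.Event used only by the demo to hold the swap until told."""
        def run():
            fresh = loader()              # the slow part; scans continue on the old set
            if swap_gate is not None:
                swap_gate.wait()
            with self._lock:
                self._sigs = fresh        # the swap; the old dict is released afterwards
        thread = threading.Thread(target=run, daemon=True)
        thread.start()
        return thread

def demo():
    """Scan during an async reload (old set answers), then after it (new set answers)."""
    old = {"Constructed.Old": b"OLD-MARKER"}
    new = {"Constructed.New": b"NEW-MARKER"}
    sample = b"...OLD-MARKER...NEW-MARKER..."      # constructed input
    scanner = ReloadableScanner(old)
    gate = threading.Event()
    thread = scanner.reload_async(lambda: dict(new), swap_gate=gate)
    during = scanner.scan(sample)         # returns at once, using the old set
    gate.set()                            # let the loader thread perform the swap
    thread.join(timeout=5)
    after = scanner.scan(sample)
    return during, after
```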


Re: [clamav-users] Use on linux operating systems

2017-06-13 Thread Henrik K
On Tue, Jun 13, 2017 at 09:37:36AM +, Paul Moreno wrote:
> Hi All,
> 
> I'm in the process of providing a recommendation to a client on the use of
> ClamAV.  From what I've read in various forums and online material, ClamAV
> appears to be better suited for mail systems, such as postfix, and Windows
> hosts.  Can anyone comment on the reliability and accuracy of using it on
> a Linux operating system?  I understand Linux "malware" would more or less
> be in the form of custom scripts, library exploits, and other
> vulnerabilities that lack signatures to detect against.

Consider these sigs in addition:

http://sanesecurity.com/usage/signatures/
- malwarehash.hsb hackingteam.hsb rogue.hdb winnow_malware.hdb
 winnow_extended_malware.hdb malware.expert.hdb porcupine.hsb sanesecurity.ftm

https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml
- securiteinfo.hdb securiteinfoascii.hdb (we just use the basic free one)

malware detect sigpack http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
- rfxn.hdb rfxn.ndb rfxn.yara

yara rules https://github.com/Yara-Rules/rules/archive/master.zip
- CVE_Rules Exploit-Kits Webshells

rootkit hunter
- rkhunter.ldb

That's what I've come up with for a bunch of Linux and Solaris boxes. Some
occasional FPs, java stuff etc that you might see on this list.  But no
biggies, it's just a report to read through.  Obviously we don't block or
use realtime scanning.

It's ok stuff for zero cost. Well it does use 1GB memory and 1 core all
night heh..  and requires doing all the scripts for sig updates and
repacking .cud for local mirror, custom yum updated scan scripts for clients
that handle per-server exclude-lists etc..

If anyone has hints for more sigs feel free to chime in..



Re: [clamav-users] ClamAV UnOfficial Database

2017-05-04 Thread Henrik K
On Thu, May 04, 2017 at 08:36:00PM +0300, Henrik K wrote:
> On Thu, May 04, 2017 at 02:57:51PM +0200, Reindl Harald wrote:
> > 
> > it's unacceptable having a clamd process which wastes nearly 1 GB of RAM
> > hanging around when he don't catch anything
> 
> For once I have to agree..
> 
> My stats:
> ClamAV - 10 million sigs (includes most sanesecurity stuff)
> Sophos - 13 million sigs
> 
> # /usr/bin/time -f '\t%E real, \t%M kBmem' /usr/local/clamav/bin/clamscan /etc/hosts
> 
> 0:28.18 real,   1096492 kBmem
> 
> # /usr/bin/time -f '\t%E real, \t%M kBmem' /opt/sophos-av/bin/savscan /etc/hosts
> 
> 0:05.99 real,   231504 kBmem
> 
> Perhaps ClamAV devs should start innovating a little on how to handle all
> the sigs, instead of keeping bloating a glorified in-memory hash-database. 
> ;-D Jeez one could probably simply precompile a CDB database from all the
> hashes and dramatically reduce memory usage, probably wouldn't even slow
> down much..

Just playing around a bit..

# /usr/bin/time -f '\t%E real, \t%M kBmem' /usr/local/clamav/bin/clamscan -d /tmp/testsigs /etc/hosts
Known viruses: 10448710
  0:25.76 real,   1164396 kBmem

Take out all the "complete file hashes" and we are not left with many sigs.. 
dramatic drop in memory usage, though it's still very high considering..

# /usr/bin/time -f '\t%E real, \t%M kBmem' /usr/local/clamav/bin/clamscan -d /tmp/testsigs /etc/hosts
Known viruses: 298188
  0:10.67 real,   215048 kBmem

These were separated:

# wc -l *
  447753 daily.hdb
      54 daily.hdu
 1531075 daily.hsb
       1 daily.hsu
   75620 daily.mdb
    1083 daily.mdu
       1 daily.msb
       1 daily.msu
   58464 main.hdb
       1 main.hsb
 4059433 main.mdb
       1 main.msb
     428 porcupine.hsb
    9636 rfxn.hdb
     114 rogue.hdb
 3730415 securiteinfo.hdb
   94786 securiteinfoandroid.hdb
   96084 securiteinfoascii.hdb
   36319 securiteinfohtml.hdb
      14 spamattach.hdb
      71 spamimg.hdb
    5894 winnow.attachments.hdb
     825 winnow_extended_malware.hdb
    3751 winnow_malware.hdb
10151824 total

Chew them into cdb with some lamo perl

===
#!/usr/bin/perl
use strict;
use warnings;
use CDB_File;

# Build /tmp/sigs.cdb from hash-signature lines read on stdin (cat *.hdb ... | script).
my $cdb = CDB_File->new('/tmp/sigs.cdb', "/tmp/sigs.cdb.$$")
    or die "CDB_File->new failed: $!\n";
my $keys = 0;
while (<>) {
    chomp;
    my ($hash, $size, $sig);
    # hdb/hsb style: hash:size:name
    if (/^([a-f0-9]{32,64}):(\d+|\*):([^:]+)/i) {
        $hash = lc($1); $size = $2; $sig = $3;
    }
    # mdb/msb style: size:hash:name
    elsif (/^(\d+):([a-f0-9]{32,64}):([^:]+)/i) {
        $size = $1; $hash = lc($2); $sig = $3;
    }
    else { die "Barf? $_\n"; }
    # key is the raw hash bytes; value keeps the size and signature name
    $cdb->insert(pack("H*", $hash), "$size:$sig");
    $keys++;
}
$cdb->finish;
print "$keys keys inserted\n";
===

# cat * | /usr/bin/time -f '\t%E real, \t%M kBmem' /tmp/clamcdb.pl
10151824 keys inserted
  0:31.09 real,   160144 kBmem

# du -h /tmp/sigs.cdb
781M    /tmp/sigs.cdb

So we traded memory for equal disk. No surprise there, those bazillion
hashes need their space.  I guess someone should just serve them up in cloud
somewhere like...  Immunet?  ^_^

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
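The same trade of memory for disk that the post's Perl script makes with CDB, shown end to end as an added example (not code from the post or from ClamAV): the hash signature lines are packed into fixed-width records sorted by hash, and a lookup binary-searches them through mmap, so only the pages a search touches become resident. File names, the sample content and the signature names are constructed for the demo.

```python
"""Constant-memory lookup of ClamAV hash signatures from a sorted on-disk index.
Added example, not code from the post: the post's Perl script packs the same
hash:size:name lines into a CDB; this variant writes fixed-width records sorted
by hash and binary-searches them through mmap, so a lookup touches a few pages
instead of holding all ten million hashes in RAM. Paths, sample content and
signature names are constructed for the demo."""
import hashlib, mmap, os, re, struct, tempfile

# ClamAV hash signature layouts (hash is hex MD5, SHA1 or SHA256):
#   .hdb/.hsb/.hdu/.hsu  FileHash:FileSize:MalwareName      (FileSize may be '*')
#   .mdb/.msb/.mdu/.msu  PESectionSize:SectionHash:MalwareName
_HEX = r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}"
_LINE = re.compile(r"^(?:(%s):(\d+|\*)|(\d+):(%s)):([^:]+)" % (_HEX, _HEX))
WILDCARD = (1 << 64) - 1           # size value stored for '*'
_REC = struct.Struct(">32sBQI")    # zero-padded hash, hash length, size, name offset
_KEY = 33                          # leading record bytes that form the search key


def parse_sig_line(line):
    """Split one hash signature line (either layout) into (raw_hash, size, name)."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("unrecognised signature line: %r" % line)
    hexhash, size = (m.group(1), m.group(2)) if m.group(1) else (m.group(4), m.group(3))
    return bytes.fromhex(hexhash), WILDCARD if size == "*" else int(size), m.group(5)


def build_index(lines, path):
    """Write a count header, the sorted records, then a NUL-separated name blob."""
    names, recs = bytearray(), []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw, size, name = parse_sig_line(line)
        recs.append((raw.ljust(32, b"\0"), len(raw), size, len(names)))
        names += name.encode() + b"\0"
    recs.sort(key=lambda r: r[0] + bytes([r[1]]))     # byte order of the search key
    with open(path, "wb") as f:
        f.write(struct.pack(">Q", len(recs)))
        for r in recs:
            f.write(_REC.pack(*r))
        f.write(bytes(names))
    return len(recs)


class HashIndex:
    """Read-only mmap view of an index file; only pages a search touches get loaded."""
    def __init__(self, path):
        self._fh = open(path, "rb")
        self._mm = mmap.mmap(self._fh.fileno(), 0, access=mmap.ACCESS_READ)
        self.count = struct.unpack_from(">Q", self._mm, 0)[0]
        self._names = 8 + self.count * _REC.size        # where the name blob starts

    def _key(self, i):
        off = 8 + i * _REC.size
        return self._mm[off:off + _KEY]

    def lookup(self, raw_hash, file_size):
        """Binary search for raw_hash; returns the malware name or None."""
        key = raw_hash.ljust(32, b"\0") + bytes([len(raw_hash)])
        lo, hi = 0, self.count
        while lo < hi:
            mid = (lo + hi) // 2
            if self._key(mid) < key:
                lo = mid + 1
            elif self._key(mid) > key:
                hi = mid
            else:
                break
        else:
            return None
        while mid > 0 and self._key(mid - 1) == key:    # one hash may list several sizes
            mid -= 1
        while mid < self.count and self._key(mid) == key:
            size, name_off = _REC.unpack_from(self._mm, 8 + mid * _REC.size)[2:]
            if size in (WILDCARD, file_size):
                off = self._names + name_off
                return self._mm[off:self._mm.find(b"\0", off)].decode()
            mid += 1
        return None


def scan_bytes(index, data):
    """Whole-file hash check, as clamscan does for .hdb/.hsb entries."""
    for algo in ("md5", "sha1", "sha256"):
        hit = index.lookup(hashlib.new(algo, data).digest(), len(data))
        if hit:
            return hit


# Constructed demo input: a harmless sample plus signature lines in both layouts.
SAMPLE = b"constructed sample content, not real malware\n"
SAMPLE_SIGS = [
    "%s:%d:Constructed.Test.MD5-0" % (hashlib.md5(SAMPLE).hexdigest(), len(SAMPLE)),
    "%s:*:Constructed.Test.SHA256-0" % hashlib.sha256(b"other content").hexdigest(),
    "4096:%s:Constructed.Test.Section-0" % ("ab" * 16),   # .mdb-style section hash
]


def demo(workdir=None):
    """Build the index from SAMPLE_SIGS, then scan a hit, a wildcard hit and a clean input."""
    path = os.path.join(workdir or tempfile.mkdtemp(), "sigs.idx")
    count = build_index(SAMPLE_SIGS, path)
    idx = HashIndex(path)
    return count, scan_bytes(idx, SAMPLE), scan_bytes(idx, b"other content"), scan_bytes(idx, b"clean")
```

Each record is 45 bytes, so the ten million hashes from the post would take roughly 450 MB on disk plus the names, in the same ballpark as the 781M CDB; a lookup costs about 24 page reads for the search plus one for the name. Section hashes (.mdb) are indexed the same way but would be looked up with the PE section's hash and size rather than the whole file's.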


Re: [clamav-users] ClamAV UnOfficial Database

2017-05-04 Thread Henrik K
On Thu, May 04, 2017 at 02:57:51PM +0200, Reindl Harald wrote:
> 
> it's unacceptable having a clamd process which wastes nearly 1 GB of RAM
> hanging around when he don't catch anything

For once I have to agree..

My stats:
ClamAV - 10 million sigs (includes most sanesecurity stuff)
Sophos - 13 million sigs

# /usr/bin/time -f '\t%E real, \t%M kBmem' /usr/local/clamav/bin/clamscan /etc/hosts

0:28.18 real,   1096492 kBmem

# /usr/bin/time -f '\t%E real, \t%M kBmem' /opt/sophos-av/bin/savscan /etc/hosts

0:05.99 real,   231504 kBmem

Perhaps ClamAV devs should start innovating a little on how to handle all
the sigs, instead of keeping bloating a glorified in-memory hash-database. 
;-D Jeez one could probably simply precompile a CDB database from all the
hashes and dramatically reduce memory usage, probably wouldn't even slow
down much..



[clamav-users] Java.Malware fps

2017-04-07 Thread Henrik K

Who's flooding crappy samples around, and why is ClamAV making sigs of tiny
class files like org/eclipse/aether/impl/RemoteRepositoryManager.class?

.m2/repository/org/codehaus/plexus/plexus-interpolation/1.19/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
.m2/repository/org/codehaus/plexus/plexus-interpolation/1.21/plexus-interpolation-1.21.jar: Java.Malware.Agent-6205983-0 FOUND
.m2/repository/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6203284-0 FOUND
.m2/repository/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
.m2/repository/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206114-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6203284-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206114-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.1.1/lib/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6203284-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206114-0 FOUND
Talend-LogServer/logstash-1.5.0/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/configuration/.m2/repository/org/codehaus/plexus/plexus-interpolation/1.19/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/configuration/org.eclipse.osgi/11/0/.cp/aether-impl-1.0.0.v20140518.jar: Java.Malware.Agent-6203284-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/configuration/org.eclipse.osgi/11/0/.cp/aether-impl-1.0.0.v20140518.jar: Java.Malware.Agent-6206104-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/configuration/org.eclipse.osgi/11/0/.cp/aether-impl-1.0.0.v20140518.jar: Java.Malware.Agent-6206114-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/configuration/org.eclipse.osgi/11/0/.cp/aether-spi-1.0.0.v20140518.jar: Java.Malware.Agent-6204790-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/configuration/org.eclipse.osgi/11/0/.cp/plexus-interpolation-1.21.jar: Java.Malware.Agent-6205983-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6203284-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206114-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-aether-provider-3.2.1.jar: Java.Malware.Agent-6205980-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-3.2.1.jar: Java.Malware.Agent-6202827-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-3.2.1.jar: Java.Malware.Agent-6203114-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-3.2.1.jar: Java.Malware.Agent-6219627-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-builder-3.2.1.jar: Java.Malware.Agent-6202656-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-builder-3.2.1.jar: Java.Malware.Agent-6202829-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-builder-3.2.1.jar: Java.Malware.Agent-6202832-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-builder-3.2.1.jar: Java.Malware.Agent-6203116-0 FOUND
Talend-Tools-Studio-20160704_1411-V6.2.1/plugins/org.eclipse.m2e.maven.runtime_1.5.0.20140605-2032/jars/maven-model-builder-3.2.1.jar: Java.Malware.Agent-6203119-0 FOUND

Re: [clamav-users] Streaming support in ClamD

2015-07-02 Thread Henrik K

Let's say you have a zip file. How do you expect ClamAV to scan it packet by
packet?  Or any other data really.  I think there are very few wild
signatures in database that are allowed to match any position anywhere in a
file.  Only reliable way is to scan a complete file, so it knows the
length and can decode it properly etc.

The now abandoned HAVP proxy scanner does many tricks (filesystem mandatory
locking to pseudo-stream files into clamav, zip header prefetch etc) to
achieve near realtime scanning for large files and reduce user hanging to
a minimum.  I guess this is what you are after, but ICAP can't achieve such
trickery.


On Thu, Jul 02, 2015 at 12:57:00PM +0530, P K wrote:
> Hi guys,
> 
> Waiting for your reply. It should be a simple answer.
> 
> Does ClamAv support virus checking in stream mode for large files?
> 
> If I have file size of 10Mb do I have to send all data to clamAv and clamAv
> will send status ok
> or can it scan data in each packet and return status for each segment?
> 
> Thanks
> 
> 
> On Tue, Jun 30, 2015 at 12:28 PM, P K pkopen...@gmail.com wrote:
> 
> > Hi Guys,
> >
> > I am new to Clamd and was trying to use it for virus scanning.
> >
> > I used squid + icap + clamAv.
> >
> > But I have seen that once all data is received clamAv INSTREAM is called and data is
> > passed to it.
> >
> > Is it an issue with the icap server or does Clamd not support streaming?
> >
> > Any guidance will be helpful for me
> > and how can we make ClamAv streaming support.
> >
> > Awaiting for reply.
> 
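The exchange the thread is about, as an added example that is not code from the thread or from ClamAV: a client frames a file for clamd's INSTREAM command exactly as clamd(8) documents it (the command, length-prefixed chunks, a zero-length chunk to end the stream) and receives a single verdict only after that terminator. `FakeClamd` is a constructed in-memory stand-in for the daemon whose detected pattern is made up and whose size-limit reply is modelled on the real daemon's wording; `scan_socket` runs the identical exchange against a real clamd socket.

```python
"""clamd INSTREAM framing, and why the verdict can only arrive after the last chunk.
Added example, not code from the thread. The client side follows the clamd
protocol as documented in clamd(8): "zINSTREAM\\0", then chunks prefixed by a
4-byte big-endian length, ended by a zero-length chunk, answered by one
"stream: ..." line. FakeClamd is a constructed in-memory stand-in for the daemon
and the pattern it "detects" is made up; scan_socket talks to a real clamd."""
import socket
import struct

CHUNK = 8192   # client chunk size; the whole stream must stay under clamd's StreamMaxLength
TERMINATOR = struct.pack(">I", 0)


def instream_frames(data, chunk=CHUNK):
    """Yield the byte frames a client writes to clamd for one INSTREAM scan."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        yield struct.pack(">I", len(part)) + part
    yield TERMINATOR


def parse_reply(reply):
    """Map 'stream: OK' / 'stream: X FOUND' / 'stream: X ERROR' to (status, detail)."""
    text = reply.rstrip(b"\0\n").decode()
    if not text.startswith("stream: "):
        raise ValueError("unexpected clamd reply: %r" % reply)
    body = text[len("stream: "):]
    for status in ("FOUND", "ERROR"):
        if body.endswith(" " + status):
            return status, body[:-len(status) - 1]
    if body == "OK":
        return "OK", ""
    raise ValueError("unexpected clamd reply: %r" % reply)


class FakeClamd:
    """Constructed stand-in: buffers every chunk and answers only at the terminator
    (or immediately with an ERROR once the stream exceeds its size limit)."""
    PATTERN = b"CONSTRUCTED-TEST-PATTERN"   # stands in for a real signature body

    def __init__(self, max_len=1 << 20):
        self.buf, self.max_len, self.started = bytearray(), max_len, False

    def feed(self, frame):
        """Consume one frame; returns the reply bytes, or b'' while still reading."""
        if not self.started:
            if frame != b"zINSTREAM\0":
                return b"UNKNOWN COMMAND\0"
            self.started = True
            return b""
        (n,) = struct.unpack(">I", frame[:4])
        if n == 0:                             # end of stream: scan the whole buffer
            if self.PATTERN in self.buf:
                return b"stream: Constructed.Test.Pattern FOUND\0"
            return b"stream: OK\0"
        self.buf += frame[4:4 + n]
        if len(self.buf) > self.max_len:       # modelled on clamd's StreamMaxLength reply
            return b"stream: INSTREAM size limit exceeded. ERROR\0"
        return b""


def scan_with(daemon, data, chunk=CHUNK):
    """Drive a daemon; returns (status, detail, number of frames sent before it answered)."""
    for sent, frame in enumerate(instream_frames(data, chunk), 1):
        reply = daemon.feed(frame)
        if reply:
            return parse_reply(reply) + (sent,)
    raise RuntimeError("daemon never answered")


def per_chunk_hits(data, chunk=CHUNK):
    """The naive 'scan each packet by itself' idea: misses anything that straddles chunks."""
    return any(FakeClamd.PATTERN in data[i:i + chunk] for i in range(0, len(data), chunk))


def scan_socket(path, data, chunk=CHUNK):
    """Same exchange against a real clamd UNIX socket (e.g. /var/run/clamav/clamd.ctl)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        for frame in instream_frames(data, chunk):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            piece = s.recv(4096)
            if not piece:
                break
            reply += piece
    return parse_reply(reply)


# Constructed inputs: a clean blob, and one where the pattern straddles a chunk boundary.
CLEAN = b"x" * 20000
STRADDLE = b"x" * (CHUNK - 10) + FakeClamd.PATTERN + b"y" * 100
```

`scan_with(FakeClamd(), STRADDLE)` reports FOUND only when the terminator is sent, while `per_chunk_hits(STRADDLE)` is False: a pattern split across two chunks is invisible to per-packet scanning, which is the reason a proxy has to hand clamd the complete object. The only early reply is the size-limit ERROR, so a client should treat any reply before the terminator as a failure, not a verdict.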


Re: [clamav-users] Libclamav :: Issue with version 0.98.4 on FC20 - Can't load /usr/local/share/clamav/daily.cvd: Can't allocate memory

2014-08-08 Thread Henrik K
On Fri, Aug 08, 2014 at 11:13:45PM -0400, Paul Kosinski wrote:
> 
> The problem turned out to be that libclamav's initialization mechanism
> didn't itself initialize OpenSSL, which ClamAV now (unfortunately) needs.

As discussed in earlier threads, that small thing was fixed in 0.98.5 beta
which you can already download.

http://blog.clamav.net/2014/07/clamav-0985-beta-has-been-posted.html



Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files

2014-07-09 Thread Henrik K

It's been two mondays now and no news... a new beta is posted but nothing
about the issue is mentioned?


On Thu, Jun 26, 2014 at 12:52:47PM -0400, Shawn Webb wrote:
> Hey Paul,
> 
> The reason for that is likely due to my usage of ctors and dtors with
> 0.98.3. In that version, I had added a ctors entry in libclamav to call
> cl_initialize_crypto and a dtors entry to call cl_cleanup_crypto. It turns
> out that operating systems like AIX, HPUX, and Solaris 10 don't support
> ctors/dtors. In order to provide support for those OSs, I opted to remove
> the ctors/dtors entries and call cl_initialize_crypto directly in the
> applications that we distribute that consume libclamav (clamscan, clamd,
> clamdscan, freshclam, etc.) That means that we're no longer calling
> cl_initialize_crypto in the background and third-party applications will
> need to call cl_initialize_crypto themselves. But that may or may not
> change with the discussion on Monday.
> 
> Thanks,
> 
> Shawn
> 
> 
> On Thu, Jun 26, 2014 at 12:37 PM, Paul Kosinski cla...@iment.com wrote:
> 
> > Shawn,
> >
> > Yes indeed, HAVP calls into libclamav directly.  But then why does this
> > only fail in 0.98.4 but *not* in 0.98.3?  Wasn't OpenSSL already being
> > used in 0.98.3?
> >
> > An additional problem is that the HAVP developer seems to have stopped
> > working on it, according to the HAVP forum (http://havp.hege.li/forum/).
> > Of course, since HAVP is Open Source, I could change it for my use
> > (but I don't want to take it over).
> >
> > Thanks for the quick response,
> > Paul
> >
> >
> > > Hey Paul,
> > >
> > > It looks like HAVP is calling into libclamav directly. That means
> > > that HAVP will need to either initialize OpenSSL prior to calling the
> > > cl_init() function in libclamav, or it will need to call
> > > cl_initialize_crypto() prior to calling cl_init(). We have an open
> > > bug on our end to track this issue (bugzilla bug 11037).
> > > Additionally, a bug report should be opened with HAVP to document
> > > the issue on their end. I will be discussing with the team soon
> > > potential solutions going forward.
> > >
> > > Thanks,
> > >
> > > Shawn


Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files

2014-07-09 Thread Henrik K

Apparently it's fixed... I'm sure someone will try it out. I'm just getting
lots of questions and patches about it and was wondering why nothing was
announced.  So yes it looks like 0.98.4 will be an oddball version and third
party software doesn't need to be modified.

Thu, 03 Jul 22:14:40 EDT 2014 (swebb)

* Call cl_initialize_crypto() in cl_init()



On Tue, Jul 08, 2014 at 11:42:54PM -0700, Al Varnell wrote:
> So you've tried the beta and it didn't fix the issue?  One of the reasons
> for announcing the beta was so folks like you can play in the bug fixing
> process.
> 
> There are dozens of changes to each version and only a few of the major
> items are ever mentioned in the announcements.  There are far too many bug
> fixes for developers to respond to all issues such as yours.  It's likely
> to be several weeks or even months before 0.98.5 is released.
> 
> -Al-
> 
> On Tue, Jul 08, 2014 at 11:32 PM, Henrik K wrote
> 
> > It's been two mondays now and no news... a new beta is posted but nothing
> > about the issue is mentioned?
> >
> > On Thu, Jun 26, 2014 at 12:52:47PM -0400, Shawn Webb wrote:
> > > Hey Paul,
> > >
> > > The reason for that is likely due to my usage of ctors and dtors with
> > > 0.98.3. In that version, I had added a ctors entry in libclamav to call
> > > cl_initialize_crypto and a dtors entry to call cl_cleanup_crypto. It turns
> > > out that operating systems like AIX, HPUX, and Solaris 10 don't support
> > > ctors/dtors. In order to provide support for those OSs, I opted to remove
> > > the ctors/dtors entries and call cl_initialize_crypto directly in the
> > > applications that we distribute that consume libclamav (clamscan, clamd,
> > > clamdscan, freshclam, etc.) That means that we're no longer calling
> > > cl_initialize_crypto in the background and third-party applications will
> > > need to call cl_initialize_crypto themselves. But that may or may not
> > > change with the discussion on Monday.
> > >
> > > Thanks,
> > >
> > > Shawn
> > >
> > >
> > > On Thu, Jun 26, 2014 at 12:37 PM, Paul Kosinski cla...@iment.com wrote:
> > >
> > > > Shawn,
> > > >
> > > > Yes indeed, HAVP calls into libclamav directly.  But then why does this
> > > > only fail in 0.98.4 but *not* in 0.98.3?  Wasn't OpenSSL already being
> > > > used in 0.98.3?
> > > >
> > > > An additional problem is that the HAVP developer seems to have stopped
> > > > working on it, according to the HAVP forum (http://havp.hege.li/forum/).
> > > > Of course, since HAVP is Open Source, I could change it for my use
> > > > (but I don't want to take it over).
> > > >
> > > > Thanks for the quick response,
> > > > Paul
> > > >
> > > > > Hey Paul,
> > > > >
> > > > > It looks like HAVP is calling into libclamav directly. That means
> > > > > that HAVP will need to either initialize OpenSSL prior to calling the
> > > > > cl_init() function in libclamav, or it will need to call
> > > > > cl_initialize_crypto() prior to calling cl_init(). We have an open
> > > > > bug on our end to track this issue (bugzilla bug 11037).
> > > > > Additionally, a bug report should be opened with HAVP to document
> > > > > the issue on their end. I will be discussing with the team soon
> > > > > potential solutions going forward.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Shawn


Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files

2014-06-26 Thread Henrik K

Hello, HAVP developer here. I'll release a new version if it's required, but
I guess that will have to wait on the discussions.  Hopefully it's not even
necessary and 0.98.4 will remain an unused dark horse version..

Cheers,
Henrik


On Thu, Jun 26, 2014 at 05:35:08PM +, cla...@it-connect-unix.de wrote:
> Hello there, I'm Kare from copfilter.org
> 
> I saw this discussion about failing havp with ClamAV 0.98.4 and we
> also use havp in our project for a long time.
> There is a way to get havp working, until another solution has been found.
> 
> Go to havp.config and disable clamlib and enable the socket mode
> ENABLECLAMLIB false
> 
> ENABLECLAMD true
> CLAMDSOCKET /var/log/clamd.socket
> 
> I planned to contact the developer on weekend
> 
> Regards
> 
> Quoting Shawn Webb sw...@sourcefire.com:
> 
> > Hey Paul,
> >
> > The reason for that is likely due to my usage of ctors and dtors with
> > 0.98.3. In that version, I had added a ctors entry in libclamav to call
> > cl_initialize_crypto and a dtors entry to call cl_cleanup_crypto. It turns
> > out that operating systems like AIX, HPUX, and Solaris 10 don't support
> > ctors/dtors. In order to provide support for those OSs, I opted to remove
> > the ctors/dtors entries and call cl_initialize_crypto directly in the
> > applications that we distribute that consume libclamav (clamscan, clamd,
> > clamdscan, freshclam, etc.) That means that we're no longer calling
> > cl_initialize_crypto in the background and third-party applications will
> > need to call cl_initialize_crypto themselves. But that may or may not
> > change with the discussion on Monday.
> >
> > Thanks,
> >
> > Shawn
> >
> >
> > On Thu, Jun 26, 2014 at 12:37 PM, Paul Kosinski cla...@iment.com wrote:
> >
> > > Shawn,
> > >
> > > Yes indeed, HAVP calls into libclamav directly.  But then why does this
> > > only fail in 0.98.4 but *not* in 0.98.3?  Wasn't OpenSSL already being
> > > used in 0.98.3?
> > >
> > > An additional problem is that the HAVP developer seems to have stopped
> > > working on it, according to the HAVP forum (http://havp.hege.li/forum/).
> > > Of course, since HAVP is Open Source, I could change it for my use
> > > (but I don't want to take it over).
> > >
> > > Thanks for the quick response,
> > > Paul
> > >
> > >
> > > > Hey Paul,
> > > >
> > > > It looks like HAVP is calling into libclamav directly. That means
> > > > that HAVP will need to either initialize OpenSSL prior to calling the
> > > > cl_init() function in libclamav, or it will need to call
> > > > cl_initialize_crypto() prior to calling cl_init(). We have an open
> > > > bug on our end to track this issue (bugzilla bug 11037).
> > > > Additionally, a bug report should be opened with HAVP to document
> > > > the issue on their end. I will be discussing with the team soon
> > > > potential solutions going forward.
> > > >
> > > > Thanks,
> > > >
> > > > Shawn


Re: [clamav-users] how to release 16K FPs from quarantine?

2012-08-09 Thread Henrik K
On Thu, Aug 09, 2012 at 02:07:22PM -0400, Alex wrote:
> Hi,
> 
> > # sigtool --find-sigs MBL_303159 | sigtool --decode-sigs
> > Does anyone know what's going on with this domain? It doesn't look
> > like a domain thousands of my users would be including in their email
> > on Aug 7th, so I don't know whether the emails were really spam...
> 
> > Hi Alex,
> >
> > The problem I think was that the sig was bad and it matching anything
> > www.  hence the huge number of FP's
> 
> I thought the signatures were fixed? In other words, simple pattern
> matching for a fixed string.
> 
> I didn't realize it was dynamic and could match an expression, or am I
> missing something?

MBL's signature download (http) is unreliable and sometimes gives out
incomplete files.  Obviously if the file cuts out in the middle of signature
this can happen.



Re: [clamav-users] how to release 16K FPs from quarantine?

2012-08-09 Thread Henrik K
On Thu, Aug 09, 2012 at 07:32:32PM +0100, Anthony Dickinson wrote:
> 
> Sorry off subject, but...
> 
> Really? Surely no engine would allow incomplete signatures to load and be
> used?

Well yes you should not make any assumptions. Clamav doesn't care if there
isn't any newline at the end of the file, it doesn't even seem to complain
if the signature hex isn't complete (even number of characters).



Re: [clamav-users] how to release 16K FPs from quarantine?

2012-08-09 Thread Henrik K
On Fri, Aug 10, 2012 at 08:08:48AM +0300, Henrik K wrote:
> On Thu, Aug 09, 2012 at 07:32:32PM +0100, Anthony Dickinson wrote:
> >
> > Sorry off subject, but...
> >
> > Really? Surely no engine would allow incomplete signatures to load and be
> > used?
> 
> Well yes you should not make any assumptions. Clamav doesn't care if there
> isn't any newline at the end of the file

> it doesn't even seem to complain if the signature hex isn't complete (even
> number of characters).

Sorry it's morning, it does complain..

Anyways the facts remain, MBL can send incomplete files because the http
server does not report Content-Length (they don't seem to serve static files
which is just stupid).  Also their signature backend could have any number
of problems if they can't even get that right.  I've been personally
filtering out any signatures less than 7 chars for a long time.



Re: [clamav-users] Windows packaging

2012-06-25 Thread Henrik K
On Mon, Jun 25, 2012 at 08:13:58AM +0100, Steve Basford wrote:
> While I can see the MSI installer being useful to some people... I'd
> prefer to have the .ZIPs back (or have both built), as I've got to run the
> MSI
> installer, find where the files have been installed and then copy them out,
> so I can play with config files/test etc.

Lmgtfy..

http://www.tech-recipes.com/rx/2557/vista_how_to_extract_content_from_msi_files/



Re: [clamav-users] Spamtrap suggestion

2012-05-29 Thread Henrik K
On Tue, May 29, 2012 at 12:33:30PM +0100, Cedric Knight wrote:
> It seems there's at least a new variant every day of Kryptik/Kazy/Zbot
> worms or Trojan droppers sent zipped through email.  These are attached
> to a type of spam usually headlined something like FedEx delivery problem.

Is this actually a problem for someone? I don't remember the last time my
users reported something like this passing through normal spam filtering
stuff..



Re: [clamav-users] ClamAV 0.97.4 - 2 notices

2012-03-17 Thread Henrik K
On Sat, Mar 17, 2012 at 11:11:29AM -0700, Jim Preston wrote:
> On 03/16/2012 05:31 PM, Tilman Schmidt wrote:
> > On 16.03.2012 13:35, Andreas Schulze wrote:
> > > 2.
> > > Avira, a German antivirus vendor, may(*) classify the sourcecode tarball as
> > > malicious:
> > >
> > > clamav-0.97.4/test/.split/split.clam-pespin.exeaa  PCK/PESpin ; packer ;
> > > File has been compressed with an unusual runtime compression tool
> > > (PCK/PESpin). Please verify the origin of the file
> > IMHO it is only to be expected that virus scanners identify each others'
> > test files as malicious. You can hardly blame either side for that.
> > After all, both are just doing what they are designed for.
> >
> > Just ignore it.
> >
> > Jm2¢
> > Tilman
> 
> And be glad it is able to detect it :-)

What's the point of detecting a split broken exe? I assume it's not
executable in any way?

ClamAV could obfuscate those files better in many other ways than splitting
anyway..


Re: [clamav-users] Yet Another US Mirror Issue

2011-09-12 Thread Henrik K
On Sun, Sep 11, 2011 at 04:11:07PM -0400, Dan wrote:
> 
> At 11:40 PM +0200 9/7/2011, Luca Gibelli wrote:
> > Traffic is around 5TB/month on each mirror.
> 
> Short of a paid service, which I doubt any of us want, few have such
> bandwidth available to donate.

First of all, I think this whole thread is overreacting. I seriously
doubt the mirror capacity is at maximum.

Anyways, 5TB comes at 2MB/s average, which is not that much. I can do it
with my $15 OVH/Kimsufi box and so do probably thousands of others.

> Clam needs to leverage the power of the Internet - as it is now, not
> yesterday.  The simple, semi-linear propagate thru a few mirrors
> design has obviously reached a limit...  5 TB *per mirror* per
> month!!!???  Just to maintain a tiny 36 MB database?  d'oh!

It does sound a bit much for all the cdiffs etc, but maybe I'm
underestimating the number of ClamAV users..

> It may have worked just fine yesterday, but, seriously, just a model
> that's waiting to fall on its face as Clam becomes more popular.

I don't think it can suddenly become _that_ much more popular, since it's
already quite popular.

> So, I'm thinking that leaves two choices: 1) a cloud, a la Amazon S3.  2) p2p.
> 
> Maybe, someday, when the well-cached cloud services are fully
> propagated *and* reliable world-wide, using a cloud in lieu of the
> traditional mirror set-up might be viable.  But IMO that's years
> away and too expensive.

There's nothing wrong with the current method. It's simple and cheap.
You are underestimating the bandwidth available in the world.

Either there really is no problem and ClamAV is just lazily fishing for
more mirrors, or then they are just clueless and/or not having the
substantial financial and engineering resources of a much larger
organization (advertised in faq).

Heck, even I could buy few boxes for mirrors, but I'm not going to do that
as a private person since there are bazillion commercial entities that have
or can get the bandwidth if needed, including Sourcefire itself.

> Right now, IMO, a p2p set-up would be the most viable.  Continue to
> propagate via mirrors.  *ADD* the torrent.  Together, we clam users
> have many times the bandwidth needed!
> 
> Is there a way to make freshclam grab and verify database files from
> a local directory?  If there is, creating a torrent set-up would be
> fairly easy, even on an ad-hoc basis.  I think it would be
> interesting to get a test going...
> 
> WRT the reputation of p2p/torrents... There are quite a few legit
> uses for p2p.  A number of open source products are even distributed
> via bittorrent.  Yes, some ISPs are blocking the protocol -- but
> when shown that it's a legit use, they're usually willing to fix
> that.

I like the idea of some 3rd party offering torrent service for the
p2p-minded. What I don't want to see is freshclam bloated with some torrent
libraries and stuff.

You do realize that torrents actually need to have central servers for the
.torrent files themselves? That's just the first step (freshclam would
have already downloaded cdiffs at the same step). Then you actually need to
have some trackers also, unless you are relying on DHT. Hopefully it's not
the main database you end up downloading from some guys slow ADSL link..



Re: [clamav-users] Yet Another US Mirror Issue

2011-09-12 Thread Henrik K
On Mon, Sep 12, 2011 at 12:41:14PM -0400, Nathan Gibbs wrote:
 On 9/12/2011 11:05 AM, Dan wrote:
  At 9:22 AM +0300 9/12/2011, Henrik K wrote:
  On Sun, Sep 11, 2011 at 04:11:07PM -0400, Dan wrote:
 
   At 11:40 PM +0200 9/7/2011, Luca Gibelli wrote:
   Traffic is around 5TB/month on each mirror.
 
   Short of a paid service, which I doubt any of us want, few have such
   bandwidth available to donate.
 
  First of all, I think this whole thread is overreacting. I seriously
  doubt the mirror capacity is at maximum.
  
  Noone has suggested maximum.  The issue is that the mirrors are so
  overloaded that it's often taking freshclam an excessive amount of time
  to do its thing, because of the time-outs / connection failures. No big
  deal if it's the update run in the background.  But if it's on-demand
  update preceding a user-driven scan, it's making the user sit there,
  twiddling its thumbs, for up to a minute or two.
  
  Luca's response to the problem is that more mirror capacity is needed. 
  Hence the discussion of alternatives...
  
  Anyways, 5TB comes at 2MB/s average, which is not that much. I can do it
  with my $15 OVH/Kimsufi box and so do probably thousands of others.
  
  Perhaps, where you live.  Here, in the good'ole USofA, if I set up a
  server to feed 170 GB/day, my ISP would shut me down and bill me big.
  
 HERE HERE!
 
 My ISP is pretty cool about letting users do what they want. However, if
 I started moving 170GB / day they would definitely be chasing me down to
 have a chat.
 :-)
 
 When they start offering inexpensive 10Mbit links to the net, a mirror
 would be an option, but not right now.

Guys, I'm not talking about some home or office ISP lines. I'm talking about
rented dedicated servers that have huge bandwidth by contract. Why do you
make pointless arguments? Depending on where you live or want the servers
to be located, they can be cheap or amazingly cheap.

And Dan, please familiarize yourself first on how torrents work.



Re: [clamav-users] Yet Another US Mirror Issue

2011-09-12 Thread Henrik K
On Mon, Sep 12, 2011 at 03:54:44PM -0400, Dan wrote:
> At 8:58 PM +0300 9/12/2011, Henrik K wrote:
> > Guys, I'm not talking about some home or office ISP lines. I'm
> > talking about rented dedicated servers that have huge bandwidth by
> > contract. Why do you make pointless arguments?
> 
> Excuse me?  Pointless?  Is that your way of disagreeing
> intelligently or just trying to shut the conversation down?
> 
> In YOUR opinion individuals and even small businesses are incapable
> of contributing to Clam's strained infrastructure?

> So OUR suggestions and inquiries on this USER mailing list are  ...
> pointless?

I'm sorry but that's the fact. If mirrors need bandwidth, it's not going to
work on some slow home connection.  Why do you take it so personally?  If
you want to help, buy a server and host a mirror.

> > And Dan, please familiarize yourself first on how torrents work.
> 
> I know pretty much how they work.  What's your point here?  Is there
> some design issue that invalidates the idea of using a p2p/torrent
> type distribution method to supplement the mirrors?

Obviously you didn't think how you are going to download all those cdiffs. 
You do realize that all of them need .torrent files also? It's pointless
overhead.



Re: [clamav-users] Yet Another US Mirror Issue

2011-09-12 Thread Henrik K
On Mon, Sep 12, 2011 at 05:57:24PM -0400, Nathan Gibbs wrote:
> On 9/12/2011 1:58 PM, Henrik K wrote:
> >
> > Guys, I'm not talking about some home or office ISP lines. I'm
> > talking about rented dedicated servers that have huge bandwidth by
> > contract.
> 
> OK, but what the rest of us are talking about is taking load off the
> global clamav mirror infrastructure.
> Particularly the US section.

And I'm not?? Buy a da*n US server and host a mirror. Even as an individual
if you like.

> > Depending on where you live
> 
> Because it is our section of the infrastructure that is having issues.
> Please read the thread title.

Even I can buy some US servers if I want.  There are lots of providers to
choose from.

> > or want the servers to be located, they can be cheap or amazingly
> > cheap.
> >
> 
> I don't care where the servers are as long as I can get the current DBs.
> 
> Rehash
> 1. The Clamav Project needs more capacity especially in the US zone.
> 2. Many of us have gone to a local mirror configuration to use as little
> of the capacity as possible.
> 3. The Clamav Project still needs more capacity.
> 4. Many of us would step up to the plate and provide this capacity if it
> were within our ability to do so.

If you are an individual not able to put $15-$100 a month, then yes, it's not
in your capability.

> 5. Barring that we are asking about torrent because we would step up to
> the plate and provide what is within our ability to provide.

> I could easily provide 20MB of transfer a month initially and maybe
> more.  However 5TB / month is definitely out of the question.

No one thinks any less of you for trying to help, on the contrary. But if
you can't even get any facts straight etc, it's just messing up the thread.

Let's not forget that ClamAV is backed by a commercial organization?? If
they wanted US bandwidth badly, they can get it.  If not by buying, then
probably just by asking around or even on the web page?  Why do you think
it's not mentioned there.  Probably very few users read this list.



Re: [clamav-users] Yet Another US Mirror Issue

2011-09-07 Thread Henrik K
On Wed, Sep 07, 2011 at 01:13:37PM +0200, Luca Gibelli wrote:
 Hello Al,
 
  error.  Since that time each of two updates on 2, 3, 4, 5,  6 Sep have
  started with that same server and erred with the following:
   connect_error: getsockopt(SO_ERROR): fd=4 error=61: Connection refused
   Can't connect to port 80 of host db.US.clamav.net (IP: 88.198.67.125)
  That status page has shown some issues with that server each day, but
  nothing like what I am seeing.
 
 the admin of akxnet.de has limited the amount of concurrent connections
 on the mirror. Depending on traffic, you may get a connection
 refused error, but it's nothing to worry about. 
 freshclam will just try to connect to another mirror in the RR.
 
 If anyone can provide a CVD mirror in US, please contact me directly. 
 We definitely need more capacity in the db.us.clamav.net RR.

Is Sourceforge so cheap that it can't get a few $20 VPS for mirrors?



Re: [clamav-users] Virus not detected by Clamav

2011-06-29 Thread Henrik K
On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
  On Wed, 29 Jun 2011 11:24:24 +0200
  polloxx poll...@gmail.com wrote:
 
  Are there other user with the same problem? Any solution?
 
 I have the same problem.
 I manage a mail server used by a vendor of DHL.
 
 Pretty annoying as far as all emails from DHL are sensible and
 important for the users :-)
 
 Unfortunately, I have found no solution... yet.

So your users receive a lot of legitimate exes?

If you are expecting ClamAV to be a 0day magic tool without having lots of
other defences (spamassassin etc) and lots of custom rules, then yes, there
is no solution.



Re: [clamav-users] What happened to 12663 ?

2011-02-12 Thread Henrik K
On Sat, Feb 12, 2011 at 10:06:10PM +1300, Steve Holdoway wrote:
 On Fri, 2011-02-11 at 21:26 -0700, Jim Preston wrote:
  
  On 02/11/2011 12:59 PM, Bowie Bailey wrote:
   On 2/11/2011 2:17 PM, Jan-Frode Myklebust wrote:
   We have a strong preference to running only RHEL5+EPEL packages,
   so we're kind of stuck on 0.95.1 until EPEL updates or we move to
   RHEL6+EPEL which gives us clamav-0.96.1. I expect you will have quite
   a few users with the same/similar policy...
   FWIW, rpmforge has clamav-0.96.5 at the moment.  Personally, I would
   swap repos if epel is going to take over 1.5 years (!) to update an
   antivirus package.
  
  And if you are paying for support or RHEL5, I would start bitching 
  loudly to RH. It should not take long for a junior engineer to run the 
  system through its paces to validate clamav. Your license and support 
  should be worth something, just MHO.
  
 Aren't you completely missing the point of a Release, where
 functionality is frozen, only security fixes are implemented?

In software where most of the functionality comes through updates from 3rd
party over the network, there's not much point to miss.  If you want frozen
and guaranteed stability, only RHEL itself should deliver verified working
signatures.



Re: [clamav-users] BC.PDF.Producer.JSHIP

2011-01-19 Thread Henrik K
On Wed, Jan 19, 2011 at 04:35:25PM +0200, Török Edwin wrote:
 Hi,
 
 I just published bytecode.cvd version 120.
 This should fix the long scan times, and FP submission id 20879645 (
 87ac7d7a40d56e9678121ac5aa80c24e).
 
 If you still see long scan times or false positives after you updated to
 version 120 please submit the files.

I doubt I'll activate bytecode again in a while. Don't you have a corpus of
files you test new signatures against?? Given that I got dozens of FPs in
few minutes, it hardly seems you need a special test case.



Re: [clamav-users] Signature wildcard usage

2010-12-31 Thread Henrik K

On Thu, Dec 30, 2010 at 04:18:40PM -0800, Bill Landry wrote:
 
 Still wondering if this support will be added or not?

You know the answer already.. open a bug (or reopen the old). Maybe then you
will get some answer. Someday. ;-)


Re: [clamav-users] Signature wildcard usage

2010-12-23 Thread Henrik K
On Thu, Dec 23, 2010 at 11:28:31PM +0200, Török Edwin wrote:
 On 2010-12-23 23:20, Bill Landry wrote:
  On 12/20/2010 9:34 AM, Bill Landry wrote:
  On 12/20/2010 2:04 AM, Tomasz Kojm wrote:
  On Sun, 19 Dec 2010 10:31:43 -0800 Bill Landryb...@inetmsg.com wrote:
  I've been doing some testing with some of the new signature wildcards,
  in particular:
 
  - (B)
  Match word boundary (including file boundaries).
  - (L)
  Match CR, CRLF or file boundaries.
 
  I've found that both of these wildcards work when used singularly in
  any
  of the following combinations:
 
  SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(B)
  SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(L)
  SpamDomain.example_com:4:*:(B)6578616d706c652e636f6d(L)
  SpamDomain.example_com:4:*:(L)6578616d706c652e636f6d(B)
 
  However, I would like to combine them on both sides of the hex
  signature, but none of the following combinations work without causing
  errors:
 
  SpamDomain.example_com:4:*:(B|L)6578616d706c652e636f6d(B|L)
  SpamDomain.example_com:4:*:(B)(L)6578616d706c652e636f6d(B)(L)
  SpamDomain.example_com:4:*:((B)|(L))6578616d706c652e636f6d((B)|(L))
 
  Is there a way to combine these two wildcards into a single hex
  signature so that it can detect any of the following combinations in an
  email message:
 
  Hi Bill,
 
  the word boundary (B) also acts as a line marker (L), so there's no need
  for using both of them at the same time.
 
  Yes, but the (B)...(B) boundary does not work without using the
  (L)...(B) boundary in these two scenarios:
 
  beginning of line CR, CRLF boundary and word boundary (L)...(B):
  
  This is
  example.com test message.
 
  beginning and end of line CR, CRLF boundary (L)...(L):
  ==
  This is
  example.com
  test message.
  ===
 
  where the domain name starts at the beginning of the line. It would work
  work great with (B)...(B) if the (B) boundary supported beginning of
  line detection:
 
  ^example.com
 
  Can this be added to the (B) boundary detection?
  (B)6578616d706c652e636f6d
 
  Any further thoughts on this?
 
 This matches example.com at beginning of line, or at a word boundary:
 Foo:0:*:(B)6578616d706c652e636f6d

= cat test.mail =
Return-Path: x
Received: x

Xxx
example.com
xxX
=

Foo:4:*:(B)6578616d706c652e636f6d(B)
test.mail: OK

Foo:4:*:6578616d706c652e636f6d
test.mail: Foo.UNOFFICIAL FOUND

Foo:0:*:(B)6578616d706c652e636f6d(B)
test.mail: Foo.UNOFFICIAL FOUND

Obviously we want to match mail files here, seems there's a bug handling it.

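As an added example (not code from the thread and not ClamAV's own matcher), the following Python models the .ndb signature syntax discussed above and the (B)/(L) anchor semantics as I read them from the documented behaviour: a word boundary is a non-alphanumeric neighbouring byte or a file edge, a line marker is a CR/LF neighbour or a file edge (both are assumptions of this model). Data is treated as raw bytes, the way target type 0 would see it, so it does not reproduce the target-type-4 mail-parsing problem Henrik observed; it does show why (B) already covers every (L) case, and why the combined forms such as (B|L) are rejected as malformed. The test.mail bytes are constructed to mirror the one in the thread.

```python
"""Model of ClamAV .ndb hex signatures with (B)/(L) anchors.

Added example, not ClamAV code.  Boundary rules are a simplified reading
of the documented behaviour (assumption): (B) needs a non-alphanumeric byte
or a file edge next to the match; (L) needs CR/LF or a file edge.  Data is
treated as raw bytes, as target type 0 would be; mail parsing is not modelled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# (B) or (L) may appear once at each end; anything else (e.g. (B|L), (B)(L))
# is rejected as malformed, matching the errors reported in the thread.
_HEXSIG = re.compile(r"^(?:\((B|L)\))?([0-9a-fA-F]+)(?:\((B|L)\))?$")


@dataclass
class Signature:
    name: str
    target: int          # 0 = any file, 4 = mail, ...; recorded, not enforced
    left: Optional[str]  # 'B', 'L' or None
    pattern: bytes
    right: Optional[str]


def to_hex(text: str) -> str:
    """'example.com' -> '6578616d706c652e636f6d', as sigtool --hex-dump prints."""
    return text.encode("ascii").hex()


def parse_ndb(line: str) -> Signature:
    """Parse Name:TargetType:Offset:HexSig (trailing :MinFL:MaxFL ignored)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed signature line: {line!r}")
    name, target, offset, hexsig = parts[:4]
    if offset != "*":
        raise ValueError("only '*' (any offset) signatures are modelled here")
    m = _HEXSIG.match(hexsig)
    if not m or len(m.group(2)) % 2:
        raise ValueError(f"unsupported hex signature: {hexsig!r}")
    return Signature(name, int(target), m.group(1), bytes.fromhex(m.group(2)), m.group(3))


def is_supported(line: str) -> bool:
    """True if parse_ndb accepts the line."""
    try:
        parse_ndb(line)
        return True
    except ValueError:
        return False


def _is_word_byte(b: int) -> bool:
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122   # [0-9A-Za-z]


def _edge_ok(anchor: Optional[str], neighbour: Optional[int]) -> bool:
    """Check one side of a candidate match; neighbour is None at a file edge."""
    if anchor is None or neighbour is None:
        return True                       # unanchored, or file boundary
    if anchor == "B":
        return not _is_word_byte(neighbour)
    return neighbour in (0x0D, 0x0A)      # 'L': CR or LF


def scan(sig_line: str, data: bytes) -> List[int]:
    """Offsets at which the signature matches the raw data (empty = clean)."""
    sig = parse_ndb(sig_line)
    hits = []
    pos = data.find(sig.pattern)
    while pos != -1:
        end = pos + len(sig.pattern)
        before = data[pos - 1] if pos > 0 else None
        after = data[end] if end < len(data) else None
        if _edge_ok(sig.left, before) and _edge_ok(sig.right, after):
            hits.append(pos)
        pos = data.find(sig.pattern, pos + 1)
    return hits


# Constructed stand-in for the thread's test.mail.
TEST_MAIL = b"Return-Path: x\nReceived: x\n\nXxx\nexample.com\nxxX\n"

if __name__ == "__main__":
    dom = to_hex("example.com")
    for sig in (f"Foo:0:*:(B){dom}(B)", f"Foo:0:*:(L){dom}(L)", f"Foo:0:*:{dom}",
                f"SpamDomain.example_com:4:*:(B|L){dom}(B|L)"):
        if not is_supported(sig):
            print(sig, "-> rejected as malformed")
            continue
        print(sig, "->", scan(sig, TEST_MAIL) or "no match")
```

Against the constructed mail, both the (B)...(B) and (L)...(L) forms match at the start of the `example.com` line, while against inline text like `This is example.com test` only the (B) form matches, which is the behaviour Tomasz describes.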


Re: [Clamav-users] scan website

2010-08-26 Thread Henrik K
On Thu, Aug 26, 2010 at 04:59:04PM +0200, Ben Lambrey wrote:
 Dear,
 
 Is there any script available to scan a website for malware using Clamav?

wget -m $SITE && clamscan -r $SITE ?

Maybe you need to be more specific.



Re: [Clamav-users] freshclam consuming 1.5GB RAM

2010-06-08 Thread Henrik K
On Mon, Jun 07, 2010 at 09:29:53PM +0200, Jose-Marcio Martins da Cruz wrote:
 
 Török Edwin wrote:
 On 06/07/2010 08:32 PM, Alex wrote:
 Hi,
 
 What conditions could exist for freshclam to consume 1.5GB of RAM on Linux?
 
 freshclam tries to load the database each time, and then frees it (in
 0.96.1). I don't see anything wrong with the code, but that doesn't mean
 its bug free.
 
 Could you tell me when you started freshclam the first time (date/time,
 or CVD version when you started), and your clamconf output?
 I can try to replay the updates and see if any of them causes a memory leak.
 
 I had a problem with freshclam today - low memory usage, but high
 CPU load : 3.2 % on a Sun T2000 (two identical computers with the
 same load), which is enormous. I just deleted safebrowsing.cld and
 restarted freshclam. Everything went back OK. Don't know why...

Safebrowsing diff bug has been around for over a year. It's funny it still
isn't resolved properly.



Re: [Clamav-users] Tiered freshclam updates on port443

2010-05-16 Thread Henrik K
On Fri, May 14, 2010 at 06:34:33PM -0400, Nathan Gibbs wrote:
 
 At our site, the update server hosts clamav DBs, snort rules, some conf
 files, etc.  The ability to protect the other data would be a plus.  It would
 add another layer of defense to our setup.  However it's not workable if
 Freshclam cannot speak https.  It's redundant as far as ClamAV's data integrity
 goes.  However, I think it's worth doing as far as hack value and
 interoperability go.

Using https sounds silly in favor of more robust methods like rsync+ssh. I
certainly would trust rsyncing a verified set of signatures more than using
freshclam code which has had bugs in the past.

-1 for adding yet another external library dependency for little purpose.

As far as the original poster goes, I don't think https protocol was the
issue, only TCP port. Such human generated firewall problems are solvable
in many ways if desired and IMHO have nothing to do with ClamAV.

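One way to get the "verified set of signatures" Henrik prefers over trusting the download client is to check the MD5 carried in the CVD header against the body after the transfer. The following Python is an added example, not ClamAV or sigtool code; it assumes the documented CVD layout (a 512-byte, space-padded, colon-separated header beginning `ClamAV-VDB:` whose sixth field is the MD5 of the compressed tarball that follows it) and checks only that MD5, not the RSA digital signature field, which `sigtool --info` verifies against the project key, so it covers transport integrity only. The sample file it builds is constructed, with placeholder builder and signature fields and an arbitrary version number.

```python
"""Integrity check of a ClamAV .cvd file after an out-of-band transfer.

Added example, not ClamAV or sigtool code.  Assumed layout (documented CVD
format): a 512-byte header 'ClamAV-VDB:<build time>:<version>:<#sigs>:
<functionality level>:<MD5>:<digital signature>:<builder>:<build secs>',
space padded, followed by the compressed tar of the database; the MD5 is
taken over everything after the header.  The RSA digital signature field
is parsed but NOT verified here; sigtool --info does that against the
ClamAV public key, so this check covers transport integrity only.
"""
import hashlib
import hmac
import sys
from dataclasses import dataclass

HEADER_LEN = 512


@dataclass
class CvdHeader:
    build_time: str
    version: int
    signatures: int
    functionality_level: int
    md5: str
    digital_signature: str
    builder: str


def parse_header(blob: bytes) -> CvdHeader:
    """Split the colon-separated header; raises ValueError if it is not a CVD."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file is shorter than a CVD header")
    text = blob[:HEADER_LEN].rstrip(b" \x00").decode("ascii", "replace")
    f = text.split(":")
    if f[0] != "ClamAV-VDB" or len(f) < 8:
        raise ValueError("not a ClamAV-VDB header")
    return CvdHeader(f[1], int(f[2]), int(f[3]), int(f[4]), f[5], f[6], f[7])


def body_md5(blob: bytes) -> str:
    """MD5 of everything after the 512-byte header."""
    return hashlib.md5(blob[HEADER_LEN:]).hexdigest()


def verify_md5(blob: bytes) -> bool:
    """True if the MD5 in the header matches the body that follows it."""
    header = parse_header(blob)
    return hmac.compare_digest(header.md5.lower(), body_md5(blob))


def build_cvd(body: bytes, version: int, signatures: int, flevel: int) -> bytes:
    """Constructed sample CVD for demonstration; signature/builder are placeholders."""
    fields = ["ClamAV-VDB", "01 Jan 2000 00-00 +0000", str(version), str(signatures),
              str(flevel), hashlib.md5(body).hexdigest(), "PLACEHOLDER-SIGNATURE",
              "example", "0"]
    header = ":".join(fields).encode("ascii")
    if len(header) > HEADER_LEN:
        raise ValueError("header too long")
    return header.ljust(HEADER_LEN, b" ") + body


def self_check() -> dict:
    """Round trip on a constructed file: intact body passes, flipped byte fails."""
    blob = build_cvd(b"\x1f\x8b constructed-not-a-real-tarball", 26655, 1000, 58)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    return {"intact": verify_md5(blob), "tampered": verify_md5(tampered)}


if __name__ == "__main__":
    if len(sys.argv) == 2:                       # e.g. python cvdcheck.py daily.cvd
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        hdr = parse_header(data)
        print(f"version {hdr.version}, {hdr.signatures} signatures, "
              f"flevel {hdr.functionality_level}, md5 ok: {verify_md5(data)}")
    else:
        print(self_check())                      # {'intact': True, 'tampered': False}
```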


Re: [Clamav-users] Script updated: clamav-unofficial-sigs.sh (v3.7)

2010-01-25 Thread Henrik K
On Mon, Jan 25, 2010 at 06:09:39AM -0800, John Rudd wrote:
  MSRBL (as it's no longer being updated)
 
 And here's the answer from the actual project:
 
 http://msrbl.blogspot.com/2010/01/msrbl-status-update-as-some-of-you-have.html
 
 It's amazing what information you get when you actually talk to people.

Oh they finally woke up. But it's been said that emails were unanswered,
signatures had been lacking updates since mid last year. So stop trying to
look good. There's a reason to drop pointless signatures that only eat up
memory. IF the updates start happening, they can be added back (after
checking that they actually perform).



Re: [Clamav-users] Script updated: clamav-unofficial-sigs.sh (v3.7)

2010-01-23 Thread Henrik K
On Sat, Jan 23, 2010 at 10:12:34PM -0800, John Rudd wrote:
  removes MSRBL (as it's no longer being updated)
 
 Did they declare themselves to be defunct, or are you declaring it for
 them (without any actual announcement from them)?

What part of "since July 2009" makes you think they aren't defunct? Does
someone actually have to declare this for someone to realize it?



Re: [Clamav-users] Phishing detection on downloaded pages

2009-12-15 Thread Henrik K
On Tue, Dec 15, 2009 at 12:16:52PM +0200, Jari Fredriksson wrote:
 
 
 On 9.12.2009 20:13, Török Edwin wrote:
  On 2009-12-07 19:21, Sundara Kaku wrote:
  Hi,
 
  I have a special requirement where  I want to scan downloaded pages from
  website for phishing detection, ex: i use httracker to download a website 
  or
  wget to download a particular website and I want to scan that webpage for
  phishing detection. I am using ClamAV 0.95.1/10117 i have the following
  files under /var/lib/clamav folder
 
  main.cld
  clamav-0980f9eff474c2c5b63601cd16a87374
  daily.cld
  safebrowsing.cld
  
  Safebrowsing is only used for links sent in emails. But since you are
  scanning webpages,
  firefox should already check the URL against safebrowsing db.
  
  mirrors.dat
   the following are settings in clamd.conf
 
  PhishingSignatures true
  PhishingScanURLs true
  PhishingAlwaysBlockSSLMismatch false
  PhishingAlwaysBlockCloak true

  
  The heuristic phishing detector only works on html files inside mails,
  and most of the phishing signatures too.
  
  Right now there isn't any support for detecting a phishing website by
  scanning it, there is only support for detecting
  links to phishing websites in emails.
  
 
 The solution would be some web proxy like SafeSquid
 http://www.safesquid.com/
 
 It's not free, but it is there if needed.

How does that exactly help the OP find phishes? Most of the signatures
still only scan emails. Sure, for general http virus scanning you could use
HAVP etc.



Re: [Clamav-users] Assistance needed with custom signature

2009-10-01 Thread Henrik K
On Thu, Oct 01, 2009 at 12:22:58PM +0200, Matus UHLAR - fantomas wrote:
   remove the 0a character(s) as echo introduces them into sigtool.
 
 On 30.09.09 13:06, Steve Basford wrote:
  Sorry, forgot to add... this might be quicker in future...
  
  printf word0 | sigtool --hex-dump
  printf word1 | sigtool --hex-dump
  printf word2 | sigtool --hex-dump
 
 echo -n word should be the same..

Don't be surprised when it fails on Solaris etc..



Re: [Clamav-users] DHL invoices

2009-09-23 Thread Henrik K
On Wed, Sep 23, 2009 at 07:07:53PM +0300, Jari Fredriksson wrote:
  Jari Fredriksson wrote:
  
  
  Then I decided SaneSecurity is not worth it, as
  SpamAssassin catches those too, and has less false
  positives. 
  
  SaneSecurity triggers way too often when some dumb user
  pastes a spam into his mail, or some robot sends a
  bounce with an attachment. I do not want to report those
  cases to SpamCop, Razor, DCC.. Making me writing tons of
  tests in my scripts. Too risky. 
  
  
  If someone pastes a spam into their mail it is not a false
  positive. It is a post that is indistinguishable from
  spam. There are consequences for that. 
  
 
 Debatable. Anyway, I do not want to punish from that kind of a mistake.
 I'm not an email nazi, while I indeed am a spam fighter.

Ehm, were you scoring SaneSecurity hits like one is supposed to, or just
plain rejecting with them? Sounds like the latter.



Re: [Clamav-users] DHL invoices

2009-09-23 Thread Henrik K
On Wed, Sep 23, 2009 at 08:11:41PM +0300, Jari Fredriksson wrote:
  
  Ehm, were you scoring SaneSecurity hits like one is
  supposed to, or just plain rejecting with them? Sounds
  like the latter. 
  
 
 I don't run ClamAV via SpamAssassin. I have it called by amavisd-new,
 which does what it does: quarantine.

May I suggest you google for the amavisd-new feature called
virus_name_to_spam_score_maps. You will find many examples on how to do it
properly.



Re: [Clamav-users] DKIM support in Clamd

2009-09-09 Thread Henrik K
On Wed, Sep 09, 2009 at 11:02:14AM +0530, Thiyaga wrote:
 Hi,
 
 We are using Clamd in our organization to scan virus mails and recently we
 had a requirement to implement DKIM support.
 
 We are aware that Clamd currently doesn't verify DKIM. Since Clamd scans
 each and every byte of a mail, we think, verifying DKIM in Clamd would be
 the best optimal approach.
 
 Do anybody know any tool or plugin which can be integrated with Clamd for
 DKIM verification?

You would be looking at extremely marginal savings if at all trying to
optimize using the same bytes. Probably it wouldn't be impossible to implement
using external library, however I don't see how it has anything to do with
ClamAV. It certainly wouldn't make your DKIM implementation any
easier/flexible.

Look at dkim-milter/opendkim or amavisd-new etc for proper implementation.



Re: [Clamav-users] Freshclam Stuck ?

2009-06-16 Thread Henrik K
On Tue, Jun 16, 2009 at 04:16:29PM +0200, Matus UHLAR - fantomas wrote:
  On Tue, 16 Jun 2009 14:30:13 +0100
  Robert rob...@yardstyle.demon.co.uk wrote:
   
   ERROR: /var/log/freshclam.log is locked by another process
   ERROR: Problem with internal logger (UpdateLogFile = /var/log/ 
   freshclam.log).
   
   
   I have to manually 'kill' freshclam.
   
   Is anyone else having this  problem ??
 
 On 16.06.09 08:53, Kapp wrote:
  Yes. Exactly the same problem here.
 
 here too. Freshclam was eating 100% of cpu for a longer time, after
 downloading the safebrowsing database. After cleaning database directory and
 re-running freshclam it looks OK again.

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1502



Re: [Clamav-users] Script Update Name Change Announcement

2009-04-24 Thread Henrik K
On Fri, Apr 24, 2009 at 09:39:48AM -0700, Bill Landry wrote:
 
 I guess I will have to change this to -exec {} \; with my next update,
 even though it's much slower than the -exec {} + variant.

So why do you use -exec? Use find | xargs.



[Clamav-users] Safebrowsing db outdated?

2009-04-14 Thread Henrik K

No new version in 3 days, what's up?

Btw has anyone had actual hits with 0.95.1 (now that it checks plain text
urls)? No luck here..

Cheers,
Henrik


Re: [Clamav-users] News about 0.95

2009-03-12 Thread Henrik K
On Wed, Mar 11, 2009 at 05:07:19PM +, Nigel Horne wrote:
 Folks,
 
 I am pleased to let you know of a major new feature to be added to
 ClamAV. 0.95RC2 will be released next Monday, 16/3/09, which will
 include support for Google Safe Browsing.

Have you tried this with live servers? Can you tell us the results?

There was a SpamAssassin plugin a few years ago that checked URLs in Safe
Browsing. It seems it was pretty bad at hitting anything. But it might be
that things are better now.



Re: [Clamav-users] Database reload times

2009-03-06 Thread Henrik K
On Wed, Mar 04, 2009 at 11:16:18PM +0100, shuttlebox wrote:
 On Wed, Mar 4, 2009 at 9:54 PM, Jose-Marcio Martins da Cruz
 jose-marcio.mart...@ensmp.fr wrote:
  On a Solaris10/sparc box (UltraSPARC-IIi 440Mhz) it takes 18s.
 
  Hmmm, a T2000 is slightly better than your sparc box (a 10 years old
  Ultra 5 or Ultra 10 ?). But it doesn't seem too much faster.
 
 Those T2000's are not that fast executing a single thread, the main
 benefit with that platform is the large number of threads they can
 execute in parallel which of course is of great benefit in many real
 world cases. But I assume this case is single threaded and so the
 speed difference is not that impressive.
 
 With the use of DTrace you could probably see where it spends its time.

It's not just a T2000. The CPU is either T1 or T2. Judging from the info
(8core*4threads) it looks like we are talking about the ancient T1 here. I
don't find the load time that strange.

Some good reading:

http://en.wikipedia.org/wiki/UltraSPARC_T2#Performance_improvement_versus_T1
http://www.c0t0d0s0.org/archives/4602-About-some-rumours-surrounding-the-UltraSPARC-T1T2.html
etc..



Re: [Clamav-users] Database reload times

2009-03-06 Thread Henrik K
On Fri, Mar 06, 2009 at 03:04:04PM +0100, Jose-Marcio Martins da Cruz wrote:
 
 **
 checking for gcc bug PR26763-2... ok, bug not present


 checking for valid code generation of CLI_ISCONTAINED... configure: 
 error: your compiler has a bug that causes clamav bug no. 670, use a 
 different compiler, see http://bugs.clamav.net/bugzilla/show_bug.cgi?id=670

 This a test against a gcc bug. But I'm using cc, and configure knows 
 about it, so maybe it shouldn't look for a gcc bug.

Where does it say it checks for a gcc bug? These two checks have nothing to
do with each other.

I reported this bug a long time ago to Sun:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6683773

It's supposedly fixed, but even a while ago it wasn't included in the SS
patches. You are limited to -xO2 on Sun Studio.




Re: [Clamav-users] Database reload times

2009-03-06 Thread Henrik K
On Fri, Mar 06, 2009 at 03:26:57PM +0100, Jose-Marcio Martins da Cruz wrote:

 But if I launch configure with --disable-gcc-vcheck, configure doesn't 
 execute this check, all configure continues. So, it seems that configure 
 considers this as a gcc bug and not a generic bug which can be found 
 also in other compilers.
 
 It seems to me that there is some confusion at documentation and/or 
 configure options.

If this is the case, you should open up a bug. ;)



Re: [Clamav-users] Two suggestions

2009-03-02 Thread Henrik K
On Sun, Mar 01, 2009 at 04:11:08PM -0500, Nathan Brink wrote:

 I don't like it when other programs do this because it departs from the
 normal output of ./configure scripts.

What exactly are you doing with the output that it bothers you and where is
this standard defined?



Re: [Clamav-users] Twitter

2008-12-04 Thread Henrik K
On Thu, Dec 04, 2008 at 12:45:51PM -0500, Nigel Horne wrote:
 Folks,
 
 We'd like to hear any feedback people have who are following our Twitter 
 channel at http://twitter.com/clamav.
 
 If you're finding these updates useful please let us know. Also let us 
 know if there is anything else that you'd like us to put on that channel.

I can't help thinking that ClamAV staff might have something better to do
than set up such things. Ok, at least 76 people use it..

How about a blog with some actual content on developing and stuff, instead
of these hip services?



Re: [Clamav-users] Twitter

2008-12-04 Thread Henrik K
On Thu, Dec 04, 2008 at 11:52:56AM -0800, Kelson wrote:

 It doesn't take that long to set up an automatic process that will post 
 without user intervention, or link an RSS feed to the account.  It 
 probably took them less time than it took me to write this email.

Sure, I'm just having a random rant. It's just that sometimes the stuff
ClamAV comes up with feels a bit awkward. Then again, I don't know how
awkward the other vendors are because I haven't seen a need for them. That's
a compliment.

 So blogs are okay now?  I thought most techies still considered them to 
 be a newfangled self-important fad not worth the neologism. :-P
 
 Besides, running a blog with, as you say, actual content takes a *lot* 
 more time than setting up Twitter.  I can say that from experience.

I have nothing against decent information. Let it be blogs or whatever
twitter. As long as the mailing lists work as primary source of information,
I'm happy.



Re: [Clamav-users] Abnormal end

2008-09-03 Thread Henrik K
On Wed, Sep 03, 2008 at 10:01:54AM +0300, Török Edwin wrote:
 On 2008-09-03 04:57, Dennis Peterson wrote:
  What might have happened here:
 
clamdscan test
 
  /test/.split/split.clam.arjaa: Input/Output error ERROR
  ...
 
 There is nothing wrong here, the files in .split are split in half, so
 clamd sees that it is truncated.

Please sanitize your error logic. It's pretty difficult for people to create
custom libclamav applications, with random return codes popping here and
there.

I see no point returning a generic Input/Output error for a completely
scanned file that contains no viruses. It makes no difference if it's
logically a split archive, data stream is data stream. Why doesn't it return
CL_EARJ instead? Why not maybe use bitfields to return multiple values so
CL_CLEAN is reported also?

Now there is no macro or function to check if an error is serious. When
scanning returns for example CL_ETMPFILE, I think it's important - at least
admin should see it so disk space etc can be checked. If I get CL_EIO, I
have no clue what it's about - in this case there's no reason for it to be
visible to admin or user (say for a http-scanner). There's not even a
generic broken archive error, CL_ERAR etc are pointless to return alone,
we can't know what new codes future versions come up with. Please make a
stable interface.



Re: [Clamav-users] announcing ClamAV 0.94rc1

2008-08-21 Thread Henrik K
On Thu, Aug 21, 2008 at 08:52:30AM +0200, Matus UHLAR - fantomas wrote:
 Hello,
 
   On 2008-08-20 17:31, Henrik K wrote:
I guess they are some sort of pseudo-binary-code or whatever. I'd like
to see ClamAV use this kind of technology.
 
 pseudo-binary code would slow down clamav. Clamav is already slower than
 e.g. drweb, at least on our systems. Do you want to have slow antivirus? I
 don't. 

Who cares if it scans 100ms or 20ms. I prefer features and stability more
(which ClamAV might or might not have yet). Are you a talented coder or what
makes you think that such thing as pseudo-binary (I invented the word, I
don't know if it even means anything) would slow down things if properly
designed?

  I don't care what the method would be. Be innovative. Create a safe method.
  :)
 
  Distributing whole sources to fix smaller (but serious) issues seems a
  waste.
 
 distributing whole sources is not problem, if they could be distributed w/o
 virus db. Removing database from rc4 changed the .tgz from 20 to 2.7 MiB.
 Compressed diff (patch) from 0.93.3 to 0.94rc4 is 277k.

You don't seem to understand my point at all. Why bother downloading stuff
and compiling for such case? Read below.

  For example, some zip exploit. Just disabling the zip engine and
  hoping that users upgrade soon is ok, but not very high-tech. It would be
  wonderful to just get the core zip engine updated together with signatures.
 
 I don't think it's safe. If we have the fix, it should be patched asap.
 Disabling the zip engine is only a hotfix which may cause viruses to be
 passed through (yes, workstations should be using different AV than
 servers).

Of course DCONF is only a hotfix. But nothing guarantees that users will
update to the new patched version soon!!! A much more sophisticated way
would be to distribute the fixed component, instead of making some users on
holiday lose zip functionality for a long time.

I know, it's just a fantasy. ClamAV does go forward, but not at the speed
that a dozen well-paid developers could do. :)



[Clamav-users] Engine updates with signatures

2008-08-21 Thread Henrik K
On Thu, Aug 21, 2008 at 10:24:29AM +0300, Henrik K wrote:
 On Thu, Aug 21, 2008 at 08:52:30AM +0200, Matus UHLAR - fantomas wrote:
  Hello,
  
On 2008-08-20 17:31, Henrik K wrote:
 I guess they are some sort of pseudo-binary-code or whatever. I'd like
 to see ClamAV use this kind of technology.
  
  pseudo-binary code would slow down clamav. Clamav is already slower than
  e.g. drweb, at least on our systems. Do you want to have slow antivirus? I
  don't. 
 
 Who cares if it scans 100ms or 20ms. I prefer features and stability more
 (which ClamAV might or might not have yet). Are you a talented coder or what
 makes you think that such thing as pseudo-binary (I invented the word, I
 don't know if it even means anything) would slow down things if properly
 designed?

You could even use something like http://bellard.org/tcc/ to compile the
module code on the fly..

I don't know if it's worth continuing this anymore, the idea is out there.
But I changed the subject if you want to discuss.



Re: [Clamav-users] announcing ClamAV 0.94rc1

2008-08-20 Thread Henrik K
On Tue, Aug 19, 2008 at 11:00:46PM +1000, Bill Maidment wrote:
 
 Perhaps we could have two versions; one with a recent database, and one with 
 an empty
 database. Then let the user decide which he requires.

I agree, Sourceforge mirrors are pretty slow these days. ;)

This reminds me, I'd rather not see ClamAV software updates at all unless
absolutely necessary. I have a very good example, the last free Bitdefender
for Linux:

# ./bdc
BDC/Linux-Console v7.1 (build 2559) (i386) (Jul  6 2005 16:28:53)

The (very small) binary works great even today! The whole engine and
components are updated together with signatures!

192205 2008-08-19 22:35 cevakrnl.xmd
45811 2008-06-18 21:35 unpack.xmd
20564 2008-08-04 20:35 zip.xmd
...

I guess they are some sort of pseudo-binary-code or whatever. I'd like to
see ClamAV use this kind of technology.



Re: [Clamav-users] announcing ClamAV 0.94rc1

2008-08-20 Thread Henrik K
On Wed, Aug 20, 2008 at 05:40:55PM +0300, Török Edwin wrote:
 On 2008-08-20 17:31, Henrik K wrote:
  On Tue, Aug 19, 2008 at 11:00:46PM +1000, Bill Maidment wrote:

  Perhaps we could have two versions; one with a recent database, and one 
  with an empty
  database. Then let the user decide which he requires.
  
 
  I agree, Sourceforge mirrors are pretty slow these days. ;)
 
  This reminds me, I'd rather not see ClamAV software updates at all unless
  absolutely necessary. I have a very good example, the last free Bitdefender
  for Linux:
 
  # ./bdc
  BDC/Linux-Console v7.1 (build 2559) (i386) (Jul  6 2005 16:28:53)
 
  The (very small) binary works great even today! The whole engine and
  components are updated together with signatures!
 
  192205 2008-08-19 22:35 cevakrnl.xmd
  45811 2008-06-18 21:35 unpack.xmd
  20564 2008-08-04 20:35 zip.xmd
  ...
 
  I guess they are some sort of pseudo-binary-code or whatever. I'd like to
  see ClamAV use this kind of technology.

 
 Distributing binary executable code via database updates? I don't think
 that is a wise idea.
 Perhaps distributing bytecode would allow you to use older engines for
 longer time.

I don't care what the method would be. Be innovative. Create a safe method.
:)

Distributing whole sources to fix smaller (but serious) issues seems a
waste. For example, some zip exploit. Just disabling the zip engine and
hoping that users upgrade soon is ok, but not very high-tech. It would be
wonderful to just get the core zip engine updated together with signatures.



Re: [Clamav-users] [0.0] Re: simplest replacement for ancient amavis-perl

2008-08-12 Thread Henrik K
On Tue, Aug 12, 2008 at 01:15:13PM +0100, Paul Whelan wrote:
> On 12 Aug 2008 at 7:57, Charles Gregory wrote:
>
> > On Mon, 11 Aug 2008, Dennis Peterson wrote:
> > > A problem I've seen with greylisting is the round-robin MTA pool.
> > > Each is told in turn to come back later and if the pool is large it can
> > > take a long time to cycle through all of them.
> >
> > I don't suppose anyone has a list of these available for a whitelist or
> > avoid greylisting? Preferably a list of IP's not domains?
>
> I use a list at http://www.greylisting.org/whitelisting.shtml with a few
> additions

Well most of the problems are gone if you don't blindly greylist everyone.
Be selective.

http://hege.li/howto/spam/etc/postfix/in/whitelist_client.pcre
http://hege.li/howto/spam/etc/postfix/in/greylist_client.pcre

The first one already handles most of the lists that are mentioned. I hate
when mail from my server gets greylisted for absolutely no sane reason.

Of course add a few generic FCrDNS domains like hotmail.com, yahoo.com,
amazon.com.. I see no point playing with IP addresses unless there is no
PTR.



Re: [Clamav-users] Havp + Clamav + Email.Trojan-8

2008-08-11 Thread Henrik K
On Mon, Aug 11, 2008 at 12:45:51PM +0400, Roman V. Isaev wrote:
> > > > Your virus database was updated at 9 august 2008, and a lot of sites are
> > > > recognised as virus threats. For example: ixbt.com, thg.ru,
> > > > overclockers.ru.
> > > > Virus is:
> > > > Submission-ID: 4157162
> > > > Sender: Ricardo
> > > > Added: Email.Trojan-8
> > > > I think that this is a mistake.
> > >
> > > Yes!!! rambler.ru and utro.ru are blocked too. That's a huge problem,
> > > we use havp+clamav and my phone is ringing all the time, angry users
> > > complain about blocked sites, most of the Russian internet is blocked.
> > > How to remove this virus before everything is fixed?
> >
> > Have you checked HAVP configuration?
>
> Yes I did. I had to stop freshclam, unpack daily.cld with sigtool,
> remove daily.cld and remove this string:
>
> Email.Trojan-8:3:*:696d67207372633d22687474703a2f2f61642e616472697665722e72752f6367692d62696e
>
> After that everything works ok.

I gave you an example HAVP config to stop it more easily:

IGNOREVIRUS Email.

There is not much point in searching for Email viruses from the web. The only
marginal benefit is possibly catching something from people's webmail.

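As an added example (my own code, not ClamAV's or HAVP's), here is a small Python helper for the kind of by-hand edit described above: it parses ClamAV .ndb signature lines like the one quoted, decodes the hex body so the reason for the false positive is visible, and drops a signature by name from the unpacked database text. The second signature line in the sample is constructed; the first is the one from the list.

```python
# Added example (not ClamAV's or HAVP's own code): inspect and edit ClamAV .ndb
# extended-signature lines, which have the form Name:TargetType:Offset:HexBody.
import re
from typing import NamedTuple, Optional

# Target types per the ClamAV signature documentation (low values only).
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalised)",
                4: "mail file", 5: "graphics", 6: "ELF", 7: "ASCII (normalised)"}
# One hex byte, or a body wildcard (??, *, {n-m}, (a|b), [n-m]) kept verbatim.
_TOKEN = re.compile(r"[0-9a-fA-F]{2}|\?\?|\*|\{[^}]*\}|\([^)]*\)|\[[^\]]*\]")


class NdbSignature(NamedTuple):
    name: str
    target: int
    offset: str
    hex_body: str

    def target_name(self) -> str:
        return TARGET_TYPES.get(self.target, "unknown")

    def render(self) -> str:
        """Decode the hex body so a human can see what it matches: printable
        bytes as text, other bytes as \\xNN, wildcard tokens as written."""
        out = []
        for tok in _TOKEN.findall(self.hex_body):
            if len(tok) == 2 and tok != "??":
                byte = int(tok, 16)
                out.append(chr(byte) if 0x20 <= byte < 0x7F else f"\\x{byte:02x}")
            else:
                out.append(tok)
        return "".join(out)


def parse_line(line: str) -> Optional[NdbSignature]:
    """Parse one .ndb line; None for anything that is not a signature."""
    parts = line.strip().split(":", 3)
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    return NdbSignature(parts[0], int(parts[1]), parts[2], parts[3])


def drop_signature(ndb_text: str, name: str) -> str:
    """Return ndb_text minus every signature called `name` (the by-hand edit
    the poster made on the unpacked daily.cld); other lines are untouched."""
    kept = [ln for ln in ndb_text.splitlines()
            if (sig := parse_line(ln)) is None or sig.name != name]
    return "".join(ln + "\n" for ln in kept)


# Constructed two-line excerpt: the first line is the signature quoted on the
# list; the second is invented so that something survives the edit.
SAMPLE_NDB = (
    "Email.Trojan-8:3:*:696d67207372633d22687474703a2f2f61642e616472697665722e72752f6367692d62696e\n"
    "Example.Constructed-1:1:0:4d5a????{2-4}50450000\n"
)
```

Rendering the quoted signature shows it is an HTML-target match on an ad-network URL fragment, which is why ordinary web pages tripped it.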


Re: [Clamav-users] Havp + Clamav + Email.Trojan-8

2008-08-11 Thread Henrik K
On Mon, Aug 11, 2008 at 04:04:00PM +0400, Roman V. Isaev wrote:
 
> > I gave you an example HAVP config to stop it more easily:
> >
> > IGNOREVIRUS Email.
> >
>
> Yes, thanks, but I saw your letter after I already implemented my own
> solution :) I just don't want to fiddle with clamd any more until 18:00
> (end of the workday). IGNOREVIRUS is a good solution.
>
> > There is not much point in searching for Email viruses from the web. The only
> > marginal benefit is possibly catching something from people's webmail.
>
> According to my squid logs about 40% of my office users visit various
> webmail systems (and that's a lot) on a regular basis. I'll block exactly the
> culprit.

Unfortunately less than 5% of Email.* signatures match anything other than a
real mail (mbox) file. So there is a pretty slim chance of even catching
anything from webmail. But if it makes you happy, who am I to say
otherwise. :)



Re: [Clamav-users] simplest replacement for ancient amavis-perl

2008-08-07 Thread Henrik K
On Thu, Aug 07, 2008 at 04:46:48PM +0100, Rob MacGregor wrote:
> On Thu, Aug 7, 2008 at 16:40, David F. Skoll [EMAIL PROTECTED] wrote:
>
> > I recommend MIMEDefang.  (Of course, I'm the author, so I would
> > recommend it...)
>
> I use both amavisd-new and MIMEDefang.  Of those I'd recommend MD over
> amavisd-new. It's easy to customise the heck out of (I don't know perl
> and I can manage) and just works.

I use both, but MD is IMO more of a hobbyist tool (you could consider it a
bare-bones free version of CanIT, which David likes to sell). That's why I
use it only on my personal server. You need lots of custom code to get for
example all the nice amavisd-new features (penpals, bounce killer etc).

So MD if you are able to customize the heck out of it, or amavisd-new for a
ready, robust, regularly enhanced tool.



Re: [Clamav-users] 0.93.2 segfaults on Solaris 8 Sparc

2008-07-07 Thread Henrik K
On Mon, Jul 07, 2008 at 01:18:08PM -0400, Christopher X. Candreva wrote:
 
> Just built and the resultant clamscan and clamav-milter both segfault when I
> attempt to run them.
>
> Built with gcc 4.3.0 on Solaris 8 Sparc
>
> The last lines with --debug enabled are
>
> LibClamAV debug: Loading databases from /usr/local/share/clamav
> LibClamAV debug: in cli_cvdload()
> LibClamAV debug: in cli_tgzload()
> Segmentation Fault
>
> This was run with all third-party databases removed.

Remove all signatures and run freshclam?

I got a segfault on Linux too, I guess some old signatures are at fault. So
much for the improved QA. ;-)



Re: [Clamav-users] Clamav know virus count reduced.

2008-07-01 Thread Henrik K
On Tue, Jul 01, 2008 at 12:09:08PM +0100, G.W. Haywood wrote:
> Hi there,
>
> On Tue, 1 Jul 2008 Tomasz Kojm wrote:
>
> > G.W. Haywood [EMAIL PROTECTED] wrote:
> >
> > > ... is there any reason not to use something like atomic-rsync
> > > instead of (or at least as an alternative to) all this messing
> > > about with HTTP?
> >
> > The atomic-rsync would have to be used instead of freshclam on all
> > 2M+ clients and this is not an option.
>
> Why would all clients be required to use the same method?

What's wrong with HTTP? It's very scalable and works everywhere.

I have no idea how many concurrent connections an rsync daemon can easily
support, but I'm sure it is much heavier than sending ready patches
through HTTP.



Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-17 Thread Henrik K
On Thu, Apr 17, 2008 at 09:10:45PM -0400, David F. Skoll wrote:
> Eric Rostetter wrote:
>
> > For all I know, from what _little_ I know, the problem is in the
> > popen() call in the milter,
>
> Yikes popen()
>
> In a piece of SECURITY software???
>
> I'm very glad I've never used Clam's milter.

Not directly meant at David, but could you all please stop this crap and
open a bug. Continue there please. Thank you.



Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-14 Thread Henrik K
On Mon, Apr 14, 2008 at 11:55:08AM +0100, Rob MacGregor wrote:
> On Mon, Apr 14, 2008 at 11:09 AM, Bas van Rooijen [EMAIL PROTECTED] wrote:
>
> > ClamAV is rejecting messages where the recipient address contains a |
> > (pipe character)..
> >
> > Why is this? Is | a virus now?
> >
> > Can this behaviour be disabled?
> >
> > Are you planning on blocking other random characters from appearing in the
> > recipient address?
>
> Are you certain that clamav is behind this?  What other software are
> you using with your mailserver and exactly what is the error message?

It took 2 seconds to grep ClamAV sources..

clamav-milter.c

if(strchr("|;", *ptr) != NULL) {
    smfi_setreply(ctx, "554", "5.7.1", _("Suspicious recipient address blocked"));

Yes it seems | and ; are blocked.

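An added example (my own code, not clamav-milter's or ClamAV's) putting the denylist quoted above beside a narrow allowlist, with the caveat that RFC 5321 atext permits several shell-significant characters in a legal local-part, so address syntax alone cannot stand in for a safety check; the 554/5.7.1 reply text is the milter's, the 250 line is a constructed stand-in.

```python
# Added example (not clamav-milter's own code): two ways to screen a recipient
# address before it reaches anything that behaves like a shell.
import string

# The two characters the grep'd clamav-milter source refuses.
MILTER_DENYLIST = frozenset("|;")

# Conservative local policy alphabet for the whole address.  This is narrower
# than RFC 5321 atext on purpose: atext also allows characters such as '|',
# '&', '$', '`' and the apostrophe, so "is it a syntactically valid address"
# and "is it safe to hand to a shell" are different questions.
POLICY_ALLOWLIST = frozenset(string.ascii_letters + string.digits + "._+-=@")


def denylist_rejects(addr: str) -> bool:
    """The milter's approach: refuse if any listed character appears."""
    return any(ch in MILTER_DENYLIST for ch in addr)


def allowlist_rejects(addr: str) -> bool:
    """Refuse anything outside the policy alphabet, or anything that is not
    exactly <local-part>@<domain> with both parts present."""
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        return True
    return any(ch not in POLICY_ALLOWLIST for ch in addr)


def smtp_reply(addr: str) -> str:
    """Reply text for a refused address, reusing the 554/5.7.1 pair from the
    milter source; the 250 line for an accepted one is a constructed stand-in."""
    if allowlist_rejects(addr):
        return "554 5.7.1 Suspicious recipient address blocked"
    return "250 recipient accepted"


def compare(addrs):
    """Map each address to (denylist_rejects, allowlist_rejects) so the two
    policies can be laid side by side on realistic input."""
    return {a: (denylist_rejects(a), allowlist_rejects(a)) for a in addrs}
```

The trade-off is visible on an address like o'brien@example.com: the denylist passes it, the narrow policy refuses it, and only not invoking a shell at all removes the question.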


Re: [Clamav-users] Many Javascript false - positives

2008-04-09 Thread Henrik K
On Wed, Apr 09, 2008 at 03:26:48PM +0200, Alexander Siebnich wrote:
> Arnaud Jacques wrote:
> > At the moment, PUA should not be used in production environment.
> > See FAQ (http://www.clamav.org/support/faq/) for details.
>
> Thank you for this advice. I just wondered that this problem only
> occurred since the last main.cvd update, but we can change this.
>
> But I have another one, also without PUA ;-)
> http://www.beta.wetter.com/lib/js/1d7c7a52.js --
> Trojan.Downloader.JS.Agent-2
> This is also an ajax/jquery lib from a popular German website.

I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
legitimate sites. Haven't bothered to report since no one has complained that
surfing is affected.



Re: [Clamav-users] Many Javascript false - positives

2008-04-09 Thread Henrik K
On Wed, Apr 09, 2008 at 03:53:16PM +0200, aCaB wrote:
> Henrik K wrote:
> > But I have another one, also without PUA ;-)
> > http://www.beta.wetter.com/lib/js/1d7c7a52.js --
> > Trojan.Downloader.JS.Agent-2
> > This is also an ajax/jquery lib from a popular German website.
> >
> > I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
> > legitimate sites. Haven't bothered to report since no one has complained that
> > surfing is affected.
>
> Guys,
> You should update your virus db more often.
> This has been fixed 2 days ago.

What makes you think we don't?

08/04/2008 12:08:33 ClamAV: Reloaded 243723 signatures (engine 0.92.1)
08/04/2008 13:08:37 ClamAV: Reloaded 243747 signatures (engine 0.92.1)
08/04/2008 13:38:41 ClamAV: Reloaded 243768 signatures (engine 0.92.1)
08/04/2008 14:08:44 ClamAV: Reloaded 243768 signatures (engine 0.92.1)
08/04/2008 14:38:47 ClamAV: Reloaded 243816 signatures (engine 0.92.1)
08/04/2008 15:38:51 ClamAV: Reloaded 243828 signatures (engine 0.92.1)
08/04/2008 18:08:58 ClamAV: Reloaded 243839 signatures (engine 0.92.1)
08/04/2008 21:39:07 ClamAV: Reloaded 243846 signatures (engine 0.92.1)
09/04/2008 02:39:19 ClamAV: Reloaded 243849 signatures (engine 0.92.1)
09/04/2008 07:09:30 ClamAV: Reloaded 243869 signatures (engine 0.92.1)
09/04/2008 08:09:34 ClamAV: Reloaded 244861 signatures (engine 0.92.1)
09/04/2008 09:39:40 ClamAV: Reloaded 245630 signatures (engine 0.92.1)
09/04/2008 11:09:45 ClamAV: Reloaded 245634 signatures (engine 0.92.1)
09/04/2008 12:09:50 ClamAV: Reloaded 245640 signatures (engine 0.92.1)
09/04/2008 13:09:55 ClamAV: Reloaded 245708 signatures (engine 0.92.1)
09/04/2008 13:39:59 ClamAV: Reloaded 245735 signatures (engine 0.92.1)
09/04/2008 15:10:05 ClamAV: Reloaded 245755 signatures (engine 0.92.1)
09/04/2008 15:40:08 ClamAV: Reloaded 245768 signatures (engine 0.92.1)
09/04/2008 16:40:13 ClamAV: Reloaded 245783 signatures (engine 0.92.1)

08/04/2008 12:28:45 http://www.cec.jyu.fi/portal_javascripts/Jytkk/ploneScripts1448.js 740+93022 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
08/04/2008 13:50:20 http://www.macnews.de/ajax.php? 372+26270 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
08/04/2008 14:55:01 http://acadia.ur.gcion.com/Scripts/GCION.js 324+30161 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 08:35:39 http://www.abstractfonts.com/js.php? 532+26262 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 09:43:22 http://mapstats.blogflux.com/button.js.php? 228+3578 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 11:50:24 http://www.predictad.com/scripts/molosky/combined.js 356+102630 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 12:34:52 http://search.dell.com/scripts/chili-1.7.pack.js 372+7321 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 14:31:24 http://www.cdcovers.cc/server/server.php? 260+88862 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 14:33:55 http://www.oulujarvileader.com/2007/mambots/system/jceutils/jscripts/utils.js 324+8121 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 15:16:14 http://www.panoramio.com/photo/240 484+19258 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2
09/04/2008 15:50:33 http://www.csc.fi/portal_javascripts/Plone%20Default/ploneScripts5448.js 452+93027 VIRUS ClamAV: Trojan.Downloader.JS.Agent-2

And no, I'm not going to upload every one of those.



Re: [Clamav-users] Many Javascript false - positives

2008-04-09 Thread Henrik K
On Wed, Apr 09, 2008 at 04:49:17PM +0200, aCaB wrote:
> Henrik K wrote:
> > On Wed, Apr 09, 2008 at 03:53:16PM +0200, aCaB wrote:
> > > Henrik K wrote:
> > > > But I have another one, also without PUA ;-)
> > > > http://www.beta.wetter.com/lib/js/1d7c7a52.js --
> > > > Trojan.Downloader.JS.Agent-2
> > > > This is also an ajax/jquery lib from a popular German website.
> > > > I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of
> > > > legitimate sites. Haven't bothered to report since no one has complained that
> > > > surfing is affected.
> > > Guys,
> > > You should update your virus db more often.
> > > This has been fixed 2 days ago.
> >
> > What makes you think we don't?
>
> Mostly the fact that there's currently no signature for
> Trojan.Downloader.JS.Agent-2.

It was removed 2 days ago? Ah well, bug hunting on the reload code then..



Re: [Clamav-users] libclamav error Input/Output error

2008-04-01 Thread Henrik K
On Tue, Apr 01, 2008 at 11:43:27AM +0200, Luis Miguel R. wrote:
> Hi all, some days ago I installed the latest HAVP compiled with libclamav
> 0.92.1, apparently it works, but sporadically I get these errors in the logs:
>
> SCANERROR ClamAV: Unable to create temporary directory
> SCANERROR ClamAV: Input/Output error.
>
> I know these are libclamav errors but I don't know how to find the
> problem; the partition isn't full, there are free inodes, the tmp
> dir /var/tmp/havp has the correct permissions ..., the previous setup
> (havp 0.86 linked against libclamav2 (0.90.1)) didn't give me any
> problems.

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=906



Re: [Clamav-users] Memory usage for clamd is huge

2008-03-31 Thread Henrik K
On Mon, Mar 31, 2008 at 12:38:23PM -0700, Joe Sloan wrote:
> John Rudd wrote:
> > Joe Sloan wrote:
> > > John Rudd wrote:
> > > > Dennis Peterson wrote:
> > > > > And to follow up on the earlier
> > > > > point about Windows systems not being the sole source of spam/virus
> > > > > distribution,
> > > > The idea that any platform (windows, unix/linux, etc.) attached to the
> > > > net cannot be subverted into being a spam/virus zombie is, at best,
> > > > naive.  And a naive sysadmin is a danger to us all.
> > > I don't think anybody on this list has ever said windows can't be
> > > subverted. The swarms of compromised xp boxes that are rented out in
> > > blocks of 1000 or 1 for sending spam are proof enough of that.
> >
> > From reading the quotes, someone was suggesting that they're immune to
> > compromises because they're not running windows.  That statement is
> > covered by my assertion of that idea is naive.
>
> I don't think they said they were immune to compromises, but that there
> was no compelling case for the added expense of virus scanning all
> outgoing mail in a non-windows environment.

You have to wonder what kind of environment can't afford outgoing virus
scanning? It's much lighter than checking for spam and usually less traffic
goes out than comes in.
