Re: [clamav-users] using older clients to download from internal clam proxy

2021-12-09 Thread Joel Esler (jesler) via clamav-users
100 is end of life.  101 and 102 will be EOL on Jan 3.  

You need to be on 103 or higher.  The rest will be dead in January. 

— 
Sent from my  iPhone

> On Dec 9, 2021, at 15:25, novpenguincne via clamav-users 
>  wrote:
> 
> Thanks for the feedback and advice.  I understand what you are saying.  
> Sadly, this box can't be upgraded at the moment.  So I may be limited in what 
> I can accomplish.
> 
> J
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐ Original Message ‐‐‐
> 
>> On Thursday, December 9th, 2021 at 12:32 PM, G.W. Haywood 
>>  wrote:
>> 
>> Hi there,
>> 
>>> On Thu, 9 Dec 2021, novpenguincne via clamav-users wrote:
>>> 
>>> Here is where I'm at trying to get clam to run on an older 32-bit O/S.
>> 
>> Whether it's 32 bit or 64 bit should not be an issue. The age of the OS
>> is a significant issue which has already been mentioned.
>> 
>>> After testing the install (from source) of every version between 99
>>> and 104, the highest level version that I could get to successfully
>>> install was 100. Once I try 101 or higher, there are just too many
>>> dependency issues to get the configure/make/makeinstall to run
>>> successfully.
>>> 
>>> So I've settled on v100. I was able to install 100 and running
>>> freshclam successfully downloads current definition files from my
>>> proxy. I can run clamscan and scan the entire file system and it
>>> does successfully find the test files in the test directory of the
>>> install package.
>> 
>> 0.100.x has been EOL since October 2021.
>> 
>> See
>> 
>> https://blog.clamav.net/2021/06/
>> 
>> especially the bits about not testing with it, about breaking it, and
>> about not permitting it to download database updates.
>> 
>>> Now I'm moving on to the on-access/real-time scanning with clamd.
>>> After much work on getting the config file set correctly, when I try
>>> to start the daemon, I'm back to getting the "malformed database"
>>> issue that has forced our upgrade from v98.
>>> 
>>> Is this a case where v100 freshclam CAN use the current databases
>>> but clamd CAN'T use the current databases?
>> 
>> I think you're just wasting your time, and the time of everybody else
>> reading your posts about this subject. Please read the release notes
>> for later versions, especially the parts which talk about on-access
>> scanning in which some serious faults have recently been rectified.
>> 
>> The probability that anything useful will come out of your efforts is
>> IMO small, and the probability that you will create more problems than
>> you think you are solving is significantly larger - not least because
>> you are knowingly running unsupported code with known vulnerabilities.
>> 
>> If you really want to scan your filesystems - an activity of dubious
>> value at the best of times - and you can't build the latest ClamAV on
>> the OS, then the best you can probably do is scan remotely. You can
>> do this either by remotely mounting the devices to be scanned on a
>> scanning device on which you can install the latest ClamAV, or by
>> running a local clamdscan connected to a remote but up-to-date clamd.
>> 
>> These suggestions have already been made to you. Remote mounts are
>> straightforward, but, given your difficulties building executables,
>> running a local clamdscan may not be easy for you. As I've said if
>> all else fails I could offer a Perl script which could do a similar
>> job, but I do still think it would be fairly pointless.
>> 
>> The basic advice has to remain the same. You need to upgrade. If you
>> want reasonably good security, this is not optional.
>> 
>> 

Re: [clamav-users] using older clients to download from internal clam proxy

2021-12-02 Thread Joel Esler (jesler) via clamav-users
The oldest version that is currently supported is the 0.101.x line, but that 
will be EOL in January.  So I would recommend 0.103.x or higher.

— 
Sent from my  iPad

> On Dec 2, 2021, at 13:10, novpenguincne via clamav-users 
>  wrote:
> 
> Thank you for the quick response.  So that would lead into the logical next 
> question.  What would be the earliest client version that would work?  I 
> tried installing the 103.x client on that box but 103.x requires SystemD and 
> this older box is still using SystemV.  So is there a version of the client 
> that is new enough to accept the new definition files but still old enough to 
> install on a SystemV-based o/s?
> 
> James
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐ Original Message ‐‐‐
> 
>> On Thursday, December 2nd, 2021 at 10:49 AM, Joel Esler (jesler) 
>>  wrote:
>> 
>> James,
>> 
>> Thanks for your email. ClamAV definitions won’t even work on those older 
>> versions anymore. The Flevel for the main.cvd and daily.cvd are now set 
>> higher than that, so those systems shouldn’t be able to load the newer 
>> definitions.
>> 
>> —
>> 
>> Sent from my  iPad
>> 
>>> On Dec 2, 2021, at 11:08, novpenguincne via clamav-users 
>>> <clamav-users@lists.clamav.net> wrote:
>>> 
>>> To facilitate bandwidth issues, I've set up an internal clam proxy server 
>>> on SLES15 running the 103.x client. I have successfully connected to it 
>>> using a different SLES15 box also running the 103.x client and downloaded 
>>> updates to it.
>>> 
>>> However, I still have an older SLES11 box running the 98.x client. Due to 
>>> extenuating circumstances, this box is not a candidate for an o/s upgrade. 
>>> I also know from CLAM documentation that clients older than 100.x are no 
>>> longer supported. But I would still like to have some a/v on this box until 
>>> its retirement so I was trying to have it download from the proxy server as 
>>> well.
>>> 
>>> When I first attempted, it failed because it was trying to download 
>>> main.cld which didn't exist on the proxy. So I turned off "scripted 
>>> updates" on both the proxy and the target SLES11 box which is now forcing 
>>> everything to use cvd files only. But now when I run freshclam on the 
>>> SLES11 box, I'm getting different errors. It downloads the daily.cvd 
>>> successfully. Then it tries to load signatures from daily.cvd. And then I 
>>> get a sequence of errors:
>>> 
>>> ERROR: During database Load
>>> WARNING: [LibClamAV] cli_ac_addsig: Signature for 
>>> Win.Backdoor.SystemBC-9885562-0 is too short
>>> ERROR: Failed to load new database: Malformed database
>>> WARNING: Database load exited with status 55
>>> ERROR: Failed to load new database
>>> 
>>> Do I need to make a change in the freshclam.conf to get this to work? Or is 
>>> it a matter of the 98.x client unable to read datafiles designed for 103.x 
>>> clients?
>>> 
>>> James
>>> 
>>> clamav-users mailing list
>>> 
>>> clamav-users@lists.clamav.net
>>> 
>>> https://lists.clamav.net/mailman/listinfo/clamav-users
>>> 
>>> Help us build a comprehensive ClamAV guide:
>>> 
>>> https://github.com/vrtadmin/clamav-faq
>>> 
>>> http://www.clamav.net/contact.html#ml
> 




Re: [clamav-users] using older clients to download from internal clam proxy

2021-12-02 Thread Joel Esler (jesler) via clamav-users
James,

Thanks for your email.  ClamAV definitions won’t even work on those older 
versions anymore.  The Flevel for the main.cvd and daily.cvd are now set higher 
than that, so those systems shouldn’t be able to load the newer definitions.

— 
Sent from my  iPad

> On Dec 2, 2021, at 11:08, novpenguincne via clamav-users 
>  wrote:
> 
> 
> To facilitate bandwidth issues, I've set up an internal clam proxy server on 
> SLES15 running the 103.x client.  I have successfully connected to it using a 
> different SLES15 box also running the 103.x client and downloaded updates to 
> it.  
> 
> However, I still have an older SLES11 box running the 98.x client.  Due to 
> extenuating circumstances, this box is not a candidate for an o/s upgrade.  I 
> also know from CLAM documentation that clients older than 100.x are no longer 
> supported.  But I would still like to have some a/v on this box until its 
> retirement so I was trying to have it download from the proxy server as well.
> 
> When I first attempted, it failed because it was trying to download main.cld 
> which didn't exist on the proxy.  So I turned off "scripted updates" on both 
> the proxy and the target SLES11 box which is now forcing everything to use 
> cvd files only.  But now when I run freshclam on the SLES11 box, I'm getting 
> different errors.  It downloads the daily.cvd successfully.  Then it tries to 
> load signatures from daily.cvd.  And then I get a sequence of errors:
> 
> ERROR: During database Load 
> WARNING: [LibClamAV] cli_ac_addsig: Signature for 
> Win.Backdoor.SystemBC-9885562-0 is too short
> ERROR: Failed to load new database: Malformed database
> WARNING: Database load exited with status 55
> ERROR: Failed to load new database
> 
> Do I need to make a change in the freshclam.conf to get this to work?  Or is 
> it a matter of the 98.x client unable to read datafiles designed for 103.x 
> clients?
> 
> James
> 
> 
> 


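Joel's point above turns on the functionality-level field in the CVD header: freshclam on an old engine can still fetch daily.cvd, but libclamav then fails to load signatures it does not understand. The following is an added example, not ClamAV's own code, that parses the 512-byte CVD header (the same fields `sigtool --info` prints) and reports whether an engine at a given flevel can load the file; the sample database, the engine flevels 82 and 90, and the builder name are constructed for illustration.

```python
"""Parse a ClamAV CVD header and check whether an engine with a given
functionality level (flevel) can load that database.

Added example, not ClamAV's own code. The header layout ("ClamAV-VDB:"
followed by eight colon-separated fields in a fixed 512-byte block) is
the documented CVD format; the sample database built below is constructed
and carries a placeholder where a real database carries its RSA signature,
so only the MD5 of the payload is verified here."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import List

CVD_HEADER_LEN = 512           # the header is a fixed 512-byte text block
CVD_MAGIC = "ClamAV-VDB:"


@dataclass
class CvdHeader:
    build_date: str   # e.g. "02 Dec 2021 12-00 -0500" (no colons by design)
    version: int      # database version number
    sigs: int         # number of signatures in the database
    flevel: int       # minimum engine functionality level required
    md5: str          # MD5 of everything after the 512-byte header
    dsig: str         # digital signature over the MD5 (not checked here)
    builder: str      # who built the database
    build_time: int   # build time as a Unix timestamp


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Split the fixed-size header into its fields, rejecting malformed input."""
    if len(raw) < CVD_HEADER_LEN:
        raise ValueError("file is shorter than a CVD header")
    text = raw[:CVD_HEADER_LEN].rstrip(b" \x00\n").decode("ascii")
    if not text.startswith(CVD_MAGIC):
        raise ValueError("not a CVD file (magic mismatch)")
    fields = text[len(CVD_MAGIC):].split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 header fields, found {len(fields)}")
    return CvdHeader(
        build_date=fields[0],
        version=int(fields[1]),
        sigs=int(fields[2]),
        flevel=int(fields[3]),
        md5=fields[4].lower(),
        dsig=fields[5],
        builder=fields[6],
        build_time=int(fields[7]),
    )


def payload_md5_ok(raw: bytes, hdr: CvdHeader) -> bool:
    """The header MD5 covers the compressed payload that follows the header."""
    return hashlib.md5(raw[CVD_HEADER_LEN:]).hexdigest() == hdr.md5


def check_loadable(raw: bytes, engine_flevel: int) -> List[str]:
    """Return the reasons an engine at engine_flevel should refuse this file;
    an empty list means the file is safe to hand to that engine."""
    problems = []
    hdr = parse_cvd_header(raw)
    if not payload_md5_ok(raw, hdr):
        problems.append("payload MD5 does not match the header")
    if hdr.flevel > engine_flevel:
        problems.append(
            f"database requires flevel {hdr.flevel}, engine only offers {engine_flevel}"
        )
    return problems


def build_sample_cvd(payload: bytes, flevel: int, version: int = 26373) -> bytes:
    """Constructed sample for this example: a syntactically valid CVD header
    in front of an arbitrary payload, with a placeholder digital signature."""
    header = (
        f"{CVD_MAGIC}02 Dec 2021 12-00 -0500:{version}:8500000:{flevel}:"
        f"{hashlib.md5(payload).hexdigest()}:PLACEHOLDER-DSIG:example-builder:1638464400"
    )
    return header.encode("ascii").ljust(CVD_HEADER_LEN, b" ") + payload


if __name__ == "__main__":
    sample = build_sample_cvd(b"fake tar.gz bytes for the example", flevel=90)
    # Assumed flevels for illustration only: 82 for an old engine, 90 for a newer one.
    for engine in (82, 90):
        print(engine, check_loadable(sample, engine) or "loadable")
```

Running this check on a mirror or proxy before pushing a database to an old engine reports the flevel mismatch up front, instead of the "Malformed database" failure shown in the quoted freshclam output.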


Re: [clamav-users] ClamAV detects XMR-Stak as malicious. Is this a false positive?

2021-11-19 Thread Joel Esler (jesler) via clamav-users
Al is right.

If you don’t want to detect it ignore it.  Using the ignore functions.

—
Sent from my  iPad

On Nov 19, 2021, at 03:49, Al Varnell via clamav-users 
 wrote:

I suspect that it's because there are several instances of malicious software 
that install xmr-stak unknowingly to the user who then become a miner bot for a 
cybercriminal.

If I were you I would just put it in a clamav.fp file so it will ignore your 
installation while still identifying any other instance that showed up.

Sent from my iPad

-Al-
ClamXAV User

On Nov 18, 2021, at 23:23, happysmash27 via clamav-users 
 wrote:

I decided to scan my entire /usr/ folder recently, as I heard about a 
malicious package in NPM and wanted to be extra sure nothing got into my 
system. I was slightly shocked when it finished, and it said there was 1 
infected file. Unfortunately it did not list exactly what that infected file 
was, so I ran it again this time logging to a file and grepped that file for 
"FOUND", and the result was:

/usr/bin/xmr-stak: Multios.Coinminer.Miner-6781728-2 FOUND

But... XMR-Stak is _supposed_ to be a crypto miner. That is what it does. I 
installed it for that purpose, compiling it from source since I am on Gentoo.

So... is this a false positive then? Or is this saying something else, like, 
that my version of XMR-Stak has malicious code to mine on some bad actor's pool 
instead of the one I tell it to mine in?



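Al's suggestion above is the hash-based whitelist: a line in a .fp file silences the detection for one exact file, whereas an .ign2 entry silences the signature name for every file. The following added example, not ClamAV's own code, builds and validates such an entry and models the difference between the two whitelists; the file bytes and the entry name are constructed, while the signature name is the one from the scan result quoted above.

```python
"""Whitelist one known-good binary for ClamAV with a hash-based .fp entry, and
contrast it with a signature-name .ign2 entry.

Added example, not ClamAV's own code. Formats follow the ClamAV signature
documentation: a .fp line is "MD5:FileSize:Name", an .ign2 line is just the
signature name to ignore. The sample file bytes and entry name are constructed."""
import hashlib
import re
from typing import Iterable, Optional, Tuple

# MD5 (32 hex chars) : decimal size : name without colons or whitespace
FP_LINE_RE = re.compile(r"^([0-9a-f]{32}):(\d+):(\S+)$")


def fp_entry(data: bytes, name: str) -> str:
    """Return the .fp line that whitelists exactly these bytes (hash and size)."""
    if ":" in name or re.search(r"\s", name):
        raise ValueError("entry name must not contain ':' or whitespace")
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp_line(line: str) -> Tuple[str, int, str]:
    """Split a .fp line into (md5, size, name), rejecting malformed lines."""
    m = FP_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed .fp line: {line!r}")
    md5, size, name = m.groups()
    return md5, int(size), name


def fp_matches(line: str, data: bytes) -> bool:
    """True only when the file has both the size and the MD5 of the entry."""
    md5, size, _ = parse_fp_line(line)
    return size == len(data) and md5 == hashlib.md5(data).hexdigest()


def detection_suppressed(sig_name: str, data: bytes,
                         fp_lines: Iterable[str],
                         ign2_names: Iterable[str]) -> Optional[str]:
    """Model which whitelist, if any, silences a hit of sig_name on data.
    A .fp entry applies to the one exact file; an .ign2 entry silences the
    signature for every file that triggers it."""
    for line in fp_lines:
        if fp_matches(line, data):
            return "fp"
    if sig_name in ign2_names:
        return "ign2"
    return None


if __name__ == "__main__":
    # Constructed stand-in for the locally built /usr/bin/xmr-stak.
    good_build = b"constructed xmr-stak binary bytes"
    line = fp_entry(good_build, "Local.XmrStak.Approved")
    print(line)
    sig = "Multios.Coinminer.Miner-6781728-2"
    print("own build:", detection_suppressed(sig, good_build, [line], []))
    print("other file:", detection_suppressed(sig, good_build + b"!", [line], []))
```

Put the printed line in a file ending in .fp inside ClamAV's database directory; clamscan and clamd load it with the rest of the databases, and the entry must be regenerated whenever the binary is rebuilt.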


Re: [clamav-users] Nonsensical noreplies from ClamAV team

2021-11-18 Thread Joel Esler (jesler) via clamav-users
We’re looking into this.

—
Sent from my  iPhone

On Nov 18, 2021, at 14:56, Maarten Broekman via clamav-users 
 wrote:


"If you provided a description that suggests otherwise..." is a past tense 
conditional referring to the form submission. That phrase is the equivalent to 
this longer "If you put information in the description that suggests the sample 
is not clean..."


On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood via clamav-users 
<clamav-users@lists.clamav.net> wrote:
Hi there,

On Thu, 18 Nov 2021, Alessandro Vesely via clamav-users wrote:

> even though I filter incoming messages with ClamAV, last Monday I received a
> mail with two suspicious attachments.  They were PE32+ executable (DLL) (GUI)
> x86-64, for MS Windows.  I uploaded the samples to virustotal.com, who
> reported they were recognized as trojans.  I saved the viral message and
> uploaded it to https://www.clamav.net/reports/malware.  On Tuesday I received
> the following message:
> ...

The same thing happened here earlier this week IIRC from one or two of
our automated submissions.  As the reply also said

> If you provided a description that suggests otherwise, we will
> further examine the sample & proceed from there.

and we did so provide, I left it there.

--

73,
Ged.





Re: [clamav-users] "403: Forbidden" from website

2021-11-18 Thread Joel Esler (jesler) via clamav-users
Since you’re from Cisco, let’s take this off list so I can understand what 
you’re trying to do?  May not be the proper way to do it internally.

On Nov 18, 2021, at 12:07, John Pfuntner -X (jpfuntne - EASI LLC at Cisco) via 
clamav-users <clamav-users@lists.clamav.net> wrote:

I’m not sure what the file is.  The URL in which I’m interested is 
http://www.clamav.net/downloads/. I tried to add index.html to the URL but that 
didn’t work but when wget retrieves just http://www.clamav.net/downloads/, the 
filename it uses is index.html.

From: Joel Esler (jesler) <jes...@cisco.com>
Sent: Thursday, November 18, 2021 11:55 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: John Pfuntner -X (jpfuntne - EASI LLC at Cisco) <jpfun...@cisco.com>
Subject: Re: [clamav-users] "403: Forbidden" from website

What files are you attempting to download?






Re: [clamav-users] "403: Forbidden" from website

2021-11-18 Thread Joel Esler (jesler) via clamav-users
What files are you attempting to download?

On Nov 18, 2021, at 09:33, John Pfuntner -X (jpfuntne - EASI LLC at Cisco) via 
clamav-users <clamav-users@lists.clamav.net> wrote:

I’m seeing errors trying to access the website programmatically:

$ wget http://www.clamav.net/downloads
URL transformed to HTTPS due to an HSTS policy
--2021-11-18 09:25:20--  https://www.clamav.net/downloads
Resolving www.clamav.net (www.clamav.net)... 104.16.218.84, 104.16.219.84, 2606:4700::6810:db54, ...
Connecting to www.clamav.net (www.clamav.net)|104.16.218.84|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-11-18 09:25:21 ERROR 403: Forbidden.
$

I see recent posts in the archive similar to this but someone asserted it was 
fixed.

I observed that if I supplied a user agent, it worked:

$ wget --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36" http://www.clamav.net/downloads
URL transformed to HTTPS due to an HSTS policy
--2021-11-18 09:27:00--  https://www.clamav.net/downloads
Resolving www.clamav.net (www.clamav.net)... 104.16.219.84, 104.16.218.84, 2606:4700::6810:db54, ...
Connecting to www.clamav.net (www.clamav.net)|104.16.219.84|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘downloads’

downloads               [ <=>                ] 103.58K  --.-KB/s    in 0.03s

2021-11-18 09:27:00 (3.60 MB/s) - ‘downloads’ saved [106062]
$

Is this a problem that can be addressed on the server so a user agent doesn’t 
need to be specified?






Re: [clamav-users] clamav DOA

2021-11-18 Thread Joel Esler (jesler) via clamav-users
101 should be fine.  Try deleting your mirrors.dat file and see what happens?

— 
Sent from my  iPad

> On Nov 18, 2021, at 07:32, Cody Allen  wrote:
> 
> It's prepackaged on a mailcleaner appliance, not using any standard 
> locations for the binaries or configs and no updates available from them. An 
> out of date database would have been better than a totally broken AV, which 
> is where I'm stuck now. It's frustrating that we're blaming network 
> connectivity instead of that it's too old, meaning that it's not a 
> recommendation to upgrade but a requirement.
> 
> 
> 
>>> On Nov 18, 2021, at 7:21 AM, Maarten Broekman via clamav-users 
>>>  wrote:
>>> 
>>> 
>>> 
>>> Cody, it looks like you’re running ClamAV 0.101.2. That version is too old. 
>>> If you upgrade to 0.103.4, you should be able to start downloading the db 
>>> files again. 
>>> 
>>> What kind of system are you on? Is ClamAV prepackaged for you or did you 
>>> build from source?
>>> 
>>> -Maarten
>>> Sent from a tiny keyboard
>>> 
>>>> On Nov 18, 2021, at 07:09, Cody Allen  wrote:
>>>> 
>>> Frustrated, have spent days with a broken clamav; nothing seems to work to 
>>> download the db. Can someone please shed some light on what is wrong and 
>>> how to address the problem. Running on a debian jessie appliance. At this 
>>> point I'm dead in the water; without the database the service tanks and will 
>>> not start, freshclam will not download and have found no method to manually 
>>> get or update the db.
>>> 
>>> Using IPv6 aware code
>>> Max retries == 3
>>> Querying current.cvd.clamav.net
>>> TTL: 962
>>> Software version from DNS: 0.103.4
>>> WARNING: Your ClamAV installation is OUTDATED!
>>> WARNING: Local version: 0.101.2 Recommended version: 0.103.4
>>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
>>> Retrieving http://database.clamav.net/main.cvd
>>> Ignoring mirror 104.16.218.84 (due to previous errors)
>>> Ignoring mirror 104.16.219.84 (due to previous errors)
>>> Ignoring mirror 104.16.218.84 (due to previous errors)
>>> Ignoring mirror 104.16.219.84 (due to previous errors)
>>> WARNING: Can't download main.cvd from database.clamav.net
>>> Trying again in 5 secs...
>> 
> 
> 




Re: [clamav-users] Fail to download source archive with 403 forbitten

2021-11-17 Thread Joel Esler (jesler) via clamav-users
It has been fixed.  

— 
Sent from my  iPad

> On Nov 17, 2021, at 14:36, Paul Kosinski via clamav-users 
>  wrote:
> 
> On Mon, 15 Nov 2021 13:23:49 +0000
> "Joel Esler \(jesler\) via clamav-users"  
> wrote:
> 
>> On Nov 14, 2021, at 19:11, Yasuhiro Kimura 
>> <y...@utahime.org> wrote:
>> 
>> These results mean the server checks the User-Agent header of the HTTP request
>> and returns 403 Forbidden if the value doesn't look like that of a web
>> browser.
>> 
>> Then is it an intended change?
>> 
>> Yes, and it has been this way for over two years.
>> 
>> --
>> Joel Esler
>> Strategy, Cisco Talos Intelligence Group
> 
> 
> Does anyone do automated updating of ClamAV from source when new fixes become
> available (e.g., www.clamav.net/downloads/production/clamav-0.104.N.tar.gz)?
> 
> This sort of restriction could make it awkward.
> 



Re: [clamav-users] Fail to download source archive with 403 forbitten

2021-11-15 Thread Joel Esler (jesler) via clamav-users
As a follow up to this thread, this has been fixed.

— 
Sent from my  iPad

> On Nov 15, 2021, at 10:09, Yasuhiro Kimura  wrote:
> 
> From: "Joel Esler (jesler)" 
> Subject: Re: [clamav-users] Fail to download source archive with 403 forbitten
> Date: Mon, 15 Nov 2021 14:30:06 +
> 
>>>> Yes, and it has been this way for over two years.
>>> 
>>> It sounds strange to me as I could successfully download both
>>> clamav-0.103.4.tar.gz and clamav-0.104.1.tar.gz with `fetch` when I
>>> updated our ClamAV ports to latest releases on November 4th.
>> 
>> Interesting.  Well, I am sure things have maneuvered around slightly since 
>> then, but nothing material enough to suddenly allow that.  It’s been that way 
>> for awhile.
> 
> There is a report from our user that source IP address seems to matter
> as well.
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259835#c3
> 
> ---
> Yasuhiro Kimura




Re: [clamav-users] Fail to download source archive with 403 forbitten

2021-11-15 Thread Joel Esler (jesler) via clamav-users


On Nov 15, 2021, at 09:30, Joel Esler (jesler) via clamav-users 
<clamav-users@lists.clamav.net> wrote:


On Nov 15, 2021, at 08:39, Yasuhiro Kimura 
<y...@utahime.org> wrote:

From: "Joel Esler \(jesler\) via clamav-users" 
<clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Fail to download source archive with 403 forbitten
Date: Mon, 15 Nov 2021 13:23:49 +

These results mean the server checks the User-Agent header of the HTTP request
and returns 403 Forbidden if the value doesn't look like that of a web
browser.

Then is it an intended change?

Yes, and it has been this way for over two years.

It sounds strange to me as I could successfully download both
clamav-0.103.4.tar.gz and clamav-0.104.1.tar.gz with `fetch` when I
updated our ClamAV ports to latest releases on November 4th.

Interesting.  Well, I am sure things have maneuvered around slightly since 
then, but nothing material enough to suddenly allow that.  It’s been that way 
for awhile.


Replying to myself:  Try now?



Re: [clamav-users] Fail to download source archive with 403 forbitten

2021-11-15 Thread Joel Esler (jesler) via clamav-users


On Nov 15, 2021, at 08:39, Yasuhiro Kimura 
<y...@utahime.org> wrote:

From: "Joel Esler \(jesler\) via clamav-users" 
<clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Fail to download source archive with 403 forbitten
Date: Mon, 15 Nov 2021 13:23:49 +

These results mean the server checks the User-Agent header of the HTTP request
and returns 403 Forbidden if the value doesn't look like that of a web
browser.

Then is it an intended change?

Yes, and it has been this way for over two years.

It sounds strange to me as I could successfully download both
clamav-0.103.4.tar.gz and clamav-0.104.1.tar.gz with `fetch` when I
updated our ClamAV ports to latest releases on November 4th.

Interesting.  Well, I am sure things have maneuvered around slightly since 
then, but nothing material enough to suddenly allow that.  It’s been that way 
for awhile.



Re: [clamav-users] Fail to download source archive with 403 forbitten

2021-11-15 Thread Joel Esler (jesler) via clamav-users


On Nov 14, 2021, at 19:11, Yasuhiro Kimura 
<y...@utahime.org> wrote:

These results mean the server checks the User-Agent header of the HTTP request
and returns 403 Forbidden if the value doesn't look like that of a web
browser.

Then is it an intended change?

Yes, and it has been this way for over two years.

--
Joel Esler
Strategy, Cisco Talos Intelligence Group



Re: [clamav-users] stuck at "Starting Clam AntiVirus Daemon" when rebooting.

2021-11-14 Thread Joel Esler (jesler) via clamav-users
Windows 7 and newer includes windows 7.  Also, is your problem separate from 
the original post about CentOS?  If so, please start a new thread, don’t hijack 
someone else’s.

— 
Sent from my  iPad

> On Nov 14, 2021, at 18:03, RW Jones via clamav-users 
>  wrote:
> 
> 
> I'm on a Win-DOS 10 box writing this, it so happened I'd tried the update on 
> a Windows 7 box having read this when searching for the Windows install 
> routine section which had been moved:
> 
> https://docs.clamav.net/faq/faq-win32.html
> 
> "ClamAV on Microsoft Windows FAQ
> 
> ClamAV offers a versions of ClamAV for Microsoft Windows compatible with both 
> 32bit and 64bit versions of Windows 7 and newer."
> 
> If it no longer works on Windows 7 the Windows FAQ should be updated.
> 
> 
> Regards,
> 
> 
> 
> Robert Jones
> 
> 
> 
>> On Sun, 14 Nov 2021, G.W. Haywood via clamav-users wrote:
>> 
>> Date: Sun, 14 Nov 2021 09:57:22 + (GMT)
>> From: G.W. Haywood via clamav-users 
>> To: Eric Jin via clamav-users 
>> Cc: G.W. Haywood 
>> Subject: Re: [clamav-users] stuck at "Starting Clam AntiVirus Daemon" when rebooting.
>> Hi there,
>> 
>>> On Sun, 14 Nov 2021, Eric Jin via clamav-users wrote:
>>> 
>>> It stuck at "Starting Clam AntiVirus Daemon" when the centos-6 host
>>> rebooted. Please tell me how to resolve it. Thanks.
>> 
>> Upgrade to a supported operating system.
>> 
>> Otherwise you are just a part of the problem.
>> 
>> https://wiki.centos.org/About/Product
>> 
>> -- 
>> 
>> 73,
>> Ged.
>> 
>> 
> 
> 
> r...@sdf.org
> (r...@freeshell.org)
> SDF Public Access UNIX System - http://SDF.org
> 




Re: [clamav-users] Advertising Options / Sponsored Content Options on clamav.net

2021-11-12 Thread Joel Esler (jesler) via clamav-users
No.

— 
Sent from my  iPad

> On Nov 11, 2021, at 09:31, Doug Whittemore  wrote:
> 
> 
> Hi,
> 
> Just wanted to follow up on my advertising request?
> 
> We’re interested in publishing content on your website, and I am keen to get 
> pricing/options etc.
> 
> Please revert back with prices to publish content on your website - much 
> appreciated
> 
> Best Regards,
> 
> 
> 
> 
> 
>> On Mon, Nov 8, 2021 at 1:56 AM Doug Whittemore  
>> wrote:
>> Hi there,
>> 
>> We are a Content Placement & Digital Marketing Agency. We have more than 200 
>> clients in different business verticals i.e. Business, Finance, Insurance, 
>> Technology, Health, Real-Estate, Sports, Online Gaming / Casino as well in 
>> other niche markets.
>> 
>> Whilst looking for opportunities, we came across your clamav.net,
>> 
>> Please let us know pricing and options to place sponsored content on your 
>> website. We can provide you with a high-quality piece of content fitting 
>> your website audience. We’ll include citations and images, so that the 
>> content naturally resonates with your readers.
>> 
>> Furthermore, if you are interested in publishing sponsored content on 
>> websites / blogs owned by your company,  
>> please send us more details with the below info:
>> 
>> - Website URL
>> 
>> - Pricing
>> 
>> - Linking restrictions (Nofollow etc)
>> 
>> - Any restrictions about content or outgoing links
>> 
>> Let me know and we can get something started.
>> 
>> Kind Regards,
>> 
>> 
>> 




[clamav-users] ClamAV® blog: ClamAV 0.103.4 and 0.104.1 patch releases

2021-11-03 Thread Joel Esler (jesler) via clamav-users


https://blog.clamav.net/2021/11/clamav-01034-and-01041-patch-releases.html

ClamAV 0.103.4 and 0.104.1 patch releases

ClamAV 0.103.4 LTS and 0.104.1 patch versions are out now. Both of these can be 
found on clamav.net/downloads, with 0.104.1 as the 
main release and 0.103.4 under "Previous Stable Releases."


0.103.4

ClamAV 0.103.4 is a critical patch release with the following fixes:

  *   FreshClam:

 *   Add a 24-hour cool-down for FreshClam clients that have received an 
HTTP 403 (Forbidden) response from the CDN. This is to reduce the volume of 
403-response data served to blocked FreshClam clients that are configured with 
a tight update-loop.
 *   Fixed a bug where FreshClam treats an empty CDIFF as an incremental 
update failure instead of as an intentional request to download the whole CVD.
  *   ClamDScan: Fix a scan error when broken symlinks are encountered on macOS 
with "FollowDirectorySymlinks" and "FollowFileSymlinks" options disabled.

  *   Overhauled the scan recursion / nested archive extraction logic and added 
new limits on embedded file-type recognition performed during the "raw" scan of 
each file. This limits embedded file-type misidentification and prevents 
detecting embedded file content that is found/extracted and scanned at other 
layers in the scanning process.

  *   Fix an issue with the FMap module that failed to read from some nested 
files.

  *   Fixed an issue where failing to load some rules from a Yara file 
containing multiple rules may cause a crash.

  *   Fixed assorted compiler warnings.

  *   Fixed assorted Coverity static code analysis issues.

  *   Scan limits:

 *   Added virus-name suffixes to the alerts that trigger when a scan limit 
has been exceeded. Rather than simply Heuristics.Limits.Exceeded, you may now 
see limit-specific virus-names, to include:
*   Heuristics.Limits.Exceeded.MaxFileSize
*   Heuristics.Limits.Exceeded.MaxScanSize
*   Heuristics.Limits.Exceeded.MaxFiles
*   Heuristics.Limits.Exceeded.MaxRecursion
*   Heuristics.Limits.Exceeded.MaxScanTime
 *   Renamed the Heuristics.Email.ExceedsMax.* alerts to align with the 
other limit alerts names. These alerts include:
*   Heuristics.Limits.Exceeded.EmailLineFoldcnt
*   Heuristics.Limits.Exceeded.EmailHeaderBytes
*   Heuristics.Limits.Exceeded.EmailHeaders
*   Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage
*   Heuristics.Limits.Exceeded.EmailMIMEArguments
 *   Fixed an issue where the Email-related scan limits would alert even 
when the "AlertExceedsMax" (--alert-exceeds-max) scan option is not enabled.
 *   Fixes an issue in the Zip parser where exceeding the "MaxFiles" limit 
or the "MaxFileSize" limit would abort the scan but would fail to alert. The 
Zip scan limit issues were independently identified and reported by Aaron 
Leliaert and Max Allan.
  *   Fixed a leak in the Email parser when using the --gen-json scan option.

  *   Fixed an issue where a failure to record metadata in the Email parser 
when using the --gen-json scan option could cause the Email parser to abort the 
scan early and fail to extract and scan additional content.

  *   Fixed a file name memory leak in the Zip parser.

  *   Fixed an issue where certain signature patterns may cause a crash or 
cause unintended matches on some systems when converting characters to 
uppercase if a UTF-8 unicode single-byte grapheme becomes a multi-byte 
grapheme. Patch courtesy of Andrea De Pasquale.

Other fixes backported from 0.104.0:

  *   Fixed a crash in programs that use libclamav when the programs don't set 
a callback for the "virus found" event. Patch courtesy of Markus Strehle.

  *   Added checks to the SIS archive parser to prevent an SIS file entry 
from pointing to the archive, which would result in a loop. This was not an 
actual infinite loop, as ClamAV's scan recursion limit limits the depth of 
nested archive extraction.

  *   ClamOnAcc: Fixed a socket file descriptor leak that could result in a 
crash when all available file descriptors are exhausted.

  *   FreshClam: Fixed an issue where FreshClam would download a CVD repeatedly 
if a zero-byte CDIFF is downloaded or if the incremental update failed and if 
the CVD downloaded after that is older than advertised. Patch courtesy of 
Andrew Williams.

  *   ClamDScan:

 *   Fixed a memory leak of the scan target filename when using the 
--fdpass or --stream options.
 *   Fixed an issue where ClamDScan would fail to scan any file after 
excluding a file with the "ExcludePath" option when using the --multiscan (-m) 
option along with either --fdpass or --stream. Also fixed a memory leak of the 
accidentally-excluded paths in this case.
 *   Fixed a single file path memory leak when using --fdpass.
 *   Fixed an issue where the "ExcludePath" regex may fail to exclude 
absolute paths when 
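
The limit-specific alert names listed in these release notes matter operationally: a Heuristics.Limits.Exceeded.* line means the scanner stopped at a configured limit, not that malicious content was found, and the two should not be handled by the same alerting rule. The script below is an added example, not code from the ClamAV project or from this announcement. It splits clamscan/clamdscan "FOUND" output into real detections and exceeded limits and names the clamd.conf/clamscan option that governs each limit; the file paths and the scanner output are constructed sample data.

```python
"""Separate scan-limit heuristics from real detections in clamscan/clamdscan
output (added example; sample paths and output lines are constructed)."""
import re
from collections import defaultdict

# clamscan and clamdscan print one "<path>: <signature> FOUND" line per alert.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Prefix of the limit alerts introduced in ClamAV 0.103.4 / 0.104.x.
LIMIT_PREFIX = "Heuristics.Limits.Exceeded."

# Which option to tune for each limit (clamd.conf directive / clamscan flag).
# Limits without an entry (the Email* ones) have no dedicated option; all
# limit alerts are gated by AlertExceedsMax / --alert-exceeds-max.
LIMIT_OPTION = {
    "MaxFileSize": "MaxFileSize / --max-filesize",
    "MaxScanSize": "MaxScanSize / --max-scansize",
    "MaxFiles": "MaxFiles / --max-files",
    "MaxRecursion": "MaxRecursion / --max-recursion",
    "MaxScanTime": "MaxScanTime / --max-scantime",
}

# Constructed scanner output, not real scan results.
SAMPLE = """\
/srv/mail/queue/msg001.eml: Email.Phishing.VOF1-6326576-0 FOUND
/srv/uploads/big.iso: Heuristics.Limits.Exceeded.MaxScanSize FOUND
/srv/uploads/deep.zip: Heuristics.Limits.Exceeded.MaxRecursion FOUND
/srv/uploads/many.zip: Heuristics.Limits.Exceeded.MaxFiles FOUND
/srv/uploads/clean.txt: OK
/srv/mail/queue/msg002.eml: Heuristics.Limits.Exceeded.EmailHeaders FOUND
/srv/uploads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
"""


def parse_found(text):
    """Yield (path, signature) for every FOUND line; OK lines are skipped."""
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            yield m.group("path"), m.group("sig")


def classify(text):
    """Return {'detections': [(path, sig)], 'limits': {limit_name: [paths]}}."""
    result = {"detections": [], "limits": defaultdict(list)}
    for path, sig in parse_found(text):
        if sig.startswith(LIMIT_PREFIX):
            result["limits"][sig[len(LIMIT_PREFIX):]].append(path)
        else:
            result["detections"].append((path, sig))
    result["limits"] = dict(result["limits"])
    return result


def limit_report(text):
    """One line per exceeded limit: name, affected file count, option to tune."""
    lines = []
    for name, paths in sorted(classify(text)["limits"].items()):
        option = LIMIT_OPTION.get(name, "(no dedicated option; see AlertExceedsMax)")
        lines.append(f"{name}: {len(paths)} file(s); tune {option}")
    return lines


if __name__ == "__main__":
    report = classify(SAMPLE)
    print("real detections:", report["detections"])
    print("\n".join(limit_report(SAMPLE)))
```

In practice the "detections" list is what goes to the incident queue, while the limit report goes to whoever owns the scanner configuration; a MaxScanSize hit on a large ISO is a tuning decision, not an infection.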

Re: [clamav-users] Missing Mac OS .pkg installer

2021-10-29 Thread Joel Esler (jesler) via clamav-users
https://www.clamav.net/downloads

Scroll down to “alternate versions of ClamAV” and click on macOS.

—
Sent from my  iPhone

On Oct 28, 2021, at 13:40, Vaughn A. Hart  wrote:


Hi Team Clamav,

In your documentation you state that there is a pkg installer for Mac OS that 
supports Intel and M1 but I can't find it on your download page.

Sincerely,

-Vaughn

--


Vaughn A. Hart
General Manager
Aegis IT, LLC
646-284-4291
vau...@aegisitnyc.com
https://www.linkedin.com/in/vahart



Re: [clamav-users] Clam updates failing

2021-10-23 Thread Joel Esler (jesler) via clamav-users


> On Oct 23, 2021, at 11:49, Paul Kosinski  wrote:
> 
> On Fri, 22 Oct 2021 18:47:01 +0000
> "Joel Esler (jesler)"  wrote:
> 
>>>> On Oct 22, 2021, at 14:16, Paul Kosinski via clamav-users 
>>>>  wrote:
>>> 
>>> On Fri, 22 Oct 2021 13:27:46 +0000
>>> "Joel Esler \(jesler\) via clamav-users"  
>>> wrote:
>>> 
>>>>> On Oct 21, 2021, at 18:55, Kenneth Porter  wrote:
>>>>> 
>>>>> On 10/21/2021 10:14 AM, Paul Kosinski via clamav-users wrote:
>>>>>> I've never seen a DNS age warning, but that might be because, for 
>>>>>> several years now, I only run freshclam when the DNS TXT record (which I 
>>>>>> check hourly) says there is a new signature available compared to a 
>>>>>> local file's version number (in its header).
>>>>> 
>>>>> I thought freshclam did the DNS check itself. Why do it again before 
>>>>> running freshclam?
>>>> 
>>>> It does.  No need to do an extra check.  
>>> 
>>> 
>>> Since checking the DNS TXT record costs almost nothing (and is UDP), I 
>>> figure I can do it more often than running freshclam without ever risking 
>>> triggering Cloudflare's bandwidth limits. And, although I currently do it 
>>> only once per hour, if there ever was something like a SANS Threat Level 
>>> RED, I could up the frequency to get the latest sigs ASAP.
>>> 
>>> 
>> 
>> DNS is unrestricted.  That’s why I am saying it’s unnecessary.  The 
>> restrictions are on the files themselves.  
> 
> 
> So you're saying that if -- because I wanted to get an update ASAP in the 
> face of a severe virus alert -- I upped the running of freshclam to every 5 
> minutes on each of my 3 systems, there is no chance that I would be blocked, 
> because freshclam doesn't do any actual (restricted) file access until after 
> it checks the DNS TXT record?

Correct. 
> 
> Even if that's the case, I think it would generate a lot more junk in the log 
> files than my current approach does (since I run freshclam with the "-v" 
> option).



Re: [clamav-users] Clam updates failing

2021-10-22 Thread Joel Esler (jesler) via clamav-users


> On Oct 22, 2021, at 14:16, Paul Kosinski via clamav-users 
>  wrote:
> 
> On Fri, 22 Oct 2021 13:27:46 +0000
> "Joel Esler \(jesler\) via clamav-users"  
> wrote:
> 
>>> On Oct 21, 2021, at 18:55, Kenneth Porter  wrote:
>>> 
>>> On 10/21/2021 10:14 AM, Paul Kosinski via clamav-users wrote:  
>>>> I've never seen a DNS age warning, but that might be because, for several 
>>>> years now, I only run freshclam when the DNS TXT record (which I check 
>>>> hourly) says there is a new signature available compared to a local file's 
>>>> version number (in its header).  
>>> 
>>> I thought freshclam did the DNS check itself. Why do it again before 
>>> running freshclam?  
>> 
>> It does.  No need to do an extra check.
> 
> 
> Since checking the DNS TXT record costs almost nothing (and is UDP), I figure 
> I can do it more often than running freshclam without ever risking triggering 
> Cloudflare's bandwidth limits. And, although I currently do it only once per 
> hour, if there ever was something like a SANS Threat Level RED, I could up 
> the frequency to get the latest sigs ASAP.
> 
> 

DNS is unrestricted.  That’s why I am saying it’s unnecessary.  The 
restrictions are on the files themselves.  



Re: [clamav-users] Clam updates failing

2021-10-22 Thread Joel Esler (jesler) via clamav-users



> On Oct 21, 2021, at 18:55, Kenneth Porter  wrote:
> 
> On 10/21/2021 10:14 AM, Paul Kosinski via clamav-users wrote:
>> I've never seen a DNS age warning, but that might be because, for several 
>> years now, I only run freshclam when the DNS TXT record (which I check 
>> hourly) says there is a new signature available compared to a local file's 
>> version number (in its header).
> 
> I thought freshclam did the DNS check itself. Why do it again before running 
> freshclam?

It does.  No need to do an extra check.





Re: [clamav-users] Rate limit for signature

2021-10-07 Thread Joel Esler (jesler) via clamav-users
Mike

I am the correct person.  Updating requires the use of either cvdupdate (for 
distribution to internal systems) or FreshClam.  Versions 0.103.3 or higher.

— 
Sent from my  iPad

> On Oct 5, 2021, at 20:49, Mike JJ Chen  wrote:
> 
> 
> Hello Team, 
>  
> Could you help suggest appropriate contact windows for us to discuss this 
> issue?
> Thanks. 
>  
>  --
> Mike JJ Chen
> Synology Inc. #8207
> [Phone: +886917633983] [Line: jiajun55]
>  
> On 2021-09-27 10:20, Mike JJ Chen  wrote:
> Include clamav-announce-ow...@lists.clamav.net
>  
> Please help. Thanks.
>  
>  --
> Mike JJ Chen
> Synology Inc. #8207
> [Phone: +886917633983] [Line: jiajun55]
>  
> On 2021-09-23 18:28, Mike JJ Chen  wrote:
> Hi ClamAV team,
>  
> This is PM Mike from Synology.
> We have an AntiVirus tool which leverages your ClamAV service.
> Recently, we received some feedback from users that they reach the rate limit 
> of signature updates.
> However, we cannot find the document that mentions this limitation.
> Could you help provide the details for us to check, or how we can improve it?
> Thanks. 
>  
>  --
> Mike JJ Chen
> Synology Inc. #8207
> [Phone: +886917633983] [Line: jiajun55]




Re: [clamav-users] Rate limited

2021-10-05 Thread Joel Esler (jesler) via clamav-users


On Oct 5, 2021, at 4:41 AM, Adam Baliko via clamav-users wrote:

I have a private VLAN here, but my public IP is granted by my ISP. I'm
assuming this is a dynamic IP but I have no idea how often that
changes (maybe I should start noting the IPs which are banned, if they
are different). And there is only one machine making Clamav updates
within my VLAN, so if there are multiple downloads from the same IP,
then the only explanation I can think of is on the ISP level (I get a
public IP which was banned previously).
BTW, my public IP is 84.189.37.183.

I can't seem to be able to check the versions of Clamav. I have a QNAP
NAS, and as I understand Clamav is somehow baked into the firmware. I
am currently on the latest Firmware release if that is of any help.

Interestingly, today I wanted to try the manual update again to see
what IP is displayed there (should be the same, but who knows), and
instead of the usual Error 1015 it successfully downloaded the daily.cvd
file. So currently my virus definitions are up to date, but I have
worries about getting my IP blocked again in the future.

1015 means you are not using Freshclam or cvdupdate to download definitions.

--
Joel Esler
Strategy, Cisco Talos Intelligence Group


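Joel's answer in the two rate-limit threads above is the same: only FreshClam (0.103.3 or newer) and cvdupdate are supported ways to fetch the databases, and a Cloudflare 1015 means the client was neither. The fragment below is an added example, not ClamAV project documentation. It is a freshclam.conf for an internal client that pulls from a private mirror fed by cvdupdate, so only the mirror host ever contacts database.clamav.net; the mirror hostname, port and log path are assumptions.

```ini
# /etc/clamav/freshclam.conf on an internal client (added example).
# The mirror host runs cvdupdate: `pip install cvdupdate`, then `cvd update`
# from cron and either `cvd serve` or any web server exposing its database
# directory.  Hostname, port and paths below are assumptions.
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogTime yes

# Point freshclam at the internal mirror.  When PrivateMirror is set,
# freshclam does not consult the public DNS TXT record at all; for each
# database it requests <name>.cld and then <name>.cvd from the mirror using
# If-Modified-Since.  PrivateMirror overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates, so those directives are deliberately absent here.
PrivateMirror http://clamav-mirror.internal.example:8000

# Number of checks per day.  Polling the internal mirror is cheap, but there
# is no point exceeding the mirror's own cvdupdate schedule.
Checks 24

# What NOT to do on any host: a cron job running curl or wget against
# https://database.clamav.net/daily.cvd.  That is the traffic pattern that
# earns the HTTP 403 and Cloudflare 1015 responses discussed in these threads.
```

Verify the client side with `freshclam --verbose` once: the log should show requests to the mirror hostname and no "database.clamav.net" or "current.cvd.clamav.net" lookups. If the mirror falls behind, clients report their databases as up to date against the mirror, so the mirror's own cvdupdate run is what needs monitoring.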

Re: [clamav-users] ClamAV is not respecting Phishing* settings.

2021-09-22 Thread Joel Esler (jesler) via clamav-users
I am sure someone will respond about your particular issue, but are you saying 
they are false positives?

— 
Sent from my  iPhone

> On Sep 22, 2021, at 22:04, Jim Popovitch via clamav-users 
>  wrote:
> 
> ClamAV is not respecting Phishing* settings.  
> 
> clamd.conf:
>   ...
>   PhishingSignatures false
>   PhishingScanURLs false
> 
> 
> Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-
> reject: END-OF-MESSAGE from unknown[103.195.186.145]: 5.7.1 Message
> infected with Email.Phishing.VOF1-6326576-0;
> from= to=
> proto=ESMTP helo=
> 
> Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-
> reject: END-OF-MESSAGE from unknown[134.209.144.58]: 5.7.1 Message
> infected with Email.Phishing.VOF1-6295631-2; from=
> to= proto=ESMTP helo= server.squaregroup.com>
> 
> 
> v0.103.3+dfsg-0+deb11u1
> 
> 
> -Jim P.
> 
> 

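For context on the thread above: PhishingSignatures and PhishingScanURLs in clamd.conf switch ClamAV's heuristic phishing module on and off, and that module's alerts are named Heuristics.Phishing.*. A name of the form Email.Phishing.* is an ordinary signature from the daily database and is not affected by those two options. The supported way to stop alerting on a specific signature is a .ign2 file in the database directory (one signature name per line) followed by a clamd reload. The script below is an added example, not code from the thread or from the ClamAV project: it extracts signature names from Postfix milter-reject lines (constructed after the ones posted above; addresses and hosts are invented) and writes them as an .ign2 list restricted to one signature family, so unrelated detections stay active.

```python
"""Build a local .ign2 ignore list from Postfix/milter reject log lines
(added example; the log lines below are constructed)."""
import re

# The milter reports the signature as "Message infected with <name>;".
SIG_RE = re.compile(r"Message\s+infected\s+with\s+(?P<sig>[\w.\-]+)")

# Constructed lines modelled on the thread; IPs from documentation ranges,
# addresses and helo names invented.
SAMPLE_LOG = """\
Sep 20 15:32:35 mx1 postfix/cleanup[9328]: 4HCpSy4JbTzCqpv: milter-reject: END-OF-MESSAGE from unknown[203.0.113.10]: 5.7.1 Message infected with Email.Phishing.VOF1-6326576-0; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<mail.example.net>
Sep 22 15:48:08 mx2 postfix/cleanup[11019]: 4HF2kC6jckz3xWM: milter-reject: END-OF-MESSAGE from unknown[203.0.113.11]: 5.7.1 Message infected with Email.Phishing.VOF1-6295631-2; from=<c@example.net> to=<d@example.org> proto=ESMTP helo=<mail2.example.net>
Sep 22 16:01:00 mx2 postfix/cleanup[11020]: 4HF2kC6jckz3xWN: milter-reject: END-OF-MESSAGE from unknown[203.0.113.12]: 5.7.1 Message infected with Email.Phishing.VOF1-6326576-0; from=<e@example.net> to=<f@example.org> proto=ESMTP helo=<mail3.example.net>
Sep 22 16:05:00 mx2 postfix/cleanup[11021]: 4HF2kC6jckz3xWO: milter-reject: END-OF-MESSAGE from unknown[203.0.113.13]: 5.7.1 Message infected with Win.Test.EICAR_HDB-1; from=<g@example.net> to=<h@example.org> proto=ESMTP helo=<mail4.example.net>
"""


def signature_counts(log_text):
    """Map signature name -> number of rejects, in first-seen order."""
    counts = {}
    for line in log_text.splitlines():
        m = SIG_RE.search(line)
        if m:
            sig = m.group("sig")
            counts[sig] = counts.get(sig, 0) + 1
    return counts


def ign2_lines(log_text, family_prefix):
    """Sorted signature names under family_prefix, one per .ign2 line.

    Restricting to a prefix such as 'Email.Phishing.' keeps unrelated
    signatures (here the EICAR test string) active."""
    return sorted(s for s in signature_counts(log_text) if s.startswith(family_prefix))


def write_ign2(path, names):
    """Write the ignore list; ClamAV only loads files with the .ign2 suffix
    from its DatabaseDirectory, so refuse any other name."""
    if not path.endswith(".ign2"):
        raise ValueError("ignore lists must use the .ign2 suffix")
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")


if __name__ == "__main__":
    for sig, n in signature_counts(SAMPLE_LOG).items():
        print(f"{n:3d}  {sig}")
    # Target path is an assumption; use your own DatabaseDirectory, then run
    # `clamdscan --reload` so clamd picks the list up.
    print("\n".join(ign2_lines(SAMPLE_LOG, "Email.Phishing.")))
```

Ignoring a signature is a decision, not a reflex: the counts are there so the operator can look at the rejected messages first and confirm they are false positives (and report them to the ClamAV team) before anything lands in the .ign2 file.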

Re: [clamav-users] QNAP Antivirus Updates

2021-09-21 Thread Joel Esler (jesler) via clamav-users
And… there’s your answer.  Thank you all!  I think this thread is dead.

> On Sep 21, 2021, at 2:42 PM, Liston, Daniel (DLISTON) via clamav-users 
>  wrote:
> 
> I have already forgotten the point, but I did do some DNS 
> queries from our datacenters in LON, TYO, and NYC.  All 
> reported the same results;
> 
> Non-authoritative answer:
> database.clamav.net canonical name = 
> database.clamav.net.cdn.cloudflare.net.
> Name:   database.clamav.net.cdn.cloudflare.net
> Address: 104.16.218.84
> Name:   database.clamav.net.cdn.cloudflare.net
> Address: 104.16.219.84
> 
> It seems it should be safe to specify these 2 IP addresses
> in your firewall for the updates.
> 
> 
> L8r
> Dan
> 


Re: [clamav-users] QNAP Antivirus Updates

2021-09-21 Thread Joel Esler (jesler) via clamav-users
Cool 

— 
Sent from my  iPhone

> On Sep 20, 2021, at 20:17, Paul Kosinski  wrote:
> 
> On Mon, 20 Sep 2021 17:17:34 +0000
> "Joel Esler (jesler)"  wrote:
> 
>>>> On Sep 20, 2021, at 13:08, Paul Kosinski via clamav-users 
>>>>  wrote:
>>> 
>>> These two IPs are Anycast addresses, and have been unchanged for well over 
>>> 2 years. (Anycast addresses don't have to change even if the physical 
>>> servers change, that's their point!) They are:
>>> 
>>> 104.16.218.84
>>> 104.16.219.84  
>> That’s what they are for you.  Cloudflare routes you to the closest pop to 
>> your network.  Your mileage may vary
> 
> ===
> 
> I thought the IP addresses, being Anycast, were what are routed to the 
> closest POP.
> 
> No matter, when I resolve "database.clamav.net" via various DNS servers, 
> using TCP to bypass the default local DNS server (as our firewall blocks 
> outbound UDP port 53 otherwise), I always get these same two IP addresses as 
> results (see below) 
> 
> Given that the servers at 1.1.1.1, 8.8.8.8 and 9.9.9.9 are "public", and 
> likely Anycast, while 71.243.0.12 is local Verizon/FIOS, I suppose that the 
> Authoritative server and the public (Anycast) servers could conceivably be 
> distributing different IP addresses depending on who is querying. (BIND/named 
> has become incredibly complicated these days.) But since the two IP addresses 
> are themselves Anycast, what would be the point?
> 
> In any case, does anyone, anywhere, get IP addresses other than
> 
>  104.16.218.84
>  104.16.219.84
> 
> when resolving "database.clamav.net"?
> 
> 
> 
>  $ dig +tcp +all @1.1.1.1 database.clamav.net
> 
>  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all 
> @1.1.1.1 database.clamav.net
>  ; (1 server found)
>  ;; global options: +cmd
>  ;; Got answer:
>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5920
>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
>  ;; QUESTION SECTION:
>  ;database.clamav.net.                    IN      A
> 
>  ;; ANSWER SECTION:
>  database.clamav.net.            31      IN      CNAME   database.clamav.net.cdn.cloudflare.net.
>  database.clamav.net.cdn.cloudflare.net. 271 IN A 104.16.219.84
>  database.clamav.net.cdn.cloudflare.net. 271 IN A 104.16.218.84
> 
>  ;; Query time: 11 msec
>  ;; SERVER: 1.1.1.1#53(1.1.1.1)
>  ;; WHEN: Mon Sep 20 15:28:17 2021
>  ;; MSG SIZE  rcvd: 118
> 
>  ---
> 
>  $ dig +tcp +all @8.8.8.8 database.clamav.net
> 
>  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all 
> @8.8.8.8 database.clamav.net
>  ; (1 server found)
>  ;; global options: +cmd
>  ;; Got answer:
>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49012
>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
>  ;; QUESTION SECTION:
>  ;database.clamav.net.                    IN      A
> 
>  ;; ANSWER SECTION:
>  database.clamav.net.            19      IN      CNAME   database.clamav.net.cdn.cloudflare.net.
>  database.clamav.net.cdn.cloudflare.net. 300 IN A 104.16.218.84
>  database.clamav.net.cdn.cloudflare.net. 300 IN A 104.16.219.84
> 
>  ;; Query time: 31 msec
>  ;; SERVER: 8.8.8.8#53(8.8.8.8)
>  ;; WHEN: Mon Sep 20 15:21:13 2021
>  ;; MSG SIZE  rcvd: 118
> 
>  ---
> 
>  $ dig +tcp +all @9.9.9.9 database.clamav.net
> 
>  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all 
> @9.9.9.9 database.clamav.net
>  ; (1 server found)
>  ;; global options: +cmd
>  ;; Got answer:
>  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29165
>  ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
>  ;; QUESTION SECTION:
>  ;database.clamav.net.                    IN      A
> 
>  ;; ANSWER SECTION:
>  database.clamav.net.            60      IN      CNAME   database.clamav.net.cdn.cloudflare.net.
>  database.clamav.net.cdn.cloudflare.net. 300 IN A 104.16.218.84
>  database.clamav.net.cdn.cloudflare.net. 300 IN A 104.16.219.84
> 
>  ;; Query time: 91 msec
>  ;; SERVER: 9.9.9.9#53(9.9.9.9)
>  ;; WHEN: Mon Sep 20 15:30:17 2021
>  ;; MSG SIZE  rcvd: 118
> 
>  ---
> 
>  $ dig +tcp +all @71.243.0.12 database.clamav.net
> 
>  ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +nocomments +nostats +nocmd +tcp +all 
> @71.243.0.12 database.clamav.net
>  ; (1 server found)
>  ;; global 

Re: [clamav-users] QNAP Antivirus Updates

2021-09-20 Thread Joel Esler (jesler) via clamav-users


> On Sep 20, 2021, at 13:08, Paul Kosinski via clamav-users 
>  wrote:
> 
> These two IPs are Anycast addresses, and have been unchanged for well over 2 
> years. (Anycast addresses don't have to change even if the physical servers 
> change, that's their point!) They are:
> 
>  104.16.218.84
>  104.16.219.84
That’s what they are for you.  Cloudflare routes you to the closest pop to your 
network.  Your mileage may vary


> I don't know if they are appropriate for non-freshclam ways of obtaining the 
> updates, e.g., updating a mirror. (And I don't know if they work world-wide.)

FreshClam or cvdupdate.  That’s what we recommend, that’s what we enforce.  Use 
one of those two or risk being cut off completely in the future.



Re: [clamav-users] Virus DB updates?

2021-09-19 Thread Joel Esler (jesler) via clamav-users
Following up, looks like this has been fixed.  A new daily should ship tonight. 

— 
Sent from my  iPhone

> On Sep 19, 2021, at 17:31, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
>> On Sun, 19 Sep 2021, Paul Kosinski via clamav-users wrote:
>> 
>> I haven't seen any virus database update since the afternoon of Thu
>> 16 Sep 2021, when it was updated to 26297.
> 
> FWIW I see the same thing.  Also, I normally get a daily email with a
> breakdown of the updates.  I haven't seen one of those since Thursday.
> 
> Seems like something's up.
> 
> -- 
> 
> 73,
> Ged.
> 


Re: [clamav-users] Virus DB updates?

2021-09-19 Thread Joel Esler (jesler) via clamav-users
A new main was built that day and pushed.  The daily may not have been 
re-enabled.  I’ll double check. 

— 
Sent from my  iPhone

> On Sep 19, 2021, at 17:31, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
>> On Sun, 19 Sep 2021, Paul Kosinski via clamav-users wrote:
>> 
>> I haven't seen any virus database update since the afternoon of Thu
>> 16 Sep 2021, when it was updated to 26297.
> 
> FWIW I see the same thing.  Also, I normally get a daily email with a
> breakdown of the updates.  I haven't seen one of those since Thursday.
> 
> Seems like something's up.
> 
> -- 
> 
> 73,
> Ged.
> 


Re: [clamav-users] IP List for Virus Definition Domain

2021-09-15 Thread Joel Esler (jesler) via clamav-users
It’s dynamic based on your location in the world. Do a DNS lookup for 
database.clamav.net from your location and you should get your answer.

> On Sep 15, 2021, at 12:52 PM, James Freeman  wrote:
> 
> ALCON,
>  
> Is there a list of IPs that the ClamAV domain used to download virus 
> definition resolves to? 
>  
> Thanks,
> James
>  
>  
>  
> James Freeman
> Sec+, CASP+,
> AWS SA-A
> Tech Lead- PAI/OSINT
> National Security & Intelligence
> - - - - - - - - - -
> Mobile (253) 273-3747
> Office (703) 270-1194
>  
>  
>  
> 


Re: [clamav-users] error code 429

2021-09-05 Thread Joel Esler (jesler) via clamav-users
Now?

— 
Sent from my  iPad

> On Sep 5, 2021, at 12:51, Paul Kosinski  wrote:
> 
> On Sun, 5 Sep 2021 02:45:25 +0000
> "Joel Esler \(jesler\) via clamav-users"  
> wrote:
> 
>> We are experimenting with a feature that we’ve been working with Cloudflare 
>> on, trying to isolate violators on a per host basis for the newest versions 
>> of ClamAV, instead of IP.
> 
> -
> 
> Maybe what we have seen today is the old problem that the "BOS" mirror is 
> way behind again? We finally got the 26284 update about 17 hours later 
> than the TXT record claimed it was available.
> 
> Is it possible to find out from Cloudflare why "BOS" has this problem? Some 
> time ago, when we were downloading full-blown CVDs (not just CDIFFs), I was 
> able to use another mirror which was up to date on the same day "BOS" was 
> behind. Now even the small CDIFFs are behind?
> 
> Thanks,
> Paul Kosinski
> 
>  --  Saturday 04 September 2021 at 22:05:01  
> --
> 
>  /opt/clamav/bin/testclam-dns
>  -->  UPD   D 26284/26283 M 61/61 B 333/333
> 
>  /opt/clamav/bin/freshclam--stdout --on-update-execute=EXIT_1
>  ClamAV update process started at Sat Sep  4 22:05:04 2021
>  daily database available for update (local version: 26283, remote version: 
> 26284)
>  WARNING: downloadPatch: Can't download daily-26284.cdiff from 
> https://database.clamav.net/daily-26284.cdiff
>  The database server doesn't have the latest patch for the daily database 
> (version 26284). The server will likely have updated if you check again in a 
> few hours.
>  main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, 
> builder: sigmgr)
>  bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, 
> builder: awillia2)
> 
>  --  Saturday 04 September 2021 at 22:05:04  
> --
> 
> 
>  --  Saturday 04 September 2021 at 23:05:01  
> --
> 
>  /opt/clamav/bin/testclam-dns
>  -->  UPD   D 26284/26283 M 61/61 B 333/333
> 
>  /opt/clamav/bin/freshclam--stdout --on-update-execute=EXIT_1
>  ClamAV update process started at Sat Sep  4 23:05:03 2021
>  daily database available for update (local version: 26283, remote version: 
> 26284)
>  Testing database: 
> '/opt/clamav.d/clamav.0.103.3/share/clamav/tmp.d80b44a62a/clamav-8a28103bbb9da5d3289b9e7252001905.tmp-daily.cld'
>  ...
>  Database test passed.
>  daily.cld updated (version: 26284, sigs: 1970546, f-level: 90, builder: 
> raynman)
>  main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, 
> builder: sigmgr)
>  bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, 
> builder: awillia2)
> 
>  --  Saturday 04 September 2021 at 23:05:10  
> --
> 
> 
> 



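Two threads above turn on the same check: in "Clam updates failing", Paul explains that he only runs freshclam when the current.cvd.clamav.net TXT record advertises a newer version than the one in his local database file's header (and Joel confirms freshclam does that DNS comparison itself before touching any file on the CDN); in "error code 429", his testclam-dns output shows the result as "UPD D 26284/26283 M 61/61 B 333/333". The script below is an added example, not Paul's script and not ClamAV code: it parses the 512-byte header of a .cvd/.cld file and a TXT record string and produces that kind of comparison offline. The header layout is the documented ClamAV-VDB format; the TXT record's release, main and daily positions are the ones freshclam reports, while the bytecode position (field 7) follows freshclam's field numbering and is an assumption here. The header bytes and the TXT string are constructed from the numbers in the threads.

```python
"""Offline 'is there a newer daily?' check: compare the version in a local
.cvd/.cld header with the version advertised in the current.cvd.clamav.net
TXT record (added example; inputs are constructed)."""

# TXT record layout "release:main:daily:...:bytecode".  Positions 0-2 match
# what freshclam reports; position 7 for bytecode is an assumption taken from
# freshclam's field numbering.
TXT_FIELDS = {"release": 0, "main": 1, "daily": 2, "bytecode": 7}


def parse_cvd_header(blob):
    """Parse the 512-byte text header at the start of a .cvd or .cld file.

    Layout: ClamAV-VDB:<build time>:<version>:<sig count>:<f-level>:<md5>:
    <dsig>:<builder>:<build unix time>, padded to 512 bytes.  The build time
    is written with HH-MM, so splitting on ':' is safe."""
    header = blob[:512].rstrip(b"\x00 ").decode("ascii", "replace")
    fields = header.split(":")
    if len(fields) < 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV database header")
    return {
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "builder": fields[7],
    }


def parse_txt_record(txt):
    """Parse the string returned by `dig +short TXT current.cvd.clamav.net`."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError("unexpected TXT record shape: %r" % txt)
    out = {"release": fields[0]}
    for name in ("main", "daily", "bytecode"):
        out[name] = int(fields[TXT_FIELDS[name]])
    return out


def compare(local_versions, txt):
    """Return (stale_databases, summary); summary mimics the thread's
    'UPD  D 26284/26283 M 61/61 B 333/333' line (remote/local per database)."""
    remote = parse_txt_record(txt)
    parts, stale = [], []
    for name, tag in (("daily", "D"), ("main", "M"), ("bytecode", "B")):
        local = local_versions.get(name, 0)
        parts.append(f"{tag} {remote[name]}/{local}")
        if remote[name] > local:
            stale.append(name)
    return stale, ("UPD" if stale else "OK ") + "  " + " ".join(parts)


def make_header(version, sigs=1970262, flevel=90, builder="raynman"):
    """Constructed header bytes in the .cvd/.cld layout for the demo; the MD5
    and signature fields are placeholders, not real values."""
    text = (f"ClamAV-VDB:03 Sep 2021 10-05 -0400:{version}:{sigs}:{flevel}:"
            f"{'0' * 32}:{'A' * 40}:{builder}:1630677900")
    return text.encode("ascii").ljust(512, b"\x00")


# Constructed TXT record using the thread's numbers: release 0.103.3, main 61,
# daily 26284, bytecode 333.  The middle fields are placeholders.
SAMPLE_TXT = "0.103.3:61:26284:1630800000:1:90:49192:333"


def demo():
    """Local daily 26283 (read from a constructed header) vs remote 26284."""
    local = {
        "daily": parse_cvd_header(make_header(26283))["version"],
        "main": 61,
        "bytecode": 333,
    }
    return compare(local, SAMPLE_TXT)


if __name__ == "__main__":
    stale, summary = demo()
    print(summary)
    if stale:
        print("run freshclam; behind on:", ", ".join(stale))
```

For a real run, read the first 512 bytes of daily.cld (or daily.cvd) from the database directory into parse_cvd_header and feed the `dig +short TXT` output to parse_txt_record. Two caveats from the threads apply: a resolver that caches the TXT record can report an older version than the CDN already serves, and, as the 429 thread shows, the record can advertise a version a particular CDN edge does not yet have, so "UPD" means "worth running freshclam", not "the cdiff is guaranteed to download".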

Re: [clamav-users] Clamav download problems

2021-09-05 Thread Joel Esler (jesler) via clamav-users
Maybe I’ll ask you to experiment with me when I try again?  Have you modified 
some things?

— 
Sent from my  iPhone

> On Sep 5, 2021, at 12:12, Paul Netpresto  wrote:
> 
> Hi Joel
> 
> I have 4 hosts each on a unique  IP in the net 212.84.90.0/25. They all run 
> the command "/usr/bin/freshclam --quiet --on-update-execute=EXIT_1  " once 
> per hour.
> 
> As far as I am aware this is within limits.
> 
> So why did all 4 of my systems report the same issue for most of yesterday 
> and the first few hours of today that being.
> 
> ClamAV update process started at Sat Sep  4 09:53:55 2021
> daily database available for update (local version: 26283, remote version: 26284)
> WARNING: downloadPatch: Can't download daily-26284.cdiff from https://database.clamav.net/daily-26284.cdiff
> The database server doesn't have the latest patch for the daily database (version 26284). The server will likely have updated if you check again in a few hours.
> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
> 
> Regards Paul
> 
>> On 05/09/2021 16:08, Joel Esler (jesler) via clamav-users wrote:
>> This is useful.  Thank you.
>> 
>> Each host should have a different rate limit under the new system (I turned 
>> it back off last night, which is why everyone got everything).
>> 
>> Right now, the rate limit is “per IP”. So, if you have several hosts behind 
>> a NAT, you’ll get blocked.  Under the new system, you can have as many hosts 
>> behind the same NAT as long as they aren’t using the same config file.
>> 
>> A new problem being, I am seeing a ton of hosts on Amazon or Microsoft’s 
>> Azure that are using the same config, so that’s a new hurdle that those 
>> people will have to overcome. I am sure there are new problems that we’ll 
>> encounter during this transition.
>> 
>> 
>> 
>> —
>> Sent from my  iPhone
>> 
>>>> On Sep 5, 2021, at 09:09, clamav.mbou...@spamgourmet.com wrote:
>>> 
>>> Joel Esler clamav-users@lists.clamav.net wrote:
>>>> We are experimenting with a feature that we’ve been working with 
>>>> Cloudflare on, trying to isolate violators on a per host basis for the 
>>>> newest versions of ClamAV, instead of IP.
>>> I'm guessing you probably already have all the info you need but, in case 
>>> it happens to be any help, this is what I have in my freshclam logs (on a 
>>> home desktop PC, so it's not running 24-7)...
>>> 
>>> Last messages from Friday:
>>>> Fri Sep  3 22:13:18 2021 -> Received signal: wake up
>>>> Fri Sep  3 22:13:18 2021 -> ClamAV update process started at Fri Sep  3 
>>>> 22:13:18 2021
>>>> Fri Sep  3 22:13:18 2021 -> WARNING: Your ClamAV installation is OUTDATED!
>>>> Fri Sep  3 22:13:18 2021 -> WARNING: Local version: 0.103.2 Recommended 
>>>> version: 0.103.3
>>>> Fri Sep  3 22:13:18 2021 -> DON'T PANIC! Read 
>>>> https://www.clamav.net/documents/upgrading-clamav
>>>> Fri Sep  3 22:13:18 2021 -> daily.cld database is up-to-date (version: 26283, sigs: 1970262, f-level: 90, builder: raynman)
>>>> Fri Sep  3 22:13:18 2021 -> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
>>>> Fri Sep  3 22:13:18 2021 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
>>>> Fri Sep  3 22:13:18 2021 -> --
>>>> Fri Sep  3 23:06:44 2021 -> Update process terminated
>>> So all was up-to-date then.  Version 0.103.2 is the latest in the Ubuntu 
>>> 20.04 repositories, which is why I'm on that version, hence the warning.
>>> 
>>> First messages from Saturday:
>>>> Sat Sep  4 11:54:21 2021 -> --
>>>> Sat Sep  4 11:54:21 2021 -> freshclam daemon 0.103.2 (OS: linux-gnu, ARCH: 
>>>> x86_64, CPU: x86_64)
>>>> Sat Sep  4 11:54:21 2021 -> ClamAV update process started at Sat Sep  4 
>>>> 11:54:21 2021
>>>> Sat Sep  4 11:54:21 2021 -> WARNING: Your ClamAV installation is OUTDATED!
>>>> Sat Sep  4 11:54:21 2021 -> WARNING: Local version: 0.103.2 Recommended 
>>>> version: 0.103.3
>>>> Sat Sep  4 11:54:21 2021 -> DON'T PANIC!

Re: [clamav-users] error code 429

2021-09-05 Thread Joel Esler (jesler) via clamav-users
Thank you for being patient while I try some different things to find the 
middle ground. 

— 
Sent from my  iPhone

> On Sep 5, 2021, at 12:16, clamav.mbou...@spamgourmet.com wrote:
> 
> No problem; good to know it was useful.
> 
> In my case, only the one host behind the NAT (physical PC on a home broadband 
> connection) is running freshclam anyway, but it appears I was still being 
> blocked by the rate-limiting.  As I understand it, that shouldn't usually 
> have happened even with the per-IP system.  Not sure if that's an issue with 
> how the new system differentiates between hosts, or perhaps when the download 
> failed (for whatever reason) freshclam was trying several times and getting 
> blocked.
> 
> I'm running Linux Mint 20, which is based on Ubuntu 20.04 and uses a lot of 
> packages from the Ubuntu repositories (upgraded not long after my posts here 
> a few months ago when I had problems with the default receive timeout in 
> Ubuntu 16/18.04's packages).  ClamAV and freshclam are installed from the 
> Ubuntu 20.04 repositories, and I haven't yet needed to change the 
> configuration from the default - so my config will be the same as anyone else 
> who's installed from the Ubuntu 20.04 repo will have by default.  Not sure 
> whether the new system would have treated everyone with this default config 
> as the same host, though I'd have thought IP would still be taken into 
> account as well.
> 
> I'm not complaining - you've clearly had a lot of problems with the CDN being 
> abused (intentionally or otherwise) and need to try these things. Just trying 
> to give you whatever information might be useful :)
> 
> Thanks,
> Mark.
> 
> 
> Joel Esler jesler via clamav-users - clamav-users@lists.clamav.net wrote:
>> This is useful.  Thank you.
>> Each host should have a different rate limit under the new system (I turned 
>> it back off last night, which is why everyone got everything).
>> Right now, the rate limit is “per IP”. So, if you have several hosts behind 
>> a NAT, you’ll get blocked.  Under the new system, you can have as many hosts 
>> behind the same NAT as long as they aren’t using the same config file.
>> A new problem is that I am seeing a ton of hosts on Amazon or Microsoft’s 
>> Azure that are using the same config, so that’s a new hurdle that those 
>> people will have to overcome. I am sure there are new problems that we’ll 
>> encounter during this transition.
>> —
>> Sent from my  iPhone
>>> On Sep 5, 2021, at 09:09, clamav.mbou...@spamgourmet.com wrote:
>>> 
>>> Joel Esler clamav-users@lists.clamav.net wrote:
>>>> We are experimenting with a feature that we’ve been working with 
>>>> Cloudflare on, trying to isolate violators on a per host basis for the 
>>>> newest versions of ClamAV, instead of IP.
>>> 
>>> I'm guessing you probably already have all the info you need but, in case 
>>> it happens to be any help, this is what I have in my freshclam logs (on a 
>>> home desktop PC, so it's not running 24-7)...
>>> 
>>> Last messages from Friday:
>>>> Fri Sep  3 22:13:18 2021 -> Received signal: wake up
>>>> Fri Sep  3 22:13:18 2021 -> ClamAV update process started at Fri Sep  3 
>>>> 22:13:18 2021
>>>> Fri Sep  3 22:13:18 2021 -> WARNING: Your ClamAV installation is OUTDATED!
>>>> Fri Sep  3 22:13:18 2021 -> WARNING: Local version: 0.103.2 Recommended 
>>>> version: 0.103.3
>>>> Fri Sep  3 22:13:18 2021 -> DON'T PANIC! Read 
>>>> https://www.clamav.net/documents/upgrading-clamav
>>>> Fri Sep  3 22:13:18 2021 -> daily.cld database is up-to-date (version: 26283, sigs: 1970262, f-level: 90, builder: raynman)
>>>> Fri Sep  3 22:13:18 2021 -> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
>>>> Fri Sep  3 22:13:18 2021 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
>>>> Fri Sep  3 22:13:18 2021 -> --
>>>> Fri Sep  3 23:06:44 2021 -> Update process terminated
>>> 
>>> So all was up-to-date then.  Version 0.103.2 is the latest in the Ubuntu 
>>> 20.04 repositories, which is why I'm on that version, hence the warning.
>>> 
>>> First messages from Saturday:
>>>> Sat Sep  4 11:54:21 2021 -> --
>>>> Sat Sep  4 11:54:21 2021 -> freshclam daemon 0.103.2 (OS: linux-gnu, ARCH: 
>>>

Re: [clamav-users] error code 429

2021-09-05 Thread Joel Esler (jesler) via clamav-users
This is useful.  Thank you.  

Each host should have a different rate limit under the new system (I turned it 
back off last night, which is why everyone got everything).

Right now, the rate limit is “per IP”. So, if you have several hosts behind a 
NAT, you’ll get blocked.  Under the new system, you can have as many hosts 
behind the same NAT as long as they aren’t using the same config file. 

A new problem is that I am seeing a ton of hosts on Amazon or Microsoft’s Azure 
that are using the same config, so that’s a new hurdle that those people will 
have to overcome. I am sure there are new problems that we’ll encounter during 
this transition.  



— 
Sent from my  iPhone

> On Sep 5, 2021, at 09:09, clamav.mbou...@spamgourmet.com wrote:
> 
> Joel Esler clamav-users@lists.clamav.net wrote:
>> We are experimenting with a feature that we’ve been working with Cloudflare 
>> on, trying to isolate violators on a per host basis for the newest versions 
>> of ClamAV, instead of IP.
> 
> I'm guessing you probably already have all the info you need but, in case it 
> happens to be any help, this is what I have in my freshclam logs (on a home 
> desktop PC, so it's not running 24-7)...
> 
> Last messages from Friday:
>> Fri Sep  3 22:13:18 2021 -> Received signal: wake up
>> Fri Sep  3 22:13:18 2021 -> ClamAV update process started at Fri Sep  3 
>> 22:13:18 2021
>> Fri Sep  3 22:13:18 2021 -> WARNING: Your ClamAV installation is OUTDATED!
>> Fri Sep  3 22:13:18 2021 -> WARNING: Local version: 0.103.2 Recommended 
>> version: 0.103.3
>> Fri Sep  3 22:13:18 2021 -> DON'T PANIC! Read 
>> https://www.clamav.net/documents/upgrading-clamav
>> Fri Sep  3 22:13:18 2021 -> daily.cld database is up-to-date (version: 26283, sigs: 1970262, f-level: 90, builder: raynman)
>> Fri Sep  3 22:13:18 2021 -> main.cvd database is up-to-date (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
>> Fri Sep  3 22:13:18 2021 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
>> Fri Sep  3 22:13:18 2021 -> --
>> Fri Sep  3 23:06:44 2021 -> Update process terminated
> 
> So all was up-to-date then.  Version 0.103.2 is the latest in the Ubuntu 
> 20.04 repositories, which is why I'm on that version, hence the warning.
> 
> First messages from Saturday:
>> Sat Sep  4 11:54:21 2021 -> --
>> Sat Sep  4 11:54:21 2021 -> freshclam daemon 0.103.2 (OS: linux-gnu, ARCH: 
>> x86_64, CPU: x86_64)
>> Sat Sep  4 11:54:21 2021 -> ClamAV update process started at Sat Sep  4 
>> 11:54:21 2021
>> Sat Sep  4 11:54:21 2021 -> WARNING: Your ClamAV installation is OUTDATED!
>> Sat Sep  4 11:54:21 2021 -> WARNING: Local version: 0.103.2 Recommended 
>> version: 0.103.3
>> Sat Sep  4 11:54:21 2021 -> DON'T PANIC! Read 
>> https://www.clamav.net/documents/upgrading-clamav
>> Sat Sep  4 11:54:21 2021 -> daily database available for update (local 
>> version: 26283, remote version: 26284)
>> Sat Sep  4 11:54:23 2021 -> WARNING: downloadPatch: Can't download 
>> daily-26284.cdiff from https://database.clamav.net/daily-26284.cdiff
>> Sat Sep  4 11:54:23 2021 -> The database server doesn't have the latest 
>> patch for the daily database (version 26284). The server will likely have 
>> updated if you check again in a few hours.
>> Sat Sep  4 11:54:23 2021 -> main.cvd database is up-to-date (version: 61, 
>> sigs: 6607162, f-level: 90, builder: sigmgr)
>> Sat Sep  4 11:54:23 2021 -> bytecode.cvd database is up-to-date (version: 
>> 333, sigs: 92, f-level: 63, builder: awillia2)
>> Sat Sep  4 11:54:23 2021 -> --
>> Sat Sep  4 12:54:23 2021 -> Received signal: wake up
>> Sat Sep  4 12:54:23 2021 -> ClamAV update process started at Sat Sep  4 
>> 12:54:23 2021
>> Sat Sep  4 12:54:23 2021 -> WARNING: Your ClamAV installation is OUTDATED!
>> Sat Sep  4 12:54:23 2021 -> WARNING: Local version: 0.103.2 Recommended 
>> version: 0.103.3
>> Sat Sep  4 12:54:23 2021 -> DON'T PANIC! Read 
>> https://www.clamav.net/documents/upgrading-clamav
>> Sat Sep  4 12:54:23 2021 -> WARNING: FreshClam previously received error 
>> code 429 from the ClamAV Content Delivery Network (CDN).
>> Sat Sep  4 12:54:23 2021 -> This means that you have been rate limited by 
>> the CDN.
>> Sat Sep  4 12:54:23 2021 ->  1. Run FreshClam no more than once an hour to 
>> check for updates.
>> Sat Sep  4 12:54:23 2021 -> FreshClam should check DNS first to see if 
>> an update is needed.
>> Sat Sep  4 12:54:23 2021 ->  2. If you have more than 10 hosts on your 
>> network attempting to download,
>> Sat Sep  4 12:54:23 2021 -> it is recommended that you set up a private 
>> mirror on your network using
>> Sat Sep  4 12:54:23 2021 -> cvdupdate 
>> (https://pypi.org/project/cvdupdate/) to save bandwidth on the
>> Sat Sep  4 12:54:23 2021 -> CDN and your own network.
>> Sat Sep  4 12:54:23 2021 ->  3. Please do not open 
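The CDN's 429 guidance quoted in the log above (check no more than once an hour, and set up a private mirror with cvdupdate once more than ten hosts share a network) is easy to audit from syslog before the CDN does it for you. The script below is an added example written for this thread, not code from the list or from the ClamAV project. The log lines it parses are constructed to match the `freshclam[pid]:` syslog format shown elsewhere in the thread; it assumes every host in the input sits behind the same egress IP (the NAT case Joel describes), that syslog's missing year is 2021, and it takes the one-hour and ten-host thresholds directly from the 429 message.

```python
"""Audit freshclam polling behaviour across a fleet from syslog lines.

Constructed example for the clamav-users 429 thread. It flags the two
behaviours the CDN's 429 message warns about: a host polling more often than
once per hour, and more than 10 hosts sharing one egress without a mirror.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# syslog prefix: "Mon DD HH:MM:SS host freshclam[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"freshclam\[\d+\]: (?P<msg>.*)$"
)

# Constructed sample log lines (syslog omits the year; 2021 is assumed).
SAMPLE_LOG = """\
Sep  4 09:53:55 mx1 freshclam[1001]: ClamAV update process started at Sat Sep  4 09:53:55 2021
Sep  4 10:53:55 mx1 freshclam[1001]: ClamAV update process started at Sat Sep  4 10:53:55 2021
Sep  4 09:00:00 mx2 freshclam[1002]: ClamAV update process started at Sat Sep  4 09:00:00 2021
Sep  4 09:10:00 mx2 freshclam[1002]: ClamAV update process started at Sat Sep  4 09:10:00 2021
Sep  4 09:10:02 mx2 freshclam[1002]: WARNING: FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN).
Sep  4 09:20:00 mx2 freshclam[1002]: ClamAV update process started at Sat Sep  4 09:20:00 2021
Sep  4 22:41:43 mx3 freshclam[1253]: Cool-down expired, ok to try again.
Sep  4 22:41:45 mx3 freshclam[1253]: downloadPatch: Can't download daily-26284.cdiff from https://database.clamav.net/daily-26284.cdiff
"""

MIN_INTERVAL = timedelta(hours=1)   # CDN guidance: check no more than once an hour
MAX_HOSTS_PER_EGRESS = 10           # CDN guidance: above this, run a private mirror


def parse_log(text, year=2021):
    """Return (update-start timestamps per host, set of hosts that saw a 429)."""
    starts = defaultdict(list)
    limited = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a freshclam line; ignore
        host, msg = m["host"], m["msg"]
        if msg.startswith("ClamAV update process started"):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            starts[host].append(ts)
        elif "error code 429" in msg:
            limited.add(host)
    return starts, limited


def too_frequent(starts, min_interval=MIN_INTERVAL):
    """Hosts whose shortest gap between two update checks is below min_interval."""
    offenders = {}
    for host, times in starts.items():
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if gaps and min(gaps) < min_interval:
            offenders[host] = min(gaps)
    return offenders


def needs_private_mirror(hosts, limit=MAX_HOSTS_PER_EGRESS):
    """True when more distinct hosts than the CDN guidance allows share one egress."""
    return len(set(hosts)) > limit


def audit(text):
    """Summarise the fleet's polling behaviour from raw syslog text."""
    starts, limited = parse_log(text)
    return {
        "hosts": sorted(starts),
        "too_frequent": too_frequent(starts),
        "rate_limited": sorted(limited),
        "private_mirror_recommended": needs_private_mirror(starts),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input, `mx1` polls exactly hourly and passes, while `mx2` polls every ten minutes and is also the host that received the 429; with only two polling hosts the mirror recommendation stays off. Feed it `journalctl -u clamav-freshclam` output or the aggregated syslog from the NAT'd hosts to see which machine is burning the shared allowance.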

Re: [clamav-users] error code 429

2021-09-04 Thread Joel Esler (jesler) via clamav-users
We are experimenting with a feature that we’ve been working with Cloudflare on, 
trying to isolate violators on a per host basis for the newest versions of 
ClamAV, instead of IP.  



— 
Sent from my  iPhone

> On Sep 4, 2021, at 18:52, Jim Popovitch via clamav-users 
>  wrote:
> 
> On Sat, 2021-09-04 at 14:41 -0400, Paul Kosinski wrote:
>> 
>> Not rate limited (as we only check about once per hour, from each of 3 
>> systems), but we're not getting updates.
>> 
> 
> Seeing similar here now that the (3rd) cool-down has expired.  I'm
> starting to suspect this is a CloudFlare issue.   Under the new ClamAV
> CDN parlance, what exactly defines "a network"?  Are they expecting
> service providers to set up clamav caches like major hosting providers do
> for OS updates?
> 
> -Jim P.
> 
> 
> Sep  4 22:41:43 mx3 freshclam[1253]: Cool-down expired, ok to try again.
> Sep  4 22:41:45 mx3 freshclam[1253]: downloadPatch: Can't download
> daily-26284.cdiff from https://database.clamav.net/daily-26284.cdiff
> Sep  4 22:41:45 mx3 freshclam[1253]: The database server doesn't have
> the latest patch for the daily database (version 26284). The server will
> likely have updated if you check again in a few hours.
> 
> 
> 
> 
> 
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml



[clamav-users] ClamAV® blog: Changes to ClamAV end-of-life policy and a new Long Term Support policy

2021-09-03 Thread Joel Esler (jesler) via clamav-users

> 
> https://blog.clamav.net/2021/09/changes-to-clamav-end-of-life-policy.html 
> 
> 
> Changes to ClamAV end-of-life policy and a new Long Term Support policy
> 
> Today, we're announcing changes to the ClamAV End-of-Life (EOL) policy to 
> include a new Long Term Support program.
> 
> These are the main points of the updated EOL policy:
> 
> Long Term Support (LTS) Feature Releases
> 
> ClamAV 0.103 is the first Long Term Support (LTS) feature release.
> 
> LTS feature releases will be supported for at least three years from the 
> initial publication date of that LTS feature version. In other words, support 
> for the LTS release "X.Y" starts when version "X.Y.0" is published and ends 
> three years after.
> 
> Each LTS feature release will be supported with critical patch versions and 
> access to download signatures for the duration of the three-year support 
> period.
> 
> A new LTS feature release will be identified approximately every two years.
> 
> Users must stay up-to-date with the latest patch versions for continued 
> support. As of Aug. 28, that means version 0.103.3.
> 
> Regular (non-LTS) Feature Releases
> 
> Non-LTS feature releases will be supported with critical patch versions for 
> at least four months from the initial publication date of the next feature 
> release or until the feature release after that is published.
> 
> Non-LTS feature releases will be allowed access to download signatures until 
> at least four months after the feature release after that is published.
> 
> If the end-of-life for a version has to change due to a compatibility 
> problem, that prohibits the use of new detection technology or affects the 
> stability of ClamAV infrastructure, we will announce the end of life for 
> those versions four months before they become unsupported.
> 
> You can find full details for the updated End-of-Life policy, including a 
> version-support matrix and definitions for the policy terminology in the EOL 
> policy page in our online documentation.





[clamav-users] ClamAV® blog: ClamAV 0.104.0 released

2021-09-03 Thread Joel Esler (jesler) via clamav-users

> 
> https://blog.clamav.net/2021/09/clamav-01040-released.html 
> 
> 
> ClamAV 0.104.0 released
> 
> ClamAV 0.104.0 is available as an official release as of today.
> 
> We are also announcing a new Long Term Support (LTS) program today in an 
> update to our End-of-Life (EOL) policy. The LTS will start retroactively with 
> ClamAV 0.103, the previous feature release. This new LTS policy extends the 
> life of 0.103 up through September 2023 and will facilitate the production of 
> more frequent feature releases while enabling users to rely on a supported 
> version for years to come if they cannot keep pace with the feature release 
> cadence. For full details about the Long Term Support program, you can see 
> the LTS announcement blog post and review the LTS policy in our online 
> documentation.
> 
> We're also introducing new install packages to make it easier for folks to 
> upgrade without having to build ClamAV from source and without having to wait 
> for a community volunteer to package the latest release. You can find the new 
> install packages on the ClamAV.net Downloads Page.
> 
> Today you can find:
> 
> x86_64 and i686 RPM packages compatible with RPM-based Linux distributions 
> running glibc version 2.17 or newer.
> x86_64 and i686 DEB packages compatible with Debian-based Linux distributions 
> running glibc version 2.23 or newer.
> An x86_64/ARM64 macOS installer package is compatible with Intel and Apple M1 
> systems.
> x64 and win32 Windows packages are compatible with Windows 7 and newer.
> In the future, we hope to supplement these with ARM64 Linux DEB and RPM 
> packages and an x86_64 FreeBSD package.
> 
> Please note that you may find installations in this release require more 
> manual configuration than when using a preconfigured package provided by a 
> Linux or Unix distribution. See our installation instructions on clamav.net 
> for more information.
> 
> ClamAV 0.104.0 includes the following improvements and changes.
> 
> 
> 
> New Requirements
> 
> As of ClamAV 0.104, CMake is required to build ClamAV.
> 
> We have added comprehensive build instructions for using CMake to the new 
> INSTALL.md file. The online documentation will also be updated to include 
> CMake build instructions.
> 
> The Autotools and the Visual Studio build systems have been removed.
> 
> 
> Major changes
> 
> The built-in LLVM for the bytecode runtime has been removed.
> 
> The bytecode interpreter is the default runtime for bytecode signatures just 
> as it was in ClamAV 0.103.
> 
> We hoped to add support for newer versions of LLVM, but ran out of time. If 
> you're building ClamAV from source and you wish to use LLVM instead of the 
> bytecode interpreter, you will need to supply the development libraries for 
> LLVM version 3.6.2. See the "bytecode runtime" section in INSTALL.md to learn 
> more.
> 
> There are now official ClamAV images on Docker Hub.
> 
> Docker Hub ClamAV tags:
> 
> clamav/clamav:<version>: A release preloaded with signature databases.
> 
> Using this container will save the ClamAV project some bandwidth. Use this if 
> you will keep the image around so that you don't download the entire database 
> set every time you start a new container. Updating with FreshClam from the 
> existing databases set does not use much data.
> 
> clamav/clamav:<version>_base: A release with no signature databases.
> 
> Use this container only if you mount a volume in your container under 
> /var/lib/clamav to persist your signature databases. This method is the best 
> option because it will reduce data costs for ClamAV and for the Docker 
> registry, but it does require advanced familiarity with Linux and Docker.
> 
> Caution: Using this image without mounting an existing database directory 
> will cause FreshClam to download the entire database set each time you start 
> a new container.
> 
> You can use the unstable version (i.e. clamav/clamav:unstable or 
> clamav/clamav:unstable_base) to try the latest from our development branch.
> 
> Please, be kind when using 'free' bandwidth, both for the virus databases but 
> also the Docker registry. Try not to download the entire database set or the 
> larger ClamAV database images on a regular basis.
> 
> For more details, see the ClamAV Docker documentation.
> 
> Special thanks to Olliver Schinagl for his excellent work creating ClamAV's 
> new Docker 
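As an added illustration of the volume guidance in the quoted release notes (a compose file written for this page, not taken from the blog post or the ClamAV project; the `stable_base` tag, the `clamav-db` volume name and the loopback-only port mapping are assumptions), this keeps the signature databases on a named volume so that a recreated container fetches only the incremental daily update instead of the full set:

```yaml
# Constructed example: run a "_base" image with a persistent database volume.
# Without the volume, every new container starts empty and FreshClam downloads
# the entire database set, which is exactly what the release notes ask users
# to avoid doing on a regular basis.
services:
  clamav:
    image: clamav/clamav:stable_base    # assumed tag; pin the version tag you track
    restart: unless-stopped
    ports:
      - "127.0.0.1:3310:3310"           # clamd TCP socket, reachable from this host only
    volumes:
      - clamav-db:/var/lib/clamav       # signature databases survive container recreation

volumes:
  clamav-db:
```

Check the effect after the first start: a second `docker compose up -d --force-recreate` should log FreshClam applying a `.cdiff` against the existing `daily.cld` rather than pulling `main.cvd` again.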

Re: [clamav-users] Please unsubscribe me from all emails

2021-08-31 Thread Joel Esler (jesler) via clamav-users
Thank you for writing in.

Go to this URL to change user options or unsubscribe:
https://lists.ClamAV.net/mailman/listinfo/ClamAV-users

or by sending an email to clamav-users-le...@lists.clamav.net

Thanks!

> On Aug 31, 2021, at 10:17 AM, Cândido Sales Gomes via clamav-users 
>  wrote:
> 
> Hi,
> 
> Please unsubscribe me from all emails.
> 
> Thanks
> -- 
> Cândido Sales Gomes  
> +55 (11) 94200-5216
> +1 (306) 880-0349
> 
> candidosales.me 
> 






Re: [clamav-users] Authenticity token element not found

2021-08-25 Thread Joel Esler (jesler) via clamav-users
I think this was fixed in 103.3

— 
Sent from my  iPhone

> On Aug 25, 2021, at 04:26, Philipp Ewald  wrote:
> 
> 
>> 
> clamsubmit -e "philipp.ewald[at]digionline.de" -n 
> "29668235ea685b3e84309b9585dc71e7" -N "DigiOnline"
> 
> Authenticity token element not found.
> 
> This is my command. I did this 100 times before, then this error appeared.
> 
> 
> 
> 
>> On 8/24/21 5:46 PM, G.W. Haywood via clamav-users wrote:
>> Hello again,
>>> On Tue, 24 Aug 2021, Philipp Ewald wrote:
>>> On 8/24/21 3:17 PM, G.W. Haywood via clamav-users wrote:
>>>> On Tue, 24 Aug 2021, Philipp Ewald wrote:
>>>> 
>>>>> since some months we got errors while submitting FN to clamAV.
>>>>> 
>>>>> clamsubmit -e "EMAIL" -n "$virus" -N "DigiOnline" > /dev/null
>>>>> 
>>>>> "Authenticity token element not found."
>>>>> 
>>>>> I have found a patch that should fix this but can't find any update.
>>>> 
>>>> What version of ClamAV are you using?
>>> 
>>> we are using ClamAV 0.103.2/26273/Tue Aug 24 10:21:17 2021
>> Please cut and paste the command (and the output which it produces) so
>> that we can see exactly what you're doing at the command line.
> 
> -- 
> Philipp Ewald
> Administrator
> 
> DigiOnline GmbH, Probsteigasse 15 - 19, 50670 Köln
> Fax: +49 221 6500-690, E-Mail: philipp.ew...@digionline.de
> 
> AG Köln HRB 27711, St.-Nr. 5215 5811 0640
> Geschäftsführer: Werner Grafenhain
> 
> Informationen zum Datenschutz: www.digionline.de/ds
> 



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Joel Esler (jesler) via clamav-users
I could worry about the .0001% of the time*

— 
Sent from my  iPhone

> On Aug 22, 2021, at 13:48, Joel Esler (jesler)  wrote:
> 
> I could work about the .0001% or the time that github is inaccessible in 
> a given time, or I could save maintaining the docs in two places.  
> 
> — 
> Sent from my  iPhone
> 
>> On Aug 22, 2021, at 10:55, G.W. Haywood via clamav-users 
>>  wrote:
>> 
>> Hi there,
>> 
>>> On Sun, 22 Aug 2021, Arjen de Korte via clamav-users wrote:
>>> Citeren "G.W. Haywood via clamav-users" :
>>>> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>>>>> I’m a fan of the thought of removing the user manual completely from
>>>>> the downloaded packages and including a link to docs.ClamAV.net.
>>>>> Since that’s more dynamic.
>>>> But not so easy to pipe through 'grep'.
>>> 
>>> There is a search button on the website...
>> 
>> And if the site is inaccessible?
>> 
>> -- 
>> 
>> 73,
>> Ged.
>> 



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Joel Esler (jesler) via clamav-users
I could work about the .0001% or the time that github is inaccessible in a 
given time, or I could save maintaining the docs in two places.  

— 
Sent from my  iPhone

> On Aug 22, 2021, at 10:55, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
>> On Sun, 22 Aug 2021, Arjen de Korte via clamav-users wrote:
>> Citeren "G.W. Haywood via clamav-users" :
>>> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>>>> I’m a fan of the thought of removing the user manual completely from
>>>> the downloaded packages and including a link to docs.ClamAV.net.
>>>> Since that’s more dynamic.
>>> But not so easy to pipe through 'grep'.
>> 
>> There is a search button on the website...
> 
> And if the site is inaccessible?
> 
> -- 
> 
> 73,
> Ged.
> 



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Joel Esler (jesler) via clamav-users
I’m a fan of the thought of removing the user manual completely from the 
downloaded packages and including a link to docs.ClamAV.net.   Since that’s 
more dynamic. 

— 
Sent from my  iPhone

> On Aug 22, 2021, at 04:22, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
>> On Sun, 22 Aug 2021, Mark Pizzolato via clamav-users wrote:
>> 
>> ... Previous portable zip files included a README.md, a NEWS.md and
>> UserManual.html (in addition to what’s in the now html directory
>> which previously was called UserManual).
>> I never worried about what’s in these files or directories ...
> 
> :):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):)
> 
> -- 
> 
> 73,
> Ged.
> 



[clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-19 Thread Joel Esler (jesler) via clamav-users

https://blog.clamav.net/2021/08/clamav-01040-second-release-candidate.html

ClamAV 0.104.0 Second Release Candidate is here!

Today we are publishing a second release candidate for 0.104.0. Please help us 
verify that 0.104.0-rc2 works on your systems and that we have resolved the 
concerns you reported with the first release candidate. We need your feedback, 
so let us know what you find and join us on the ClamAV mailing list, or on our 
Discord.

In particular, we'd love your feedback on the new Debian and RPM packages (see 
below) and on the install documentation on docs.clamav.net.

For details about what is new in the 0.104 feature release, please refer to the 
announcement for the first release candidate.

What changed since the first release candidate

First and foremost, we are listening to your concerns about the build system 
change from Autotools to CMake, and about changes coming in a future feature 
release when we add the Rust programming language toolchain into our build 
requirements. We can't bring back Autotools, but we hope that the following 
will help.

  1.  We are introducing a Long Term Support (LTS) program that will begin with 
the 0.103 feature release. Users will be required to stay up to date with the 
latest patch versions (e.g., 0.103.3) within the 0.103 feature series, but will 
have the peace-of-mind that the 0.103 feature release will receive critical 
patch versions with a stable ABI up until End-of-Life in September 2023. Stay 
tuned for a separate blog post introducing the full details of our LTS program. 
We will also add a version-support-matrix to our online documentation in tandem 
with the LTS blog post for easy reference.

  2.  We plan to increase our feature release cadence to make it easier to plan 
and to get new features and efficacy improvements into your hands faster. So, 
to make it easier for you to stay up-to-date with the latest stable release, we 
are introducing new package installers for macOS and for RPM-based and 
Debian-based Linux distributions. These new packages will be available for 
download on the clamav.net Downloads page. You can find installation 
instructions for these packages in our online documentation. Please note that 
the Linux packages unfortunately do not include clamav-milter at this time, and 
that we are still working on the signing & notarization process for the macOS 
installer, so it may not work for users on the latest macOS version.

In addition to the above, we've resolved the following issues identified during 
the first release candidate:

  *   Increased the functionality level (FLEVEL) for the 0.104 release to make space for additional 0.103 (LTS) patch versions. See the Version & FLEVEL reference.
  *   Improved installation instructions in INSTALL.md and in the online documentation.
  *   Fixed iconv / libiconv detection in the CMake configuration process when -Werror=return-type is enabled, such as in the openSUSE packaging environment. See PR-233.
  *   Fixed broken CMake build when RAR support is intentionally disabled and test-support is enabled. See PR-237.
  *   Fixed broken CMake build on systems that do not provide format string macros for standard integer types. See PR-231.
  *   Improved long file path support on Windows. (Disclaimer: presently requires user to opt-in with a registry key change). See PR-229.
  *   Fixed a segfault and socket file descriptor leak in ClamOnAcc. See PR-227.
  *   Fixed an error reported by ClamD when scanning directories on Windows. See PR-230.
  *   Fixed issue with Freshclam support for Universal Naming Convention (UNC) paths on Windows. See PR-226.
  *   Added missing environment variable feature documentation to the manpages. See PR-254.
  *   Fixed an assortment of issues identified by Coverity static analysis. See PR-221.
  *   Tuned the Valgrind suppression rules for the public test suite to resolve a false positive that caused intermittent ClamD test failures. See PR-238.
  * 

Re: [clamav-users] database updates blocked

2021-08-17 Thread Joel Esler (jesler) via clamav-users
Thank you Eero.

Yes, this isn’t the server blocking you.  You have a problem with your local CA 
store.

— 
Sent from my iPad

> On Aug 17, 2021, at 09:11, Eero Volotinen  wrote:
> 
> 
> Please note that python uses different CA locations.
> 
> You can see my message on this mailing list some months ago related to the 
> same issue.
> 
> 
> Eero
> 
>> On Tue 17. Aug 2021 at 15.57, Jona Tallieu  wrote:
>> Dear,
>> 
>> Thanks for your answer.
>> 
>> We are using Freshclam, the curl was a test to see what the problem was.
>> 
>> The logs show an SSL CA cert problem:
>> 
>> 13:26:22.633 5 EXTFILTER(CGPClamAV) inp(059): * ClamAV update process 
>> started at Mon Aug 16 13:26:22 2021
>> 13:26:22.634 5 EXTFILTER(CGPClamAV) inp(048): * WARNING: Your ClamAV 
>> installation is OUTDATED!
>> 13:26:22.634 5 EXTFILTER(CGPClamAV) inp(062): * WARNING: Local version: 
>> 0.103.2 Recommended version: 0.103.3
>> 13:26:22.634 5 EXTFILTER(CGPClamAV) inp(069): * DON'T PANIC! Read 
>> https://www.clamav.net/documents/upgrading-clamav
>> 13:26:22.634 5 EXTFILTER(CGPClamAV) inp(083): * daily database available for 
>> update (local version: 26231, remote version: 26265)
>> 13:26:24.644 5 EXTFILTER(CGPClamAV) inp(104): * WARNING: Download failed 
>> (77) * WARNING: Message: Problem with the SSL CA cert (path? access rights?)
>> 13:26:24.644 5 EXTFILTER(CGPClamAV) inp(109): * WARNING: downloadPatch: 
>> Can't download daily-26232.cdiff from 
>> https://database.clamav.net/daily-26232.cdiff
>> 13:26:24.646 5 EXTFILTER(CGPClamAV) inp(104): * WARNING: Download failed 
>> (77) * WARNING: Message: Problem with the SSL CA cert (path? access rights?)
>> 13:26:24.646 5 EXTFILTER(CGPClamAV) inp(109): * WARNING: downloadPatch: 
>> Can't download daily-26232.cdiff from 
>> https://database.clamav.net/daily-26232.cdiff
>> 13:26:24.651 5 EXTFILTER(CGPClamAV) inp(104): * WARNING: Download failed 
>> (77) * WARNING: Message: Problem with the SSL CA cert (path? access rights?)
>> 13:26:24.651 5 EXTFILTER(CGPClamAV) inp(109): * WARNING: downloadPatch: 
>> Can't download daily-26232.cdiff from 
>> https://database.clamav.net/daily-26232.cdiff
>> 13:26:24.651 5 EXTFILTER(CGPClamAV) inp(066): * WARNING: Incremental update 
>> failed, trying to download daily.cvd
>> 13:26:24.653 5 EXTFILTER(CGPClamAV) inp(104): * WARNING: Download failed 
>> (77) * WARNING: Message: Problem with the SSL CA cert (path? access rights?)
>> 13:26:24.653 5 EXTFILTER(CGPClamAV) inp(078): * WARNING: Can't download 
>> daily.cvd from https://database.clamav.net/daily.cvd
>> 
>> But the ca-certificates package (which contains the CA roots) is the most 
>> recent version. Other Cloudflare hosted URLs (with the same TLS settings) 
>> work fine…
>> 
>> Best,
>> 
>> Jona
>> 
>> From: clamav-users  on behalf of 
>> "Joel Esler (jesler) via clamav-users" 
>> Reply-To: ClamAV users ML 
>> Date: Tuesday, 17 August 2021 at 14:45
>> To: ClamAV users ML 
>> Cc: "Joel Esler (jesler)" 
>> Subject: Re: [clamav-users] database updates blocked
>> Resent-From: 
>> Resent-Date: Tuesday, 17 August 2021 at 14:45
>> 
>> Curl is not authorized to be used to download updates.  Please use Freshclam 
>> or cvdupdate to download updates. 
>> 
>> ___
>> 
>> clamav-users mailing list
>> clamav-users@lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
> 


smime.p7s
Description: S/MIME cryptographic signature



Re: [clamav-users] database updates blocked

2021-08-17 Thread Joel Esler (jesler) via clamav-users
Curl is not authorized to be used to download updates.  Please use Freshclam or 
cvdupdate to download updates.

—
Sent from my iPhone

On Aug 17, 2021, at 08:33, Jona Tallieu  wrote:


Dear all,

Since a few days, our database updates are blocked:

HTTP 403 (forbidden)
> Cloudflare Error 1020: Access Denied indicates that you’ve violated a 
> firewall rule and your connection request has been blocked.

mail:~# curl https://database.clamav.net/daily-26232.cdiff -i
HTTP/2 403
date: Thu, 12 Aug 2021 14:43:35 GMT
content-type: text/plain; charset=UTF-8
content-length: 16
x-frame-options: SAMEORIGIN
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, 
post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
expect-ct: max-age=604800, 
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct;
strict-transport-security: max-age=15552000
x-content-type-options: nosniff
server: cloudflare
cf-ray: 67da7a1038b02e50-BRU

error code: 1020

We are using a custom-built version of ClamAV, but still using Freshclam for 
all updates (ClamAV engine v0.103.2).
We are updating once every hour.

What can we do to fix this? Or who do we contact? Thank you.


Regards,


Jona






Re: [clamav-users] Local web server

2021-08-12 Thread Joel Esler (jesler) via clamav-users
What’s the question?  Can you use ClamAV in a commercial environment?  Sure.  
As long as you adhere to the GPLv2, you’re good to go.

But yes, Ged is right, if you have more than say, two or three hosts behind a 
NAT address?  Set up a private mirror.

> On Aug 12, 2021, at 2:15 PM, Johnson, Tricia  wrote:
> 
> Thank you for the response! I am under the same impression, but I would like 
> confirmation from the ClamAV team that this is the case. Has anyone else 
> asked for this clarification previously or can the ClamAV team respond, 
> please?
> 
> Thanks and best regards
> Tricia
> 
> -Original Message-
> From: clamav-users  On Behalf Of G.W. 
> Haywood via clamav-users
> Sent: Thursday, August 12, 2021 4:56 AM
> To: Johnson, Tricia via clamav-users 
> Cc: G.W. Haywood 
> Subject: Re: [clamav-users] Local web server
> 
> Hi there,
> 
> On Thu, 12 Aug 2021, Johnson, Tricia via clamav-users wrote:
> 
>> I read the instructions regarding how to setup a local web server
>> found here: https://docs.clamav.net/appendix/CvdPrivateMirror.html
>> 
>> Thank you for this, very helpful. Can you confirm that commercial
>> use of the database update service is generally allowed with no
>> restrictions beyond what's outlined in ClamAV documentation?
> 
> For a definitive answer I guess you'd have to define "commercial use"
> but you can certainly use the database update service, (and since you
> seem to be making a distinction, the database(s) and all the software
> which makes use of same) in a commercial setting, such as for example
> might be the case if you installed ClamAV on thousands of workstations
> in a business and provided a local mirror at the business' premises to
> propagate database updates to the workstations.  You might limit the
> number of updates per day performed by the mirror to some small number
> but there would effectively then be no limit on the number of updates
> per day that the workstations could attempt, as the Cloudflare Content
> Delivery Network would not see them.  See the mailing list archives if
> you need to know about the recently imposed abuse mitigation measures.
> 
> -- 
> 
> 73,
> Ged.
> 





Re: [clamav-users] Long Term Support (LTS) program proposal

2021-07-30 Thread Joel Esler (jesler) via clamav-users


> On Jul 30, 2021, at 14:41, Paul Kosinski via clamav-users 
>  wrote:
> 
> (I don't see exactly how a LTS would have helped with the bandwidth issue, 
> but I suppose it wouldn't have made it any more disruptive.)

103.2 and 103.3 are much more respectful to bandwidth than any past version.  
We’ve been working with Cloudflare on the development of a feature that is 
exactly optimized to handle these changes, and they are almost ready to deploy 
it.  We’ve tested it out and it works well, so we’re just waiting on a few more 
updates. 




Re: [clamav-users] ClamAVR blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-29 Thread Joel Esler (jesler) via clamav-users


> On Jul 28, 2021, at 6:09 PM, Rick Cooper  wrote:
> 
>> On Jul 28, 2021, at 7:17 AM, Rick Cooper wrote:
>> 
>> total disregard for the user base, not so much as a poll or query on the 
>> lists, enjoy your new cutting edge toys
>>  
>> Corporate BS rears its ugly head again. First Snort, then CentOS and now 
>> ClamAV.
> 
> I think this is unfair.  This is the feedback we’re getting.  Sounds like we 
> don’t need a poll or a query.  We’re hearing it now.
>  
> Actually the way it was presented was here is what's going to happen and not 
> what would the community think about going to cmake, here are the advantages 
> to the community if we go this way. It wasn't presented as an option and it 
> took a lot of people off guard. It's like someone on the list said if you are 
> using an old stable enterprise version maybe you just need to switch to 
> something more cutting edge like Fedora, which is not stable and shouldn't be 
> used in an enterprise situation. When I upgrade an OS it's a very big deal 
> because I have to template it, use it in production at one of the sites to 
> make sure everything is stable, keep it out of the other upgrade paths (the 
> older OS's) and image it, go to several (100+es each) cities on a Sunday (to 
> be at console and cannot take it down any other day) and then update the site 
> specific pieces, test everything and drive 100+ back. What might be a small 
> thing for some is a real life's mess for many others.
>  
> I didn't mean to be as offensive as it came out but I was pissed because for 
> my mail servers it's going to be a problem, I've built it on a file server 
> (Centos 7) alright but just to get to correct version of cmake built and all 
> the required dependencies was cumbersome at best. 

I don’t think we took it like that, I certainly didn’t.  I think a productive 
and healthy discussion around on the list is a great thing.  

>  
> 
> I also think it’s unfair to think “big bad Cisco” had anything to do with 
> this at all.  ClamAV is beholden to Cisco in very few ways. In that it’s 
> integrated into a few products, other than that, the ClamAV development team 
> has pretty full autonomy.  No one is coming down to Micah and saying "YOU MUST 
> YOU CMAKE YOU PEON DEVELOPER MUHAHAHAHAHA”.   
>  
> That was, in fact, unfair of me. Perhaps the team isn't part of the culture. 
> I have had issues with Cisco for quite some time, really going back to when 
> they bought Linksys because their hardware was overpriced and more and more 
> enterprises were realizing they didn't need to pay Cisco for a name... rather 
> than simply build a reasonably priced series of equipment (as they do today) 
> they bought a reasonably priced equipment vendor.

Cisco is a huge company. Security is quite different.


> If you have feedback, this is the perfect use of this list to do so, but 
> we’re also all adults, with jobs, with passions, and we can be professional.
> 
> As far as Snort, I think the same logic applies.  The rewrite of Snort 
> started long before Cisco even entered the picture, it started when we were 
> still Sourcefire back in 2011-2012.  I have the engineering slides! 
>  
> I'd have to think about it, I thought the paid sigs over community sigs began 
> with Cisco but maybe it was Sourcefire.

We transitioned to paid sigs in 2003-2004?  Cisco bought Sourcefire in 2013.  
So, yeah, Cisco had nothing to do with it.  However, I run that program as 
well, so I’m very familiar with why we did it, why we continue to do it, and 
what the pros and cons of it are.  

> I am sure you are right, it's my bad attitude about Cisco. I am waiting for 
> them to purchase Ubiquiti next, and the entire IBM CentOS mess just turns up 
> my "big company" hackles.

We purchased Meraki.  :) 






Re: [clamav-users] Long Term Support (LTS) program proposal

2021-07-29 Thread Joel Esler (jesler) via clamav-users
To be extremely specific, the LTS version would start with 0.103.3.  So that 
would be the base version we’d support for LTS.



> On Jul 29, 2021, at 10:06 AM, Andrew C Aitchison via clamav-users 
>  wrote:
> 
> 
> Executive Summary:
> An LTS release every two years, supported for three, starting with 0.103
> sounds good to me. Thank you.
> 
> 
> On Wed, 28 Jul 2021, Micah Snyder (micasnyd) via clamav-users wrote:
> 
>> For the past couple of months I've been promoting the idea of having
>> Long Term Support (LTS) feature releases for ClamAV within internal
>> Talos communications.
>> For the purposes of this discussion:
>> 
>> * A "feature release" is a version starting with MAJOR.MINOR.0 to
>> include all PATCH versions. I.e. ClamAV 0.103.0, 0.103.1,
>> 0.103.2, and 0.103.3 are all within the same "feature release".
>> * A "patch version" is a specific MAJOR.MINOR.PATCH
>> version. E.g. 0.103.4 would be the next "patch version" in the
>> 0.103 "feature release".
>> My interest in starting an LTS program came about because we have
>> been getting (understandable) pressure from management to have
>> shorter development times for feature versions with more targeted
>> feature sets.  What this means is that you would see more frequent
>> feature releases, possibly as many as ~5 per year.  Some of the
>> features in a given feature release would be things the community
>> cares about, while others may be by request of a different team
>> within Talos or Cisco.
> 
> I don't *think* I want ever more features (though I may say "yes" when
> you suggest X and Y ... and Z ...). What I want is better detection
> (though I don't currently have an SMTP listener, so the number of
> pieces of malware my installation could detect is vanishingly small).
> 
> I can see management wanting you to work on one new feature at a time,
> releasing it and moving on to the next. If that works for your team, fine.
> If you work better by being able to switch between a couple of projects
> and release several at once, that is fine too.
> However, please make a release when it is ready; don't go down the
> Firefox route of a release timetable with features trying to catch the
> release train where they can (not that I think your team is big
> enough to do that).
> 
> 
>> But I couldn't in good conscience start pumping out new feature
>> releases every 2-4 months and expect everyone to keep up. And at
>> that rate it would not be possible for us to make critical patch
>> versions for every feature release within the two years, or even one
>> year.  So in order to get features out faster it became clear to me
>> that we will need to define specific feature release for which we
>> promise to backport security fixes for some amount of time.
>> This raised a few obvious questions:
>> 
>> *   Which feature release do we start with?
>> *   Do we have to continue serving signature database content
>>to every patch version in an LTS release?
>> *   How often should we select a new feature release for LTS?
>> *   How long is "long term support" anyways?
>> We've been talking about this off and on for the past couple of
>> months.  This is what I came up with:
>> Which feature version do we start with?
>> We had initially settled on 0.104 as the first LTS version, for
>> basically two reasons:
>> -  Joel really wants to make sure people have the latest
>> -  freshclam features, particularly those found in 0.103.2
>> -  and 0.103.3, to reduce bandwidth cost.
>> -  I don't want to keep fixing glitchy autotools package
>> -  detection issues for years to come.
>> But after seeing the (very much unexpected) reaction to the switch to
>> CMake... it's clear to me now that we need to start the LTS program
>> with 0.103.
> 
> Thanks.
> Sorry if that means you have to put up with a build system
> you don't like for another two years.
> 
>> Do we have to continue serving database content to every patch
>> version in an LTS release?
>> No.
>> LTS means that we will promise to continue providing patch versions
>> for a given feature release.  I.e. you will get critical fixes in
>> 0.103.4, 0.103.5, 0.103.6, etc. as needed until End of Life (EOL)
>> for the 0.103 feature release.
>> I need to stress that it doesn't mean people should or will be
>> allowed to continue using vulnerable or otherwise problematic
>> versions such as 0.103.0 and 0.103.1 just because they belong to an
>> LTS feature release. We will reserve the right to at some point
>> begin to block older patch versions like 0.103.0 from downloading
>> databases to force people to use newer patch versions.
>> How often should we select a new feature release for LTS?
>> Some products, like Ubuntu, do a new LTS ever 2 years with support
>> for 5 years.  2 years feels like a long time but, as much as I want
>> to get people using the latest features, our team is pretty small.
>> The more frequently we a release for long term support, 

Re: [clamav-users] Freshclam - can't apply latest patch 26246

2021-07-28 Thread Joel Esler (jesler) via clamav-users


> On Jul 28, 2021, at 12:30 PM, Andrew C Aitchison via clamav-users 
>  wrote:
> 
> This sounds about right.
> A lot of signatures in daily 26231 were removed from daily 26232 or 26233
> and added to main 60. There was a glitch and main 61 was created to flush
> caches on some of the mirrors.
> 
> Not sure whether you should do something, or wait patiently …

Try deleting all the cvd’s and cld’s, raising your receivetimeout to something 
large, and do it again.





Re: [clamav-users] can not download updates

2021-07-28 Thread Joel Esler (jesler) via clamav-users


> On Jul 28, 2021, at 4:04 AM, Matus UHLAR - fantomas  wrote:
> 
> On 27.07.21 18:51, fxkl47BF via clamav-users wrote:
>> for many years it's worked fine with timeout set at 30 seconds
> 
> for many years it worked with people fetching via wget/curl, but it does not
> apply now.
> 

So true.

> 
> ...changing timeout won't help you when you are banned, servers don't know
> about your timeout settings (but will ban you if you repeatedly drop
> connection because of timeout)

No, but a lot of the repeated queries (causing the ban) are because the timeout 
is reached prematurely, and extending the download time allows for more time 
to download the file, which cuts down on the repeated queries.





Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-28 Thread Joel Esler (jesler) via clamav-users


> On Jul 28, 2021, at 7:17 AM, Rick Cooper  wrote:
> 
> total disregard for the user base, not so much as a poll or query on the 
> lists, enjoy your new cutting edge toys
>  
> Corporate BS rears its ugly head again. First Snort, then CentOS and now 
> ClamAV.

I think this is unfair.  This is the feedback we’re getting.  Sounds like we 
don’t need a poll or a query.  We’re hearing it now.

I also think it’s unfair to think “big bad Cisco” had anything to do with this 
at all.  ClamAV is beholden to Cisco in very few ways. In that it’s integrated 
into a few products, other than that, the ClamAV development team has pretty 
full autonomy.  No one is coming down to Micah and saying "YOU MUST YOU CMAKE 
YOU PEON DEVELOPER MUHAHAHAHAHA”.  

If you have feedback, this is the perfect use of this list to do so, but we’re 
also all adults, with jobs, with passions, and we can be professional.

As far as Snort, I think the same logic applies.  The rewrite of Snort started 
long before Cisco even entered the picture, it started when we were still 
Sourcefire back in 2011-2012.  I have the engineering slides!



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-28 Thread Joel Esler (jesler) via clamav-users
We are planning on making LTS versions for distros again.  

— 
Sent from my iPad

> On Jul 28, 2021, at 07:45, Andrew C Aitchison via clamav-users 
>  wrote:
> 
> On Wed, 28 Jul 2021, Rick Cooper wrote:
> 
>> total disregard for the user base, not so much as a poll or query on the 
>> lists,
> 
> When ClamAV 0.103 was released in September 2020 CMake was an *experimental* 
> option.
> There will be a 0.103 release in September 2021, but it is likely to be the 
> last one.
> 0.104 will only have CMake, no autoconfig.
> That doesn't leave much time for distributions to switch.
> 
> The latest "Long Term" Ubuntu was 2004, released about April 2020,
> the  next will be 2204, due around April 2022,
> so ClamAV will completely switch over between successive Ubuntu LTS releases.
> 
> Between those LTS releases there are 3 standard/fast-track releases,
> Ubuntu2010, Oct 2020, replaced by Ubuntu2104 in April 2021 (with ClamAV 
> 0.103.2) and 2110 due in October.
> I don't see anyone from Ubuntu, Canonical or Debian here talking about
> keeping up with bleeding edge ClamAV.
> 
> Between requiring an up-to-date CMake and an obsolete, 6 year old,
> LLVM, I worry that the ClamAV team is spread too thin.
> 
> -- 
> Andrew C. Aitchison    Kendal, UK
> and...@aitchison.me.uk
> 




Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-27 Thread Joel Esler (jesler) via clamav-users


> On Jul 27, 2021, at 11:27 AM, Paul Kosinski via clamav-users 
>  wrote:
> 
> On Mon, 26 Jul 2021 11:35:29 -0400
> "Rick Cooper" wrote:
> 
>> And what, exactly, is the reason for moving to cmake? I am sure you know
>> it's going to be problematic for thousands of people so I am curious what
>> tremendous gain of speed, size, memory usage or security the other users
>> get from this change, or if it's just a convenience thing for the
>> developers?
> 
> 
> I get the impression that *all* recent software development (at least in Open 
> Source) has given up any notion of backward compatibility. For example, 
> Firefox (even ESR) has been a disaster in the past few years, changing the UI 
> with every major release, once totally blowing away users' bookmarks, and of 
> course, completely invalidating many, many years of add-on development by 
> many people due to switching from XUL to the less powerful WebExtensions.
> 
> Now I wonder what will happen when I next try to build ClamAV on my three 
> different Debian systems (7, 8 & 10).

You can’t support everything, forever.  You have to push forward with new tools 
and technology that make securing your customers easier and better and provide 
more functionality to us (the authors of the ruleset) to better protect people 
(you).

If you’re using security software to protect yourself, why would you not do the 
most basic things and upgrade the OS of the systems underneath?  I never 
understood this.



Re: [clamav-users] can not download updates

2021-07-27 Thread Joel Esler (jesler) via clamav-users
Maybe try raising your receivetimeout?  
https://blog.clamav.net/2021/07/psa-freshclam-database-download-issue.html 
<https://blog.clamav.net/2021/07/psa-freshclam-database-download-issue.html>



> On Jul 27, 2021, at 11:17 AM, fxkl47BF via clamav-users 
>  wrote:
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On Tuesday, July 27th, 2021 at 9:43 AM, Joel Esler (jesler) wrote:
> 
>>> On Jul 27, 2021, at 10:34 AM, fxkl47BF via clamav-users 
>>>  wrote:
>>> 
>>> ‐‐‐ Original Message ‐‐‐
>>> 
>>> On Tuesday, July 27th, 2021 at 9:29 AM, Joel Esler (jesler) 
>>>  wrote:
>>> 
>>>>> On Jul 27, 2021, at 10:22 AM, fxkl47BF via clamav-users 
>>>>>  wrote:
>>>>> 
>>>>> On Tuesday, July 27th, 2021 at 8:56 AM, Matus UHLAR - fantomas 
>>>>>  wrote:
>>>>> 
>>>>>> On 27.07.21 12:47, fxkl47BF via clamav-users wrote:
>>>>>> 
>>>>>>> for a couple of weeks i've not been able to download updates. i get a
>>>>>>> message about on a cool down until a certain future date and time. when
>>>>>>> that date and time expires the next update get a message with a new 
>>>>>>> future date and time. should i abandon all hope of getting updates?
>>>>>> 
>>>>>> it's described here:
>>>>>> https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html
>>>>>> 
>>>>>> do you have multiple devices behind one IP address?
>>>>>> Do any of those devices download clamav database differently than using
>>>>>> freshclam?
>>>>> 
>>>>> i have one device that uses freshclam once per hour
>>>>> i am using a vpn
>>>>> it looks like anyone that uses a vpn is probably screwed
>>>>> it was good while it lasted
>>>> 
>>>> What is your public IP?
>>> 
>>> 199.229.250.132
>> 
>> You’re rate limited because you have one machine behind that IP that has 
>> attempted to download the daily.cvd 50x in the last 24 hours, and the 
>> main.cvd another 50x. Let alone the latest cdiff that it’s attempted to 
>> download 80x.
>> 
>> It’s not more than one machine, it’s a single machine.
> 
> maybe i don't fully understand how this vpn works
> i understood that this would be the ip address for anyone using this exit 
> point
> i have two machines
> one is my work machine and has clamav
> the other runs a cnc mill that hasn't been on for several days
> i can send my whole freshclam log if it helps
> maybe something needs to be changed in my config
> 
> this is /etc/clamav/freshclam.conf
> 
> # Automatically created by the clamav-freshclam postinst
> # Comments will get lost when you reconfigure the clamav-freshclam package
> 
> DatabaseOwner clamav
> UpdateLogFile /var/log/clamav/freshclam.log
> LogVerbose false
> LogSyslog false
> LogFacility LOG_LOCAL6
> LogFileMaxSize 0
> LogRotate true
> LogTime true
> Foreground false
> Debug false
> MaxAttempts 5
> DatabaseDirectory /var/lib/clamav
> DNSDatabaseInfo current.cvd.clamav.net
> ConnectTimeout 30
> ReceiveTimeout 30
> TestDatabases yes
> ScriptedUpdates yes
> CompressLocalDatabase no
> Bytecode true
> NotifyClamd /etc/clamav/clamd.conf
> # Check for new database 24 times a day
> Checks 24
> DatabaseMirror db.local.clamav.net
> DatabaseMirror database.clamav.net
> 
> 


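One audit that covers both threads, the error-77 CA-store failure in Jona's log above and the repeated-attempt rate limiting discussed with fxkl47BF here (added example for this page, not ClamAV project code). It assumes freshclam's "<date> -> <message>" log line format written with LogTime true, and the 50-per-24h threshold is constructed from what Joel reports the CDN observed, not a documented limit.

```python
"""Audit freshclam output for the two failure modes in these threads: libcurl
error 77 (a broken local CA store, not the CDN blocking you) and CDN rate
limiting caused by repeated download attempts inside 24 hours.

Added example for this page, not ClamAV project code.  Assumes the
UpdateLogFile line format "<date> -> <message>" written with LogTime true;
the 50-attempts-per-24h threshold is constructed from what the thread reports
the CDN observed and is not a documented limit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> (?P<msg>.*)$")
CANT_DOWNLOAD = re.compile(r"Can't download (?P<file>\S+) from ")
DOWNLOAD_FAILED = re.compile(r"Download failed \((?P<code>\d+)\)")
COOLDOWN = re.compile(r"cool-down until after: (?P<until>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

CURLE_SSL_CACERT = 77        # libcurl: "Problem with the SSL CA cert (path? access rights?)"
ATTEMPT_LIMIT_PER_DAY = 50   # constructed threshold, see module docstring
WINDOW = timedelta(hours=24)


def parse_log(text):
    """Return [(timestamp, message)] for every freshclam log line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())   # collapse "Aug  6" to "Aug 6"
        events.append((datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group("msg")))
    return events


def peak_attempts(events, window=WINDOW):
    """Highest number of failed fetches per file inside any sliding window."""
    per_file = defaultdict(list)
    for ts, msg in events:
        m = CANT_DOWNLOAD.search(msg)
        if m:
            per_file[m.group("file")].append(ts)
    peaks = {}
    for name, stamps in per_file.items():
        stamps.sort()
        best = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[name] = best
    return peaks


def diagnose(text):
    """Summarise a log: CA-store errors, an active cool-down, per-file attempt peaks."""
    events = parse_log(text)
    ca_errors, cooldown_until = 0, None
    for _, msg in events:
        m = DOWNLOAD_FAILED.search(msg)
        if m and int(m.group("code")) == CURLE_SSL_CACERT:
            ca_errors += 1
        m = COOLDOWN.search(msg)
        if m:
            cooldown_until = datetime.strptime(m.group("until"), "%Y-%m-%d %H:%M:%S")
    peaks = peak_attempts(events)
    return {
        "ca_cert_errors": ca_errors,
        "cooldown_until": cooldown_until,
        "peak_attempts": peaks,
        "over_limit": sorted(f for f, n in peaks.items() if n >= ATTEMPT_LIMIT_PER_DAY),
    }


def audit_config(text):
    """Flag freshclam.conf settings that make premature aborts (and retries) likely."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    findings = []
    timeout = int(settings.get("ReceiveTimeout", 0))
    if 0 < timeout < 60:   # 0 disables the timeout; 30 s aborts slow .cvd transfers
        findings.append(f"ReceiveTimeout {timeout}: raise it so a full .cvd download completes")
    if int(settings.get("Checks", 12)) > 24:
        findings.append("Checks > 24: polling more than hourly gains nothing")
    return findings


# Constructed sample log, modelled on the messages quoted in the threads.
SAMPLE_LOG = """\
Mon Aug 16 13:26:24 2021 -> WARNING: Download failed (77) WARNING: Message: Problem with the SSL CA cert (path? access rights?)
Mon Aug 16 13:26:24 2021 -> WARNING: downloadPatch: Can't download daily-26232.cdiff from https://database.clamav.net/daily-26232.cdiff
Mon Aug 16 13:26:24 2021 -> WARNING: Download failed (77) WARNING: Message: Problem with the SSL CA cert (path? access rights?)
Mon Aug 16 13:26:24 2021 -> WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
Tue Aug 17 13:00:00 2021 -> WARNING: You are still on cool-down until after: 2021-08-18 03:42:35
"""
```

Run diagnose() over your own freshclam log: a non-zero ca_cert_errors count means the fix is the local CA bundle, while a file in over_limit explains a CDN cool-down before you retry.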


Re: [clamav-users] Cooldown much too long

2021-07-27 Thread Joel Esler (jesler) via clamav-users


> On Jul 26, 2021, at 6:02 PM, Markus Egg via clamav-users 
>  wrote:
> 
> I had that problem with "Incremental update failed, trying to download 
> main.cvd" also in
> version 0.103.2 of clamav on Ubuntu 18.04 .
> 
> So I waited and updated with the hope that 0.103.3 would solve it.
> But still that error is there.
> So I simply cleaned /var/lib/clamav (moved the content to another directory) 
> and now I get the message:
> 
> "This means that you have been rate limited by the CDN"
> 
> Why that?
> Simply because I tried to update several times previously and got no exact 
> information, why my update failed?
> 
> Tried after approx 5 min and got the message:
> "You are still on cool-down until after: 2021-07-27 03:42:35"
> which means more than 24hrs!!
> 
> Why didn't I get that error message about "This means that you have been rate 
> limited by the CDN"
> with version 0.103.2, and some information about how long this "cooldown" was 
> in the beginning?
> 
> This missing error message in 0.103.2 and 0.103.3 is surely a bug that causes 
> uninformed users to enlarge their "cooldown"
> phase without knowing it.

The cooldown is 24 hours from the last time you violated the rate limit.



Re: [clamav-users] can not download updates

2021-07-27 Thread Joel Esler (jesler) via clamav-users


> On Jul 27, 2021, at 10:34 AM, fxkl47BF via clamav-users 
>  wrote:
> 
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, July 27th, 2021 at 9:29 AM, Joel Esler (jesler) wrote:
> 
>>> On Jul 27, 2021, at 10:22 AM, fxkl47BF via clamav-users 
>>>  wrote:
>>> 
>>> On Tuesday, July 27th, 2021 at 8:56 AM, Matus UHLAR - fantomas 
>>>  wrote:
>>> 
>>>> On 27.07.21 12:47, fxkl47BF via clamav-users wrote:
>>>> 
>>>>> for a couple of weeks i've not been able to download updates. i get a
>>>>> message about on a cool down until a certain future date and time. when
>>>>> that date and time expires the next update get a message with a new future
>>>>> date and time. should i abandon all hope of getting updates?
>>>> 
>>>> it's described here:
>>>> https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html
>>>> do you have multiple devices behind one IP address?
>>>> Do any of those devices download clamav database differently than using
>>>> freshclam?
>>> 
>>> i have one device that uses freshclam once per hour
>>> i am using a vpn
>>> it looks like anyone that uses a vpn is probably screwed
>>> it was good while it lasted
>> 
>> What is your public IP?
> 
> 199.229.250.132

You’re rate limited because you have one machine behind that IP that has 
attempted to download the daily.cvd 50x in the last 24 hours, and the main.cvd 
another 50x. Let alone the latest cdiff that it’s attempted to download 80x.

It’s not more than one machine, it’s a single machine.

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net 



Re: [clamav-users] can not download updates

2021-07-27 Thread Joel Esler (jesler) via clamav-users


> On Jul 27, 2021, at 10:22 AM, fxkl47BF via clamav-users 
>  wrote:
> 
> On Tuesday, July 27th, 2021 at 8:56 AM, Matus UHLAR - fantomas 
>  wrote:
> 
>> On 27.07.21 12:47, fxkl47BF via clamav-users wrote:
>>> for a couple of weeks i've not been able to download updates. i get a
>>> message about on a cool down until a certain future date and time. when
>>> that date and time expires the next update get a message with a new future
>>> date and time. should i abandon all hope of getting updates?
>> 
>> it's described here:
>> https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html 
>> 
>> do you have multiple devices behind one IP address?
>> Do any of those devices download clamav database differently than using
>> freshclam?
> 
> i have one device that uses freshclam once per hour
> i am using a vpn
> it looks like anyone that uses a vpn is probably screwed
> it was good while it lasted

What is your public IP?

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net 



[clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-22 Thread Joel Esler (jesler) via clamav-users

> 
> https://blog.clamav.net/2021/07/clamav-01040-release-candidate-is-here.html 
> 
> 
> ClamAV 0.104.0 Release Candidate is here!
> 
> We are pleased to announce the ClamAV 0.104.0 release candidate.
> 
> Please help us validate this release. We need your feedback, so let us know 
> what you find and join us on the ClamAV mailing list, or on our Discord, 
> which is bridged with our IRC.
> 
> This release candidate phase is only expected to last about two to four weeks 
> before the 0.104.0 Stable version will be published. Take this opportunity to 
> verify that 0.104.0 can build and run in your environment. 
> 
> Please submit bug reports to the ClamAV project GitHub Issues.
> ClamAV 0.104.0 includes the following improvements and changes.
> 
>  
> 
> New Requirements
> 
> As of ClamAV 0.104, CMake is required to build ClamAV.
> 
> We have added comprehensive build instructions for using CMake to the new 
> INSTALL.md file. The online documentation will also be updated to include 
> CMake build instructions.
> The Autotools and the Visual Studio build systems have been removed.
>  
> Major changes
> 
> The built-in LLVM for the bytecode runtime has been removed.
> 
> The bytecode interpreter is the default runtime for bytecode signatures just 
> as it was in ClamAV 0.103.
> We wished to add support for newer versions of LLVM, but ran out of time. If 
> you're building ClamAV from source and you wish to use LLVM instead of the 
> bytecode interpreter, you will need to supply the development libraries for 
> LLVM version 3.6.2. See INSTALL.md to learn more.
> There are now official ClamAV images on Docker Hub.
> 
> Note: Until ClamAV 0.104.0 is released, these images are limited to 
> "unstable" versions, which are updated daily with the latest changes in the 
> default branch on GitHub.
> You can find the images on Docker Hub under clamav.
> 
> Docker Hub ClamAV tags:
> 
> clamav/clamav:<version>: A release preloaded with signature databases.
> 
> Using this container will save the ClamAV project some bandwidth. Use this if 
> you will keep the image around so that you don't download the entire database 
> set every time you start a new container. Updating with FreshClam from the 
> existing databases set does not use much data.
> 
> clamav/clamav:<version>_base: A release with no signature databases.
> 
> Use this container only if you mount a volume in your container under 
> /var/lib/clamav to persist your signature database databases. This method is 
> the best option because it will reduce data costs for ClamAV and for the 
> Docker registry, but it does require advanced familiarity with Linux and 
> Docker.
> 
> Caution: Using this image without mounting an existing database directory 
> will cause FreshClam to download the entire database set each time you start 
> a new container.
> 
> You can use the unstable version (i.e. clamav/clamav:unstable or 
> clamav/clamav:unstable_base) to try the latest from our development branch.
> 
> Please, be kind when using "free" bandwidth for the virus databases and 
> Docker registry. Try not to download the entire database set or the larger 
> ClamAV database images on a regular basis.
> 
> For more details, see the ClamAV Docker documentation.
> 
> Special thanks to Olliver Schinagl for his excellent work creating ClamAV's 
> new Docker files, image database deployment tooling, and user documentation.
> 
> clamd and freshclam are now available as Windows services. To install and run 
> them, use the --install-service option and net start [name] command.
> 
> Special thanks to Gianluigi Tiesi for his original work on this feature.
> 
>  
> 
> Notable changes
> 
> We added these features in 0.103.1 but wanted to re-post them here, as patch 
> versions do not generally introduce new options:
> 
> Added a new scan option to alert on broken media (graphics) file formats. 
> This feature mitigates the risk of malformed media files intended to exploit 
> vulnerabilities in other software. Currently, media validation exists for 
> JPEG, TIFF, PNG, and GIF files. To enable this feature, set AlertBrokenMedia 
> yes in clamd.conf, or use the --alert-broken-media option when using 
> clamscan. These options are disabled by default in this patch, but may be 
> enabled in a subsequent release. Application developers may enable this scan 
> option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the 

Re: [clamav-users] problems with freshclam: Incremental update failed

2021-07-15 Thread Joel Esler (jesler) via clamav-users
Christian,

The below is correct.  We published a new main.cvd and daily.cvd yesterday, and 
in order to make your FreshClam instance force download the new files, we have 
to publish a “blank” file, so that FreshClam sees it as an error, and then 
fails over to pick up the full file.  From that point on, it downloads the 
diffs again regularly.

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net 

> On Jul 15, 2021, at 10:28 AM, Christian  wrote:
> 
> Hi altogether,
> 
> I´m on Linux/Lubuntu 20.04.2 LTS (kernel 5.4.0-77-generic)
> 
> Clamav and clamav-freshclam are installed and everything was working 
> perfectly - until today.
> 
> All of a sudden a huge download began. It turned out freshclam was 
> downloading something.
> It almost seemed never-ending. I terminated the download process as a 
> UMTS-stick is my sole means of internet connection and I only have 5 GB per 
> 28 days available.
> 
> After "killall freshclam" I invoked "sudo freshclam" manually to see what was 
> going on:
> Here´s the output:
> 
> sudo freshclam
> WARNING: Ignoring deprecated option SafeBrowsing at 
> /etc/clamav/freshclam.conf:22
> Thu Jul 15 14:42:25 2021 -> ClamAV update process started at Thu Jul 15 
> 14:42:25 2021
> Thu Jul 15 14:42:25 2021 -> ^Your ClamAV installation is OUTDATED!
> Thu Jul 15 14:42:25 2021 -> ^Local version: 0.103.2 Recommended version: 
> 0.103.3
> Thu Jul 15 14:42:25 2021 -> DON'T PANIC! Read 
> https://www.clamav.net/documents/upgrading-clamav 
> 
> Thu Jul 15 14:42:25 2021 -> daily database available for update (local 
> version: 26231, remote version: 26233)
> Current database is 2 versions behind.
> Downloading database patch # 26232...
> Thu Jul 15 14:42:47 2021 -> !cdiff_apply: lseek(desc, -350, SEEK_END) failed
> Thu Jul 15 14:42:47 2021 -> !downloadPatch: Can't apply patch
> Thu Jul 15 14:42:47 2021 -> ^Incremental update failed, trying to download 
> daily.cvd
> Time:  3m 44s, ETA:0.0s [>]   54.73MiB/54.73MiB
> Thu Jul 15 14:46:33 2021 -> Testing database: 
> '/var/lib/clamav/tmp.1e4892cb22/clamav-a8cd157a79b0b4419069cca1a5279096.tmp-daily.cvd'
>  ...
> Thu Jul 15 14:46:40 2021 -> Database test passed.
> Thu Jul 15 14:46:40 2021 -> daily.cvd updated (version: 26233, sigs: 1961297, 
> f-level: 90, builder: raynman)
> Thu Jul 15 14:46:40 2021 -> main database available for update (local 
> version: 59, remote version: 61)
> Current database is 2 versions behind.
> Downloading database patch # 60...
> Thu Jul 15 14:46:50 2021 -> !cdiff_apply: lseek(desc, -350, SEEK_END) failed
> Thu Jul 15 14:46:50 2021 -> !downloadPatch: Can't apply patch
> Thu Jul 15 14:46:50 2021 -> ^Incremental update failed, trying to download 
> main.cvd
> Time: 11m 42s, ETA:0.0s [>]  160.41MiB/160.41MiB
> Thu Jul 15 14:58:36 2021 -> Testing database: 
> '/var/lib/clamav/tmp.1e4892cb22/clamav-6ec7f609a7ab14c45568796eeb326bda.tmp-main.cvd'
>  ...
> Thu Jul 15 14:58:45 2021 -> Database test passed.
> Thu Jul 15 14:58:45 2021 -> main.cvd updated (version: 61, sigs: 6607162, 
> f-level: 90, builder: sigmgr)
> Thu Jul 15 14:58:45 2021 -> bytecode.cld database is up-to-date (version: 
> 333, sigs: 92, f-level: 63, builder: awillia2)
> Thu Jul 15 14:58:45 2021 -> !NotifyClamd: Can't find or parse configuration 
> file /etc/clamav/clamd.conf
> 
> So basically I received new files: "daily.cvd" and "main.cvd",  which cost me 
> around 55 MB and 160 MB respectively.
> 
> But what I don´t understand is why I get the messages
> 
>  "!cdiff_apply: lseek(desc, -350, SEEK_END) failed" 
>  
> and the resulting
> 
> "!downloadPatch: Can't apply patch"
> 
> in the first place.
> 
> I never had difficulties with freshclam in the past.
> I surely cannot afford to have the whole of "daily.cvd" and "main.cvd" 
> downloaded every time.
> 
> Can anybody tell me why all that is and what can be done about it?
> 
> Many thanks in advance.
> 
> Greetings from Rosika
> 
> 


Re: [clamav-users] New Main & Daily CVD's are incoming

2021-07-13 Thread Joel Esler (jesler) via clamav-users
Technically what we do is publish a zero byte cdiff.  This makes freshclam 
force update and grab the whole cvd.  Then, from that point on, the new daily 
cvd will be much smaller, and updates should apply faster. Ultimately saving on 
bandwidth as the daily.cvd will be much smaller.  Again, like I just said in my 
other email, if you’re not using 0.103.3, you should start that upgrade engine.

— 
Sent from my  iPad

> On Jul 13, 2021, at 19:27, Mark Allan  wrote:
> 
>  According to the man page (and freshclam.conf) "ScriptedUpdates" is what 
> ClamAV calls the mechanism for performing daily incremental updates via cdiff 
> files rather than downloading the whole cvd.
> 
> Are you providing cdiff files for both main.cvd and daily.cvd or just the cvd 
> files?
> 
> Regards
> Mark
> 
>> On 13 Jul 2021, at 3:55 pm, Joel Esler (jesler)  wrote:
>> 
>> I am not sure what you mean by “scripted updates”?  If you are using 
>> FreshClam or cvdupdate, your downloads should happen fine.
>> 
>>>> On Jul 13, 2021, at 10:29 AM, Mark Allan via clamav-users 
>>>>  wrote:
>>>> 
>>>> Hi Joel,
>>>> 
>>>> Will you be posting scripted updates for main.cvd and daily.cvd or just 
>>>> the new cvd files in their entirety? I seem to remember processing the 
>>>> cdiff files caused a lot of problems for people the last time main.cvd was 
>>>> updated.
>>>> 
>>>> Mark
>>>> 
>>>> On 13 Jul 2021, at 3:05 pm, Joel Esler (jesler) via clamav-users 
>>>>  wrote:
>>>> 
>>>> Tomorrow, Wednesday July 14th, we are planning on publishing a brand new 
>>>> main.cvd and daily.cvd, as we do periodically to move more of the long 
>>>> term signatures into the main.cvd and make the daily.cvd smaller again.  
>>>> 
>>>> This will have an impact on your downloads of these files (as every ClamAV 
>>>> instance will have to re-download both files), so you may see a spike in 
>>>> your bandwidth usage.
>>>> 
>>>> We will monitor the situation on the mirror side and make any adjustments 
>>>> necessary, but we anticipate no issues.
>>>> 
>>>> https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html
>>>> 
> 
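Joel's explanation above (a zero-byte cdiff makes freshclam give up on the patch and fetch the whole .cvd) and the rate-limit replies earlier in this archive (the CDN cool-down runs 24 hours from the last violation, and a single host that pulls daily.cvd 50 times a day gets limited) come down to the same client-side logic. The following is an added example, not code from the ClamAV project or from anyone in the thread: a Python model of an updater that decides what to fetch before any HTTP request is made. It reads the database versions from the current.cvd.clamav.net DNS TXT record and from the local .cvd/.cld header, plans the cdiff sequence or a full download, falls back to the full file when a cdiff is empty or fails to apply, and refuses to retry while a cool-down is active. The TXT positions for main (1), daily (2) and bytecode (7) are, to my knowledge, the ones freshclam reads; the sample record, header bytes, clock and file names used in the demo are constructed.

```python
"""
Added example (not ClamAV project code): a freshclam-style update planner
that decides what to fetch *before* any HTTP request is made, so an
up-to-date host never touches the CDN and a rate-limited one stops retrying.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLDOWN = timedelta(hours=24)   # measured from the last violation, per the thread

# Positions in the colon-separated current.cvd.clamav.net TXT record.
# main=1, daily=2 and bytecode=7 are the fields freshclam reads; the other
# fields (recommended engine version, publish time, ...) are not needed here.
TXT_FIELDS = {"main": 1, "daily": 2, "bytecode": 7}


def parse_txt_record(txt: str) -> dict[str, int]:
    """'0.103.3:61:26233:...:333' -> {'main': 61, 'daily': 26233, 'bytecode': 333}."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) < 8:
        raise ValueError("malformed TXT record")
    return {name: int(parts[i]) for name, i in TXT_FIELDS.items()}


def parse_cvd_version(header: bytes) -> int:
    """Version from the 512-byte ASCII header that opens every .cvd/.cld:
    ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
    """
    fields = header[:512].split(b":")
    if fields[0] != b"ClamAV-VDB" or len(fields) < 3:
        raise ValueError("not a ClamAV database header")
    return int(fields[2])


@dataclass(frozen=True)
class Plan:
    action: str             # "wait", "up-to-date", "cdiff" or "full"
    files: tuple[str, ...]  # what to download, in order


def plan_update(db: str, local_version: Optional[int], remote_version: int,
                now: datetime, cooldown_until: Optional[datetime] = None) -> Plan:
    """Decide what to fetch for one database using only the TXT record and the local header."""
    if cooldown_until is not None and now < cooldown_until:
        return Plan("wait", ())           # retrying now only pushes the cool-down out
    if local_version is None:
        return Plan("full", (f"{db}.cvd",))
    if local_version >= remote_version:
        return Plan("up-to-date", ())     # no request at all: this is what keeps you under the limit
    # One <db>-<N>.cdiff per missing version, applied in sequence.
    patches = tuple(f"{db}-{v}.cdiff" for v in range(local_version + 1, remote_version + 1))
    return Plan("cdiff", patches)


def after_patch_attempt(db: str, patch: bytes, applied_ok: bool) -> Plan:
    """Fallback rule: a zero-byte cdiff, or one that fails to apply, means fetch the whole .cvd."""
    if len(patch) == 0 or not applied_ok:
        return Plan("full", (f"{db}.cvd",))
    return Plan("up-to-date", ())


def cooldown_after_violation(violation_time: datetime) -> datetime:
    """The cool-down clock restarts at every violation, so its end moves with each retry."""
    return violation_time + COOLDOWN


def example_now() -> datetime:
    """Fixed clock for the constructed scenario: the day after the new main/daily went out."""
    return datetime(2021, 7, 15, 14, 42, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Constructed inputs mimicking the values seen in the thread.
    remote = parse_txt_record('"0.103.3:61:26233:1626297660:1:90:49191:333"')
    local_daily = parse_cvd_version(
        b"ClamAV-VDB:14 Jul 2021 10-42 -0400:26231:1961000:90:x:y:raynman:1626273720".ljust(512, b" "))
    print(plan_update("daily", local_daily, remote["daily"], example_now()))
    print(after_patch_attempt("daily", b"", applied_ok=False))   # the zero-byte cdiff case
    limited = cooldown_after_violation(example_now())
    print(plan_update("main", 59, remote["main"], example_now(), cooldown_until=limited))
```

Run with the TXT record from `dig +short TXT current.cvd.clamav.net` and the first 512 bytes of your local daily.cld or daily.cvd, and the planner tells you whether a request is needed at all. The point of the "wait" branch is the one Joel makes: while limited, every retry is another violation and the 24 hours start over.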




Re: [clamav-users] New Main & Daily CVD's are incoming

2021-07-13 Thread Joel Esler (jesler) via clamav-users

> On Jul 13, 2021, at 18:08, Paul Kosinski via clamav-users 
>  wrote:
> 
> On Tue, 13 Jul 2021 14:05:53 +0000
> "Joel Esler \(jesler\) via clamav-users"  
> wrote:
> 
>> Tomorrow, Wednesday July 14th, we are planning on publishing a brand new 
>> main.cvd and daily.cvd, as we do periodically to move more of the long term 
>> signatures into the main.cvd and make the daily.cvd smaller again.  
>> 
>> This will have an impact on your downloads of these files (as every ClamAV 
>> instance will have to re-download both files), so you may see a spike in 
>> your bandwidth usage.
>> 
>> We will monitor the situation on the mirror side and make any adjustments 
>> necessary, but we anticipate no issues.
>> 
>> https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html 
>> <https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html>
> 
> I wondered when (and if) you would be able to distribute a new main.cvd, 
> given your concerns about Cloudflare bandwidth usage. I assume this means 
> that there is (almost) no one still downloading ClamAV updates every second 
> or so.

Oh there are, but at this point most of them have been blocked outright, and 
then they file a ticket and apologize for doing it, or they are rate limited. 

We are also working with Cloudflare to enact some more specific rate limits 
(we’ve been working with them on the development of the feature) that will 
alleviate a lot of the problems we are having with any newer versions, and then 
slowly we are EOL’ing older versions of ClamAV.  The more people upgrade to 
103.2 or 103.3 (newest) the better the ecosystem will be.  Slowly over the next 
year or so, the ecosystem will normalize and our bandwidth usage will be 
extremely efficient.  

> I also presume that my IP address won't set off any alarms tomorrow by 
> downloading 3 complete copies of main.cvd and daily.cvd (since I gave up 
> trying to run my own mirror many months ago).
> 
I will have to make the rate limits bigger tomorrow for the main and daily.






Re: [clamav-users] New Main & Daily CVD's are incoming

2021-07-13 Thread Joel Esler (jesler) via clamav-users
I am not sure what you mean by “scripted updates”?  If you are using FreshClam 
or cvdupdate, your downloads should happen fine.

> On Jul 13, 2021, at 10:29 AM, Mark Allan via clamav-users 
>  wrote:
> 
> Hi Joel,
> 
> Will you be posting scripted updates for main.cvd and daily.cvd or just the 
> new cvd files in their entirety? I seem to remember processing the cdiff 
> files caused a lot of problems for people the last time main.cvd was updated.
> 
> Mark
> 
>> On 13 Jul 2021, at 3:05 pm, Joel Esler (jesler) via clamav-users 
>>  wrote:
>> 
>> Tomorrow, Wednesday July 14th, we are planning on publishing a brand new 
>> main.cvd and daily.cvd, as we do periodically to move more of the long term 
>> signatures into the main.cvd and make the daily.cvd smaller again.  
>> 
>> This will have an impact on your downloads of these files (as every ClamAV 
>> instance will have to re-download both files), so you may see a spike in 
>> your bandwidth usage.
>> 
>> We will monitor the situation on the mirror side and make any adjustments 
>> necessary, but we anticipate no issues.
>> 
>> https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html 
>> <https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html>
>> 
>> -- 
>> Joel Esler
>> Manager, Communities Division
>> Cisco Talos Intelligence Group
>> https://www.talosintelligence.com <https://www.talosintelligence.com/> | 
>> https://www.snort.org <https://www.snort.org/> | https://www.clamav.net 
>> <https://www.clamav.net/> 
>> 


[clamav-users] New Main & Daily CVD's are incoming

2021-07-13 Thread Joel Esler (jesler) via clamav-users
Tomorrow, Wednesday July 14th, we are planning on publishing a brand new 
main.cvd and daily.cvd, as we do periodically to move more of the long term 
signatures into the main.cvd and make the daily.cvd smaller again.  

This will have an impact on your downloads of these files (as every ClamAV 
instance will have to re-download both files), so you may see a spike in your 
bandwidth usage.

We will monitor the situation on the mirror side and make any adjustments 
necessary, but we anticipate no issues.

https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html 


-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net 



Re: [clamav-users] How do I get the last update to 103-3 installed on stretch?

2021-07-07 Thread Joel Esler (jesler) via clamav-users
Freshclam keeps your definitions up to date; the engine is very much dependent 
on the OS.

> On Jul 6, 2021, at 6:18 AM, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Tue, 6 Jul 2021, Gene Heskett via clamav-users wrote:
> 
>> How do I get the last update to 103-3 installed on stretch?
> 
> If you mean how do you update from the version of ClamAV supplied by
> the Debian packages for Debian 'Stretch', then either you build from
> source, or you wait for Debian's package maintainers to do things.
> 
>> I would think that by now, freshclam could see to this itself.
> 
> No, that's not feasible.  It would mean that freshclam might need to
> update other parts of your operating system - libraries and such - and
> that would very likely break things.
> 
> -- 
> 
> 73,
> Ged.
> 


Re: [clamav-users] Not able to communicate on port 443(https) when running freshclam

2021-07-06 Thread Joel Esler (jesler) via clamav-users
That appears to be a private mirror.  You should check with the administrator 
of your private mirror.

—
Sent from my  iPhone

On Jul 6, 2021, at 18:31, Lopez, Carmelo via clamav-users 
 wrote:


I am trying to communicate over port 443 to download freshclam database from 
the clamav mirror server to the clients, but its failing. See error message 
below:


[root@ip-10-64-205-111 bin]# freshclam
ClamAV update process started at Tue Jul  6 20:16:33 2021
WARNING: DNS Update Info disabled. Falling back to HTTP mode.
Trying to retrieve CVD header from http://clamav-mirror.sec.cnqr.tech/daily.cld
WARNING: remote_cvdhead: Download failed (7) WARNING:  Message: Couldn't 
connect to server
Trying to retrieve CVD header from http://clamav-mirror.sec.cnqr.tech/daily.cvd
WARNING: remote_cvdhead: Download failed (7) WARNING:  Message: Couldn't 
connect to server
WARNING: Failed to get daily database version information from server: 
http://clamav-mirror.sec.cnqr.tech
ERROR: check_for_new_database_version: Failed to find daily database using 
server http://clamav-mirror.sec.cnqr.tech.
Trying again in 5 secs...
Trying to retrieve CVD header from http://clamav-mirror.sec.cnqr.tech/daily.cld
WARNING: remote_cvdhead: Download failed (7) WARNING:  Message: Couldn't 
connect to server
Trying to retrieve CVD header from http://clamav-mirror.sec.cnqr.tech/daily.cvd
WARNING: remote_cvdhead: Download failed (7) WARNING:  Message: Couldn't 
connect to server
WARNING: Failed to get daily database version information from server: 
http://clamav-mirror.sec.cnqr.tech
ERROR: check_for_new_database_version: Failed to find daily database using 
server http://clamav-mirror.sec.cnqr.tech.
Trying again in 5 secs...
Trying to retrieve CVD header from http://clamav-mirror.sec.cnqr.tech/daily.cld
ERROR: remote_cvdhead: Download failed (7) ERROR:  Message: Couldn't connect to 
server
Trying to retrieve CVD header from http://clamav-mirror.sec.cnqr.tech/daily.cvd
ERROR: remote_cvdhead: Download failed (7) ERROR:  Message: Couldn't connect to 
server
WARNING: Failed to get daily database version information from server: 
http://clamav-mirror.sec.cnqr.tech
ERROR: check_for_new_database_version: Failed to find daily database using 
server http://clamav-mirror.sec.cnqr.tech.
Giving up on http://clamav-mirror.sec.cnqr.tech...
ERROR: Update failed for database: daily
ERROR: Database update process failed: HTTP GET failed
ERROR: Update failed.

Carmelo Lopez
Access-CL-Concur US
Concur St. Louis Park (MN), 1550 Utica Avenue South, St. Louis Park 55416-5312, 
United States

T   +19529471714, M   +16512602626, 
carmelo.lope...@sap.com

Please consider the impact on the environment before printing this email.
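The log above shows freshclam addressing the private mirror with http:// URLs, which means TCP port 80 unless the URL carries an explicit port, and failing at the very first step, the CVD header fetch, with libcurl error 7 (CURLE_COULDNT_CONNECT, "Couldn't connect to server"). As an added example, not code from ClamAV or from the poster, the Python check below reads the DatabaseMirror/PrivateMirror entries from a freshclam.conf, reports the scheme, host and port each one actually implies, and probes a mirror by fetching only the first 512 bytes of daily.cvd (the ClamAV-VDB header) with an HTTP Range request, so the probe costs a few hundred bytes rather than a database download. The config fragment is constructed; the rule that a bare hostname is used as http://host is an assumption about freshclam and is marked as such in the code.

```python
"""
Added example (not ClamAV project code): list the mirrors a freshclam.conf
will try, show the scheme/host/port each one implies, and probe one by
fetching only the 512-byte database header. Lets you tell "wrong port"
from "wrong path" from "rate limited" before asking the mirror admin.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# freshclam.conf directives that name a download source.
MIRROR_DIRECTIVES = ("DatabaseMirror", "PrivateMirror")

# Constructed config fragment (not the poster's real file). The first entry
# has the shape seen in the log: no scheme, hence no TLS and port 80.
SAMPLE_CONF = """
# comment and blank lines are ignored
DatabaseMirror clamav-mirror.sec.cnqr.tech
DatabaseMirror https://clamav-mirror.sec.cnqr.tech:8443/clamav
PrivateMirror https://mirror.internal.example
"""


@dataclass(frozen=True)
class Mirror:
    directive: str
    scheme: str
    host: str
    port: int
    url: str  # where <db>.cvd is expected on this mirror


def parse_mirrors(conf_text: str, db: str = "daily") -> list[Mirror]:
    """Return the mirrors in file order with the TCP port each one implies."""
    mirrors: list[Mirror] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in MIRROR_DIRECTIVES:
            continue
        target = parts[1].strip()
        # Assumption: a bare hostname is used as http://<host>, which is what
        # freshclam does when the directive carries no scheme.
        url = target if "://" in target else f"http://{target}"
        u = urlsplit(url)
        scheme = u.scheme.lower()
        if scheme not in DEFAULT_PORTS or not u.hostname:
            raise ValueError(f"unsupported mirror URL: {target}")
        port = u.port or DEFAULT_PORTS[scheme]
        mirrors.append(Mirror(parts[0], scheme, u.hostname, port,
                              f"{url.rstrip('/')}/{db}.cvd"))
    return mirrors


def probe_cvd_header(url: str, timeout: float = 10.0) -> bytes:
    """Fetch the first 512 bytes of a database file and verify the ClamAV-VDB magic."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-511",
                                               "User-Agent": "cvd-probe"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        head = resp.read(512)
    if not head.startswith(b"ClamAV-VDB"):
        raise ValueError(f"{url}: not a ClamAV database (starts with {head[:16]!r})")
    return head


def diagnose(exc: BaseException) -> str:
    """Turn the usual failures into the next thing to check."""
    if isinstance(exc, urllib.error.HTTPError):      # subclass of URLError: test it first
        if exc.code == 429:
            return "rate limited by the mirror: stop retrying and wait out the cool-down"
        return f"mirror answered HTTP {exc.code}: check the path and database name on the mirror"
    if isinstance(exc, urllib.error.URLError):
        return (f"could not connect ({exc.reason}): check DNS, the port the scheme implies, "
                "and any firewall or proxy in between")
    if isinstance(exc, ValueError):
        return f"{exc}: the URL points at something other than a .cvd/.cld"
    return f"unexpected: {exc!r}"


def main() -> None:
    for m in parse_mirrors(SAMPLE_CONF):
        print(f"{m.directive:<15} {m.scheme}://{m.host}:{m.port}  -> {m.url}")
        try:
            head = probe_cvd_header(m.url)
            print("   header fields:", head.split(b":")[:3])
        except Exception as exc:   # connection errors are expected when run offline
            print("  ", diagnose(exc))


if __name__ == "__main__":
    main()
```

Point `parse_mirrors` at the real `/etc/clamav/freshclam.conf` (or wherever the package keeps it) and compare the printed port with what the mirror actually listens on and what the firewall allows; if the config says http:// but the mirror only serves 443, that mismatch is the first thing to raise with the mirror administrator.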







Re: [clamav-users] Scanning PDF for phishing links

2021-07-01 Thread Joel Esler (jesler) via clamav-users


> On Jul 1, 2021, at 8:25 AM, Matus UHLAR - fantomas  wrote:
> 
> On 30.06.21 20:41, Joel Esler (jesler) via clamav-users wrote:
>> Yes. I was just addressing everyone
> 
> I have used to forward spam to spamcop, maybe I should start again?
> 
> I'm thinking about phishtank (well, they refuse my seamonkey so...)
> 
> Are you just curious or is there something behind your questions?

Curious, as I said, ClamAV, SpamCop, and Phishtank are all run by us.  They 
feed the same ecosystem.  Leveraging one to power the other is important.



Re: [clamav-users] Scanning PDF for phishing links

2021-06-30 Thread Joel Esler (jesler) via clamav-users
Yes. I was just addressing everyone

— 
Sent from my  iPad

> On Jun 30, 2021, at 00:35, Al Varnell via clamav-users 
>  wrote:
> 
> Joel,
> 
> If that question was addressed to all on this list, then yes, I forward all 
> spam to SpamCop and everything suspected as a phish to phishtank (among 
> others). But it's low volume, just from my wife's and my accounts.
> 
> Sent from my iPad
> 
> -Al-
> 
>> On Jun 29, 2021, at 12:48, Joel Esler (jesler) via clamav-users 
>>  wrote:
>> 
>> How many of you are present members of either phishtank.com or spamcop.net?  
>> Both of which are run by Talos, and both of which feed the same intel system 
>> that ClamAV can read from?
>> 
>> -- 
>> Joel Esler
> 


Re: [clamav-users] Scanning PDF for phishing links

2021-06-29 Thread Joel Esler (jesler) via clamav-users
Awesome

— 
Sent from my  iPad

> On Jun 29, 2021, at 18:04, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Tue, 29 Jun 2021, Joel Esler (jesler) via clamav-users wrote:
> 
>> How many of you are present members of either phishtank.com or
>> spamcop.net?  Both of which are run by Talos, and both of which feed
>> the same intel system that ClamAV can read from?
> 
> We send reports to both (and a few others).
> 
> -- 
> 
> 73,
> Ged.
> 


[clamav-users] ClamAV® blog: ClamAV EOL of 0.100.x versions

2021-06-29 Thread Joel Esler (jesler) via clamav-users

https://blog.clamav.net/2021/06/clamav-eol-of-0100x-versions.html


Effective Oct. 29, 2021, ClamAV 0.100.0 (and all patch versions) will no longer 
be supported in accordance with ClamAV's EOL 
policy.

End of life (EOL) for ClamAV means:

  *   We will no longer be testing against that version when we write 
signatures.
  *   We may break that version with something with a future release.
  *   Signature updates for that version will be blocked when attempting to 
download from the mirror update system.

Please upgrade to the newest version of ClamAV, currently at 0.103.3, available 
for download now!

As always, thank you for using ClamAV.


-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net



Re: [clamav-users] Scanning PDF for phishing links

2021-06-29 Thread Joel Esler (jesler) via clamav-users
How many of you are present members of either phishtank.com or spamcop.net?  
Both of which are run by Talos, and both of which feed the same intel system 
that ClamAV can read from?

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net 

> On Jun 29, 2021, at 3:21 PM, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Tue, 29 Jun 2021, Scott Q. via clamav-users wrote:
> 
>> Lately I am receiving a lot of Spams originating within MS networks
> 
> I feel your pain.  At present I'm seeing 40,000 to 50,000 attempts per
> month by Microsoft servers to send us spam.  It's gone from really bad
> to almost unbelievable in the space of just a few weeks.  When it was
> only a thousand or so I decided we'd live with it, but now the only
> answer has been to blacklist AS8075 entirely and forward it all to the
> spam reporting services.  I'm starting to see some results from that.
> Having said that I'm not seeing the same sorts of thing that you are,
> if you'd like to send me a sample privately I'll happily look at it.
> 
>> with attached PDF's that basically contain an image with a link.
>> 
>> The body of the message is 7-8 random words such as: moka bu fyno da
>> zosi ku xiqy zy
>> These prove particularly difficult to filter and I'm thinking maybe
>> running the PDF's links through the phishing checks might help.
>> 
>> 
>> Is that possible or does anyone have other solutions for these
>> messages ?
> 
> Steve at Sansecurity might be able to come up with something if you
> submit a few samples to him.
> 
> For things like this I don't rely entirely on ClamAV and signatures,
> but on a milter which dismantles the MIME parts and passes them to
> clamd separately with a bit of extra logic.  Without something like
> that you'll probably need to do a bit more work on the matching, as
> you'll have to work with the whole message body and it might be big.
> 
> It should be possible to match the body with Yara rules, you might get
> somewhere with a fairly simple regex along the lines of matching the
> header parts enclosing the short text with one expression and the text
> itself with another expression.  This is just a guess at the sort of
> thing which might work, adjust the character ranges to suit the spam.
> Just put this in a file called something.yar in the ClamAV database
> directory and restart clamd (I'm assuming you're using clamav-milter
> and clamd).
> 
> rule Microsoft_spam
> {
>     strings:
>         // header of the first (text) part, its body, and the second part's header up to the PDF type
>         $body_1 = /content-type.{10,500}content-type.{10,100}application\/pdf/ nocase ascii
>         // the text part's header followed by 6-8 short space-separated "words"
>         $body_2 = /content-type: text\/plain.{20,70}(([a-z]{1,6})\s){6,8}/ nocase ascii
>     condition:
>         all of them
> }
> 
> The first regex matches the bit of the MIME-formatted message which
> contains header of the first part, the first body part, and just the
> header of the second part.  I've assumed that the text precedes the
> PDF part, it's usually that way but you'd have to tweak it if that's
> not the case.  The second regex matches the first header (again) and
> something resembling 6 to 8 space-separated words of 1-6 alphabetic
> characters.  There are 20-70 characters of wiggle-room between the
> content-type field and this group of words to allow for the rest of
> the first header after the content-type field.  Again it might be
> necessary to adjust that, but you'll probably find that the messages
> aren't very creative and once it's set up it will match all of the
> little blighters.
> 
> You could do much the same sort of thing with ClamAV signatures but
> for this kind of thing Yara rules are a lot more readable and much
> easier to tweak when you're experimenting.  The one drawback at the
> moment is that it's fairly easy to crash clamd with bad Yara rules.
> On the bright side it seems OK with complex regexes and it's unlikely
> that a crash would be exploitable, as it seems to crash as soon as it
> tries to parse the bad rules rather than waiting until it comes across
> a malicious bit of data.
> 
> It's important to avoid running into efficiency issues by having the
> regexes attempt (and eventually fail) to match large chunks of what is
> potentially a very large document many times over.  I don't know how
> well the untested attempts above will achieve that.
> 
> HTH
> 
> 
> -- 
> 
> 73,
> Ged.
> 
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml



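Added check, not part of Ged's post or of ClamAV: the script below rebuilds the two YARA strings as Python regexes and runs them over a constructed multipart message shaped like the spam described (a text/plain part of short nonsense words followed by an application/pdf part) and over a benign message, with Python's re standing in for YARA. re.DOTALL is set so that `.` can cross the line breaks between MIME headers, and the posted `{10,100}` gap before `application\/pdf` is tried alongside a `{0,100}` variant (my adjustment, not Ged's), because a `Content-Type: application/pdf` header leaves only `: ` between the field name and the type.

```python
import re
from email.message import EmailMessage

# Strings from the posted rule, as Python regexes.  YARA 'nocase' becomes
# re.IGNORECASE.  re.DOTALL is added so '.' can cross the line breaks that
# separate MIME headers; without it neither pattern can span a header block.
AS_POSTED = {
    "body_1": rb"content-type.{10,500}content-type.{10,100}application/pdf",
    "body_2": rb"content-type: text/plain.{20,70}(([a-z]{1,6})\s){6,8}",
}
# Variant tried here (not from the post): a 'Content-Type: application/pdf'
# header leaves only ': ' between the field name and the type, so the lower
# bound of the second gap is dropped to 0.
ADJUSTED = dict(AS_POSTED,
                body_1=rb"content-type.{10,500}content-type.{0,100}application/pdf")


def check_rule(raw: bytes, strings: dict) -> dict:
    """Run every string over the raw message and apply 'all of them'."""
    hits = {name: re.search(pat, raw, re.IGNORECASE | re.DOTALL) is not None
            for name, pat in strings.items()}
    hits["alert"] = all(hits.values())
    return hits


def build_message(body_text: str, attach_pdf: bool) -> bytes:
    """Constructed sample message; the 'PDF' is a placeholder byte string,
    just enough for the application/pdf header to appear in the message."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content(body_text)
    if attach_pdf:
        msg.add_attachment(b"%PDF-1.4\n% placeholder, not a real PDF\n",
                           maintype="application", subtype="pdf",
                           filename="invoice.pdf")
    return msg.as_bytes()


# Spam-shaped sample modelled on the thread: 8 short nonsense words + PDF part.
SPAM = build_message("moka bu fyno da zosi ku xiqy zy", attach_pdf=True)
# Benign sample: ordinary prose, no PDF part.
HAM = build_message("Hi Bob, please find the agenda for Thursday's meeting "
                    "below.\nRegards, Alice", attach_pdf=False)

if __name__ == "__main__":
    for label, strings in (("as posted", AS_POSTED), ("adjusted", ADJUSTED)):
        for name, raw in (("spam-shaped", SPAM), ("benign", HAM)):
            print(f"{label:9} {name:11} {check_rule(raw, strings)}")
```

Against this layout the posted $body_1 never fires, because `{10,100}` cannot match the two characters that sit between `Content-Type` and `application/pdf`; the adjusted variant alerts on the spam-shaped sample and stays quiet on the benign one.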

Re: [clamav-users] question about a malware submission

2021-06-23 Thread Joel Esler (jesler) via clamav-users

You should submit the suspected malware here:

https://www.clamav.net/reports/malware

—
Sent from my iPhone

On Jun 22, 2021, at 22:01, vze1amckv--- via clamav-users 
 wrote:

Hello,

I recently submitted a suspicious file via the ClamAV website submission form, 
and got a response back saying that "Our initial assessment has verified the 
sample as a threat & we will be publishing signatures for ClamAV."  But when I 
re-submit the file to virusscan.jotti.org or VirusTotal it still does not show 
that ClamAV detects the file.

Is there a way to check the status of a particular submission? (I can e-mail 
the hash privately.)  Or, how long is the usual turnaround time between when a 
submission is accepted and when a signature is made for it?

Thank you.



[clamav-users] ClamAV® blog: ClamAV 0.103.3 patch release

2021-06-21 Thread Joel Esler (jesler) via clamav-users

> 
> https://blog.clamav.net/2021/06/clamav-01033-patch-release.html 
> 
> 
> ClamAV 0.103.3 patch release
> 
> ClamAV 0.103.3 is out now. Users can head over to clamav.net/downloads 
>  to download the release materials.
> 
>  
> 0.103.3 includes the following fixes:
> 
> Fixed a scan performance issue when ENGINE_OPTIONS_FORCE_TO_DISK is enabled. 
> This issue did not impact most users, but for those affected it caused every 
> scanned file to be copied to the temp directory before the scan.
> 
> Fix ClamDScan crashes when using the --fdpass --multiscan command-line 
> options in combination with the ClamD ExcludePath config file options.
> 
> Fixed an issue where the mirrors.dat file is owned by root when starting as 
> root (or with sudo) and using daemon-mode. File ownership will be set to the 
> DatabaseOwner just before FreshClam switches to run as that user.
> 
> Renamed the mirrors.dat file to freshclam.dat.
> 
> We used to recommend deleting mirrors.dat if FreshClam failed to update. This 
> is because mirrors.dat used to keep track of offline mirrors and network 
> interruptions were known to cause FreshClam to think that all mirrors were 
> offline. ClamAV now uses a paid CDN instead of a mirror network, and the new 
> FreshClam DAT file no longer stores that kind of information. The UUID used 
> in ClamAV's HTTP User-Agent is stored in the FreshClam DAT file and we want 
> the UUID to persist between runs, even if there was a failure.
> 
> Unfortunately, some users have FreshClam configured to automatically delete 
> mirrors.dat if FreshClam failed. Renaming mirrors.dat to freshclam.dat should 
> make it so those scripts don't delete important FreshClam data.
> 
> Disabled the HTTPUserAgent config option if the DatabaseMirror uses 
> clamav.net. This will prevent users from being inadvertently blocked and will 
> ensure that we can keep better metrics on which ClamAV versions are being 
> used.
> 
> This change effectively deprecates the HTTPUserAgent option for most users.
> 
> Moved the detection for Heuristics.PNG.CVE-2010-1205 behind the ClamScan 
> --alert-broken-media option (ClamD AlertBrokenMedia yes). This type of 
> PNG issue appears to be common enough to be an annoyance, and the CVE is old 
> enough that no one should be vulnerable at this point.
> 
> Fix ClamSubmit failures after changes to Cloudflare "__cfduid" cookies. See: 
> https://blog.cloudflare.com/deprecating-cfduid-cookie/ 
> 
> Special thanks to the following for code contributions and bug reports:
> 
> Stephen Agate
> Tom Briden




[clamav-users] ClamAV moves to Discord!

2021-06-15 Thread Joel Esler (jesler) via clamav-users
ClamAV (@clamav)

6/15/21, 14:23

Since Freenode has decidedly driven off the proverbial cliff, we’ve moved to 
Discord for our chats: discord.gg/DAW9qWqFzt 
Join us!

We realize that there may be many that won’t join Discord, and that’s 
unfortunate, but our IRC channel that was sustained on Freenode for close to 20 
years, with the collapse of the network, has come to an end.  We’ve chosen to 
move it to Discord. Please come join us!
—
Sent from my iPhone



Re: [clamav-users] KACE false positive

2021-06-11 Thread Joel Esler (jesler) via clamav-users
Douglas,

Thank you for your email. Here is a good place to file false positives: 
https://www.clamav.net/reports/fp for future reference.

-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net 

> On Jun 11, 2021, at 10:42 AM, Douglas Stinnette  wrote:
> 
> 
> It has been over a year since there was a wide false positive across ClamAV.
> "/Library/Application Support/Quest/KACE/bin/klog" 
> "Unix.Malware.Macos-9867919-0 FOUND"
> 
> I do not recall how to address this. Any suggestions would be great.
> Thanks,
> Doug
> -- 
> 
> Douglas Stinnette
> VCU Technology Services
> Endpoint Security Specialist
> Virginia Commonwealth University
> 827-0933
>  
> Don't be a phishing victim - VCU and other reputable organizations will never 
> use email to request that you reply with your password, Social Security 
> number or confidential personal information. For more details visit 
> http://go.vcu.edu/phishing  or 
> http://phishing.vcu.edu .
> 


Re: [clamav-users] Running ClamAV for production workloads

2021-06-08 Thread Joel Esler (jesler) via clamav-users
If you are setting up lots of machines, make sure you set up a private mirror 
using cvdupdate first for all of your machines to pull updates from. 
Have a script/plan for upgrading ClamAV. Super important to keep the engine up 
to date. 
Have a plan for what you are going to do when it detects something.  

Sent from my iPhone

> On Jun 8, 2021, at 22:40, Karthik Iyer via clamav-users 
>  wrote:
> 
> Hi,
> 
> We are close to choosing ClamAV to run our production workloads and I would 
> like to know what are some things to consider while setting up and using 
> ClamAV for production workloads ?
> 
> We are looking to scan millions of files in parallel and globally too.
> 
> Has anyone had the usecase and experience doing it .
> 
> I would like to know the performance of running scans on upto 2gb files .
> 
> Could you pls advise on the same.
> 
> Karthik 
> 
> 


Re: [clamav-users] since nearly a week unable to update signatures using freshclam ...

2021-06-08 Thread Joel Esler (jesler) via clamav-users
The problem is your installation is not identifying itself with the server and 
is blocked.  Please see my previous email.

> On Jun 8, 2021, at 12:48 PM, Walter H. via clamav-users 
>  wrote:
> 
> On 08.06.2021 14:57, Richard via clamav-users wrote:
>> 
>>> Date: Tuesday, June 08, 2021 08:00:16 +0200
>>> From: "Walter H.
>>> 
>>> I'm using an old CentOS 6, not migrated to something newer
>>> 
>>> On 06.06.2021 20:04, Walter H. via clamav-users wrote:
>>>> # freshclam
>>>> ClamAV update process started at Sun Jun  6 19:58:06 2021
>>>> Connecting via proxy
>>>> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60,
>>>> builder: sigmgr)
>>>> Connecting via proxy
>>>> WARNING: getfile: Unknown response from db.local.clamav.net:
>>>> HTTP/1.1 403 WARNING: getpatch: Can't download daily-26191.cdiff
>>>> from  db.local.clamav.net
>> I suspect that that means you are still using the freshclam that is
>> part of:
>> 
>>clamav.x86_64  0.98.5-1.el6
>> 
>> which is no longer supported.
> 
> this maybe, but the problem are the 403 replies of the server ...
> 
> even with normal browser for just downloading by hand this is impossible ...
> 
> 
> 
> 


Re: [clamav-users] since nearly a week unable to update signatures using freshclam ...

2021-06-08 Thread Joel Esler (jesler) via clamav-users
Do you have the uuid library installed on your machine?

> On Jun 8, 2021, at 2:00 AM, Walter H. via clamav-users 
>  wrote:
> 
> I'm using an old CentOS 6, not migrated to something newer
> 
> On 06.06.2021 20:04, Walter H. via clamav-users wrote:
>> # freshclam
>> ClamAV update process started at Sun Jun  6 19:58:06 2021
>> Connecting via proxy
>> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
>> sigmgr)
>> Connecting via proxy
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: Incremental update failed, trying to download daily.cvd
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: Can't download daily.cvd from db.local.clamav.net
>> Trying again in 5 secs...
>> ClamAV update process started at Sun Jun  6 19:58:13 2021
>> Connecting via proxy
>> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
>> sigmgr)
>> Connecting via proxy
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: Incremental update failed, trying to download daily.cvd
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: Can't download daily.cvd from db.local.clamav.net
>> Trying again in 5 secs...
>> ClamAV update process started at Sun Jun  6 19:58:19 2021
>> Connecting via proxy
>> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
>> sigmgr)
>> Connecting via proxy
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> ERROR: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> ERROR: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
>> WARNING: Incremental update failed, trying to download daily.cvd
>> ERROR: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
>> ERROR: Can't download daily.cvd from db.local.clamav.net
>> Giving up on db.local.clamav.net...
>> Update failed. Your network may be down or none of the mirrors listed in 
>> /etc/freshclam.conf is working. Check 
>> https://www.clamav.net/documents/official-mirror-faq for possible reasons.
>> #
>> 
>> and the proxy shows the following in its log ...
>> 
>> host - - [06/Jun/2021:19:58:09 +0200] "GET 
>> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4598 "-" 
>> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
>> TCP_MISS:HIER_DIRECT
>> host - - [06/Jun/2021:19:58:09 +0200] "GET 
>> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
>> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
>> TCP_NEGATIVE_HIT:HIER_NONE
>> host - [06/Jun/2021:19:58:09 +0200] "GET 
>> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
>> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
>> TCP_NEGATIVE_HIT:HIER_NONE
>> host - - [06/Jun/2021:19:58:09 +0200] "GET 
>> http://db.local.clamav.net/daily.cvd HTTP/1.1" 403 4598 "-" "ClamAV/0.103.2 
>> (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" TCP_MISS:HIER_DIRECT
>> host - - [06/Jun/2021:19:58:14 +0200] "GET 
>> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
>> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
>> TCP_NEGATIVE_HIT:HIER_NONE
>> host - - [06/Jun/2021:19:58:14 +0200] "GET 
>> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
>> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
>> TCP_NEGATIVE_HIT:HIER_NONE
>> host - - [06/Jun/2021:19:58:14 +0200] "GET 
>> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
>> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
>> TCP_NEGATIVE_HIT:HIER_NONE
>> host - - [06/Jun/2021:19:58:14 +0200] "GET 
>> http://db.local.clamav.net/daily.cvd HTTP/1.1" 403 4612 "-" "ClamAV/0.103.2 
>> (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" TCP_NEGATIVE_HIT:HIER_NONE
>> host - - [06/Jun/2021:19:58:20 +0200] "GET 
>> 
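Added example, not from this thread or the ClamAV project: a small Python audit over proxy access-log lines in the layout quoted above (the sample lines are constructed in the same shape). It picks out signature downloads from the ClamAV CDN, reads the ClamAV version from the User-Agent, and separates EOL clients that must be upgraded from current clients that are still answered 403, which is the "not identifying itself" case Joel points to. MIN_SUPPORTED and the verdict strings are my assumptions, to be adjusted to the current EOL policy.

```python
import re

# Access-log layout modelled on the proxy lines quoted in this thread:
#   host - - [timestamp] "GET url HTTP/1.1" status bytes "referer" "user-agent" cache-info
LOG_RE = re.compile(
    r'^(?P<host>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Stock freshclam announces itself as ClamAV/<version> (OS: ..., ARCH: ...).
UA_RE = re.compile(r"ClamAV/(\d+)\.(\d+)\.(\d+)")

# Assumption: the oldest line still supported is the one the EOL announcement
# above points users to (0.103.x); adjust this to the current EOL policy.
MIN_SUPPORTED = (0, 103, 0)


def parse_line(line: str):
    """Return (host, url, status, version, user_agent), or None for a line
    that does not fit the layout.  version is a tuple, or None when the
    User-Agent does not look like freshclam's."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    v = UA_RE.search(ua)
    version = tuple(int(x) for x in v.groups()) if v else None
    return m.group("host"), m.group("url"), int(m.group("status")), version, ua


def audit(lines, min_supported=MIN_SUPPORTED):
    """Collect signature downloads from the ClamAV CDN per client host and
    say why a host is (or is not) getting its updates."""
    report = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, url, status, version, ua = parsed
        if "clamav.net/" not in url:
            continue                      # not a signature download
        entry = report.setdefault(host, {"version": version, "user_agent": ua,
                                         "requests": 0, "blocked": 0})
        entry["requests"] += 1
        if status == 403:
            entry["blocked"] += 1
    for entry in report.values():
        if entry["version"] is None:
            entry["verdict"] = "not a stock freshclam User-Agent"
        elif entry["version"] < min_supported:
            entry["verdict"] = "EOL version, upgrade before expecting updates"
        elif entry["blocked"]:
            # The diagnosis given in this thread for a current client that is
            # still refused: the install is not identifying itself to the CDN.
            entry["verdict"] = "current version but still 403: client not identifying itself"
        else:
            entry["verdict"] = "ok"
    return report


# Constructed sample lines in the shape of the quoted proxy log.
SAMPLE_LOG = [
    'host-a - - [06/Jun/2021:19:58:09 +0200] "GET http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4598 "-" "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" TCP_MISS:HIER_DIRECT',
    'host-b - - [06/Jun/2021:20:01:12 +0200] "GET http://database.clamav.net/daily.cvd HTTP/1.1" 403 4612 "-" "ClamAV/0.98.5 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" TCP_MISS:HIER_DIRECT',
    'host-c - - [06/Jun/2021:20:02:40 +0200] "GET http://database.clamav.net/daily-26191.cdiff HTTP/1.1" 200 118234 "-" "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" TCP_MISS:HIER_DIRECT',
    'host-d - - [06/Jun/2021:20:03:05 +0200] "GET http://database.clamav.net/daily.cvd HTTP/1.1" 403 4612 "-" "Wget/1.14 (linux-gnu)" TCP_MISS:HIER_DIRECT',
    'host-e - - [06/Jun/2021:20:03:30 +0200] "GET http://example.invalid/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT',
]

if __name__ == "__main__":
    for host, entry in sorted(audit(SAMPLE_LOG).items()):
        print(f"{host}: {entry['verdict']} ({entry['blocked']}/{entry['requests']} blocked)")
```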

Re: [clamav-users] since nearly a week unable to update signatures using freshclam ...

2021-06-08 Thread Joel Esler (jesler) via clamav-users
Definitely need to compile. 

—
Sent from my iPad

> On Jun 8, 2021, at 08:57, Richard via clamav-users 
>  wrote:
> 
> 
> 
>> Date: Tuesday, June 08, 2021 08:00:16 +0200
>> From: "Walter H. 
>> 
>> I'm using an old CentOS 6, not migrated to something newer
>> 
>>> On 06.06.2021 20:04, Walter H. via clamav-users wrote:
>>> # freshclam
>>> ClamAV update process started at Sun Jun  6 19:58:06 2021
>>> Connecting via proxy
>>> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, 
>>> builder: sigmgr)
>>> Connecting via proxy
>>> WARNING: getfile: Unknown response from db.local.clamav.net:
>>> HTTP/1.1 403 WARNING: getpatch: Can't download daily-26191.cdiff
>>> from  db.local.clamav.net
> 
> I suspect that that means you are still using the freshclam that is
> part of:
> 
>   clamav.x86_64  0.98.5-1.el6
> 
> which is no longer supported. I believe that the currently supported
> release is 0.103.2, which isn't on EPEL for C6 as C6 is EOL. I
> haven't tried, but think you should be able to get it from elsewhere
> (compiling may be necessary).
> 
> 


Re: [clamav-users] Clam AV Cost and support for enterprise

2021-06-07 Thread Joel Esler (jesler) via clamav-users
There’s no cost for use in the Enterprise.  There is no support offering for 
ClamAV other than these mailing lists.

Sent from my iPhone

On Jun 7, 2021, at 16:30, Karthik Iyer via clamav-users 
 wrote:


Hi ,

We would like to use ClamAV for scanning files in our blob storage and would 
like to know the cost and the kind of support at the enterprise level.

Whom could I reach out for the cost as well as what would be the enterprise 
support for this ?

Is there a phone number I can call to ask ?

Also can you provide me with some samples for running ClamAV on  .NET Core  3.1 
?



Thanks.

Karthik



Re: [clamav-users] since nearly a week unable to update signatures using freshclam ...

2021-06-07 Thread Joel Esler (jesler) via clamav-users
What operating system are you using?

Sent from my iPhone

> On Jun 6, 2021, at 14:06, Walter H. via clamav-users 
>  wrote:
> 
> # freshclam
> ClamAV update process started at Sun Jun  6 19:58:06 2021
> Connecting via proxy
> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
> sigmgr)
> Connecting via proxy
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: Can't download daily.cvd from db.local.clamav.net
> Trying again in 5 secs...
> ClamAV update process started at Sun Jun  6 19:58:13 2021
> Connecting via proxy
> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
> sigmgr)
> Connecting via proxy
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: Can't download daily.cvd from db.local.clamav.net
> Trying again in 5 secs...
> ClamAV update process started at Sun Jun  6 19:58:19 2021
> Connecting via proxy
> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
> sigmgr)
> Connecting via proxy
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> WARNING: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> ERROR: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> ERROR: getpatch: Can't download daily-26191.cdiff from db.local.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> ERROR: getfile: Unknown response from db.local.clamav.net: HTTP/1.1 403
> ERROR: Can't download daily.cvd from db.local.clamav.net
> Giving up on db.local.clamav.net...
> Update failed. Your network may be down or none of the mirrors listed in 
> /etc/freshclam.conf is working. Check 
> https://www.clamav.net/documents/official-mirror-faq for possible reasons.
> #
> 
> and the proxy shows the following in its log ...
> 
> host - - [06/Jun/2021:19:58:09 +0200] "GET 
> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4598 "-" 
> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
> TCP_MISS:HIER_DIRECT
> host - - [06/Jun/2021:19:58:09 +0200] "GET 
> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
> TCP_NEGATIVE_HIT:HIER_NONE
> host - [06/Jun/2021:19:58:09 +0200] "GET 
> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
> TCP_NEGATIVE_HIT:HIER_NONE
> host - - [06/Jun/2021:19:58:09 +0200] "GET 
> http://db.local.clamav.net/daily.cvd HTTP/1.1" 403 4598 "-" "ClamAV/0.103.2 
> (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" TCP_MISS:HIER_DIRECT
> host - - [06/Jun/2021:19:58:14 +0200] "GET 
> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
> TCP_NEGATIVE_HIT:HIER_NONE
> host - - [06/Jun/2021:19:58:14 +0200] "GET 
> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
> TCP_NEGATIVE_HIT:HIER_NONE
> host - - [06/Jun/2021:19:58:14 +0200] "GET 
> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4612 "-" 
> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
> TCP_NEGATIVE_HIT:HIER_NONE
> host - - [06/Jun/2021:19:58:14 +0200] "GET 
> http://db.local.clamav.net/daily.cvd HTTP/1.1" 403 4612 "-" "ClamAV/0.103.2 
> (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" TCP_NEGATIVE_HIT:HIER_NONE
> host - - [06/Jun/2021:19:58:20 +0200] "GET 
> http://db.local.clamav.net/daily-26191.cdiff HTTP/1.1" 403 4613 "-" 
> "ClamAV/0.103.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)" 
> TCP_NEGATIVE_HIT:HIER_NONE
> host - - [06/Jun/2021:19:58:20 +0200] "GET 
> 

Re: [clamav-users] ClamWin maintainers?

2021-06-06 Thread Joel Esler (jesler) via clamav-users
Yeah.  This is unacceptable 

Sent from my iPhone

> On Jun 6, 2021, at 00:35, Micah Snyder (micasnyd)  wrote:
> 
> I did a little bit of digging -- looks like ClamWin isn't at 0.103.2, it's 
> at 0.103.1 + the 1 commit which changes the version # to "0.103.2". ClamWin 
> missed the rest of the actual 0.103.2 changes, so in reality it's 0.103.1.
> 
> I'll put in a ticket on the ClamWin repo.
> 
>> -Original Message-
>> From: clamav-users  On Behalf Of
>> Joel Esler (jesler) via clamav-users
>> Sent: Saturday, June 5, 2021 11:58 AM
>> To: ClamAV users ML 
>> Cc: Joel Esler (jesler) 
>> Subject: [clamav-users] ClamWin maintainers?
>> 
>> I tried to register an account on the ClamWin forums, but I don’t see where 
>> to
>> create a new account anywhere. I can see where to login, and see where to
>> reset my password.  But I don’t have one, and I don’t see a place to create 
>> one.
>> 
>> That being said.
>> 
>> It seems that ClamWin users have been updated to 0.103.2. That’s great.
>> 
>> What’s not great is that the ClamWin maintainers altered the code for
>> freshclam’s update.  Therefore, you’re still blocked.  If one of the ClamWin
>> maintainers, or someone knows a ClamWin maintainer, please have them reach
>> out to me so I can help them undo what they did that would be great.
>> 
>> Otherwise, ClamWin will continue to be blocked from updating.
>> 
>> Sent from my iPhone
>> 


[clamav-users] ClamWin maintainers?

2021-06-05 Thread Joel Esler (jesler) via clamav-users
I tried to register an account on the ClamWin forums, but I don’t see where to 
create a new account anywhere. I can see where to login, and see where to reset 
my password.  But I don’t have one, and I don’t see a place to create one. 

That being said. 

It seems that ClamWin users have been updated to 0.103.2. That’s great.  

What’s not great is that the ClamWin maintainers altered the code for 
freshclam’s update.  Therefore, you’re still blocked.  If one of the ClamWin 
maintainers, or someone knows a ClamWin maintainer, please have them reach out 
to me so I can help them undo what they did that would be great.  

Otherwise, ClamWin will continue to be blocked from updating.  

Sent from my iPhone



Re: [clamav-users] To unblock ip addresses for updating clamAV database/definations.

2021-06-03 Thread Joel Esler (jesler) via clamav-users
Hello Satwant,

Moving off list.

I’m going to need more info than the IPs.  What error are you receiving?



--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net

On May 27, 2021, at 5:18 PM, Satwant Singh <satw...@thirdstream.ca> wrote:

Hi,

At thirdstream, we need your help to unblock our listed ip addresses, so that 
we can setup auto updates to clamAV.

Please let me know, if you need anything else from us.

Regards,

Satwant Singh
Software Developer
satw...@thirdstream.ca



Re: [clamav-users] ClamAV 0.103.0 takes longer

2021-05-21 Thread Joel Esler (jesler) via clamav-users
Also, upgrading to the current version is smarter.  0.103.2

Sent from my iPhone

> On May 21, 2021, at 08:45, Uskokovic, Sinisa via clamav-users 
>  wrote:
> 
> Hi Ged,
> 
> Thank you for your answer, it is good enough for my dilemma.
> 
> Best,
> Sinisa 
> 
> -Original Message-
> From: clamav-users  On Behalf Of G.W. 
> Haywood via clamav-users
> Sent: Friday, May 21, 2021 2:14 PM
> To: Uskokovic, Sinisa via clamav-users 
> Cc: G.W. Haywood 
> Subject: Re: [clamav-users] ClamAV 0.103.0 takes longer
> 
> Hi there,
> 
>> On Fri, 21 May 2021, Uskokovic, Sinisa via clamav-users wrote:
>> 
>> Since we did the update to the ClamAV 0.103.0 version on 26.03.2021,
> 
> The release was announced on 14 Sep 2020, it seems that you left it quite a 
> while before updating...
> 
> https://blog.clamav.net/2020/09/clamav-01030-released.html
> 
>> the duration of scanning viruses increased for approximately 50%. I 
>> couldn't find anything related to that change in ClamAV 0.103.0 
>> changelog. It would be great if anyone knows what could be the cause 
>> of this?
> 
> There were numerous fixes and improvements to 0.103.0 - see the above release 
> announcement for more information.  Some of the changes noted would have the 
> effect of scanning some types of files which would not have been scanned at 
> all using earlier versions.  Some of them would result in what might be 
> called 'deeper' scanning.  I imagine all of these could be expected to extend 
> scanning times, although an increase of 50% seems rather high.  I guess it 
> depends on the mix of files that you're scanning.
> 
>> Let me know if you need some additional info.
> 
> It would probably help if you could let us know what you are scanning.
> You're clearly scanning filesystems, but as here we only use ClamAV to scan 
> mail I don't think any statistics I could offer would help you.
> 
> -- 
> 
> 73,
> Ged.
> 


Re: [clamav-users] Fwd: ClamAV®

2021-05-08 Thread Joel Esler (jesler) via clamav-users
No, this is the public git repository. Unless I am misunderstanding what you’re 
saying.

Sent from my iPhone

On May 8, 2021, at 03:38, Frans de Boer  wrote:


On 06/05/2021 01:19, ClamAV® blog wrote:
"clamav-devel" GitHub repository name change to 
"clamav"
Ok, that is thus a misleading phrase, since this only applies to the non-public 
Cisco git repository.
The public git as stated on the website is still the correct one.

Clear and correct communication is a skill and should not be left to technical 
or otherwise untrained people.

--- Frans


--
A: Yes, just like that
Q: Oh, just like reading a book backwards
A: Because it upsets the natural flow of a story
Q: Why is top-posting annoying?



[clamav-users] Update on rate limits and downloading

2021-05-06 Thread Joel Esler (jesler) via clamav-users
Overall — we’re doing much better.

We’ve reduced the amount of bandwidth we’re serving by 4x, so we’ve made 
significant progress.

However, we still have over 700 individual systems downloading the full 
daily.cvd over 200x a day. (This should be once a day, if that.)

If you are not using 0.103.2 and its accompanying FreshClam to download these 
updates, please upgrade, and when you do, create a NEW FreshClam.conf file and 
move your settings to that.  We’re going to have to start blocking these 
atrocious abusers, as the rate limits are hurting everyone else at this point.

Please help us: stay diligent, keep going, keep upgrading.  Upgrade to 0.103.2, 
and keep your mirrors.dat file around; this file contains a snapshot of where 
you are in your update progression so that the next time FreshClam runs, it 
can start where it left off.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net



Re: [clamav-users] Request for guidelines to connect freshclam to Squid proxy

2021-04-30 Thread Joel Esler (jesler) via clamav-users
If the firewall administrator is that way about AV updates, how are they with 
YouTube?

On Apr 30, 2021, at 12:43 PM, Dave Warren via clamav-users 
<clamav-users@lists.clamav.net> wrote:

A firewall's job is to regulate unwanted/undesired traffic and to enforce 
policy as defined by the business, not to invent it.

If the business policy is to allow virus definition updates then the firewall 
should be configured to do so. If not, it should be blocked completely. 
Anything else is just a power-trip on the part of the firewall administrator 
and the responsibility should fall to them when their mis-configuration has 
consequences.



On 2021-04-29 05:56, Zvi Kave via clamav-users wrote:
Hi,
The SysAdmin who is responsible for firewall maintenance allows only one IP to 
be opened in the firewall for freshclam use.
I shall check squid definitions again.
Thank you,
Zvi



Re: [clamav-users] cdn :/

2021-04-28 Thread Joel Esler (jesler) via clamav-users


> On Apr 28, 2021, at 12:10 PM, Benny Pedersen  wrote:
> 
> On 2021-04-28 17:56, Joel Esler (jesler) wrote:
>> I don’t think that’s a solution.
> 
> https scales only if making private mirrors :/
> 
> the design of torrents is the more users, the faster speeds all get without 
> needing private mirrors, so yes it does better than cloudflare

We can manage Cloudflare, and BitTorrent is banned in just about every 
corporate environment.

> 
> is it possible to see mailman stops mangle dkim when dmarc policy is p=none;
> 
> while i am on clamav, what about synology antivirus essential ?

What about it?



Re: [clamav-users] cdn :/

2021-04-28 Thread Joel Esler (jesler) via clamav-users
I don’t think that’s a solution.

> On Apr 28, 2021, at 9:21 AM, Benny Pedersen via clamav-users 
>  wrote:
> 
> On 2021-04-28 14:42, Eero Volotinen wrote:
> 
>> Please upgrade to supported version?
> 
> i have that on gentoo, problem is fixed now, finally, how can this take so 
> long without anyone noticing it is imho scary
> 
> consider implementing the bittorrent protocol in freshclamd, it scales more 
> than the cloudflare problem
> 


Re: [clamav-users] Can't download daily-25402.cdiff from db.local.clamav.net

2021-04-28 Thread Joel Esler (jesler) via clamav-users
Please upgrade to 103.2, as the error messages are more specific.

Please change your Database settings to fetch from 
database.clamav.net instead of 
“db.local.clamav.net”.

Daily-25402 is very out of date.

On Apr 28, 2021, at 11:43 AM, Will Watters via clamav-users 
<clamav-users@lists.clamav.net> wrote:

Hello,

I'm unable to download definitions when running freshclam and virus db is older 
than 7 days.

I have disabled ipv6, changed the DatabaseMirror in /etc/freshclam.conf and 
removed and reinstalled with the same issue.

Any suggestions as to why it is not downloading please?

root@ip-10-104-3-139 ~]# freshclam
ClamAV update process started at Wed Apr 28 15:34:13 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.3 Recommended version: 0.103.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
sigmgr)
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
nonblock_connect: connect(): fd=5 errno=101: Network is unreachable
Can't connect to port 80 of host 
db.local.clamav.net (IP: 2606:4700::6810:da54)
Trying host db.local.clamav.net 
(2606:4700::6810:db54)...
nonblock_connect: connect(): fd=5 errno=101: Network is unreachable
Can't connect to port 80 of host 
db.local.clamav.net (IP: 2606:4700::6810:db54)
WARNING: Can't download daily.cvd from 
db.local.clamav.net
Trying again in 5 secs...
ClamAV update process started at Wed Apr 28 15:34:19 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.3 Recommended version: 0.103.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
sigmgr)
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.local.clamav.net 
(2606:4700::6810:db54)...
nonblock_connect: connect(): fd=5 errno=101: Network is unreachable
Can't connect to port 80 of host 
db.local.clamav.net (IP: 2606:4700::6810:db54)
Trying host db.local.clamav.net 
(2606:4700::6810:da54)...
nonblock_connect: connect(): fd=5 errno=101: Network is unreachable
Can't connect to port 80 of host 
db.local.clamav.net (IP: 2606:4700::6810:da54)
WARNING: Can't download daily.cvd from 
db.local.clamav.net
Trying again in 5 secs...
ClamAV update process started at Wed Apr 28 15:34:24 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.3 Recommended version: 0.103.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
sigmgr)
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
ERROR: getpatch: Can't download daily-25402.cdiff from 
db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.local.clamav.net 
(2606:4700::6810:db54)...
nonblock_connect: connect(): fd=5 errno=101: Network is unreachable
Can't connect to port 80 of host 
db.local.clamav.net (IP: 2606:4700::6810:db54)
Trying host db.local.clamav.net 
(2606:4700::6810:da54)...
nonblock_connect: connect(): fd=5 errno=101: Network is unreachable
Can't connect to port 80 of host 
db.local.clamav.net (IP: 2606:4700::6810:da54)
ERROR: Can't download daily.cvd from 
db.local.clamav.net
Giving up on db.local.clamav.net...
ClamAV update process started at Wed Apr 28 15:34:25 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.3 Recommended version: 0.103.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 59, sigs: 4564902, f-level: 60, builder: 
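
The log above shows the sequence freshclam follows: confirm the local main.cld 
from its header, try the daily-NNNNN.cdiff patches one version at a time, and 
fall back to the full daily.cvd only when a patch cannot be fetched. As an 
added illustration that is not code from this list or from the ClamAV project, 
here is a small Python reconstruction of that decision: it parses the 512-byte 
CVD/CLD header (the published colon-separated layout 
ClamAV-VDB:date:version:sigs:flevel:md5:dsig:builder:stime) and plans an update 
against a constructed set of files a mirror can serve. The header bytes, mirror 
contents and version numbers are constructed sample data; the retry counts and 
network handling of real freshclam are not modelled.

```python
"""Added example (not code from the clamav-users list or the ClamAV project):
read a CVD/CLD header and plan an update the way the freshclam log above does.

The 512-byte plain-text header layout is the published CVD format:
    ClamAV-VDB:date:version:sigs:flevel:md5:dsig:builder:stime
Everything else here (header bytes, mirror contents, version numbers) is
constructed sample data; freshclam's retries and networking are not modelled.
"""
from dataclasses import dataclass

CVD_HEADER_LEN = 512


@dataclass(frozen=True)
class CvdHeader:
    date: str
    version: int
    sigs: int
    flevel: int
    builder: str


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Parse the text header at the start of a .cvd/.cld file (first 512 bytes)."""
    head = raw[:CVD_HEADER_LEN].rstrip(b"\x00 \n").decode("ascii", errors="strict")
    fields = head.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV CVD/CLD header")
    # fields[5] (MD5) and fields[6] (digital signature) are left to libclamav to verify.
    return CvdHeader(date=fields[1], version=int(fields[2]), sigs=int(fields[3]),
                     flevel=int(fields[4]), builder=fields[7])


def status_line(name: str, h: CvdHeader) -> str:
    """Render the 'is up to date' line in the form freshclam prints it."""
    return (f"{name} is up to date (version: {h.version}, sigs: {h.sigs}, "
            f"f-level: {h.flevel}, builder: {h.builder})")


def plan_update(local_version: int, remote_version: int, mirror_files):
    """Decide what to fetch for daily: nothing, a chain of cdiffs, or the full CVD.

    mirror_files is the set of names the mirror can serve.  Incremental update
    needs every cdiff from local+1 up to remote; if any is unavailable (as with
    daily-25402.cdiff in the log above) the only option is the whole daily.cvd.
    """
    if local_version >= remote_version:
        return "up-to-date", []
    wanted = [f"daily-{v}.cdiff" for v in range(local_version + 1, remote_version + 1)]
    if all(name in mirror_files for name in wanted):
        return "cdiff", wanted
    return "full", ["daily.cvd"]


# Constructed main.cld header carrying the values freshclam printed above
# (version 59, 4564902 sigs, f-level 60, builder sigmgr); date/md5/dsig are placeholders.
MAIN_CLD = (b"ClamAV-VDB:01 Jan 2021 00-00 +0000:59:4564902:60:"
            b"0123456789abcdef0123456789abcdef:DSIG-PLACEHOLDER:sigmgr:1609459200"
            ).ljust(CVD_HEADER_LEN, b"\x00")

# Constructed mirror: it can serve cdiffs 26141..26143 but nothing older.
MIRROR_FILES = {"main.cvd", "daily.cvd", "bytecode.cvd",
                "daily-26141.cdiff", "daily-26142.cdiff", "daily-26143.cdiff"}


if __name__ == "__main__":
    hdr = parse_cvd_header(MAIN_CLD)
    print(status_line("main.cld", hdr))
    print(plan_update(26140, 26143, MIRROR_FILES))   # three cdiffs
    print(plan_update(25401, 26143, MIRROR_FILES))   # daily-25402.cdiff missing -> full daily.cvd
```

The second plan_update call is the situation in the log: a client stuck on 
daily 25401 asks for daily-25402.cdiff, cannot get it, and is pushed to the 
full daily.cvd on every run, which is exactly the traffic pattern the rate 
limits are meant to stop.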

Re: [clamav-users] Problema antivirus su Nas QNAP

2021-04-26 Thread Joel Esler (jesler) via clamav-users
Hello Federico,

Thank you for your email.  As a result of events documented in places here and 
here, we’ve been forced to take emergency measures to protect the ClamAV 
environment.

Please read our FAQ page under "Error Codes".

Please immediately switch to using Freshclam, or if you are using a private 
mirror or want to download the updates separately from Freshclam, please use 
cvdupdate to update your AV definitions. If you are using Qnap (or another NAS) 
or ClamWin, it’s likely that you are using a version of ClamAV that has been 
EOL’ed.

Sorry for the inconvenience.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net

On Apr 26, 2021, at 4:49 PM, Federico Dal Zotto via clamav-users 
<clamav-users@lists.clamav.net> wrote:

Good morning,

I own a QNAP TS-231 NAS
firmware 4.3.6.1620

and since I bought it 2 years ago
I have never managed to get the automatic update
of ClamAV Antivirus to work,

only manually, by importing the new file
with the definitions.

I contacted QNAP technical support,
who told me to contact ClamAV because
the NAS is fine, with no problems.


Awaiting your information,

thanks, best regards


--
___
Federico Dal Zotto






Re: [clamav-users] ClamAV(R) blog: Are you still attempting to download safebrowsing.cvd?

2021-04-22 Thread Joel Esler (jesler) via clamav-users
Effect:

Traffic surrounding safebrowsing has effectively ground to almost zero.  
FANTASTIC!

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net

On Apr 22, 2021, at 12:04 PM, Andrew Williams <awill...@sourcefire.com> wrote:

To give a quick update on this, a new version of safebrowsing.cvd was published 
yesterday that removes all but a minimal number of signatures needed for it to 
be loaded correctly by ClamAV.  The block on safebrowsing.cvd download attempts 
was also lifted, and a corresponding zero-byte CDIFF published, which means 
that existing installations running FreshClam with the SafeBrowsing option set 
should expect a quick update that replaces the prior, 40 MB safebrowsing.cvd 
(if present) with the 1 KB latest one.

-Andrew

On Thu, Apr 8, 2021 at 6:33 PM Micah Snyder (micasnyd) via clamav-users 
<clamav-users@lists.clamav.net> wrote:
So it's actually kinda funny you should ask that.  In 0.103.2 we deprecated the 
SafeBrowsing option in freshclam.conf which means it will no longer add 
safebrowsing to the list of desired databases.

FreshClam has two options "ExcludeDatabase" and "ExtraDatabase" for 
adding/removing official CVD's to the list of databases to update. In version 
0.102+, FreshClam detects if you have a CVD database in your database directory 
that isn't in the list (eg. because you excluded it, or no longer include an 
"extra" database) and will remove it.

I didn't realize that deprecating the SafeBrowsing option would cause FreshClam 
to remove the old safebrowsing.cld file until I read your question and the 
thought struck me.  I just tested it now.  I found that in 0.103.2 if you used 
to have safebrowsing.cld (or safebrowsing.cvd), FreshClam will automatically 
remove it for you.

-Micah

> -Original Message-
> From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of
> Matus UHLAR - fantomas
> Sent: Thursday, April 8, 2021 5:40 AM
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] ClamAV® blog: Are you still attempting to
> download safebrowsing.cvd?
>
> >On Wednesday 7 April 2021 19:41:34 CEST, Joel Esler (jesler) via
> >clamav-users wrote:
> >> > Are you still attempting to download safebrowsing.cvd?
> >> >
> >> >  It has come to our attention that a few of you (about 515,000 of
> >> > you, to  be more accurate), are still attempting to download the
> >> > safebrowsing.cvd  file from the official ClamAV mirrors.  This
> >> > tells us that these  attempted downloads are an installation of
> >> > FreshClam (a non-updated  FreshClam.conf or other script) that have
> >> > not been updated to remove the  safebrowsing database.>
>
> On 07.04.21 21:04, Vladislav Kurz via clamav-users wrote:
> >These could be Debian users. The debian package offers to enable
> >safebrowsing.cvd, and there is no indication that it is discontinued.
> >Perhaps, if you talk to Debian Clamav maintainers, they could release
> >an update that disables this option without asking ?
>
> it's disabled by default, but yes, that disabling it unconditionally would be
> good
>
> The question is, if the old safebrowsing.cld has to be removed if it exists.
>
> >Anyway I was one of those, and now disabling it everywhere...
>
> +1
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> 2B|!2B, that's a question!
>


Re: [clamav-users] Help, we are still seeing issues

2021-04-18 Thread Joel Esler (jesler) via clamav-users
Correct.  

Sent from my iPhone

> On Apr 18, 2021, at 13:55, Paul Kosinski via clamav-users 
>  wrote:
> 
> You're comparing daily.CLD with main.CVD: as I understand it, CVDs are 
> compressed, CLDs aren't.
> 
> 
>> On Sat, 17 Apr 2021 21:15:29 +0200 (CEST)
>> "Robert M. Stockmann via clamav-users"  wrote:
>> 
>> Here's the freshclam virus data files which were first downloaded when
>> i upgraded to 0.103.2 :
>> 
>>   [hubble:stock]:(/var/lib/clamav)$ ll 
>>   total 429572
>>   -rw-r--r--  1 clamav clamav293670 Apr  8 02:37 bytecode.cvd
>>   -rw-r--r--  1 clamav clamav 321713152 Apr 17 14:07 daily.cld
>>   -rw-r--r--  1 clamav clamav 117859675 Apr  8 02:37 main.cvd
>>   -rw-r--r--  1 clamav clamav69 Apr  8 02:36 mirrors.dat
>>   [hubble:stock]:(/var/lib/clamav)$ clamdscan --version
>>   ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
>>   [hubble:stock]:(/var/lib/clamav)$ 
>> 
>> As you can see, the daily.cld is from today, Apr 17, and the others
>> were downloaded on the day of upgrade. However one would expect the
>> daily.cvd to be the smallest file, instead it's the biggest
>> with 307M in size. 
> 


[clamav-users] Help, we are still seeing issues

2021-04-17 Thread Joel Esler (jesler) via clamav-users
Please take a few moments to check your ClamAV freshclam installations.  Are 
you removing your mirrors.dat file after every run of Freshclam or cvdupdate?

We are seeing a few IPs, who have upgraded to 103.2 still downloading the 
entire daily.cvd and main.cvd every update.  I am thinking this is because the 
installation has a script that is deleting the mirrors.dat file, or has the 
“OnErrorExecute” command in the Freshclam.conf file set to delete this file, or 
freshclam can’t write the file in the first place (which shouldn’t be possible).

Please double check your installations?  You may even need to go so far as to 
create a new freshclam.conf file.

If your downloads were working and now you are getting 403’s from Cloudflare 
and you’re on 103.2, the above situation may be the reason.  Please double 
check the situation and feel free to write me back.  We’ve seen about 34,000 
downloads of the main and daily in the past 24 hours from these couple of IPs.

I can tell the difference between a properly functioning copy of freshclam and 
not, very easily by looking at the files being downloaded.  If an installation 
grabs the cvd and then grabs the cdiffs the next day, it’s properly functioning.

But downloading the entire daily and main every 5 minutes or so indicates to me 
that something is broken.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
https://www.talosintelligence.com | https://www.snort.org | 
https://www.clamav.net
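
The check Joel describes in this message and in the "Update on rate limits" 
post above (a healthy client fetches the CVDs once and then only cdiffs; a 
broken one pulls the full daily.cvd and main.cvd every few minutes) can be run 
over a mirror's access log. The following Python script is an added example, 
not code from this list or from the ClamAV project: it assumes an Apache/nginx 
combined log format on a private mirror, the log lines are constructed, and the 
ceiling of three full-CVD downloads per client per day (main, daily and 
bytecode on a fresh install) is an assumption, not a ClamAV rule.

```python
"""Added example (not from the clamav-users list or the ClamAV project):
flag freshclam clients that keep re-downloading full CVDs instead of cdiffs.

Assumptions: an Apache/nginx combined access log from a private mirror; the
sample lines below are constructed.  A healthy client fetches main.cvd,
daily.cvd and bytecode.cvd at most once per day and then only *.cdiff files.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
FULL_DB_RE = re.compile(r"^/(main|daily|bytecode)\.cvd$")
CDIFF_RE = re.compile(r"^/(main|daily|bytecode)-\d+\.cdiff$")

# Constructed sample: 10.0.0.5 behaves, 10.0.0.9 pulls daily.cvd every 5 minutes
# (the pattern of a client whose mirrors.dat is deleted after every run).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Apr/2021:02:37:01 +0000] "GET /main.cvd HTTP/1.1" 200 117859675
10.0.0.5 - - [17/Apr/2021:02:37:09 +0000] "GET /daily.cvd HTTP/1.1" 200 62000000
10.0.0.5 - - [17/Apr/2021:14:07:02 +0000] "GET /daily-26143.cdiff HTTP/1.1" 200 48211
10.0.0.9 - - [17/Apr/2021:02:00:00 +0000] "GET /daily.cvd HTTP/1.1" 200 62000000
10.0.0.9 - - [17/Apr/2021:02:05:00 +0000] "GET /daily.cvd HTTP/1.1" 200 62000000
10.0.0.9 - - [17/Apr/2021:02:10:00 +0000] "GET /main.cvd HTTP/1.1" 200 117859675
10.0.0.9 - - [17/Apr/2021:02:15:00 +0000] "GET /daily.cvd HTTP/1.1" 200 62000000
10.0.0.9 - - [17/Apr/2021:02:20:00 +0000] "GET /daily.cvd HTTP/1.1" 403 0
"""


def summarize(log_text):
    """Per (client IP, day): number of full-CVD GETs, cdiff GETs and 403/429 answers."""
    stats = defaultdict(lambda: {"full": 0, "cdiff": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparseable lines and non-GET requests
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        entry = stats[(m["ip"], day)]
        if m["status"] in ("403", "429"):
            entry["blocked"] += 1  # the CDN/mirror is already rate-limiting this client
        if FULL_DB_RE.match(m["path"]):
            entry["full"] += 1
        elif CDIFF_RE.match(m["path"]):
            entry["cdiff"] += 1
    return dict(stats)


def suspicious_clients(log_text, max_full_per_day=3):
    """IPs that fetched a full CVD more than max_full_per_day times on one day.

    Three per day is the assumed ceiling: a fresh install legitimately grabs
    main.cvd, daily.cvd and bytecode.cvd once; anything beyond that is the
    'downloading the entire daily and main every 5 minutes' pattern.
    """
    return sorted({ip for (ip, _day), s in summarize(log_text).items()
                   if s["full"] > max_full_per_day})


if __name__ == "__main__":
    for (ip, day), s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip} {day}: full={s['full']} cdiff={s['cdiff']} blocked={s['blocked']}")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

On a real mirror the flagged IPs are the ones to contact before they are cut 
off: the usual causes are the ones listed in the message above (a cron job or 
OnErrorExecute that deletes mirrors.dat, a stale freshclam.conf, or an EOL 
freshclam that never requests cdiffs).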



Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-14 Thread Joel Esler (jesler) via clamav-users
I understand the request.  The new key is signed with the old key already.

> On Apr 14, 2021, at 9:42 AM, Andrew C Aitchison  
> wrote:
> 
> 
> Joel,
> 
> You can add a direct link to the PGP key now as this is completely independent
> of the released packages.
> 
> Better yet would be to
> 1) Sign the new key with the old one (which doesn't actually expire until 
> Monday)
> 2) Get other (public domain) software people to sign your key.
> This assumes that you can get the key to them and the signature back
> in a way that satisfies both of you that they really came from the person
> they claim to be ...
> 
> 3) Put the key (presumably with the signatures above)
> on some of the public keyservers, eg
>  https://pgp.mit.edu/
>  https://keyserver.ubuntu.com/
> 
> If a software package is signed with an unsigned key and the key and
> the package are put on the same webserver there is no advantage to users
> over just giving an MD5 or SHA checksum - we have no way of measuring
> the trust in the key.
> By getting other known parties (including the old key's owner)
> to sign the new key, we have some idea that the new key can be trusted
> and was not put up by a malicious webmaster - possibly of a spoof website.
> 
> Thanks,
> 
> On Wed, 7 Apr 2021, Joel Esler (jesler) via clamav-users wrote:
> 
>> We’ll look into that for a future update.
>> 
>> Sent from my iPhone
>> 
>>> On Apr 7, 2021, at 16:58, Arjen de Korte via clamav-users 
>>>  wrote:
>>> 
>>> Quoting "Joel Esler (jesler) via clamav-users":
>>> 
>>>> It’s available on the webpage.
>>> 
>>> I already wrote that I know it is available from the website. I need to 
>>> update the stored keyring in openSUSE Factory, which needs a backlink to 
>>> the origin. Rather than downloading https://www.clamav.net/downloads and 
>>> trimming the HTML code, a straight download link for the keyfile would make 
>>> it easier to verify it.
>>> 
>>>>>> On Apr 7, 2021, at 4:29 PM, Arjen de Korte via clamav-users 
>>>>>>  wrote:
>>>>> 
>>>>> Quoting "Joel Esler (jesler) via clamav-users":
>>>>> 
>>>>> It seems the package is now signed with a different PGP key. Is there a 
>>>>> location from where I can directly download the public key, rather than 
>>>>> copying it from the webpage?
>>>>> 
>>>>> Best regards, Arjen
> 
> -- 
> Andrew C. Aitchison   Kendal, UK
>   and...@aitchison.me.uk




Re: [clamav-users] clamav on rhel 6.7 x32

2021-04-13 Thread Joel Esler (jesler) via clamav-users
I wouldn’t install something that old. I would go ahead and move on.

Sent from my iPhone

On Apr 13, 2021, at 18:29, Eero Volotinen  wrote:


Hi,

I think that installing the following files will fix your problem.

https://archives.fedoraproject.org/pub/archive/epel/6/i386/Packages/c/clamav-0.100.3-1.el6.i686.rpm
https://archives.fedoraproject.org/pub/archive/epel/6/i386/Packages/c/clamav-db-0.100.3-1.el6.i686.rpm

Please test first on your test system. I only tested on centos 6.7 x32

"if it breaks, you can keep both pieces"

Eero



Re: [clamav-users] ClamAV® blog: ClamAV 0.103.2 security patch release

2021-04-10 Thread Joel Esler (jesler) via clamav-users
Thanks for pointing that out. We’ve corrected it with mitre, but obviously, we 
can’t correct the news.md for now. 

— 
Sent from my iPad

> On Apr 10, 2021, at 08:14, Sergey  wrote:
> 
> On Wednesday 07 April 2021, Joel Esler (jesler) via clamav-users wrote:
> 
>> CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 
>> 0.103.0 and 0.103.1 only.
>> 
>> CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 
>> and prior.
> 
> It seems you got the CVE descriptions mixed up: 1405 is about PDF (also in 
> NEWS.md).
> 
> -- 
> Regards,
> Sergey
> 


Re: [clamav-users] Error 429 when updating database

2021-04-10 Thread Joel Esler (jesler) via clamav-users
This. 

— 
Sent from my iPad

> On Apr 10, 2021, at 09:15, Gary R. Schmidt  wrote:
> 
> On 10/04/2021 22:59, Matus UHLAR - fantomas wrote:
> [SNIP]
>> it could help if we provided a proper reason to upgrade though.
> Isn't, "It's security software", sufficient?
> 
>Cheers,
>GaryB-)
> 


Re: [clamav-users] freshclam issues

2021-04-09 Thread Joel Esler (jesler) via clamav-users
Absolutely correct

Sent from my iPhone

> On Apr 9, 2021, at 10:07, Kris Deugau  wrote:
> 
> Wayne Florence via clamav-users wrote:
>> Hello,
>> I have recently updated my 4 ClamAV private mirrors to 
>> version 0.103.0 to fix issues downloading the cvd files.
>> However I am still having issues.  I have the servers set up 
>> to use freshclam via a cron once per day.
>> I am still getting 403 and 429 errors often from them; one 
>> last got the update on 4-1, one on 4-6, one on 4-7 and the final on 4-9.
> 
>> Querying current.cvd.clamav.nfet
>> WARNING: Can't query current.cvd.clamav.net
> 
> Fix this first.
> 
> If DNS lookups like this are breaking you're almost certainly going to 
> continue having trouble.
> 
> -kgd
> 


Re: [clamav-users] Error 429 when updating database

2021-04-08 Thread Joel Esler (jesler) via clamav-users
Feel free if you have the ability to do so.  We’re poking in all directions 
already.  

Sent from my iPhone

> On Apr 8, 2021, at 17:34, Andrew C Aitchison  wrote:
> 
> 
>> On Thu, 8 Apr 2021, Joel Esler (jesler) via clamav-users wrote:
>> Still, 102.4 should work properly, shouldn't it?
>> 
>> It does.  But 103.2 handles the downloads and interactions SO MUCH
>> BETTER (I’ve been watching the updates for 103.2’s FreshClam all
>> morning, and it’s working so much better).
>> 
>> Please.  Please upgrade.
> 
> https://packages.ubuntu.com/search?suite=hirsute=clamav
> suggests that Ubuntu Hirsute, due out this month, will still have ClamAV 
> 0.103.0.
> 
> Is it worth giving them a prod ?
> 
> -- 
> Andrew C. AitchisonKendal, UK
>and...@aitchison.me.uk
