Re: [clamav-users] Unable to download daily.cvd after upgrade to RHEL 8

2024-03-07 Thread Joel Esler via clamav-users
Looks like you're trying to connect through a proxy. Not directly.

Sent from my iPhone

> On Mar 7, 2024, at 13:34, John Paul Guay via clamav-users wrote:
> 
> Hello,
> 
> We have performed an in-place upgrade to RHEL 8 on our system that ClamAV resides on and afterwards we are no longer able to download the daily.cvd.
> 
> Just a little history. The system is in a lab behind a corporate proxy and it requires proxy rules to be able to reach database.clamav.net and clamav.net. Prior to the upgrade there were no issues in downloading the signatures on an hourly basis. We have verified that the rules on the proxy are still valid and the system is able to reach the proxy, but it seems like it's being blocked at database.clamav.net. I've included some output below:
> 
> Thu Mar  7 11:52:47 2024 -> WARNING: Can't download daily.cvd from https://database.clamav.net/daily.cvd
> Thu Mar  7 11:52:47 2024 -> Trying again in 5 secs...
> Thu Mar  7 11:52:52 2024 -> daily database available for update (local version: 27075, remote version: 27207)
> Thu Mar  7 11:52:52 2024 -> ERROR: Download failed (35)
> Thu Mar  7 11:52:52 2024 -> ERROR:  Message: SSL connect error
> Thu Mar  7 11:52:52 2024 -> ERROR: Can't download daily.cvd from https://database.clamav.net/daily.cvd
> Thu Mar  7 11:52:52 2024 -> Giving up on https://database.clamav.net...
> Thu Mar  7 11:52:52 2024 -> ERROR: Update failed for database: daily
> Thu Mar  7 11:52:52 2024 -> ERROR: Database update process failed: Connection failed
> Thu Mar  7 11:52:52 2024 -> ERROR: Update failed.
> Thu Mar  7 11:52:52 2024 -> --
> Thu Mar  7 11:53:06 2024 -> Update process terminated
> Thu Mar  7 11:53:08 2024 -> --
> Thu Mar  7 11:53:08 2024 -> ClamAV update process started at Thu Mar  7 11:53:08 2024
> Thu Mar  7 11:53:08 2024 -> daily database available for update (local version: 27075, remote version: 27207)
> Thu Mar  7 11:53:08 2024 -> WARNING: Download failed (35)
> Thu Mar  7 11:53:08 2024 -> WARNING:  Message: SSL connect error
> 
> [root@seti026 ~]# wget http://database.clamav.net/
> URL transformed to HTTPS due to an HSTS policy
> --2024-03-07 13:26:55--  https://database.clamav.net/
> Resolving proxy.x.xxx-xxx.net (proxy.x.xxx-xxx.net)... 7.xx.xx.xx
> Connecting to proxy.x.xxx-xxx.net (proxy.x.xxx-xxx.net)|7.xx.xx.xx|:8080... connected.
> Proxy request sent, awaiting response... 403 Forbidden
> 2024-03-07 13:26:55 ERROR 403: Forbidden.
> 
> Let me know if you require anything else.
> 
> Thanks,
> John


Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
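A triage script for the log in the thread above, added here as an example; it is not code from the thread or from the ClamAV project. It builds the proxy URL freshclam hands to libcurl from HTTPProxyServer/HTTPProxyPort (and the optional username/password) in freshclam.conf, turns the number in a "Download failed (N)" line into its libcurl meaning (N is a CURLcode: 35 is CURLE_SSL_CONNECT_ERROR, 6 is CURLE_COULDNT_RESOLVE_HOST), and, only when started with --live, repeats the download through that proxy with curl -v so the failing TLS handshake, or the proxy's answer to the CONNECT, is visible in full. The /etc/freshclam.conf path, the --live switch and the crypto-policy check are assumptions of this example; the config file and log lines the functions are exercised with are constructed.

```shell
#!/bin/sh
# Added example, not ClamAV project code: triage a freshclam "Download failed (N)"
# on a host that must go through an HTTP proxy. Paths and sample lines are constructed.

# Build the proxy URL freshclam hands to libcurl from freshclam.conf. If HTTPProxyServer
# is set there, that (with HTTPProxyPort/Username/Password) is the proxy freshclam uses.
proxy_url_from_conf() {
    conf="$1"
    host=$(awk '$1=="HTTPProxyServer"{print $2}' "$conf")
    port=$(awk '$1=="HTTPProxyPort"{print $2}' "$conf")
    user=$(awk '$1=="HTTPProxyUsername"{print $2}' "$conf")
    pass=$(awk '$1=="HTTPProxyPassword"{print $2}' "$conf")
    [ -n "$host" ] || return 1
    host=${host#*://}                      # tolerate a scheme in HTTPProxyServer
    auth=""
    [ -n "$user" ] && auth="$user:$pass@"
    printf 'http://%s%s%s\n' "$auth" "$host" "${port:+:$port}"
}

# N in "Download failed (N)" is the libcurl CURLcode; pull it out of a log line.
curl_errno() {
    printf '%s\n' "$1" | sed -n 's/.*Download failed (\([0-9][0-9]*\)).*/\1/p'
}

# The CURLcodes that show up in freshclam logs, and what each one points at.
explain_curl_errno() {
    case "$1" in
        6)  echo "CURLE_COULDNT_RESOLVE_HOST: the system resolver cannot resolve the mirror or the proxy" ;;
        7)  echo "CURLE_COULDNT_CONNECT: TCP connect to the proxy or the mirror was refused or filtered" ;;
        28) echo "CURLE_OPERATION_TIMEDOUT: packets are being dropped somewhere on the path" ;;
        35) echo "CURLE_SSL_CONNECT_ERROR: the TLS handshake failed (TLS version/cipher mismatch, an intercepting proxy, or a proxy that answers the CONNECT with something other than 200)" ;;
        56) echo "CURLE_RECV_ERROR: often 'Received HTTP code 403 from proxy after CONNECT', i.e. the proxy ACL denied the tunnel" ;;
        60) echo "CURLE_PEER_FAILED_VERIFICATION: certificate not trusted; typical of TLS interception without the proxy CA in the system trust store" ;;
        *)  echo "CURLcode $1: see libcurl-errors(3)" ;;
    esac
}

# Live check (needs the network): same proxy, same URL, verbose TLS. Run with --live.
if [ "${1:-}" = "--live" ]; then
    PROXY=$(proxy_url_from_conf /etc/freshclam.conf) || { echo "no HTTPProxyServer in freshclam.conf"; exit 1; }
    # The RHEL 8 system-wide crypto policy decides which TLS versions/ciphers libcurl
    # offers; an in-place upgrade can leave it at something other than DEFAULT.
    command -v update-crypto-policies >/dev/null && update-crypto-policies --show
    curl -v -x "$PROXY" -o /dev/null -w 'HTTP %{http_code}\n' https://database.clamav.net/daily.cvd
fi
```

Two things change at once in an in-place upgrade: the host's TLS stack and, often, how the proxy classifies the host. A 403 that the proxy itself returns to wget's request, as in the output above, is the proxy's decision, so the proxy rule allowing CONNECT to database.clamav.net:443 from this host is worth re-checking alongside the crypto policy.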


Re: [clamav-users] Cloudflare block me

2023-11-17 Thread Joel Esler via clamav-users
You must use FreshClam to download updates. There are no country-specific databases anymore. They all just point at the same db.

Sent from my iPhone

> On Nov 17, 2023, at 02:00, Vedeau Jérôme via clamav-users wrote:
> 
> Hello,
> 
> Can you help us to resolve this issue: we are blocked by Cloudflare when we try to connect to:
> 
> http://db.fr.clamav.net/main.cvd
> http://db.fr.clamav.net/daily.cvd
> http://db.fr.clamav.net/bytecode.cvd
> http://db.fr.clamav.net/safebrowsing.cvd
> 
> Cloudflare Ray ID: 8266a4a8d9d1f0b7
> 
> IP: 212.243.21.99
> 
> Thanks to you for support
> 
> Best regards,
> 
> Jérôme VEDEAU
> External
> Integration / operations
> Information systems
> 98, rue de Saint-Jean - Case postale - 1211 Genève 3
> jerome.ved...@fer-ge.ch
> 
> Disclaimer: "This e-mail, and any attachments thereto, is intended only for the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail by error, please notify me immediately by telephone and permanently delete the original and any copy of this."


Re: [clamav-users] freshclam not working

2023-09-13 Thread Joel Esler via clamav-users
Off the top of my head.  I think database is right.  
— 
Sent from my iPhone

> On Sep 13, 2023, at 02:12, Andrew C Aitchison via clamav-users 
>  wrote:
> 
> On Tue, 12 Sep 2023, Joel Esler via clamav-users wrote:
> 
>> Curl won’t work at all.  
>> But it definitely points to a dns problem. 
>> — Sent from my iPhone
>> 
>>  On Sep 11, 2023, at 13:07, Serge Slivitzky via
>>  clamav-users  wrote:
>> 
>>    Hi all,
>> I'm using clamav on 2 systems built the same way: the
>> first one is behind a firewall and freshclam is not
>> working, the other one is using a proxy to connect to the
>> internet and freshclam is working.
>> For the system not working, I get this in the log:
>> 
>>  Mon Sep 11 09:09:02 2023 -> ^remote_cvdhead:
>>  Download failed (6) Mon Sep 11 09:09:02 2023
>>  -> ^ Message: Couldn't resolve host name
>> Mon Sep 11 09:09:02 2023 -> ^Failed to get daily database version 
>> information from server: https://database.clamav.net
> 
> Joel,
> I was expecting current.cvd.clamav.net to be mentioned here ?
> 
>> Mon Sep 11 09:09:02 2023 -> !check_for_new_database_version: Failed to find 
>> daily database using server https://database.clamav.net. Mon Sep 11 09:09:02 
>> 2023 -> *updatedb: daily database update failed.
>> Mon Sep 11 09:09:02 2023 -> Trying again in 5secs...
> 
> --
> Andrew C. Aitchison  Kendal, UK
>   and...@aitchison.me.uk


Re: [clamav-users] freshclam not working

2023-09-12 Thread Joel Esler via clamav-users
Curl won't work at all. But it definitely points to a DNS problem.

Sent from my iPhone

> On Sep 11, 2023, at 13:07, Serge Slivitzky via clamav-users wrote:
> 
> Hi all,
> 
> I'm using clamav on 2 systems built the same way: the first one is behind a firewall and freshclam is not working, the other one is using a proxy to connect to the internet and freshclam is working.
> 
> For the system not working, I get this in the log:
> 
> Mon Sep 11 09:09:02 2023 -> ^remote_cvdhead: Download failed (6)
> Mon Sep 11 09:09:02 2023 -> ^ Message: Couldn't resolve host name
> Mon Sep 11 09:09:02 2023 -> ^Failed to get daily database version information from server: https://database.clamav.net
> Mon Sep 11 09:09:02 2023 -> !check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
> Mon Sep 11 09:09:02 2023 -> *updatedb: daily database update failed.
> Mon Sep 11 09:09:02 2023 -> Trying again in 5 secs...
> Mon Sep 11 09:09:07 2023 -> *check_for_new_database_version: Local copy of daily found: daily.cld.
> Mon Sep 11 09:09:07 2023 -> Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
> * Could not resolve host: database.clamav.net
> * Closing connection 0
> Mon Sep 11 09:09:07 2023 -> !remote_cvdhead: Download failed (6)
> Mon Sep 11 09:09:07 2023 -> ! Message: Couldn't resolve host name
> Mon Sep 11 09:09:07 2023 -> ^Failed to get daily database version information from server: https://database.clamav.net
> Mon Sep 11 09:09:07 2023 -> !check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
> Mon Sep 11 09:09:07 2023 -> *updatedb: daily database update failed.
> Mon Sep 11 09:09:07 2023 -> Giving up on https://database.clamav.net...
> Mon Sep 11 09:09:07 2023 -> !Update failed for database: daily
> Mon Sep 11 09:09:07 2023 -> !Database update process failed: HTTP GET failed
> Mon Sep 11 09:09:07 2023 -> !Update failed.
> 
> I checked with my firewall guy that port 53 was open udp and tcp and he said yes.
> I checked with the FAQ and DNS resolution is working and also the dig command:
> 
> /tmp# nslookup database.clamav.net
> Server:         8.8.8.8
> Address:        8.8.8.8#53
> 
> Non-authoritative answer:
> database.clamav.net     canonical name = database.clamav.net.cdn.cloudflare.net.
> Name:   database.clamav.net.cdn.cloudflare.net
> Address: 104.16.219.84
> Name:   database.clamav.net.cdn.cloudflare.net
> Address: 104.16.218.84
> Name:   database.clamav.net.cdn.cloudflare.net
> Address: 2606:4700::6810:db54
> Name:   database.clamav.net.cdn.cloudflare.net
> Address: 2606:4700::6810:da54
> 
> /tmp# dig @ns1.clamav.net db.us.big.clamav.net
> 
> ; <<>> DiG 9.16.1-Ubuntu <<>> @ns1.clamav.net db.us.big.clamav.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63233
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;db.us.big.clamav.net.          IN      A
> 
> ;; Query time: 104 msec
> ;; SERVER: 193.28.86.61#53(193.28.86.61)
> ;; WHEN: Mon Sep 11 09:19:06 EDT 2023
> ;; MSG SIZE  rcvd: 49
> 
> With curl, the download is partial:
> 
> /tmp# curl -O http://database.clamav.net/daily.cvd
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100  4899    0  4899    0     0   199k      0 --:--:-- --:--:-- --:--:--  199k
> 
> Anyone have an idea on what could be my problem?
> 
> Thanks in advance,
> Serge
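Two checks for the symptoms in the thread above, added here as an example (not code from the thread or from the ClamAV project). nslookup with an explicit 8.8.8.8 bypasses the host's configured resolver, while freshclam resolves through libcurl and the C library's resolver, so getent hosts is the query that reproduces what freshclam does. And curl -O without -f writes whatever the server returned, an error page included, to a file named daily.cvd; a genuine CVD starts with the text header ClamAV-VDB:, which is a cheap thing to verify before trusting a download. The --live switch, the hostnames and the constructed sample files in the checks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ClamAV project code: reproduce what freshclam sees instead of what
# an ad-hoc nslookup sees, and never trust a download that is not a CVD.

# freshclam resolves names through libcurl and the C library resolver (nsswitch.conf,
# resolv.conf). 'nslookup name 8.8.8.8' talks to Google directly and can succeed while
# that path is broken; getent goes through the same resolver freshclam does.
resolver_check() {
    getent hosts "$1" && return 0
    echo "system resolver cannot resolve $1; freshclam will report CURLcode 6" >&2
    return 1
}

# A real CVD/CLD begins with a 512-byte text header "ClamAV-VDB:<build time>:<version>:...".
# A few-kilobyte file without it is something else, typically an HTML error page.
is_cvd() {
    [ "$(head -c 11 "$1" 2>/dev/null)" = "ClamAV-VDB:" ]
}

# 'curl -O URL' writes the body of a 403 to daily.cvd as happily as a real database.
# Fail on HTTP errors (-f), download to a temporary name, and keep only a verified CVD.
fetch_cvd() {
    url="$1"; out="$2"
    if curl -fsSL -o "$out.part" "$url" && is_cvd "$out.part"; then
        mv "$out.part" "$out"
    else
        rm -f "$out.part"
        echo "$url did not yield a CVD" >&2
        return 1
    fi
}

# Live run (network): sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    resolver_check database.clamav.net && fetch_cvd https://database.clamav.net/daily.cvd ./daily.cvd
fi
```

If getent fails where nslookup to 8.8.8.8 succeeds, the firewall question is not "is port 53 open" but "can the resolver named in /etc/resolv.conf be reached from this host".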


Re: [clamav-users] ClamAV Issue - 127.0.0.1:3310 Connection refused

2023-08-22 Thread Joel Esler via clamav-users
Yup. Looks like your FreshClam can't reach the internet. Or DNS is messed up. Or something.

> On Aug 22, 2023, at 3:10 PM, Mona AlRekabi  wrote:
> 
> Kindly, find the attached file
> 



Re: [clamav-users] ClamAV Issue - 127.0.0.1:3310 Connection refused

2023-08-22 Thread Joel Esler via clamav-users
Is perhaps your freshclam update attempting to connect to localhost or something?

Sent from my iPhone

> On Aug 22, 2023, at 03:54, Mona AlRekabi via clamav-users wrote:
> 
> Dear,
> 
> Kindly, we installed ClamAV Antivirus on Windows Server and we face the following issue:
> 
> No connection could be made because the target machine actively refused it 127.0.0.1:3310
> 
> Please provide us with the suggested solutions for this issue.
> 
> Thank you & Best Regards,
> Mona


Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Joel Esler via clamav-users
403 is a specific ban. Maybe by country or an IP specifically.

— 
Sent from my iPhone

> On Jul 11, 2023, at 02:50, Łukasz Baniecki via clamav-users 
>  wrote:
> 
> Today I did a clean cvd update, meaning I removed everything in
> /var/lib/clamav, I flushed my fw rules, so it won't block anything, I
> have clamav version 0.103.8 which is LTS, so it shouldn't be banned.
> Here is the full log of freshclam: https://pastebin.com/RbSNnM5C
> It specifically says I get 403 from Cloudflare. I must be banned,
> otherwise I don't know where to look.
> 
>> -- Forwarded message --
>> From: newcomer01 
>> To: "Łukasz Baniecki via clamav-users" 
>> Cc:
>> Bcc:
>> Date: Wed,  5 Jul 2023 08:42:15 +
>> Subject: Re: [clamav-users] Cloudflare ban?
>> Hi,
>> 
>> please check to freshclam.log for more detailed informations whats going on.
>> 
>> kind greetings
>> Marc
>> 
>> Von / From: Clamav User Mailinglist 
>> An / To: Newcomer01 
>> CC / CC: Łukasz Baniecki 
>> Gesendet / Sent: Mittwoch, Juli 05, 2023 um 10:21 (at 10:21 AM) +0200
>> Betreff / Subject: [clamav-users] Cloudflare ban?
>>> Hi,
> >>> I already wrote in this topic earlier this year, about my IP
>>> (95.215.234.142) being blocked, so cvdupdate doesn't work. You helped
>>> me, so you are not blocking my ip and suggested that maybe I'm blocked
>>> on cloudflare. I have made more tests and I think that must be it, so
>>> I just did freshclam --verbose and here is my Cloudflare Ray ID:
>>> 7e1e292a4fe60046-WAW. Please check if at some level I am blocked and
>>> if so, why? Note: I'm not from Russia, I am from Poland.
> 
> 
> 
> 
> --
> pozdrawiam,
> Łukasz Baniecki


Re: [clamav-users] How do I get something added to the ignore list

2023-06-08 Thread Joel Esler via clamav-users
What db do you think you want to add it to?

Sent from my iPhone

> On Jun 8, 2023, at 12:35, Tim McConnell via clamav-users wrote:
> 
> Thanks for that Al, now how do I add to the DB? Two things I'm not is a programmer or DBA :-(
> 
> --
> Tim McConnell
> 
> On Thu, 2023-06-08 at 05:01 -0700, Al Varnell wrote:
>> First get the file's hash value:
>> 
>> sigtool --md5 /home/tmick/.config/libreoffice/4/user/basic/Standard/Module1.xba
>> 
>> Then copy the results to an fp.local file. You will probably have to create such a file and add it to the ClamAV database.
>> 
>> -Al-
>> 
>>> On Jun 7, 2023, at 11:45 AM, Tim McConnell via clamav-users wrote:
>>> 
>>> Hi all, I get this in my report:
>>> 
>>> /home/tmick/.config/libreoffice/4/user/basic/Standard/Module1.xba: PUA.Doc.Tool.LibreOfficeMacro-2 FOUND
>>> 
>>> How do I request the macro be added to the safe list? Thanks!
>>> 
>>> --
>>> Tim McConnell
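How the two local-whitelist mechanisms look in practice, as an added example (not from the thread, and not ClamAV's own tooling). ClamAV loads whitelist files by extension from its database directory: a file ending in .fp holds MD5:size:name lines, the format sigtool --md5 prints, and suppresses detections on that exact file content; a file ending in .ign2 holds signature names to ignore everywhere. The example computes the .fp line with md5sum so it runs without ClamAV installed, and shows the .ign2 alternative for the PUA signature named in the report. The file names local.fp and local.ign2, the /var/lib/clamav directory, the --apply switch and the sample file in the checks are assumptions.

```shell
#!/bin/sh
# Added example, not ClamAV project code: whitelist one file locally.
# Needs only coreutils; 'sigtool --md5 FILE' prints the same "md5:size:name" line.

# ClamAV loads files with a .fp extension from its database directory as MD5 whitelists.
# Each line is MD5:size:name, exactly what 'sigtool --md5 FILE' prints.
fp_line() {
    f="$1"
    md5=$(md5sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$(basename "$f")"
}

# The broader alternative: ignore a signature *name* everywhere, one per line in a .ign2
# file. That disables the detection for every file, so prefer the hash whitelist unless
# the signature itself is wrong for your environment.
ign2_line() {
    printf '%s\n' "$1"
}

# Append an entry to a database-directory file without duplicating it.
add_entry() {
    line="$1"; file="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

if [ "${1:-}" = "--apply" ]; then
    DBDIR=${DBDIR:-/var/lib/clamav}          # DatabaseDirectory from clamd.conf; default assumed
    TARGET=/home/tmick/.config/libreoffice/4/user/basic/Standard/Module1.xba
    add_entry "$(fp_line "$TARGET")" "$DBDIR/local.fp"
    # Broader alternative for the signature in the report:
    # add_entry "$(ign2_line PUA.Doc.Tool.LibreOfficeMacro-2)" "$DBDIR/local.ign2"
    clamdscan --reload                       # a running clamd only sees the new file after a reload
    clamscan --quiet "$TARGET" && echo "no longer flagged"
fi
```

The hash entry stops working as soon as the macro file changes, which is the point: it clears one known-good file, not every file that trips the signature.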


Re: [clamav-users] [EXTERNAL] Re: Off Line Signature updates.

2023-02-02 Thread Joel Esler via clamav-users
You should use one of these tools to download the packages and keep them up to date.

Sent from my iPhone

> On Jan 30, 2023, at 11:27, GARLICK, Andy W wrote:
> 
> Thanks Joel,
> 
> It seems like it is no longer possible to download the signatures directly. If they can be, could you provide the link please?
> The ClamAV web site now states:
> 
> FreshClam should perform these updates automatically. Instructions for setting up FreshClam can be found in the documentation section.
> If your network is segmented or the end hosts are unable to reach the internet, you should investigate setting up a private local mirror using the cvdupdate tool.
> 
> Kind Regards
> Andy
> 
> NATS Internal
> 
> From: Joel Esler
> Sent: 30 January 2023 15:35
> To: ClamAV users ML
> Cc: GARLICK, Andy W
> Subject: [EXTERNAL] Re: [clamav-users] Off Line Signature updates.
> 
>> Andy,
>> 
>> You can download them on a standalone machine and move them over via thumb drive.
>> 
>>> On Jan 30, 2023, at 10:30 AM, GARLICK, Andy W via clamav-users wrote:
>>> 
>>> Hi CLAMAV,
>>> 
>>> We only operate an air gapped system but still require anti-malware.
>>> 
>>> Do you provide any options (free or paid) that would enable us to download signature updates without the use of private local mirrors running cvdupdate or freshclam?
>>> 
>>> Many thanks
>>> Andy
>>> 
>>> NATS Internal
> 
> If you are not the intended recipient, please notify our Help Desk at Email information.soluti...@nats.co.uk immediately. You should not copy or use this email or attachment(s) for any purpose nor disclose their contents to any other person.
> 
> NATS computer systems may be monitored and communications carried on them recorded, to secure the effective operation of the system.
> 
> Please note that neither NATS nor the sender accepts any responsibility for viruses or any losses caused as a result of viruses and it is your responsibility to scan or otherwise check this email and any attachments.
> 
> NATS means NATS (En Route) plc (company number: 4129273), NATS (Services) Ltd (company number 4129270), NATSNAV Ltd (company number: 4164590) or NATS Ltd (company number 3155567) or NATS Holdings Ltd (company number 4138218). All companies are registered in England and their registered office is at 4000 Parkway, Whiteley, Fareham, Hampshire, PO15 7FL.


Re: [clamav-users] Off Line Signature updates.

2023-01-30 Thread Joel Esler via clamav-users
Andy,

You can download them on a standalone machine and move them over via thumb 
drive.



> On Jan 30, 2023, at 10:30 AM, GARLICK, Andy W via clamav-users 
>  wrote:
> 
> Hi CLAMAV,
>  
> We only operate an air gapped system but still require anti-malware.
>  
> Do you provide any options (free or paid) that would enable us to download 
> signature updates without the use of private local mirrors running cvdupdate 
> or freshclam?
>  
> Many thanks
> Andy
> 
> NATS Internal

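A procedure for the air-gapped case in the thread above, as an added example that is neither the thread's nor the ClamAV project's code. It follows the advice given there: keep a mirror copy current with cvdupdate on a connected machine, carry the bundle across, and on the inside refuse to publish any file that is not a real CVD (text header ClamAV-VDB:) before the internal hosts fetch from it through freshclam's PrivateMirror option. The cvd update / cvd serve commands and the ~/.cvdupdate/database default are taken from cvdupdate's README and assumed here; the bundle path, the mirror hostname, the --export/--verify/--conf switches and the sample files in the checks exist only in this example.

```shell
#!/bin/sh
# Added example, not ClamAV project or cvdupdate code: move signatures into an air-gapped
# network (download outside, carry across, verify and serve inside).

# Outside: cvdupdate keeps a mirror-ready copy of the databases (default directory
# ~/.cvdupdate/database, per its README; assumed here). Bundle it with a checksum to
# compare after the transfer.
export_bundle() {
    dbdir="$1"; bundle="$2"
    cvd update && tar -C "$dbdir" -cf "$bundle" . && sha256sum "$bundle"
}

# Anywhere: a real CVD/CLD starts with the text header "ClamAV-VDB:<build time>:<version>:...".
is_cvd() { [ "$(head -c 11 "$1" 2>/dev/null)" = "ClamAV-VDB:" ]; }
cvd_version() { head -c 512 "$1" | cut -d: -f3; }

# Inside: refuse to publish a directory in which any database file is not a CVD.
# Prints "<name> <version>" per file and returns 1 if anything is wrong.
verify_db_dir() {
    dir="$1"; rc=0
    for f in "$dir"/*.cvd "$dir"/*.cld; do
        [ -e "$f" ] || continue
        if is_cvd "$f"; then
            printf '%s %s\n' "$(basename "$f")" "$(cvd_version "$f")"
        else
            printf '%s NOT A CVD\n' "$(basename "$f")" >&2
            rc=1
        fi
    done
    return $rc
}

# Inside: the freshclam.conf line for the internal hosts. Per freshclam.conf.sample,
# PrivateMirror makes freshclam fetch from that host only and skip the DNS-based version
# check it could not do offline. Serve the verified directory with 'cvd serve' (port 8000
# in cvdupdate's README) or any web server rooted there.
freshclam_private_mirror_conf() {
    printf 'PrivateMirror %s\n' "$1"
}

case "${1:-}" in
    --export) export_bundle "${2:-$HOME/.cvdupdate/database}" "${3:-clamav-db.tar}" ;;
    --verify) verify_db_dir "${2:-/srv/clamav}" ;;
    --conf)   freshclam_private_mirror_conf "${2:-mirror.internal.example}" ;;
esac
```

The header check is deliberately cheap; on the inside, where ClamAV is installed, sigtool --info on each file additionally verifies the database's digital signature before it is served.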


Re: [clamav-users] Errors after using clamdscan

2023-01-12 Thread Joel Esler via clamav-users


> On Jan 12, 2023, at 11:19, Matus UHLAR - fantomas  wrote:
> 
> On 12.01.23 18:34, Antonio Galdieri via clamav-users wrote:
>> We are trying to use the clamdscan command with a scripts that sends us the
>> results of the scan via mail, problem is, whenever we try to use the script
>> we get the errors that you can see in the picture i attached.
> 
> So, you get error in textual form and do a screenshot?
> even if the errors are in e-mail you could copy and paste from?

Here you go:

/sys/fs/xfs/dm-5/error/metadata/EIO/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-5/error/metadata/EIO/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-5/error/metadata/ENOSPC/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-5/error/metadata/ENOSPC/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-5/error/metadata/ENODEV/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-5/error/metadata/ENODEV/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-5/log/log_head_lsn: Can't read file ERROR
/sys/fs/xfs/dm-5/log/log_tail_lsn: Can't read file ERROR
/sys/fs/xfs/dm-5/log/reserve_grant_head: Can't read file ERROR
/sys/fs/xfs/dm-5/log/write_grant_head: Can't read file ERROR
/sys/fs/xfs/dm-2/stats/stats: Can't read file ERROR
/sys/fs/xfs/dm-2/stats/stats_clear: Failed to open file
/sys/fs/xfs/dm-2/error/fail_at_unmount: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/default/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/default/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/EIO/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/EIO/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/ENOSPC/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/ENOSPC/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/ENODEV/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-2/error/metadata/ENODEV/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-2/log/log_head_lsn: Can't read file ERROR
/sys/fs/xfs/dm-2/log/log_tail_lsn: Can't read file ERROR
/sys/fs/xfs/dm-2/log/reserve_grant_head: Can't read file ERROR
/sys/fs/xfs/dm-2/log/write_grant_head: Can't read file ERROR
/sys/fs/xfs/dm-4/stats/stats: Can't read file ERROR
/sys/fs/xfs/dm-4/stats/stats_clear: Failed to open file
/sys/fs/xfs/dm-4/error/fail_at_unmount: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/default/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/default/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/EIO/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/EIO/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/ENOSPC/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/ENOSPC/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/ENODEV/max_retries: Can't read file ERROR
/sys/fs/xfs/dm-4/error/metadata/ENODEV/retry_timeout_seconds: Can't read file ERROR
/sys/fs/xfs/dm-4/log/log_head_lsn: Can't read file ERROR
/sys/fs/xfs/dm-4/log/log_tail_lsn: Can't read file ERROR
/sys/fs/xfs/dm-4/log/reserve_grant_head: Can't read file ERROR
/sys/fs/xfs/dm-4/log/write_grant_head: Can't read file ERROR
/sys/fs/nfs/net/nfs_client/identifier: Can't read file ERROR

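Every path in the list above is a sysfs entry: a kernel interface that is not readable as an ordinary file and carries nothing worth scanning, so the usual fix is to keep clamd out of /sys, /proc and /dev rather than to make those reads succeed. The script below is an added example, not ClamAV's code or the poster's. It counts the clamdscan error lines that come from those trees (the sample lines in the check are constructed from the output above) and prints the clamd.conf ExcludePath regexes, and the equivalent clamscan --exclude-dir switch, that stop them. clamdscan itself has no exclusion option: with clamdscan the exclusions must live in clamd.conf, followed by a clamd restart.

```shell
#!/bin/sh
# Added example, not ClamAV project code: find clamdscan errors that come from pseudo
# filesystems and print the exclusions that keep clamd out of them.

# clamdscan output lines look like "<path>: Can't read file ERROR" or
# "<path>: Failed to open file". Count those whose path lives under /sys, /proc or /dev.
pseudo_fs_errors() {
    grep -E '^/(sys|proc|dev)/.*(ERROR|Failed to open file)' | wc -l | tr -d ' '
}

# clamd.conf takes ExcludePath as a regular expression; anchor it at the start of the
# path so a directory that merely contains "sys" elsewhere in its name is not skipped.
exclude_path_lines() {
    cat <<'EOF'
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
EOF
}

# For a one-off clamscan run the same idea is a command-line switch.
clamscan_exclude_arg() {
    printf '%s\n' '--exclude-dir=^/(proc|sys|dev)/'
}

# Pipe clamdscan output in to see how many of its errors are pseudo-filesystem noise:
#   clamdscan -m / 2>&1 | tee scan.log | sh this_script.sh
if [ ! -t 0 ]; then
    n=$(pseudo_fs_errors)
    echo "$n errors under /sys, /proc or /dev; add to clamd.conf and restart clamd:"
    exclude_path_lines
fi
```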


Re: [clamav-users] Anyone else having trouble reaching the ClamAV website?

2023-01-09 Thread Joel Esler via clamav-users
The system is probably set up that way on purpose to discourage automated bots 
from pounding on the site constantly, and ensure that the browser visiting the 
site is actually a human.

— 
Sent from my iPad

> On Jan 6, 2023, at 14:55, Paul Kosinski via clamav-users 
>  wrote:
> 
> I occasionally see a similar message from sites other than clamav.net saying 
> something equivalent to Cloudflare's "review the security of your connection".
> 
> The phrasing is pure gaslighting. It isn't for *connection* security -- HTTPS 
> provides *that*. What it really means is that the site is trying to search 
> your computer by running some Javascript (which I block by default via 
> NoScript, thus causing the message). They assume, probably correctly, that 
> most visitors will think it's for *their* benefit  After all, security is 
> good, isn't it? 
> 
> Why can't Cloudflare et al be honest and say that they're trying to avoid 
> Denial of Service attacks and other bandwidth overload?
> 
> 
> 
>> On Thu, 5 Jan 2023 10:18:38 -0500
>> Kris Deugau  wrote:
>> 
>> I went to load a semi-bookmarked page for signature writing 
>> (https://docs.clamav.net/manual/Signatures.html), but it failed and kept 
>> reloading Cloudflare's "security check" voodoo.
>> 
>> (Side question to pass up the chain at Cisco/Talos - is there a knob 
>> that can be twisted somewhere to force that check to run exactly once, 
>> then stop?  I can't imagine any scenario where running it over and over 
>> and over has any benefit to anyone.  [And for bonus points, display an 
>> error message that gives some sliver of a hint what 
>> beyond-the-bleeding-edge headacheware the site or its security provider 
>> insist on relying on this week.])
>> 
>> I then tried to load the main site, https://www.clamav.net, which also 
>> went into the same loop.
>> 
>> I usually use Seamonkey (all-in-one Mozilla suite).  I tried Konqueror 
>> which seemed to load things up fine.
>> 
>> Since starting to write this and putting it aside, I've come across a 
>> small handful of other sites with the same issue, including one case 
>> where the base site triggered the issue but a directory under the base 
>> site did not.  Since I'm *not* seeing it across a large number of sites, 
>> it's pretty clearly some specific security option in Cloudflare causing 
>> the failure.
>> 
>> -kgd


Re: [clamav-users] How many viruses/malware is clamav protecting us from?

2022-12-15 Thread Joel Esler via clamav-users
Technically speaking, this is an impossible question to answer.

Since there are millions of pieces of detection in ClamAV, but one piece of 
detection can cover millions of pieces of malware.

> On Dec 15, 2022, at 9:09 AM, Michael Kyriacou via clamav-users 
>  wrote:
> 
> Hello, is there a way to see how viruses/malware clamav current protects us 
> from. Additionally, is there a way to see the amount of added virus 
> definitions/signatures per update if clamav? 



Re: [clamav-users] Information about the signature database

2022-12-09 Thread Joel Esler via clamav-users
The Talos team should be able to tell you; if you give them the name of the 
detection, they can look it up.  

— 
Sent from my iPhone

> On Dec 9, 2022, at 07:10, Al Varnell via clamav-users 
>  wrote:
> 
> Yes, I simply search the dailies. If you give me the signature name I can do 
> that for you tomorrow.
> 
> Sent from my iPad
> 
> -Al-
> 
>>> On Dec 9, 2022, at 02:59, Mark Allan via clamav-users 
>>>  wrote:
>>> 
>> Al will probably be along shortly to correct me (he's quite good at 
>> tracking down when items were added to the DB), but as far as I know, the 
>> only way is to search the archive of posts to the clamav-virusdb mailing 
>> list.
>> 
>>  https://lists.clamav.net/pipermail/clamav-virusdb/
>> 
>> Mark
>> 
>>> On 9 Dec 2022, at 9:37 am, Alessandro Cortina  wrote:
>>> 
>>> Hello,
>>> 
>>> is there a mean which I can see when a specific signature has been insert 
>>> in the signature database?
>>> I'm doing a forensics digital investigation and I'm trying to discover for 
>>> how long the malware was known to the ClamAV Database.
>>> 
>>> Thanks for support.
>>> 
>>> Alessandro
>>> .
>>> Alessandro Cortina 
>>> 
>>>  .
>> 
> ___
> 
> Manage your clamav-users mailing list subscription / unsubscribe:
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
> 
> https://docs.clamav.net/#mailing-lists-and-chat
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Joel Esler via clamav-users
You wouldn’t download the cld from the server.  Or am I reading this thread 
wrong. 

— 
Sent from my iPhone

> On Oct 28, 2022, at 04:15, Ralf Hildebrandt via clamav-users 
>  wrote:
> 
> * Yasuhiro Kimura :
> 
>> I experienced same problem while I'm working to update FreeBSD ClamAV
>> port to 1.0.0-rc. It happens if ClamAV is built with external
>> TomsFastMath library (that is, ENABLE_EXTERNAL_TOMSFASTMATH option is
>> ON).
>> 
>> See issue #736 for more detail.
>> 
>> https://github.com/Cisco-Talos/clamav/issues/736
> 
> Ah, interesting. I'm using the *.deb from
> http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb
> 
> -- 
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
> 
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
> 
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de


Re: [clamav-users] on my microsoft windows with both edited freshclam.conf and clamd.conf unfornately i can't update and i can't scan

2022-10-17 Thread Joel Esler via clamav-users
Please read the first five lines of the FreshClam.conf file.  You have to at 
least try to configure it, Dorian.  The mailing lists are not a place for us to do 
your work for you.

> On Oct 17, 2022, at 10:24 AM, Dorian ROSSE  wrote:
> 
> Joel you answer aside the problems ...
> 
> I understand the problems went by a bad configuration of file but I don't 
> know where are the errors thus I need your help because I have did as on 
> Linux by launch freshclam with both rights unfortunately this isn't the 
> problems,
> 
> Thanks you in advance to bring a real help,
> 
> Regards.
> 
> 
> Dorian Rosse.
> From: Joel Esler 
> Sent: Monday, October 17, 2022 1:04:50 PM
> To: ClamAV users ML 
> Cc: Dorian ROSSE 
> Subject: Re: [clamav-users] on my microsoft windows with both edited 
> freshclam.conf and clamd.conf unfornately i can't update and i can't scan
>  
> Dorian it looks like all your errors are below.  Read the output. 
> 
> — 
> Sent from my iPhone
> 
>> On Oct 16, 2022, at 03:21, Dorian ROSSE via clamav-users 
>>  wrote:
>> 
>> 
>> 
>> ‘’’
>> PS C:\Program Files\ClamAV> ./freshclam.exe
>> ERROR: Please edit the example config file C:\Program 
>> Files\ClamAV\freshclam.conf
>> ERROR: Can't open/parse the config file C:\Program 
>> Files\ClamAV\freshclam.conf
>> ‘’’
>>  
>> ‘’’
>> PS C:\Program Files\ClamAV> ./clamscan.exe -r --remove /
>> LibClamAV Error: cli_loaddbdir: No supported database files found in 
>> C:\Program Files\ClamAV\database
>> ERROR: Can't open file or directory



Re: [clamav-users] on my microsoft windows with both edited freshclam.conf and clamd.conf unfornately i can't update and i can't scan

2022-10-17 Thread Joel Esler via clamav-users
Dorian it looks like all your errors are below.  Read the output. 

— 
Sent from my iPhone

> On Oct 16, 2022, at 03:21, Dorian ROSSE via clamav-users 
>  wrote:
> 
> 
> 
> ‘’’
> PS C:\Program Files\ClamAV> ./freshclam.exe
> ERROR: Please edit the example config file C:\Program 
> Files\ClamAV\freshclam.conf
> ERROR: Can't open/parse the config file C:\Program Files\ClamAV\freshclam.conf
> ‘’’
>  
> ‘’’
> PS C:\Program Files\ClamAV> ./clamscan.exe -r --remove /
> LibClamAV Error: cli_loaddbdir: No supported database files found in 
> C:\Program Files\ClamAV\database
> ERROR: Can't open file or directory
> 


Re: [clamav-users] ClamAV Action is not working on WHM/cPanel

2022-10-13 Thread Joel Esler via clamav-users
I am betting that Inmotion is running an old version of ClamAV that can’t 
update anymore.  

I’d bet money on that.

> On Oct 13, 2022, at 1:43 PM, Javier Camacho via clamav-users 
>  wrote:
> 
> Hi there, I am not sure if this the correct channel to request help. We have 
> a dedicated WHM/cPanel server at Inmotion Hosting. We have been using ClamAV 
> for years and it still working well to detect email infected and delete/move 
> them using a cronjob at cPanel level, but not sure since what version of 
> WHM/cPanel, ClamAV stopped executing an action (delete of move email 
> infected). Inmotion hosting support said that they cannot help us with a 3er 
> party application, so, I was wondering if somebody can point me to the right 
> direction to this problem. Thanks.
>  


Re: [clamav-users] Are there test results for ClamAV and which malware is supported

2022-10-07 Thread Joel Esler via clamav-users
Some tidbits from me.  I do not speak for Cisco.

> On Oct 6, 2022, at 5:21 PM, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Thu, 6 Oct 2022, Julia - via clamav-users wrote:
> 
>> I have a general question to ClamAV regarding how good ClamAV is.
> 
> It's a good question.  Most people seem not to ask it.

It’s because AV Comparative tests want to charge the vendors to do the test.  
That’s how they make their money, off of selling the test to the vendors for 
the vendors to prove how good they are, and then they charge YOU the public for 
the results of the test.  ClamAV doesn’t participate in said tests because of 
that.  Well, speaking from when I was in charge of the project, which I haven’t 
been in quite some time now.


>> In the internet there are lot of tests with other known products but
>> I cannot find any for ClamAV.  So, are there any tests or reviews?
> 
> I'm slightly surprised you can't find any reviews.  I've seen a few
> which I wasn't really looking for, and just now when I ran the search
> "ClamAV review" there were at least dozens of hits, too many to count.
> 
> There are Wikipedia articles, for example
> 
> https://en.wikipedia.org/wiki/Comparison_of_antivirus_software

Unfortunately, I see some errors in this already, not only for ClamAV, but for 
other vendors as well.  Alas, the problem with crowd-sourced encyclopedias.  

> 
> which might help your research.
> 
> For any individual ClamAV user the value of reviews is debatable for
> several reasons.  For example there are many options in the ClamAV
> configuration; a reviewer might choose options which are different
> from those which you choose; a reviewer might have an axe to grind
> which you don't; you might be interested in only particular kinds of
> threats.  Every installation is different.  I only scan mail, I never
> scan filesystems; others only scan filesystems and never mail.  Some
> people run Windows boxes, I (usually) don't.
> 
> I'd say it's better to make your own assessment of the effectiveness
> in real use.  You can find some of my own assessments in the mailing
> list archives.

This assessment is ultimately correct, and spoken by someone who has 
obviously spent some time in the industry.  Effectiveness is different for 
everyone.  What is effective for you, may not be effective for someone else who 
has a completely different OS and security posture make up.


> 
>> My second question is: Which malwares are in ClamAVs database, only
>> for Linux or also for Windows and Android, etc.?
> 
> Any and every kind of malware is a candidate for inclusion in the
> 'Official' ClamAV signature database.  ClamAV relies a great deal on
> signatures; although it has other ways of detecting threats it can
> never really be very much better than the signature database that it's
> using but anyone can submit samples of malware to the ClamAV malware
> team - indeed everyone is encouraged to do that.  There are numerous
> what we call "third-party" signature databases, each of which has its
> own set of guidelines.  Currently there are 81 files in our ClamAV
> database and only three of them are the ClamAV 'official' files.

Correct.  ClamAV covers all kinds of malware, OS independent.


> 
>> Is there a list where you can see all "supported" malwares?
> 
> Be careful what you wish for, there are around ten million of them.
> 
> Most files in the signature databases are plain text, and most of them
> have one signature per line.  Many of the lines contain the "name" of
> the malware or threat or whatever it is.  They aren't all malware, and
> the name won't mean very much, it's more or less just an identifier.
> It isn't going to be very educational but you can just read them, or
> you can for example run 'grep' on a file to count the numbers of some
> words contained in it such as 'Win.' (not 'Windows'):
> 
> $ grep -a 'Win\.' daily.cld | wc -l
> 323501
> 
> Try also for example 'Pdf' and 'Doc'.
> 
> Naming of threats is a perennial problem, there are usually several
> names for each threat, some of which are used by several anti-virus
> vendors and some by only one or two.

Largely the system that creates the names for ClamAV detection is automated and 
is based off of the most prevalent names that other vendors give it, from what 
I understand.

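The grep count above works because official signature names follow a fixed scheme. The script below is added here as an illustration and is not code from the thread or from the ClamAV project. It parses names of the form {platform}.{category}.{name}-{signature id}-{revision} (the scheme ClamAV documents for its own signatures) and tallies platforms and categories over a small constructed signature list in .ndb layout (name:target:offset:hex). Apart from the Xls name quoted elsewhere on this page, the sample names and bodies are made up, and anything that does not fit the scheme (legacy or third-party names) is reported rather than guessed at:

```python
"""Tally ClamAV signature names by platform and category.

Added example, not code from the clamav-users thread or the ClamAV project.
Official names follow {platform}.{category}.{name}-{signature id}-{revision};
older "Legacy" names and third-party names do not always fit, so the parser
reports those separately instead of guessing.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# {platform}.{category}.{name}-{id}-{rev}; the name part may itself contain
# dots and hyphens, so anchor on the trailing "-<digits>-<digits>".
_SIG_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)\.(?P<category>[A-Za-z0-9]+)\."
    r"(?P<name>.+)-(?P<sig_id>\d+)-(?P<rev>\d+)$"
)


@dataclass(frozen=True)
class SigName:
    platform: str
    category: str
    name: str
    sig_id: int
    revision: int


def parse_sig_name(raw: str) -> SigName | None:
    """Return the parsed parts of a signature name, or None if it does not fit."""
    m = _SIG_RE.match(raw.strip())
    if not m:
        return None
    return SigName(
        platform=m["platform"],
        category=m["category"],
        name=m["name"],
        sig_id=int(m["sig_id"]),
        revision=int(m["rev"]),
    )


def tally_platforms(lines) -> tuple[Counter, Counter, list[str]]:
    """Count platforms and platform.category pairs across signature lines.

    Lines are taken in the one-signature-per-line text form used by most
    ClamAV database files (.ndb/.hdb/.ldb): the name is the field before the
    first ':'. Unparseable names are returned so they can be inspected
    rather than silently dropped.
    """
    platforms: Counter = Counter()
    categories: Counter = Counter()
    unparsed: list[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        sig = parse_sig_name(name)
        if sig is None:
            unparsed.append(name)
            continue
        platforms[sig.platform] += 1
        categories[f"{sig.platform}.{sig.category}"] += 1
    return platforms, categories, unparsed


# Constructed sample in .ndb layout (name:target:offset:hex). The hex bodies
# are placeholders; only the names matter here. The Xls name is the one quoted
# in the False Positive thread on this page; the others are made up.
SAMPLE_DB = """\
Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0:0:*:4d5a
Win.Trojan.Agent-1234567-1:1:*:4d5a9000
Win.Malware.Generic-7654321-2:1:*:50450000
Pdf.Exploit.CVE_2010_0188-1000001-0:0:*:25504446
Doc.Dropper.Agent-2000002-0:0:*:d0cf11e0
Andr.Trojan.SmsSpy-3000003-1:0:*:504b0304
Legacy.Trojan.Agent-12345
"""


def demo() -> tuple[Counter, Counter, list[str]]:
    """Tally the constructed sample; returns (platforms, categories, unparsed)."""
    return tally_platforms(SAMPLE_DB.splitlines())


if __name__ == "__main__":
    plat, cat, bad = demo()
    for platform, n in plat.most_common():
        print(f"{platform:8s} {n}")
    print("unparsed:", bad)
```

To run it against a real database, unpack the .cvd/.cld with sigtool first and feed the resulting .ndb/.hdb/.ldb files to tally_platforms; grepping the container directly, as above, works only because .cld is an uncompressed archive.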

Re: [clamav-users] remove me

2022-09-12 Thread Joel Esler via clamav-users


> On Sep 9, 2022, at 12:40 PM, Matus UHLAR - fantomas  wrote:
> 
> On 09.09.22 12:29, Marc wrote:
>> What about doing some sort of IQ test before users subscribe something like 
>> 2+2=?
> 
> making unsubscribe easier would spare us from solving problems like these.
> 
> unfortunately, subscribing is often easier than unsubscribing which is not 
> good.

Subscribing and unsubscribing is the same amount of steps, from the same 
webpage.  I don’t understand why people are able to join a technical command 
line driven antivirus client email list, but can’t remove themselves.


Re: [clamav-users] remove me

2022-09-08 Thread Joel Esler via clamav-users
Check the bottom of every email sent to the list. 

— 
Sent from my  iPhone

> On Sep 8, 2022, at 14:16, Michael Piziak via clamav-users 
>  wrote:
> 
> remove me
> 


Re: [clamav-users] Best practices when using caching http proxy as cvd private mirror

2022-09-08 Thread Joel Esler via clamav-users
What I don’t understand about threads like this:

During my time at Cisco, Micah literally built multiple tools to correctly 
handle the CDN framework, CVDUPDATE and Freshclam itself, and people are going 
out of their way to try and fake CVDUPDATE to create a local mirror.  Which is 
literally what cvdupdate was invented for.  

> On Sep 8, 2022, at 3:59 AM, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Thu, 8 Sep 2022, Aaron Leliaert via clamav-users wrote:
> 
>> On https://docs.clamav.net/appendix/CvdPrivateMirror.html#use-an-http-proxy
>> Am looking for best practices on how an http proxy should be
>> configured in this scenario.  Some questions:
>> 1) What mechanism should a proxy use to detect a stale cached file?
>>  Want to avoid stale files obviously, but also reduce load to the
>> public mirrors and chance of rate limiting.
> 
> There are no public mirrors any more, it's a Content Delivery Network
> provided by Cloudflare which also provides some protection against
> Denial of Service attacks - which have been part of the landscape for
> some time now.  You probably don't need to worry about stale files, it
> happens occasionally but the signatures aren't updated much more often
> than daily and you could e.g. set up a cron job to mail you if nothing
> changes in your copy of the official signature database for 48 hours.
> I've been using ClamAV for about two decades and I can't remember the
> last time I had to do *anything* about it.  It Just Works.  Whether it
> will then find what you're looking for is another question entirely...
> 
>> 2) I see that curl requests to database.clamav.net fail unless I
>> override the User-Agent header to have a value similar to what
>> freshclam does, such as "CVDUPDATE/0".  If I have to manually set
>> this in a proxy, is there guidance on what a good future-proof value
>> is?  It feels weird to lie in the request.
> 
> Using curl and lying in the requests is likely to get the requesting
> IP banned.  My understanding is that you have two choices, you either
> use (preferably) freshclam or (if necessary) cvdupdate, and that the
> use of curl and similar is essentially forbidden.  You will see notes
> to this effect in the mailing list, many from Joel, if you search it.
> 
>> 3) Happy to hear any dissenting opinions on the HTTP proxy idea.
> 
> Now that the files are distributed by a Content Delivery Network, I
> think the need for local caching proxies is much reduced (the CDN can
> cope with much more traffic) but you will certainly want to avoid the
> appearance of being abusive.  That isn't too difficult unless you're
> managing a large number of clients on your network.  For a few dozen
> machines I haven't used a proxy for years.  What sort of numbers are
> you dealing with?
> 
> Please note that replies direct to my clamav@ address are rejected,
> it accepts mail only from the mailing list.
> 
> -- 
> 
> 73,
> Ged.


Re: [clamav-users] False Positive?

2022-08-11 Thread Joel Esler via clamav-users
Exactly the only answer that is correct to this email.  :) 

> On Aug 11, 2022, at 2:15 PM, Al Varnell via clamav-users 
>  wrote:
> 
> Did you submit to ?
> 
> -Al-
> -- 
> ClamXAV user
> 
> On Aug 11, 2022, at 11:01 AM, David Laxer wrote:
>> Clamav 0.105.1
>> 
>> Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND
>> 
>> /Applications/Keynote.app/Contents/SharedSupport/Templates/New_Template9/Wide.kth:
>>  Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND
>> /Applications/Keynote.app/Contents/SharedSupport/Templates/New_Template9_RTL/Wide.kth:
>>  Xls.Downloader.Emotet-fe81817e7e81807e-9951541-0 FOUND
> 
>  
> Powered by Mailbutler 
> 
>  - still your inbox, but smarter.
> 
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
> 
> https://docs.clamav.net/#mailing-lists-and-chat

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] Inquire about clamav latest stable version -

2022-08-01 Thread Joel Esler via clamav-users
 

> On Aug 1, 2022, at 15:36, Paul Kosinski  wrote:
> 
> On Thu, 28 Jul 2022 17:38:20 -0400
> Joel Esler  wrote:
> 
>> ClamAV is a Cisco project.  There’s no arguing that.
>> All of the original team are observed here: https://www.clamav.net/about
>> So, not sure what you’re getting at.  
> 
> The phrase "*the* authors of the software" rather implies that Cisco's Talos 
> are the only authors of the software. And G.W. Haywood seems to have agreed 
> with me on this that the phrasing could be misinterpreted.
> 
> 
> Cisco's Talos has indeed made ClamAV a lot better than it was years ago, but 
> they have kept much of the basic structure and, I would guess, some of the 
> original code.

Well of course.  When ClamAV was acquired by Sourcefire, Sourcefire hired the 
original developers until they all left to start another company.  ClamAV has 
continued to live on through the Cisco acquisition, and continues to be 
developed by Cisco. All code must pass through Cisco employees to be committed 
to the code base. Occasionally open source contributions are made to ClamAV, 
but even when that happens, it must pass through Cisco’s QA tests.  


Re: [clamav-users] Inquire about clamav latest stable version -

2022-07-28 Thread Joel Esler via clamav-users
ClamAV is a Cisco project.  There’s no arguing that. 

All of the original team are observed here: https://www.clamav.net/about

So, not sure what you’re getting at.  

— 
Sent from my  iPhone

> On Jul 28, 2022, at 16:56, Paul Kosinski via clamav-users 
>  wrote:
> 
> 
>> 
>> At the moment three versions are officially supported by Cisco's Talos, the 
>> authors of the software.
> 
> Cisco's Talos are the *current* authors of the software.
> 
> ClamAV was started in 2001 by Tomasz Kojm and a group of Open Source 
> enthusiasts. In 2007, they sold the software to Sourcefire (of Snort fame), 
> and the principal developers joined Sourcefire as employees.
> 
> Cisco acquired Sourcefire in 2013. Since the original software was covered by 
> the GPLv2 license, Cisco has kept the source code open (as they must), 
> including the many improvements they have made.
> 
> 
> The Wikipedia article on ClamAV barely mentions its origin, but it does have 
> two links:
> 
>  
> https://web.archive.org/web/20120206053729/http://www.emailbattles.com/2005/08/31/virus_aabejfhaib_ag/
>  
>  (Tomasz Kojm interview)
> 
>  https://web.archive.org/web/20080828173858/http://www.clamav.net/about/
> 
> The latter in turn links to the original developer team:
> 
>  https://web.archive.org/web/20080828173858/http://www.clamav.net/about/team/
> 
> 
> Disclaimer: I have never been associated with the development of ClamAV, but 
> I have used it since well before the Sourcefire acquisition. (I even have a 
> copy of the 0.88.4 source code from 2006!) 
> 
> In any case, I think the originators of ClamAV should get proper credit.


Re: [clamav-users] Permanently banned from clamav

2022-07-03 Thread Joel Esler via clamav-users
Freshclam and cvdupdate can be run as often as you want.  They check DNS to see 
if an update is needed before they attempt to download from the CDN, so knock 
yourself out.  

That being said, ClamAV only publishes updates once a day.  So hourly is PLENTY 
of time to run the check.  

— 
Sent from my  iPhone

> On Jul 3, 2022, at 12:51, Grant Taylor via clamav-users 
>  wrote:
> 
> On 7/3/22 1:07 AM, G.W. Haywood via clamav-users wrote:
>> Hi Grant,
> 
> Hi Ged,
> 
>> No.  My "Yes, it does." was in agreement with your "implies a cadence" but
>> I can see how it might be open to misinterpretation, for which I apologize.
> 
> Ah.  :-)  Thank you for the clarification.
> 
>> It was not my intention to make such a meal of this.
> 
> Sometimes these types of meals do more to feed (inform) people than one 
> realizes.  They tend to be shallower and wider than some other discussions.  
> As such they have the possibility to provide information to answer other 
> people's questions without knowing that such happens.
> 
>> Perhaps, but I think it accounts for millions of people all doing the
>> same thing, so now, it isn't allowed at all:
>> https://lists.clamav.net/pipermail/clamav-users/2021-March/010685.html
> 
> That's an informative message.
> 
> I'm sorry that there are so many abusers.  :-(
> 
>> I don't think anyone said that.
> Maybe it wasn't said directly, but that's what I took away from the spirit 
> of the discussion.  :-/
> 
> Calogero's response seems to be an example of someone that needs to use a web 
> browser to do the download for a technical reason.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 

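What that DNS check looks like, as an added example that is not freshclam's or cvdupdate's code: the updater compares the database versions advertised in the TXT record at current.cvd.clamav.net with the version field in the local .cvd/.cld header, and only downloads when the CDN is ahead. The field order of the TXT record (clamav-version:main:daily:update-time:...:bytecode) and the 512-byte "ClamAV-VDB:" header layout used below are my reading of the freshclam and libclamav sources and should be treated as assumptions to verify against a live record; all inputs are constructed so the script runs offline with no network access.

```python
"""Decide whether a ClamAV database download is needed, the way freshclam
and cvdupdate do: compare the version advertised in DNS with the version in
the local .cvd/.cld header, and only then fetch.

Added example for this thread; not freshclam's or cvdupdate's own code.
Assumptions: the TXT record at current.cvd.clamav.net is one colon-separated
string whose fields (as read from freshclam's source, so verify against a
live record) are clamav-version:main:daily:update-time:...:bytecode, and a
.cvd/.cld file starts with a 512-byte space-padded header of the form
ClamAV-VDB:<build date>:<version>:<sig count>:<flevel>:<md5>:<dsig>:<builder>:<stime>
Everything below runs offline on constructed input; no network calls.
"""
from __future__ import annotations

from dataclasses import dataclass

CVD_HEADER_LEN = 512
CVD_MAGIC = b"ClamAV-VDB:"

# Field positions in the TXT record (assumption, see module docstring).
TXT_FIELD = {"main": 1, "daily": 2, "bytecode": 7}


@dataclass(frozen=True)
class CvdHeader:
    build_date: str
    version: int
    sig_count: int
    flevel: int
    builder: str


def parse_cvd_header(blob: bytes) -> CvdHeader:
    """Parse the fixed 512-byte header at the start of a .cvd/.cld file."""
    if len(blob) < CVD_HEADER_LEN or not blob.startswith(CVD_MAGIC):
        raise ValueError("not a ClamAV-VDB header")
    fields = blob[:CVD_HEADER_LEN].rstrip(b" \0").decode("ascii").split(":")
    # ClamAV-VDB, date, version, sigs, flevel, md5, dsig, builder, stime
    if len(fields) < 9:
        raise ValueError("short header")
    return CvdHeader(
        build_date=fields[1],
        version=int(fields[2]),
        sig_count=int(fields[3]),
        flevel=int(fields[4]),
        builder=fields[7],
    )


def parse_dns_versions(txt: str) -> dict[str, int]:
    """Extract the advertised database versions from the TXT record string."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) <= max(TXT_FIELD.values()):
        raise ValueError("unexpected TXT record layout")
    return {name: int(fields[idx]) for name, idx in TXT_FIELD.items()}


def needs_update(local: CvdHeader | None, remote_version: int) -> bool:
    """True when the CDN advertises a newer version, or no local copy exists."""
    return local is None or local.version < remote_version


def make_header(version: int, sigs: int, date: str = "07 Mar 2024 10-11 -0500") -> bytes:
    """Build a constructed header of the assumed shape (MD5 and dsig are dummies)."""
    text = f"ClamAV-VDB:{date}:{version}:{sigs}:90:{'0' * 32}:dummysig:builder:1709810000"
    return text.encode("ascii").ljust(CVD_HEADER_LEN, b" ")


# Constructed inputs: a local daily.cld header at version 27075 and a DNS
# answer advertising 27207. Both values are made up for the demo.
LOCAL_DAILY = make_header(27075, 2050000)
DNS_ANSWER = '"0.103.11:62:27207:1709820000:1:90:49192:335"'


def decide(local_blob: bytes = LOCAL_DAILY, txt: str = DNS_ANSWER) -> dict[str, object]:
    """Return the local and remote daily versions and whether to download."""
    local = parse_cvd_header(local_blob)
    remote = parse_dns_versions(txt)
    return {
        "local": local.version,
        "remote": remote["daily"],
        "download": needs_update(local, remote["daily"]),
    }


if __name__ == "__main__":
    print(decide())
```

This is only the version comparison; the download itself, and dealing with the CDN's rate limiting, are still best left to freshclam or cvdupdate rather than a hand-rolled fetcher.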

Re: [clamav-users] Permanently banned from clamav

2022-07-02 Thread Joel Esler via clamav-users
This is correct.  

— 
Sent from my  iPhone

> On Jul 2, 2022, at 11:50, Maarten Broekman via clamav-users 
>  wrote:
> 
> Downloading the entire databases unnecessarily (using web browsers, etc) is 
> banned because it results in higher volumes of data transfer which, in turn, 
> costs more money. As such, using things other than freshclam or cvdupdate 
> were explicitly banned. 
> 
> There’s not much else to say.  
> 
> Maarten 
> 
> 
>>> On Jul 2, 2022, at 11:33, Grant Taylor via clamav-users 
>>>  wrote:
>>> 
>>> On 7/2/22 9:09 AM, Matus UHLAR - fantomas wrote:
>>> this (downloading using chrome or other http clients) has caused problem to 
>>> delivery network and was blocked:
>>> https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html
>> 
>> That message doesn't elaborate on what problem(s) was (were) caused.
>> 
>> The message does call out that people were downloading files too many times 
>> a day when the file would change nominally once a day.
>> 
>>> Use freshclam or cvdupdate: https://github.com/Cisco-Talos/cvdupdate
>> 
>> I understand that freshclam / cvdupdate have some optimizations to determine 
>> if an update is needed or not.
>> 
>> I fail to see how using chrome, et al., or anything other than freshclam / 
>> cvdupdate, with a weekly cadence will cause any problems for any server, much 
>> less reputable CDN.
>> 
>> What am I not understanding?  Please clarify what problem(s) was (were) 
>> caused.
>> 
>> 
>> 
>> -- 
>> Grant. . . .
>> unix || die
>> 


Re: [clamav-users] Off topic question...

2022-06-29 Thread Joel Esler via clamav-users
Talosintelligence.com/support

— 
Sent from my  iPhone

> On Jun 29, 2022, at 10:59, Eric Tykwinski via clamav-users 
>  wrote:
> 
> 
> Any one have an abuse contact for Cisco IronPorts hosted service?
>  
> Customer of ours received a phishing email from a Cisco client but wasn’t 
> sent by them, at least that what I’m being told.
>  
> Sincerely,
>  
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>  


Re: [clamav-users] Version .105

2022-06-29 Thread Joel Esler via clamav-users
https://www.clamav.net/downloads

Seems to have what you need.

> On Jun 29, 2022, at 10:02 AM, West, Hunter D [US] (ES) via clamav-users 
>  wrote:
> 
> Hello,
>  
> I am unsure if I've come to the right place, but I need to install ClamAV 
> version .105. I work in a SAP environment with no internet connection to our 
> machines. The current version of ClamAV is .99 - I went to 
> https://dl.fedoraproject.org/pub/epel/7Server/x86_64/Packages/ to download 
> ClamAV and all the dependencies, but the only version I could find is .103. I 
> also tried looking for ClamAV .105 and all dependencies on the ClamAV website 
> but could not find them. Does anyone know where I can find ClamAV .105 
> dependencies?
>  
> v/r,
> Hunter West | Linux Systems Administrator E2
> Northrop Grumman Corporation  |  Enterprise Services
> (O) 321-586-8803   |   hunter.w...@ngc.com 
>  
> 
> Submit a Ticket here 
> 
>  


Re: [clamav-users] Scan reports

2022-05-31 Thread Joel Esler via clamav-users
Is it not updating?  Or not scanning?

— 
Sent from my  iPhone

> On May 31, 2022, at 07:09, John Paul Guay via clamav-users 
>  wrote:
> 
> Hello,
> 
> I’m new to ClamAV and I need help to fix our master server so it will scan 
> each agent daily. I work in a federal department in government and I’ve been 
> working in our lab environment. We had a consultant who had setup our ClamAV 
> to scan all of our Linux VM’s and he left good documentation but nothing on 
> the issue we’ve encountered now. Everything was working fine, which I 
> thought, but something “broke” and now it doesn’t do the daily scans of each 
> agent and send the report to the master. It was working until January 1st, 
> 2022. I’m not sure if anything changed between last year and this year, but I 
> need to get this fixed ASAP. I realize this doesn’t provide 
> much details but I can provide anything you need. If I can get a conversation 
> opened with someone who knows what they’re doing when it comes to ClamAV, 
> that would be great!
> 
> Thanks,
> JP


Re: [clamav-users] How to stop receive messages.

2022-05-05 Thread Joel Esler via clamav-users
https://lists.clamav.net/mailman/listinfo/clamav-users 



> On May 4, 2022, at 7:43 PM, Eric Jin via clamav-users 
>  wrote:
> 
> Dear Sir,
> I don't want to receive any posted messages. Please tell me how to stop it. 
> Thanks.
> 
> Best regards,
> Eric.
> 


Re: [clamav-users] clamav/safebrowsing updates?

2022-04-26 Thread Joel Esler via clamav-users


> On Apr 26, 2022, at 4:08 PM, Alex via clamav-users 
>  wrote:
> 
> Hi,
> 
>>> Is the clamav-safebrowsing repository still maintained?
>> 
>> https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html
> 
> Yes, that's exactly what I'm referring to - your link directs the user
> to the new repo, but that has problems, and itself doesn't appear to
> be developed any longer.
> 
> It directs to here:
> https://github.com/Cisco-Talos/clamav-safebrowsing
> 

Just because a repo hasn’t been updated in 
$your_random_determined_amount_of_time_that_is_entirely_up_to_you doesn’t mean 
that it’s no longer developed.

If there is an issue with it, then file an issue in the GitHub repo.




Re: [clamav-users] DoD/IL4/Federal use case

2022-04-19 Thread Joel Esler via clamav-users
Thanks.  

> On Apr 19, 2022, at 4:31 PM, Ivan Zanoth via clamav-users 
>  wrote:
> 
> Do what you need.
> 
> On Tue, Apr 19, 2022 at 17:29, Joel Esler via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
> I’m pretty sure there should be an internal resource to the DoD to answer 
> this question.
> 
> > On Apr 19, 2022, at 2:27 PM, Enver Bahar via clamav-users 
> > mailto:clamav-users@lists.clamav.net>> 
> > wrote:
> > 
> > Hi,
> > 
> > I tried before but didn't get a response, any directions would be great:
> > 
> > I read on some forums that ClamAV is approved for federal use and
> > approved by DoD for IL4 - is that correct? If so, where can I find
> > such information?
> > 
> > Best
> > 
> 
> 
> 




Re: [clamav-users] DoD/IL4/Federal use case

2022-04-19 Thread Joel Esler via clamav-users
I’m pretty sure there should be an internal resource to the DoD to answer this 
question.

> On Apr 19, 2022, at 2:27 PM, Enver Bahar via clamav-users 
>  wrote:
> 
> Hi,
> 
> I tried before but didn't get a response, any directions would be great:
> 
> I read on some forums that ClamAV is approved for federal use and
> approved by DoD for IL4 - is that correct? If so, where can I find
> such information?
> 
> Best
> 




Re: [clamav-users] DoD/IL4/Federal use case

2022-04-13 Thread Joel Esler via clamav-users
https://lists.clamav.net/mailman/listinfo/clamav-users

Look for unsubscribe at the bottom. 

— 
Sent from my  iPhone

> On Apr 13, 2022, at 12:58, Eliya Voldman via clamav-users 
>  wrote:
> 
> Folks,
> I unsubscribed my email from this list but still continue to receive email.
> Is it my fault?
> 
> Thanks
> 
>> On Apr 13, 2022, at 12:50 PM, Enver Bahar via clamav-users 
>>  wrote:
>> 
>> Hi,
>> 
>> I read on some forums that ClamAV is approved for federal use and
>> approved by DoD for IL4 - is that correct?
>> 
>> If so, where can I find such information?
>> 
>> Regards
>> 
> 
> 



Re: [clamav-users] Inquiry about ClamAV's usage within sandbox

2022-03-30 Thread Joel Esler via clamav-users
If the purpose of doing all of this is to detect if malware is present, I would 
do it outside of the sandbox.  The point of a sandbox is to let malware execute 
and NOT stop it.

> On Mar 30, 2022, at 11:48 AM, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Wed, 30 Mar 2022, Yang, Jiayi via clamav-users wrote:
> 
>> ... what will happen if ClamAV is compromised?  I'm guessing ...
> 
> It doesn't help to guess.  If *anything* is compromised then you
> should probably treat the entire computer to be under the control of
> criminals and act accordingly.  At the very least disconnect it from
> the network so that it does not pose a threat to other systems.
> 
>> ... it will give wrong detection result for the malware and also for
>> other files to be scanned, or the scanner will crash then cannot
>> work any more.
> 
> Nothing is certain.  If it is compromised then the malicious actor may
> 'fix' ClamAV (and the rest of the things that he has damaged) to make
> them look like they are working properly when they are not.  I have
> seen modified system command binaries like 'ps' and 'ls' which appear
> to produce process or directory listings but which in fact hide some
> processes and directories or files from the lists which they produce.
> To an unobservant system administrator everything appears normal, but
> someone who looks carefully would see that the system was being used
> for malicious purposes.
> 
> It's very likely a crash which enables the compromise.  If the Bad
> Actor knows what he's doing, after gaining access he might modify the
> scanner to make it appear to be operating normally, but despite the
> appearance fail to detect the Bad Actor's intrusion.  The timestamps
> on binaries are easily faked.  It's not easy to fake a hash, so you
> can use something like 'tripwire' to spot unexpected modifications.
> 
>> Is there also a probability that when it's compromised, it could
>> also infect other files when scanning them?
> 
> If ClamAV (or anything else on your system) is compromised it does not
> matter whether or not ClamAV is scanning files.  The game is over, and
> you lost.  It's likely time to wipe discs, look for backups, reinstall.
> 
>> I totally believe it's unlikely to happen.
> 
> There's a big difference between 'unlikely' and 'impossible'.
> 
> -- 
> 
> 73,
> Ged.
> 




Re: [clamav-users] ClamAV 1020 when pulling 104.2.tar.gz

2022-03-16 Thread Joel Esler via clamav-users
Should clear automatically after awhile. 

— 
Sent from my  iPhone

> On Mar 16, 2022, at 13:09, Schneider, Arthur (A.V.) via clamav-users 
>  wrote:
> 
> Hello,
> 
> Looks like we’re getting a 1020 when our automation is pulling the 
> 104.2.tar.gz. We’re currently in the process of compiling and building for 
> our environment and looks like we were auto banned. I was going a little 
> build crazy with trying to get it working within our automation suite. The 
> external IP that is hitting your site is 19.12.76.185, please note this is 
> the same IP our cvdupdate tool is using. 
> 
> Regards,
>   Arthur 
> 
> |Arthur Schneider | aschn...@ford.com | 
> |Dev Sec Ops Engineer | Cyber Security Essential Tools & Server Protection 
> Team | 
> 
> 
> 



Re: [clamav-users] ClamAV 0.105 release candidate

2022-03-16 Thread Joel Esler via clamav-users
I think you vastly overestimate the size of the audience that has that problem.

— 
Sent from my  iPad

> On Mar 16, 2022, at 16:23, Bowie Bailey via clamav-users 
>  wrote:
> 
> On 3/16/2022 12:35 PM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>> 
>>> On Wed, 16 Mar 2022, Bowie Bailey via clamav-users wrote:
>>> On 3/16/2022 10:09 AM, Joel Esler via clamav-users wrote:
>>>> On Mar 16, 2022, at 5:35 AM, Gary R. Schmidt  wrote:
>>>>> On 16/03/2022 20:19, Christoph Moench-Tegeder via clamav-users wrote:
>>>>>> ## Joel Esler via clamav-users (clamav-users@lists.clamav.net):
>>>>>>> 
>>>>>>> Can’t use wget.
>>>>>> 
>>>>>> Looks like "can't use anything which doesn't look like a web browser",
>>>>>> as BSD fetch hits the 403, too.
>>>>>> That's a major PITA on the BSD side (just like openSuse), but it
>>>>>> was working just fine at the time of the 0.104.2 release (and all
>>>>>> the time prior to that). Is there any reason behind making the source
>>>>>> (not talking about the database files) inaccessible like that?
>>>>> 
>>>>> Hanlon's Razor: "Never attribute to malice what can be adequately 
>>>>> explained by neglect, ignorance, or incompetence."
>>>>> 
>>>>> With the added FLOSS variant, "or trying to show just how much smarter 
>>>>> they are than everybody else.”
>>>> 
> >>>> It was done because there are people that download the entire ClamAV 
> >>>> package from the same every 1 minute and do a complete reinstall.
>>> 
>>> Why not simply block the IP addresses that are doing excessive downloads?
>>> There can't be that many people who are doing constant rebuilds.
>>> 
>>> The system I use for building ClamAV has no GUI.  I download the files by 
>>> grabbing the URL from my desktop and then pasting it into a wget on the 
>>> build machine.  Am I going to have to make wget spoof its user-agent every 
>>> time I need to update ClamAV? ...
>> 
>> I don't see much in the way of sympathy for a company that spends good
>> money on a content delivery network in order to provide a FREE service
>> to the community, only then to take flak from that same community when
>> they are obliged to prevent literally hundreds of thousands of what I
>> can only describe as scrotes from flagrantly abusing the service.
> 
> That was my point.  They are inconveniencing their users with a change that 
> is unlikely to slow down these abusers for any length of time.
> 
>> Before grumbling about the implementation of the solutions, would it
>> not at least be reasonable to find out what the problems are?
> 
> I understand the problem.  I just don't see this as a good solution.
> 
>> How often do you update ClamAV?  It must be all of a thirty-second job
>> to write a user agent string, and e.g. pop it in a 'bash' alias.
> 
> And all of the people who are doing excessive downloads will spend the same 
> 30 seconds and then be back in business.  So what has been gained?  A few 
> days or weeks of reduced server load until they all update their scripts and 
> then you are right back where you started.
> 
> At the same time, every ClamAV user (new or existing) that wants to download 
> from the command line will have to spend time figuring out why they are 
> getting errors trying to download from the published links.  Since this 
> software is designed to be used on a server, that will probably be a decent 
> percentage of the user base who are all going to have to figure out this 
> undocumented issue (since documenting the work-around would kind of defeat 
> the point).  I would bet that quite a few prospective new users will simply 
> give up on ClamAV and assume the website is broken when they keep getting 
> "403 forbidden" on the downloads.
> 
> -- 
> Bowie
> 



Re: [clamav-users] ClamAV 0.105 release candidate

2022-03-16 Thread Joel Esler via clamav-users


> On Mar 16, 2022, at 11:25 AM, Bowie Bailey via clamav-users 
>  wrote:
> 
> On 3/16/2022 10:09 AM, Joel Esler via clamav-users wrote:
>> 
>>> On Mar 16, 2022, at 5:35 AM, Gary R. Schmidt  wrote:
>>> 
>>> On 16/03/2022 20:19, Christoph Moench-Tegeder via clamav-users wrote:
>>>> ## Joel Esler via clamav-users (clamav-users@lists.clamav.net):
>>>>> Can’t use wget.
>>>> Looks like "can't use anything which doesn't look like a web browser",
>>>> as BSD fetch hits the 403, too.
>>>> That's a major PITA on the BSD side (just like openSuse), but it
>>>> was working just fine at the time of the 0.104.2 release (and all
>>>> the time prior to that). Is there any reason behind making the source
>>>> (not talking about the database files) inaccessible like that?
>>> Hanlon's Razor: "Never attribute to malice what can be adequately explained 
>>> by neglect, ignorance, or incompetence."
>>> 
>>> With the added FLOSS variant, "or trying to show just how much smarter they 
>>> are than everybody else.”
>> 
>> 
>> 
> >> It was done because there are people that download the entire ClamAV package 
> >> from the same every 1 minute and do a complete reinstall.
> 
> Why not simply block the IP addresses that are doing excessive downloads?  
> There can't be that many people who are doing constant rebuilds.

We did that for awhile.  Didn’t scale.  Dynamic IPs as well.

> 
> The system I use for building ClamAV has no GUI.  I download the files by 
> grabbing the URL from my desktop and then pasting it into a wget on the build 
> machine.  Am I going to have to make wget spoof its user-agent every time I 
> need to update ClamAV?  What happens when the people you were complaining 
> about start doing the same thing?

Excessive downloaders get blocked.  Simple as that.




Re: [clamav-users] wget blocks - was Re: ClamAV 0.105 release candidate

2022-03-16 Thread Joel Esler via clamav-users


> On Mar 16, 2022, at 10:55 AM, Andrew C Aitchison  
> wrote:
> 
> On Wed, 16 Mar 2022, Joel Esler via clamav-users wrote:
> >>> On Mar 16, 2022, at 5:35 AM, Gary R. Schmidt <grschm...@acm.org> wrote:
>>> 
>>> On 16/03/2022 20:19, Christoph Moench-Tegeder via clamav-users wrote:
> >>>> ## Joel Esler via clamav-users (clamav-users@lists.clamav.net):
>>>>> Can’t use wget.
>>>> Looks like "can't use anything which doesn't look like a web browser",
>>>> as BSD fetch hits the 403, too.
>>>> That's a major PITA on the BSD side (just like openSuse), but it
>>>> was working just fine at the time of the 0.104.2 release (and all
>>>> the time prior to that). Is there any reason behind making the source
>>>> (not talking about the database files) inaccessible like that?
>>> 
>>> Hanlon's Razor: "Never attribute to malice what can be adequately explained 
>>> by neglect, ignorance, or incompetence."
>>> 
>>> With the added FLOSS variant, "or trying to show just how much smarter they 
>>> are than everybody else.”
>> 
> >> It was done because there are people that download the entire ClamAV package 
> >> from the same every 1 minute and do a complete reinstall.
> 
> I still do not understand why rate limiting failed to solve this issue.
> Was the problem technical or did policy mean it couldn't be used ?

Rate limiting mitigated it.  It didn’t stop it.  Data transfer is expensive.  
ClamAV is funded out of a larger budget, so expenses must be minded.


Re: [clamav-users] ClamAV 0.105 release candidate

2022-03-16 Thread Joel Esler via clamav-users


> On Mar 16, 2022, at 5:35 AM, Gary R. Schmidt  wrote:
> 
> On 16/03/2022 20:19, Christoph Moench-Tegeder via clamav-users wrote:
>> ## Joel Esler via clamav-users (clamav-users@lists.clamav.net):
>>> Can’t use wget.
>> Looks like "can't use anything which doesn't look like a web browser",
>> as BSD fetch hits the 403, too.
>> That's a major PITA on the BSD side (just like openSuse), but it
>> was working just fine at the time of the 0.104.2 release (and all
>> the time prior to that). Is there any reason behind making the source
>> (not talking about the database files) inaccessible like that?
> 
> Hanlon's Razor: "Never attribute to malice what can be adequately explained 
> by neglect, ignorance, or incompetence."
> 
> With the added FLOSS variant, "or trying to show just how much smarter they 
> are than everybody else.”




It was done because there are people that download the entire ClamAV package 
from the same every 1 minute and do a complete reinstall.




Re: [clamav-users] ClamAV 0.105 release candidate

2022-03-15 Thread Joel Esler via clamav-users
Can’t use wget.  

— 
Sent from my  iPhone

> On Mar 14, 2022, at 20:28, Yasuhiro Kimura  wrote:
> 
> From: "Micah Snyder \(micasnyd\) via clamav-users" 
> 
> Subject: [clamav-users] ClamAV 0.105 release candidate
> Date: Mon, 14 Mar 2022 20:14:18 +
> 
>> Read this announcement online at 
>> https://blog.clamav.net/2022/03/clamav-01050-release-candidate-now.html
>> 
>> We are excited to announce the ClamAV 0.105.0 release candidate.
>> 
>> Please help us validate this release. We need your feedback, so let us know 
>> what you find and join us on the
>> ClamAV mailing list, or on our Discord.
>> 
>> This release candidate phase is only expected to last about two to four 
>> weeks before the 0.105.0 Stable
> >> version will be published. Take this opportunity to verify that 0.105.0 
> >> can build and run in your
>> environment.
>> 
>> There is one known issue:
>> 
>>  • Yara rules containing regex strings will fail to load. The fix for this 
>> issue will be in the final
>>release or next release candidate.
>> 
>> Please submit bug reports to the ClamAV project GitHub Issues.
> 
> I tried to download the source archive of 0.105.0-rc but it fails with 403
> forbidden.
> 
> yasu@rolling-vm-freebsd2[1373]% wget 
> https://www.clamav.net/downloads/release_candidate/clamav-0.105.0-rc.tar.gz
> 
> --2022-03-15 09:25:16--  
> https://www.clamav.net/downloads/release_candidate/clamav-0.105.0-rc.tar.gz
> Resolving www.clamav.net (www.clamav.net)... 2606:4700::6810:db54, 
> 2606:4700::6810:da54, 104.16.218.84, ...
> Connecting to www.clamav.net (www.clamav.net)|2606:4700::6810:db54|:443... 
> connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2022-03-15 09:25:17 ERROR 403: Forbidden.
> 
> yasu@rolling-vm-freebsd2[1374]%
> 
> ---
> Yasuhiro KIMURA
> 



Re: [clamav-users] Virus database not updated since 14th July 2021

2022-03-09 Thread Joel Esler via clamav-users
https://blog.clamav.net/2021/07/psa-freshclam-database-download-issue.html

— 
Sent from my  iPhone

> On Mar 9, 2022, at 16:25, clamav.mbou...@spamgourmet.com wrote:
> 
> ReceiveTimeout=30 is probably the one causing you problems.  I was bitten by 
> that when installing ClamAV on an Ubuntu-based system last year.  For me, on 
> a ~16Mbps downlink home broadband connection, it took longer than that to 
> download the signatures, so would repeatedly time out and retry.  I think in 
> that case the retries occur every 5 seconds, regardless of other settings 
> specifying the frequency of update checks, since it hadn't actually 
> successfully updated.  As I understand it, checking every hour shouldn't 
> usually be a problem - it's the retries triggered by the timeout that cause 
> the rate-limiting to kick in.
> 
> Having mentioned it here myself almost a year ago myself, it turns out that 
> the default built into ClamAV sets ReceiveTimeout=0, which means no timeout.  
> However, the Ubuntu 16.04 and 18.04 packages create an initial configuration 
> with it to 30.  I think the Ubuntu 20.04 packages now set it to 0, the same 
> as ClamAV's default, but it may be that you've inherited a configuration from 
> an older installation - or perhaps KDE Neon provide their own packages with 
> the default still set to 30.  So it seems that 30s default isn't actually the 
> ClamAV team's fault.
> 
> What does seem to exacerbate the problem is that, when the download times 
> out, it retries after 5 seconds so you quickly get blocked by the 
> rate-limiting and have to wait for that to reset before trying again after 
> fixing the config.  But, as was explained to me, there are some cases where 
> retrying immediately makes sense and freshclam can't necessarily determine 
> that, so always waiting a longer period (or until the next update check is 
> due) isn't necessarily the right thing to do either (and in its default 
> configuration a timeout wouldn't happen anyway).
> 
> Mark.
> 
> 
> Jerzy Witwinowski via clamav-users wrote:
>> @ Maarten Broekman - I'm using the version 0.103.5 which, I think, is the 
>> current version in KDE Neon repos (KDE Neon being based on Ubuntu 20). But 
>> what I did yesterday (manual tuning of the configuration file, lowering the 
>> number of times per day the updates are fetched and increasing the receive 
>> timeout) helped. This evening, when I started my computer after returning 
>> from work, I checked the version of the virus database and saw that ClamAV 
>> had managed to update it.
>> @ G.W. Haywood - Hopefully after manual tweaking of the config file 
>> everything works again as it should (as I explained in my answer to Maarten 
>> Broekman above). And it's not that I've been neglecting the security... It's 
>> just that as everything had been working smooth and fine since I've 
>> installed ClamAV many years ago, I've stopped manually checking if 
>> everything was still OK (because why would it stop working after all those 
>> years?)... My bad.
>> Anyway, three things:
>> 1. I would like to apologize for writing BEFORE I could verify if the manual 
>> tweaks would work once my cool-down period lifted.
>> 2. Thank you all for your patience and your help.
>> 3. There is still one question that puzzles me: why the default 
>> configuration of ClamAV (checking for updates every hour, Retrieve Timeout 
>> set to 30) is designed in a way that leads directly to the ban by the CDN 
>> and renders the software useless?
> 
> 


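A small linter for freshclam.conf that flags the settings discussed in the thread above, added here as an example (it is not code from the thread or from the ClamAV project). The sample configuration is constructed; besides the non-zero ReceiveTimeout that the reply above blames for the 5-second retries and the resulting rate limiting, it also catches the bare "Example" marker line that the shipped template carries and that stops freshclam from running at all.

```python
"""Lint a freshclam.conf for settings that lead to download failures.

Added example, not code from the mailing list or from ClamAV. It reads the
"Option Value" lines of freshclam.conf and reports:
  * ReceiveTimeout > 0: on a slow link daily.cvd cannot finish downloading
    within the timeout, freshclam retries after 5 seconds, and the mirror's
    rate limiting then blocks the host (the failure mode the thread describes);
  * Checks > 24: more than hourly update checks, which the thread says gain
    nothing;
  * a bare "Example" line: left over from the shipped template, freshclam
    refuses to start while it is present.
The sample configuration below is constructed.
"""
import re

# One option per line: a word, optionally followed by a value. Comments are
# stripped before matching, so "# ReceiveTimeout 30" is ignored.
_OPTION = re.compile(r"^\s*([A-Za-z]+)(?:\s+(.*?))?\s*$")


def parse_conf(text: str) -> dict:
    """Return {option: value} for active lines; the last value seen wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = _OPTION.match(line)
        if m:
            options[m.group(1)] = m.group(2) or ""
    return options


def _int_option(opts: dict, key: str, default: int) -> int:
    try:
        return int(opts.get(key, default))
    except ValueError:
        return default


def lint_conf(text: str) -> list:
    """Return (option, current, recommended, reason) tuples for each finding."""
    opts = parse_conf(text)
    findings = []
    if "Example" in opts:
        findings.append(("Example", "", "(remove line)",
                         "template marker present; freshclam will not run"))
    timeout = _int_option(opts, "ReceiveTimeout", 0)
    if timeout > 0:
        findings.append(("ReceiveTimeout", str(timeout), "0",
                         "slow links exceed the timeout; 5 s retries then "
                         "trip the CDN rate limit"))
    checks = _int_option(opts, "Checks", 12)  # freshclam's default is 12/day
    if checks > 24:
        findings.append(("Checks", str(checks), "24",
                         "more often than hourly only adds load"))
    return findings


def fix_conf(text: str) -> str:
    """Rewrite the config with ReceiveTimeout 0 and the Example marker removed.

    Every other line, comments included, is passed through unchanged so the
    administrator's own settings survive.
    """
    out = []
    seen_timeout = False
    for raw in text.splitlines():
        m = _OPTION.match(raw.split("#", 1)[0])
        key = m.group(1) if m else None
        if key == "Example":
            continue
        if key == "ReceiveTimeout":
            out.append("ReceiveTimeout 0")
            seen_timeout = True
            continue
        out.append(raw)
    if not seen_timeout:
        out.append("ReceiveTimeout 0")
    return "\n".join(out) + "\n"


# Constructed sample resembling an older packaged configuration.
SAMPLE_CONF = """\
# freshclam.conf (constructed sample)
Example
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseMirror database.clamav.net
Checks 24
ReceiveTimeout 30
"""

if __name__ == "__main__":
    for option, current, recommended, reason in lint_conf(SAMPLE_CONF):
        print(f"{option}: {current or '<present>'} -> {recommended}  ({reason})")
    print(fix_conf(SAMPLE_CONF))
```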

Re: [clamav-users] Minor bug or working as intended?

2022-02-25 Thread Joel Esler via clamav-users
Pretty sure you can write what you’re trying to look for with an ldb signature 
anyway. 

— 
Sent from my  iPhone

> On Feb 24, 2022, at 18:53, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
>> On Thu, 24 Feb 2022, Kris Deugau wrote:
>> 
>> After chasing docs back and forth and trying small variations, I think I've 
>> found what's arguably a bug in Clam's YARA implementation.
>> ...
> 
> You too, huh?
> 
> In my experience ClamAV's Yara implementation is absolutely riddled.
> It's so bad (and *years* out of date) that I don't think it would be
> worth the effort of trying to fix it.  I'd say start again from
> scratch.
> 
> I've eventually settled on a way of living with it which is basically
> "don't try anything fancy".  If you're not careful it crashes clamd.
> Most of the time it seems to manage simple regexes reasonably well,
> but one example of fancy things not to try would be leaving out the
> case-insensitive match modifier 'nocase'.
> 
> Having said that when you get it settled it does do good work.  Here,
> with a few hundred well-chosen strings in a couple of dozen rules, it
> catches far more spam than anything else.  We don't see much malware
> in our mail, so I haven't spent much time on non-text matching and
> can't offer much insight into how well it might do there.
> 
> -- 
> 
> 73,
> Ged.
> 



Re: [clamav-users] Scan log parsing

2022-02-20 Thread Joel Esler via clamav-users
I think the word “FOUND” is used. 

— 
Sent from my  iPhone

> On Feb 20, 2022, at 20:16, Eliya Voldman via clamav-users 
>  wrote:
> 
> 
> 
> Hello, 
> I'm completely new to ClamAV 
> I am setting up ClamAV on one laptop located behind VLAN and I don't have the 
> option to monitor result. 
> Still I need to know the result of the scan hence I decided to parse the log. 
> My question: what string should I expect if the scan revealed any suspicious 
> activity ... like 'error' or 'fail' or 'infected' or etc. 
> Any suggestion what gets into the log in case of infection? 
> 
> Thanks
> 
> 


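One way to parse the scan output for detections, as an added example that is not from the thread or from the ClamAV project: it keys only on the trailing status word (FOUND, OK, ERROR) that the reply above points to, so a path that merely contains the word FOUND is not misread, and it strips the timestamp prefix clamd puts in front of its log lines. The sample log lines are constructed.

```python
"""Parse ClamAV scan output for detections.

Added example, not code from the mailing list or from ClamAV. clamscan (and
clamd's log) emit one line per scanned object ending in FOUND, OK or ERROR;
FOUND marks a detection. The sample log below is constructed.
"""
import re
from dataclasses import dataclass, field

# clamd and freshclam log lines start with "Thu Feb 24 18:53:00 2022 -> ";
# plain clamscan output does not. Strip the prefix when it is present.
_TS_PREFIX = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} -> ")


@dataclass
class ScanReport:
    infected: dict = field(default_factory=dict)  # path -> signature name
    errors: dict = field(default_factory=dict)    # path -> error text
    clean: int = 0                                # number of ": OK" lines

    @property
    def suspicious(self) -> bool:
        # An unreadable file is not a clean file: when only the log is
        # monitored, ERROR lines deserve attention as much as FOUND lines.
        return bool(self.infected or self.errors)


def classify_line(line: str):
    """Return (status, path, detail) for a per-object result line, else None.

    The status word is matched only at the end of the line, so a path that
    happens to contain "FOUND" or "ERROR" is not misclassified.
    """
    line = _TS_PREFIX.sub("", line.rstrip("\r\n"))
    if line.endswith(": OK"):
        return "OK", line[: -len(": OK")], ""
    if line.endswith(" FOUND"):
        # "<path>: <signature> FOUND"; signature names contain no spaces, so
        # splitting at the last ": " keeps a path that contains ": " intact.
        path, sep, sig = line[: -len(" FOUND")].rpartition(": ")
        return ("FOUND", path, sig) if sep else None
    if line.endswith(" ERROR"):
        # "<path>: <message> ERROR"; the message may itself contain ": ",
        # so split at the first ": " after the path instead.
        path, sep, msg = line[: -len(" ERROR")].partition(": ")
        return ("ERROR", path, msg) if sep else None
    return None  # banner, summary and blank lines


def parse_scan_log(text: str) -> ScanReport:
    """Aggregate every result line of a scan log into a ScanReport."""
    report = ScanReport()
    for raw in text.splitlines():
        hit = classify_line(raw)
        if hit is None:
            continue
        status, path, detail = hit
        if status == "FOUND":
            report.infected[path] = detail
        elif status == "ERROR":
            report.errors[path] = detail
        else:
            report.clean += 1
    return report


# Constructed sample: two clamscan lines, one clamd-style timestamped line,
# an unreadable file, a path containing the word FOUND, and summary lines.
SAMPLE_LOG = """\
/home/user/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/user/notes.txt: OK
Thu Feb 24 18:53:00 2022 -> /var/spool/mail/in/msg: Sanesecurity.Spam.1.UNOFFICIAL FOUND
/root/secret.bin: Can't open file or directory ERROR
/home/user/FOUND_items.txt: OK

----------- SCAN SUMMARY -----------
Scanned files: 4
Infected files: 2
"""

if __name__ == "__main__":
    r = parse_scan_log(SAMPLE_LOG)
    for path, sig in r.infected.items():
        print(f"DETECTION {sig} in {path}")
    for path, msg in r.errors.items():
        print(f"UNSCANNED {path}: {msg}")
    print(f"clean={r.clean} infected={len(r.infected)} errors={len(r.errors)}")
```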

Re: [clamav-users] Error 403 downloading virus updates

2022-02-10 Thread Joel Esler via clamav-users
You’ll definitely need to upgrade.  I imagine the minimum fLevel for the cvd 
files will have been moved as well, and if so, won’t work on older 
installations at all.

> On Feb 10, 2022, at 10:55 AM, David Copeland via clamav-users 
>  wrote:
> 
> Hi Paul,
> 
> According to https://docs.clamav.net/faq/faq-eol.html, version 102 reached 
> EOL Jan 3, with database downloads no longer permitted.
> 
> Dave.
> 
> On 2022-02-10 10:25, Paul Furnival via clamav-users wrote:
>> I am running CLAMAV on a number of servers running different linux 
>> distributions and, therefore, different versions of the clamav engine.  2 of 
>> the servers have started to give errors when trying to upload the definition 
>> files.  These errors came to light as emails I received.
>> 
>> In following this through, it would appear that Cloudflare is returning an 
>> "Error 1020" which ripples down to CLAMAV as a 403 error.
>> 
>> Cloudflare say that this error is because the client has contravened a 
>> firewall rule but, as the client, I cannot see what this is so have no idea 
>> how to fix it.
>> 
>> One test I have carried out is to download the file from another computer on 
>> the same network using the same firewall for NAT (so the same ip address to 
>> the remote servers) using a web browser and the file downloads OK.  This 
>> would suggest that I am not being blocked due to a limit on how many 
>> requests can be delivered from a given IP address.
>> 
>> I have tried to update Clamav but there is no newer package for the 
>> distribution.  It is possible (although I can't prove it) that Cloudflare is 
>> checking the user agent and seeing my installation is too old?
>> 
>> This is the email that warned me of the problem:
>> ===
>> ERROR: downloadFile: Unexpected response (403) from 
>> database.clamav.net/daily-26440.cdiff
>> ERROR: getpatch: Can't download daily-26440.cdiff from 
>> database.clamav.net/daily-26440.cdiff
>> ERROR: downloadFile: Unexpected response (403) from 
>> database.clamav.net/daily.cvd
>> ERROR: getcvd: Can't download daily.cvd from database.clamav.net/daily.cvd
>> ERROR: Update failed for database: daily
>> ERROR: Database update process failed: HTTP GET failed (11)
>> ERROR: Update failed.
>> ===
>> 
>> 
>> 
>> and this is the output from  freshclam --debug --verbose
>> ===
>> ClamAV update process started at Thu Feb 10 15:21:42 2022
>> Current working dir is /var/lib/clamav/
>> Querying current.cvd.clamav.net
>> TTL: 587
>> fc_dns_query_update_info: Software version from DNS: 0.103.5
>> WARNING: Your ClamAV installation is OUTDATED!
>> WARNING: Local version: 0.102.4 Recommended version: 0.103.5
>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav 
>> 
>> Current working dir is /var/lib/clamav/
>> check_for_new_database_version: No local copy of "daily" database.
>> query_remote_database_version: daily.cvd version from DNS: 26449
>> daily database available for download (remote version: 26449)
>> Retrieving https://database.clamav.net/daily.cvd 
>> 
>> downloadFile: Download source:  https://database.clamav.net/daily.cvd 
>> 
>> downloadFile: Download destination: 
>> /var/lib/clamav/tmp.d974a/clamav-57c27d81b66a259b02e9dc00177a1f51.tmp
>> * About to connect() to database.clamav.net port 443 (#0)
>> *   Trying 104.16.218.84...
>> * Connected to database.clamav.net (104.16.218.84) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>>   CApath: none
>> * SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>> * Server certificate:
>> *   subject: CN=sni.cloudflaressl.com,O="Cloudflare, Inc.",L=San 
>> Francisco,ST=California,C=US
>> *   start date: Jul 15 00:00:00 2021 GMT
>> *   expire date: Jul 14 23:59:59 2022 GMT
>> *   common name: sni.cloudflaressl.com
>> *   issuer: CN=Cloudflare Inc ECC CA-3,O="Cloudflare, Inc.",C=US
>>> GET /daily.cvd HTTP/1.1
>> User-Agent: ClamAV/0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
>> Host: database.clamav.net
>> Accept: */*
>> Connection: close
>> 
>> < HTTP/1.1 403 Forbidden
>> < Date: Thu, 10 Feb 2022 15:21:42 GMT
>> < Content-Type: text/plain; charset=UTF-8
>> < Content-Length: 16
>> < Connection: close
>> < X-Frame-Options: SAMEORIGIN
>> < Referrer-Policy: same-origin
>> < Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, 
>> post-check=0, pre-check=0
>> < Expires: Thu, 01 Jan 1970 00:00:01 GMT
>> < Expect-CT: max-age=604800, 
>> report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct; 
>> 

Re: [clamav-users] Unable to mirror ClamAV database

2022-02-09 Thread Joel Esler via clamav-users
Cvdupdate is where it’s at for what you’re trying to do.  Clammirror was one of 
our problems, and why we had to put a stop to it. 

— 
Sent from my  iPhone

> On Feb 9, 2022, at 05:08, Roy Cohen via clamav-users 
>  wrote:
> 
> Sorry, I (wrongly) assumed clammirror was a clamav provided tool hence 
> assumed it is known.
> 
> It’s ok will follow the recommended approaches in the other mail thread.
> 
> Thanks for your help.
> 
> On 9 Feb 2022, at 10:04, G.W. Haywood  wrote:
> 
> Hi there,
> 
>> On 9 Feb 2022, at 00:45, Roy Cohen  wrote:
>> 
>> This is my first post ...
> 
> Welcome. :)
> 
>> ... ClamAV 0.103.0/26063 ... mirror updates using ...
>> 
>> /usr/local/bin/clamavmirror ...
> 
> Well, you might have told us what 'clamavmirror' is, and from where
> you got it. :)
> 
>> The problem I have that the incremental updates aren’t being
>> downloaded as I’m getting 403 on any update older than 28.1.2021
>> (see example output below).
>> Any idea why is my server blocked from receiving updates please ?
> 
> You seem to have found out for yourself.  You could have done that
> first of course. :)
> 
>> On Wed, 9 Feb 2022, Roy Cohen via clamav-users wrote:
>> 
>> Any chance clammirror is no longer a supported method to download
>> the database and I need to switch to another script as per:
>> https://www.mail-archive.com/clamav-users@lists.clamav.net/msg50017.html
> 
> For almost any reasonably big project there will be any number of what
> I like to call 'Me Too' offerings 'Out There'.  With many of them you
> will be taking big security risks.  I wouldn't touch most of them with
> a bargepole.  Things are bad enough even when you're careful.  In the
> case of ClamAV there have also been some very serious problems for the
> infrastructure caused by mindlessly or maliciously scripted downloads.
> Check out the archives of this list and the blog for more.
> 
> -- 
> 
> 73,
> Ged.
> 
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml



Re: [clamav-users] help with my system please hybrid os does not update signatures

2022-01-21 Thread Joel Esler via clamav-users
Side comment about the below though:

— 
Sent from my  iPhone

> On Jan 21, 2022, at 18:16, G.W. Haywood via clamav-users 
>  wrote:
> 
> Since you're running Linux, and most of the published signatures are
> intended to detect threats to Windows and other Microsoft products

Only because of the predominance of the threat.  ELF binary signatures are 
written constantly, as well as for OS X binaries.  



Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

2022-01-17 Thread Joel Esler via clamav-users


> On Jan 17, 2022, at 2:03 PM, Matus UHLAR - fantomas  wrote:
> 
> On 17.01.22 16:30, Nick Howitt via clamav-users wrote:
>> I give up. This is like pushing water uphill. There is no sensible way of 
>> building the packages in one pass which allows me to package the sigs 
>> automatically. It looks like Cisco will block you if you try to download 
>> anything and fighting Cisco or trying to get them to change is a total waste 
>> of effort.
> 
> Cisco does that for a reason that has been explained multiple times.
> You are supposed to download with freshclam or use cvdupdate.
> That's the only optimisation Cisco gives us. All the others used to overload the
> mirrors.

This.  X 1000.  Cisco provides two tools to do this.  Both tools work perfectly 
fine.  There is actually no other reason to reinvent the wheel, Cisco has done 
it twice for you already.


Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

2022-01-17 Thread Joel Esler via clamav-users



> On Jan 17, 2022, at 10:17, Maarten Broekman via clamav-users 
>  wrote:
> 
> And, after 7 days, you'll see warning messages about outdated definitions 
> when clam starts up.

And Freshclam and cvdupdate will still download the right files.  



Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

2022-01-17 Thread Joel Esler via clamav-users
No. It would not.  Wget and curl create disasters for the ClamAV team on the 
server side, which is why it was stopped. There are still people abusing that 
system, and when I was at Cisco I would block people for doing it.  If people 
would use the tools they are supposed to, that are designed to be network 
friendly, the problems wouldn’t exist. 

— 
Sent from my  iPhone

> On Jan 17, 2022, at 09:39, Nick Howitt via clamav-users 
>  wrote:
> 
> Isn't that a bit messy? It would be so much easier to be able to use curl, 
> wget or any browser to get the sigs so we can package them directly - not 
> have to install some uncommon download package and then download them. That 
> is making people jump through unnecessary hoops. I am not trying use a 
> segmented network and hosts can generally reach the internet. I just want to 
> be able to package the sigs in a v0.103.5 rpm for my distro in the same way 
> as EPEL does.
> 
>> On 17/01/2022 14:17, Joel Esler wrote:
>> This is what cvdupdate was designed for.  Please use that.
>> —
>> Sent from my  iPhone
 On Jan 17, 2022, at 09:12, Nick Howitt via clamav-users 
  wrote:
>>> 
>>> Please tell that to EPEL as well. We want to be able to distribute a 
>>> package which, in emergency, can be transferred to a standalone (read 
>>> compromised device removed from the network) and have the rpm install 
>>> something which can directly virus scan. Without the three files, it can't. 
>>> I presume that is similar logic to EPEL.
>>> 
>>> Anyway, I've managed to get the files through a VPN so changing my IP, but 
>>> this is messy. There must be a better way to do it.
>>> 
>>> Nick
>>> 
 On 17/01/2022 14:01, Maarten Broekman via clamav-users wrote:
 Running freshclam after the package is installed should pull any/all of 
 the files that are missing. That is probably the best way to do it.
 --Maarten
 On Mon, Jan 17, 2022 at 8:32 AM Nick Howitt via clamav-users wrote:
Hi,
I am trying to package ClamAV 0.103.5 for ClearOS. Normally they
package the latest three signature files listed above with their
distributable rpm in the same way that EPEL do so they have a
working package on installation rather than requiring freshclam to
run first. Unfortunately it looks like the links to the three files
have been removed from https://www.clamav.net/downloads
 and I would like to get the
latest signatures so I can update the package. How can I get hold of
the files?
Looking at the EPEL Sources, they download from:
https://database.clamav.net/main.cvd

https://database.clamav.net/daily.cvd

https://database.clamav.net/bytecode.cvd

But I am being blocked by cloudflare:
  Error 1015
Ray ID: 6cefeaa67bc1549a • 2022-01-17 13:26:40 UTC
You are being rate limited
What happened?
The owner of this website (database.clamav.net
) has banned you temporarily from
accessing this website.
How can I proceed as I would like to get an updated package built
for ClearOS
Thanks,
Nick
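
The setup the replies in this thread keep pointing at is one host running cvdupdate and every other host running freshclam against it. The client side of that looks like the fragment below. This is an added example, not configuration from the ClamAV project or from anyone in the thread; the hostname, paths and proxy details are placeholders, and the comments paraphrase the directive descriptions in freshclam.conf.sample, which remains the authority for the exact behaviour of your release.

```ini
# /etc/clamav/freshclam.conf on an internal client (added example; the
# hostnames, paths and proxy values are placeholders, not values from the thread)

DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseOwner clamav
LogTime yes

# Point at the mirror that cvdupdate keeps current.  With PrivateMirror set,
# freshclam talks only to this host and skips the public DNS version lookup,
# and per freshclam.conf.sample it does not fall back to database.clamav.net
# if the mirror is unreachable, so monitor the mirror itself.
PrivateMirror clam-mirror.internal.example

# Leave the public entry commented out on clients; only the cvdupdate host
# should ever talk to the CDN.
#DatabaseMirror database.clamav.net

# Only needed where a host must reach the CDN through an egress proxy
# (the mirror host, or a lab behind a corporate proxy as in the thread above).
#HTTPProxyServer proxy.internal.example
#HTTPProxyPort 3128

# 24 checks per day is once an hour, which is what most people in these
# threads were already doing against the public CDN.
Checks 24
```

On the mirror host, cvdupdate is installed from PyPI (`pip install cvdupdate`), pointed at a directory with `cvd config set --dbdir /srv/clamav/db`, and run from cron with `cvd update`; that directory is then published with an ordinary web server, since the bundled `cvd serve` is described in its README as a test server. A client that still fetches daily.cvd from database.clamav.net with wget, curl or an old freshclam is exactly the traffic that produced the Error 1015 rate limit and the 403 responses quoted earlier on this page.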


Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

2022-01-17 Thread Joel Esler via clamav-users
This is what cvdupdate was designed for.  Please use that.  

— 
Sent from my  iPhone

> On Jan 17, 2022, at 09:12, Nick Howitt via clamav-users 
>  wrote:
> 
> Please tell that to EPEL as well. We want to be able to distribute a package 
> which, in emergency, can be transferred to a standalone (read compromised 
> device removed from the network) and have the rpm install something which can 
> directly virus scan. Without the three files, it can't. I presume that is 
> similar logic to EPEL.
> 
> Anyway, I've managed to get the files through a VPN so changing my IP, but 
> this is messy. There must be a better way to do it.
> 
> Nick
> 
>> On 17/01/2022 14:01, Maarten Broekman via clamav-users wrote:
>> Running freshclam after the package is installed should pull any/all of the 
>> files that are missing. That is probably the best way to do it.
>> --Maarten
>> On Mon, Jan 17, 2022 at 8:32 AM Nick Howitt via clamav-users wrote:
>>Hi,
>>I am trying to package ClamAV 0.103.5 for ClearOS. Normally they
>>package the latest three signature files listed above with their
>>distributable rpm in the same way that EPEL do so they have a
>>working package on installation rather than requiring freshclam to
>>run first. Unfortunately it looks like the links to the three files
>>have been removed from https://www.clamav.net/downloads
>> and I would like to get the
>>latest signatures so I can update the package. How can I get hold of
>>the files?
>>Looking at the EPEL Sources, they download from:
>>https://database.clamav.net/main.cvd
>>
>>https://database.clamav.net/daily.cvd
>>
>>https://database.clamav.net/bytecode.cvd
>>
>>But I am being blocked by cloudflare:
>>  Error 1015
>>Ray ID: 6cefeaa67bc1549a • 2022-01-17 13:26:40 UTC
>>You are being rate limited
>>What happened?
>>The owner of this website (database.clamav.net
>>) has banned you temporarily from
>>accessing this website.
>>How can I proceed as I would like to get an updated package built
>>for ClearOS
>>Thanks,
>>Nick


Re: [clamav-users] main.cvd update schedule

2021-12-21 Thread Joel Esler via clamav-users
Correct.  It’s about once a quarter.  However, if you are using FreshClam or 
cvdupdate, (as you should be), those tools will download the correct files when 
the correct files need to be downloaded.



> On Dec 21, 2021, at 3:21 PM, Kris Deugau  wrote:
> 
> Vu, Hong-Duc V. via clamav-users wrote:
>> Hello,
>> How often does the main.cvd file get updated? According to this old post 
>> they have seven changes in two years.
>> https://lists.clamav.net/pipermail/clamav-users/2014-September/000916.html
>> This will help me troubleshoot any issues with my freshclam configuration if 
>> the file isn’t getting updated in a reasonable time frame.
> 
> Recent updates have been "when daily.cvd gets too big", and have been 
> announced on this list as well IIRC.  Check the list archives.
> 
> -kgd
> 


[clamav-users] ClamAV Community, it's been an honor!

2021-12-06 Thread Joel Esler via clamav-users
ClamAV Community, 
 
It has been a great honor to be your community manager for the past 11 years 
or so, through several website transitions, engine upgrades and tens of 
thousands of people joining our community. I’ve decided to move on to a new 
position outside of Cisco. Together we’ve grown the community in spite of some 
very unique situations in our industry. 
 
Don’t worry, you’re in good hands, as day-to-day community 
management will be transitioning to Micah Snyder, effective immediately.  I 
have already transitioned my community manager responsibilities to him, but 
will remain on the mailing lists with my personal email address (this one) and 
I will continue to help out where needed.   
 
Working with you all has been fantastic over the years, and I wish you all 
continued success. 

-- 
Joel Esler
Open Source & Strategy, Cisco Talos Intelligence Group
 
 



Re: [clamav-users] using older clients to download from internal clam proxy

2021-12-02 Thread Joel Esler via clamav-users
Good luck!

> On Dec 2, 2021, at 13:31, novpenguincne via clamav-users 
>  wrote:
> 
> OK. It might be difficult to get the new client to run on the old o/s but 
> I'll see what I can do.
> 
> Thanks for the input!
> 
> James
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On Thursday, December 2nd, 2021 at 12:14 PM, Joel Esler (jesler) 
>  wrote:
> 
>> The oldest version that is currently supported is the 0.101.x line, but that 
>> will be EOL in January. So I would recommend 0.103.x or higher.
>> 
>> —
>> 
>> Sent from my  iPad
>> 
>>> On Dec 2, 2021, at 13:10, novpenguincne via clamav-users 
>>> clamav-users@lists.clamav.net wrote:
>>> 
>>> Thank you for the quick response. So that would lead into the logical next 
>>> question. What would be the earliest client version that would work? I 
>>> tried installing the 103.x client on that box but 103.x requires SystemD 
>>> and this older box is still using SystemV. So is there a version of the 
>>> client that is new enough to accept the new definition files but still old 
>>> enough to install on a SystemV-based o/s?
>>> 
>>> James
>>> 
>>> Sent with ProtonMail Secure Email.
>>> 
>>> ‐‐‐ Original Message ‐‐‐
>>> 
 On Thursday, December 2nd, 2021 at 10:49 AM, Joel Esler (jesler) 
 jes...@cisco.com wrote:
 
 James,
 
 Thanks for your email. ClamAV definitions won’t even work on those older 
 versions anymore. The Flevel for the main.cvd and daily.cvd are now set 
 higher than that, so those systems shouldn’t be able to load the newer 
 definitions.
 
 —
 
 Sent from my  iPad
 
>> On Dec 2, 2021, at 11:08, novpenguincne via clamav-users 
>> clamav-users@lists.clamav.net wrote:
> 
> To facilitate bandwidth issues, I've set up an internal clam proxy server 
> on SLES15 running the 103.x client. I have successfully connected to it 
> using a different SLES15 box also running the 103.x client and downloaded 
> updates to it.
> 
> However, I still have an older SLES11 box running the 98.x client. Due to 
> extenuating circumstances, this box is not a candidate for an o/s 
> upgrade. I also know from CLAM documentation that clients older than 
> 100.x are no longer supported. But I would still like to have some a/v on 
> this box until its retirement so I was trying to have it download from 
> the proxy server as well.
> 
> When I first attempted, it failed because it was trying to download 
> main.cld which didn't exist on the proxy. So I turned off "scripted 
> updates" on both the proxy and the target SLES11 box which is now forcing 
> everything to use cvd files only. But now when I run freshclam on the 
> SLES11 box, I'm getting different errors. It downloads the daily.cvd 
> successfully. Then it tries to load signatures from daily.cvd. And then I 
> get a sequence of errors:
> 
> ERROR: During database Load
> 
> WARNING: [LibClamAV] cli_ac_addsig: Signature for 
> Win.Backdoor.SystemBC-9885562-0 is too short
> 
> ERROR: Failed to load new database: Malformed database
> 
> WARNING: Database load exited with status 55
> 
> ERROR: Failed to load new database
> 
> Do I need to make a change in the freshclam.conf to get this to work? Or 
> is it a matter of the 98.x client unable to read datafiles designed for 
> 103.x clients?
> 
> James
> 
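
Joel's point in this thread, that a definition file carries a minimum functionality level and an engine below it will refuse the file, can be checked before freshclam ever runs by reading the .cvd header; the same header holds the local version that the mirror threads above compare against the version published in DNS. The script below is an added example written for this page, not ClamAV project code (`sigtool --info daily.cvd` is the stock tool for printing a header, and `clamconf` prints the engine's flevel). It assumes the documented CVD header layout and the field order freshclam uses in the current.cvd.clamav.net TXT record (field 1 main, field 2 daily, field 7 bytecode); every sample value is constructed except the daily version 26449 and engine 0.103.5, which come from the freshclam --debug output quoted earlier on the page.

```python
"""Check a local ClamAV database file against the engine that will load it
and against the latest version advertised in DNS.

Added example for this page, not ClamAV project code.  Assumptions (also
marked in comments): the documented 512-byte, space-padded ASCII CVD header
  ClamAV-VDB:<build time>:<version>:<sig count>:<flevel>:<md5>:<dsig>:<builder>:<stime>
and the current.cvd.clamav.net TXT layout freshclam reads, with field 1 = main,
field 2 = daily and field 7 = bytecode.  All sample data below is constructed.
"""
import os
import sys
from dataclasses import dataclass

CVD_HEADER_LEN = 512
TXT_FIELD_INDEX = {"main": 1, "daily": 2, "bytecode": 7}  # assumed TXT field order


@dataclass(frozen=True)
class CvdHeader:
    build_time: str
    version: int
    signatures: int
    flevel: int   # minimum engine functionality level required to load the file
    builder: str


def parse_cvd_header(data: bytes) -> CvdHeader:
    """Parse the fixed header at the start of a .cvd/.cld file."""
    if len(data) < CVD_HEADER_LEN:
        raise ValueError(f"short read: need {CVD_HEADER_LEN} header bytes")
    text = data[:CVD_HEADER_LEN].rstrip(b" \x00").decode("ascii")
    fields = text.split(":", 8)  # nine fields; cap the split so a stray ':' cannot shift them
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    return CvdHeader(build_time=fields[1], version=int(fields[2]),
                     signatures=int(fields[3]), flevel=int(fields[4]), builder=fields[7])


def parse_dns_txt(record: str) -> dict:
    """Map 'engine' and each database name to the version published in DNS."""
    fields = record.strip().strip('"').split(":")   # dig +short wraps the record in quotes
    if len(fields) <= max(TXT_FIELD_INDEX.values()):
        raise ValueError("unexpected TXT record layout")
    versions = {"engine": fields[0]}
    versions.update({name: int(fields[i]) for name, i in TXT_FIELD_INDEX.items()})
    return versions


def assess(local_cvd: bytes, txt_record: str, db_name: str, engine_flevel: int) -> dict:
    """How far the local file lags DNS, and whether this engine can load it at all."""
    header = parse_cvd_header(local_cvd)
    remote = parse_dns_txt(txt_record)
    return {
        "local_version": header.version,
        "remote_version": remote[db_name],
        "behind_by": max(0, remote[db_name] - header.version),
        "required_flevel": header.flevel,
        "loadable": engine_flevel >= header.flevel,
    }


def build_cvd_header(version: int, signatures: int, flevel: int,
                     build_time: str, builder: str) -> bytes:
    """Constructed header for offline use: fake md5/dsig, no signature body."""
    fields = ["ClamAV-VDB", build_time, str(version), str(signatures), str(flevel),
              "0" * 32, "X" * 8, builder, "1644499260"]
    header = ":".join(fields).encode("ascii")
    return header.ljust(CVD_HEADER_LEN, b" ")


# Constructed samples.  Daily 26449 and engine 0.103.5 appear in the freshclam
# --debug output quoted on this page; every other number is made up.
SAMPLE_DAILY = build_cvd_header(26449, 1956271, 90, "10 Feb 2022 08-21 -0500",
                                "sigbuild") + b"\x00" * 64
SAMPLE_TXT = "0.103.5:62:26449:1644507540:1:90:49191:333"


if __name__ == "__main__":
    # usage: cvdcheck.py /var/lib/clamav/daily.cvd <engine flevel> "<TXT record>"
    path, flevel, txt = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(path, "rb") as fh:
        head = fh.read(CVD_HEADER_LEN)
    db_name = os.path.basename(path).split(".")[0]   # daily.cvd -> daily
    print(assess(head, txt, db_name, flevel))
```

Against a real install the third argument is the output of `dig +short TXT current.cvd.clamav.net`, and the flevel is the "Engine flevel" value clamconf prints for the host that will load the file. A result with `loadable` false is the situation in this thread: the header's required flevel is above what the old engine offers, so no freshclam.conf change on the client can make it load, only an engine upgrade.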