Re: [clamav-users] Clamav and auto updating

2024-07-30 Thread Maarten Broekman via clamav-users
Your best bet would be to have freshclam running on one machine and have the rest use the Ansible playbook to pull from that “freshclam machine”. Or, if you want to keep it all Ansible, have the playbook pull the definitions via freshclam on one machine and then copy to all the others. -Maart

Re: [clamav-users] Unix.Malware.Kaiji-10003916-0

2023-06-08 Thread Maarten Broekman via clamav-users
> So how does Kaiji-10003917-0 to Kaiji-10003916-0 ? Does > Kaiji-10003916-0 get thrown out, or does it get updated to > Kaiji-10003917-0 ? The way it was explained to me (years ago) is that they are separate signatures, unrelated except in that they are related to Kaiji. If 10003916-0 was upd

Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables

2022-08-03 Thread Maarten Broekman via clamav-users
> > 6b8627f0b1327ffee606314125862e27 node-v18.7.0-darwin-arm64/bin/node > > so I wonder what's up there. As it isn't the same file that you have > I didn't bother to scan it, but see below for 'strings' etc. > > On Tue, 2 Aug 2022, Maarten Broekm

Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables

2022-08-02 Thread Maarten Broekman via clamav-users
That's the only thing I can think of. I had node 18.6.0 and I'm running ClamAV 0.105.0. That detected the node binary as having the same virus. However, when I upload and scan the binary with VirusTotal, their install of ClamAV does not detect it. Similarly, after I upgraded to node 18.7.0, my loc

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread Maarten Broekman via clamav-users
is sender, while keeping PUA > checks still enabled for other cases. > > In the past I've not had great success searching entirely on my own. > > joe a. > > On 7/15/2022 4:34 PM, Maarten Broekman via clamav-users wrote: > > A "PUA" is a "potentially

Re: [clamav-users] PUA detected. False Positive?

2022-07-15 Thread Maarten Broekman via clamav-users
A "PUA" is a "potentially unwanted application", not necessarily malicious. You can disable PUA checks by ensuring that your clamd configuration has "DetectPUA" set to no. For reference, the signature is looking for bitwise math on CharCodeAt() operations in HTML files. VIRUS NAME: PUA.Win.Trojan

Re: [clamav-users] Permanently banned from clamav

2022-07-02 Thread Maarten Broekman via clamav-users
Downloading the entire databases unnecessarily (using web browsers, etc) is banned because it results in higher volumes of data transfer which, in turn, costs more money. As such, using things other than freshclam or cvdupdate were explicitly banned. There’s not much else to say. Maarten

Re: [clamav-users] Clamav found in php files Archive.Test.Agent2-9953724-0

2022-06-24 Thread Maarten Broekman via clamav-users
It's 100% a bad signature and should get removed. I just checked the current version of the akismet plugin ( https://wordpress.org/plugins/akismet/) from WordPress and it is detected by this signature but by nothing else: https://virusscan.jotti.org/en-US/filescanjob/00ecsxf7es https://www.virusto

Re: [clamav-users] Clamav found in php files Archive.Test.Agent2-9953724-0

2022-06-24 Thread Maarten Broekman via clamav-users
This is a new signature that was added today. It's rather complicated and, with the "Test" in the name, I'm not sure it's meant to be published. We'll have to wait to hear from the ClamAV folks on that matter, but you can submit it as a false positive (for those Wordpress zips) using the False posi

Re: [clamav-users] FreshClam received error code 429 from the ClamAV Content Delivery Network (CDN).

2022-06-22 Thread Maarten Broekman via clamav-users
What version of ClamAV are you using? What do the logs show? If you are before 0.103, then your version is too old. https://docs.clamav.net/faq/faq-eol.html Maarten Sent from a tiny keyboard > On Jun 22, 2022, at 05:08, Kachare, Ganesh, Vodafone (External) via > clamav-users wrote: > > > >

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread Maarten Broekman via clamav-users
https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format There are examples of the wdb format a bit lower on the page. Essentially, you would create a file "good_urls.wdb" in the same directory as the existing ClamAV database files and put in an appropriate line to handle the domains t

Re: [clamav-users] On access scanning causes system lockup with certain directories

2022-04-13 Thread Maarten Broekman via clamav-users
I'm not sure if this IS the answer, but my guess would be that ClamAV needs to access files in /usr/lib64... And it has to scan (and come back with an OK result) before access is allowed... resulting in scans being blocked which, in turn, results in ALL processes being blocked while waiting on the

Re: [clamav-users] why is clamscan excluding home directory ?

2022-04-08 Thread Maarten Broekman via clamav-users
rting at / and recursing so it should get to /home, see it is still > on the same filesystem and scan it. > > No ? > > > On Friday, 8 April 2022, 19:02:42 BST, Maarten Broekman < > maarten.broek...@gmail.com> wrote: > > > As Ged pointed out, the fact that /hom

Re: [clamav-users] why is clamscan excluding home directory ?

2022-04-08 Thread Maarten Broekman via clamav-users
As Ged pointed out, the fact that /home is mounted as a separate mount-point (even though it's the same device), leads the system to see them as different filesystems (you can umount /home without umount'ing /) As a result, your use of cross-fs=no tells clamscan to not cross filesystem boundaries

Re: [clamav-users] Virus not detected

2022-03-21 Thread Maarten Broekman via clamav-users
The accepted way would be to supply a link to the VirusTotal scan that didn't detect it. --Maarten On Mon, Mar 21, 2022 at 4:36 PM Jorge Bastos wrote: > It's just the link :P > How would you be able to test then? ;) > > ok won't send again.. but the default virus db doesn't seems to be > enough

Re: [clamav-users] Amazon/SpoofedDomain FP

2022-03-17 Thread Maarten Broekman via clamav-users
That's indicating that there is a link in the email that's displaying " www.americanexpress.com" but is actually going to "www.amazonbusiness.com". It's hard to help without seeing the original email code. On Thu, Mar 17, 2022 at 12:55 PM Alex via clamav-users < clamav-users@lists.clamav.net> wrot

Re: [clamav-users] human friendly signatures

2022-03-15 Thread Maarten Broekman via clamav-users
On Tue, Mar 15, 2022 at 1:53 PM G.W. Haywood via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi there, > > On Tue, 15 Mar 2022, Laurent S. via clamav-users wrote: > >> using Yara's engine in clamav directly is something that has been > >> brought up time and again. It is possible. My un

Re: [clamav-users] Prevent root users from running infected files

2022-03-13 Thread Maarten Broekman via clamav-users
1. You’re excluding root in the config so you won’t be able to prevent root from accessing malicious files. 1A. You shouldn’t run clamd as root. Run it as another user (like “clamav” or “clamd”). 2. You are limiting it to only scan files in /home on-access. 2A. You would likely want it to scan the enti

Re: [clamav-users] Virus database not updated since 14th July 2021

2022-03-08 Thread Maarten Broekman via clamav-users
What version of ClamAV are you using? July of last year sounds about when EOL versions of ClamAV were blocked wholesale and the 'acceptable version' was moved up and all prior versions were blocked. EOL has moved several times since then as well. Currently, the current stable version 0.104 and I do

Re: [clamav-users] SSL Authentication Error

2022-03-07 Thread Maarten Broekman via clamav-users
I would double-check to make sure python3 is using the correct CA bundle. On recent python3 versions, that should be the certifi bundle. $ which python3 /opt/homebrew/bin/python3 $ /opt/homebrew/bin/python3 --version Python 3.9.10 $ python3 -m certifi /opt/homebrew/lib/python3.9/site-packages/certi

Re: [clamav-users] Minor bug or working as intended?

2022-02-25 Thread Maarten Broekman via clamav-users
There's not a lot that you can do in Yara rules that you can't do in LDB sigs... for what it's worth, here's a logical sig that detects the same thing as the Yara rules... mbroekman@lothlorien:~$ grep MJB.JS.SendEmail clamdb/javascript_sigs.ldb| sigtool --decode-sigs VIRUS NAME: MJB.JS.SendEmailFu

Re: [clamav-users] Malware found on datadog folder in centos. Is it false-positive?

2022-01-31 Thread Maarten Broekman via clamav-users
Looks like the signature was dropped already because sigtool doesn't find it anymore after I updated the databases through freshclam. --Maarten On Mon, Jan 31, 2022 at 7:58 AM Al Varnell via clamav-users < clamav-users@lists.clamav.net> wrote: > Well yes, the fact that it was the only scanner wo

Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

2022-01-17 Thread Maarten Broekman via clamav-users
On Mon, Jan 17, 2022 at 9:53 AM Andrew C Aitchison via clamav-users < clamav-users@lists.clamav.net> wrote: > On Mon, 17 Jan 2022, Nick Howitt via clamav-users wrote: > > > - not > > have to install some uncommon download package and then download them. > That > > is making people jump through unn

Re: [clamav-users] Where can I download daily.cvd, bytecode.cvd and main.cvd from?

2022-01-17 Thread Maarten Broekman via clamav-users
Running freshclam after the package is installed should pull any/all of the files that are missing. That is probably the best way to do it. --Maarten On Mon, Jan 17, 2022 at 8:32 AM Nick Howitt via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi, > I am trying to package ClamAV 0.103.5

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

2021-11-24 Thread Maarten Broekman via clamav-users
I've opened https://github.com/Cisco-Talos/clamav/issues/389 for this issue. The issue *shouldn't* be causing problems with scanning (it wasn't causing a problem for me), but if it is please add a comment to the issue to that effect. --Maarten On Wed, Nov 24, 2021 at 11:19 AM M

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

2021-11-24 Thread Maarten Broekman via clamav-users
On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman < maarten.broek...@gmail.com> wrote: > > > On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users < > clamav-users@lists.clamav.net> wrote: > >> * Arnaud Jacques via clamav-users : >&g

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

2021-11-24 Thread Maarten Broekman via clamav-users
On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users < clamav-users@lists.clamav.net> wrote: > * Arnaud Jacques via clamav-users : > > Is it just me, or? > > Same here: > > # clamdscan -V > ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021 > > # sigtool -l|tail > Doc.Malware.Valyria-6923

Re: [clamav-users] Nonsensical noreplies from ClamAV team

2021-11-18 Thread Maarten Broekman via clamav-users
"If you provided a description that suggests otherwise..." is a past tense conditional referring to the form submission. That phrase is the equivalent to this longer "If you put information in the description that suggests the sample is not clean..." On Thu, Nov 18, 2021 at 2:27 PM G.W. Haywood v

Re: [clamav-users] clamav DOA

2021-11-18 Thread Maarten Broekman via clamav-users
Cody, it looks like you’re running ClamAV 0.101.2. That version is too old. If you upgrade to 0.103.4, you should be able to start downloading the db files again. What kind of system are you on? Is ClamAV prepackaged for you or did you build from source? -Maarten Sent from a tiny keyboard >

Re: [clamav-users] Solaris users in a bind

2021-11-06 Thread Maarten Broekman via clamav-users
All versions of ClamAV prior to 0.103 are essentially EOL at this point. The only options for Solaris 10 are likely to build from source, along with all the prerequisites. --Maarten On Sat, Nov 6, 2021 at 7:54 AM Sunhux G via clamav-users < clamav-users@lists.clamav.net> wrote: > > We're still o

Re: [clamav-users] Netapp hidden files

2021-10-05 Thread Maarten Broekman via clamav-users
Hi Jeff, You would want to add those .snapshot paths to "ExcludePath" directives in your clamd.conf file for clamd / clamdscan or use the "--exclude-dir" option for clamscan. You'll probably want to write a wrapper script for clamscan to build up the list of .snapshot directories to ignore at t

Re: [clamav-users] ClamAV is not respecting Phishing* settings.

2021-09-23 Thread Maarten Broekman via clamav-users
To further Ged's point, these signatures that are hitting are extended logical signatures. Phishing signatures have a very specific format that are either solely looking at hostnames, host prefixes, link destinations and alternate text, and displayed hostnames ( https://docs.clamav.net/manual/Signa

Re: [clamav-users] Why does clamonacc says /var/www does not exist (among other things)?

2021-09-09 Thread Maarten Broekman via clamav-users
It depends on the OS, but if you have something like AppArmor or GrSecurity, you may need to grant the appropriate permissions there to allow access even for root. --Maarten On Thu, Sep 9, 2021 at 2:34 PM Micah Snyder (micasnyd) via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi! > >

Re: [clamav-users] Mac OS Big Sur on M1

2021-09-01 Thread Maarten Broekman via clamav-users
Use homebrew unless you absolutely need the release candidate version. I installed ClamAV 0.103.3 via homebrew on my M1 Mac and it runs pretty well. On Wed, Sep 1, 2021 at 3:33 PM Vaughn A. Hart wrote: > Hi Folks, > > So I figured out the issue. It looks like during the install/upgrade that > n

Re: [clamav-users] Php.Trojan.MSShellcode-81 FOUND on MS IIS log file?

2021-07-12 Thread Maarten Broekman via clamav-users
In all likelihood, it means that a GET or POST payload contained the signature. Whether or not the request containing the signature was successful in injecting it into your site is a question that only you will be able to answer. You can use sigtool to find the signature and again to decode the si

Re: [clamav-users] LibClamAV Warning: PNG: Unexpected early end-of-file

2021-04-05 Thread Maarten Broekman via clamav-users
While verbose (-v) is helpful in some cases, you probably want to use the debug option to get the large volume of LibClamAV messages. I find debug is far more useful than verbose most times. Maarten Sent from a tiny keyboard > On Apr 5, 2021, at 04:17, Vivek Patil via clamav-users > wrote: >

Re: [clamav-users] Failed to update virus definitions

2021-04-02 Thread Maarten Broekman via clamav-users
Chances are you are using a version of ClamAV older than 0.100 and/or using wget/curl to get the updates rather than using the approved methods (freshclam / cvdupdate). https://www.clamav.net/documents/end-of-life-policy-eol https://www.clamav.net/documents/freshclam-faq Additionally, there are m

Re: [clamav-users] How to decode virus signature

2020-09-10 Thread Maarten Broekman via clamav-users
You can pipe that to sigtool --decode-sigs to see what it is. What I usually use is: $ sigtool --find-sigs BAD_RULE | awk '{ print $NF }' | sigtool --decode-sigs On Thu, Sep 10, 2020 at 9:55 PM Olivier via clamav-users < clamav-users@lists.clamav.net> wrote: > Hi, > > I have a virus signature th

Re: [clamav-users] Multiple Clam Daemons on a single system

2020-03-05 Thread Maarten Broekman via clamav-users
> On Mar 5, 2020, at 05:09, Ashish Poddar via clamav-users > wrote: > > > > Hi all, > > We have a situation where we run a clamav daemon to scan files on a system. > However, in the process, we only use about 10% CPU in the system. We would > naturally like to increase this number. We were

[clamav-users] FP: Doc.Downloader.Emotet-7196349-0

2020-02-05 Thread Maarten Broekman via clamav-users
This signature is hitting false positives. It seems to be a relatively old signature, but the subsignatures seem to be rather generic so it's difficult to know why this is supposed to be malicious. VIRUS NAME: Doc.Downloader.Emotet-7196349-0 TDB: Engine:51-255,Target:2 LOGICAL EXPRESSION: 0&1&2&3&

Re: [clamav-users] Use of clamav-daemon.socket? (0.102.0)

2019-11-14 Thread Maarten Broekman via clamav-users
For my install, I had multiple instances of clamd running (in order to have different databases loaded for different purposes) and the systemd sockets were throwing errors about other processes using them, which in turn caused the additional instances of clamd service units to fail. However, the cl

Re: [clamav-users] Html.Malware.Agent-7380889-0 false positive on Apache files?

2019-11-12 Thread Maarten Broekman via clamav-users
That's a hash signature. My guess is that there's a 315-byte file inside the jar that was marked. The 2.4 version of fop has a 315-byte class file (PDFColorSpace.class) in it with a different MD5 hash. You might want to unpack the fop.jar and see if any of the files there match. Chances are some piec

Re: [clamav-users] ClamAV: Local Private Mirror

2019-07-30 Thread Maarten Broekman via clamav-users
I'd have to agree. Bandwidth is the least of the concern. Control is paramount. On Tue, Jul 30, 2019 at 7:26 AM Henrik K wrote: > > Control. Is it really necessary to go over basic IT management practises > here? > > On Tue, Jul 30, 2019 at 05:13:50PM +, Joel Esler (jesler) via > clamav-user

Re: [clamav-users] Problems scanning for PUAs

2019-05-30 Thread Maarten Broekman via clamav-users
I think the PUA versions are just potentially unwanted things that exhibit trojan-like behavior but aren't confirmed trojans. As for the original question, it looks like it's only using the first part of that to determine the group of PUAs to ignore. These are the 'PUA' families (and associated si

[clamav-users] Filetype determination

2019-04-26 Thread Maarten Broekman via clamav-users
One problem that we're running into is that we encounter web pages and cgi scripts that are "inconsistently" normalized. I put "inconsistently" in quotes because without fully knowing the way ClamAV normalizes files, it is sometimes difficult to understand why two similar files might be normalized

Re: [clamav-users] [External] Re: Scan very slow

2019-04-17 Thread Maarten Broekman via clamav-users
7:03 AM Al Varnell via clamav-users < clamav-users@lists.clamav.net> wrote: > There are still 2515 "Phish.Phishing.REPHISH_ID_" signatures in > daily.ldb > > -Al- > > On Apr 17, 2019, at 03:36, Maarten Broekman > wrote: > > Are the "Phish&quo

Re: [clamav-users] [External] Re: Scan very slow

2019-04-17 Thread Maarten Broekman via clamav-users
Are the "Phish" REPHISH signatures still in the daily or were they removed as well? Those were causing part of the issue. --Maarten On Wed, Apr 17, 2019 at 5:24 AM Al Varnell via clamav-users < clamav-users@lists.clamav.net> wrote: > An additional 3968 Phishtank.Phishing.PHISH_ID_??? signat

Re: [clamav-users] [External] Re: Scan very slow

2019-04-09 Thread Maarten Broekman via clamav-users
et type 0, > whereas we’d split the Phishtank.Phishing signatures up by target type to > reduce scan times of files where the signatures won’t apply. It should > also speed things up quite a bit for other file types to split those up by > Target types. > > > > Further research

Re: [clamav-users] [External] Re: Scan very slow

2019-04-09 Thread Maarten Broekman via clamav-users
Clearly the latest daily.cvd is performing better, but the remaining "Phishtank" sigs are *not* a majority of the slowness. I unpacked the current (?) cvd (ClamAV-VDB:09 Apr 2019 03-53 -0400:25414:1548262:63:X:X:raynman:1554796413) and then ran a test scan with each part to see what the load times

Re: [clamav-users] [External] Re: Scan very slow

2019-04-07 Thread Maarten Broekman via clamav-users
Having the Phishtank sigs as an additional optional database would be great and, from my perspective, well worth the effort since we don't use them. On Sun, Apr 7, 2019 at 9:44 AM Micah Snyder (micasnyd) via clamav-users < clamav-users@lists.clamav.net> wrote: > Tim, > > > > There are a couple of

Re: [clamav-users] [External] Re: Scan very slow

2019-04-06 Thread Maarten Broekman via clamav-users
Given that the PhishTank signatures, specifically, have been causing the performance issues, no. It's not unreasonable to want to pull them, and only them, out. Having them in a separate db file would be highly beneficial to those of us that don't want or need them at all. Barring that, having a co

Re: [clamav-users] Scan very slow

2019-03-18 Thread Maarten Broekman via clamav-users
ime) is unclear. --Maarten Broekman Full scans without the daily cvd/cld: Scan time ~60seconds Full scans with the daily from March 11th: Scan time: 84seconds Full scans with the daily from March 17th: Scan time: 109seconds ~/clamav# ls -larth /tmp/clamdtest*/daily.cld -rw-r--r-- 1 clamav clamav

Re: [clamav-users] Problem with new safebrowsing file

2019-03-06 Thread Maarten Broekman via clamav-users
google > MD5: 70c61f41e52b5a2134ff7e272f5a6df1 > > SHA256 (safebrowsing.gdb) = > 7f6645b8d865de3992be1ad5de215afd848acee4c021eed4818fdb760f76b57e > > Something must be different. > > Dave R. > > On Wed, Mar 6, 2019 at 5:39 PM Maarten Broekman via clamav-users < > clamav-users@lists.clamav.net> wrote: > >> The

[clamav-users] Problem with new safebrowsing file

2019-03-06 Thread Maarten Broekman via clamav-users
The new safebrowsing cvd (starting with version 48473) seems to be sorted in a way that increases the load time of that file by several orders of magnitude. I have a previous version from February where the entries in the gdb section are sorted like this: S2:F:917787cff7b0993917209809ff3d94be

Re: [clamav-users] Problem with freshclam updating daily-25380.cdiff

2019-03-06 Thread Maarten Broekman via clamav-users
te: > Maarten, > > Thanks for reporting that. There is an ordering difference of the content > in the latest GDB file which is affecting the load time, and we will be > fixing that in the next safebrowsing CVD version. > > Dave R. > > On Wed, Mar 6, 2019 at 10:42 AM Maa

Re: [clamav-users] Problem with freshclam updating daily-25380.cdiff

2019-03-06 Thread Maarten Broekman via clamav-users
I'm not sure if the safebrowsing.cld is included in the daily cdiff, but the current safebrowsing.cld takes between 50 and 70 seconds to *load* into clamscan, where a copy from February loads in <5 seconds. safebrowsing data: Old (fast): ClamAV-VDB:13 Feb 2019 13-16 -0500:48472:3041760:63:X:X:goo

Re: [clamav-users] Mailing list DMARC problem

2018-10-31 Thread Maarten Broekman
Or, I don't know, recipients that are enforcing DMARC could simply follow the steps from the previous section. The mailing list doesn't own the messages sent to it (we don't see "From: clamav-users"). Recipients should whitelist the mailing list per: https://dmarc.org/wiki/FAQ#Is_there_special_han

Re: [clamav-users] ERROR 403: Forbidden

2018-08-28 Thread Maarten Broekman
Forbidden > 2018-08-28 13:37:49 ERROR 403: Forbidden. > > > ------ > *From:* clamav-users on behalf of > Maarten Broekman > *Sent:* 28 August 2018 13:16 > *To:* ClamAV users ML > *Subject:* Re: [clamav-users] ERROR 403: Forbidden > > Gotcha. Yeah, the error is

Re: [clamav-users] ERROR 403: Forbidden

2018-08-28 Thread Maarten Broekman
nt error/response as I'm having to use the normal update method > to ensure it uses the correct IP) > > > > ------ > *From:* clamav-users on behalf of > Maarten Broekman > *Sent:* 28 August 2018 11:24 > *To:* ClamAV users ML > *Subject:*

Re: [clamav-users] ERROR 403: Forbidden

2018-08-28 Thread Maarten Broekman
> On Aug 28, 2018, at 06:17, Jon Roberts wrote: > > From the troubled server: > > wget http://database.clamav.net/main-55.cdiff > --2018-08-28 11:14:43-- http://database.clamav.net/main-55.cdiff > Resolving database.clamav.net... 104.16.189.138, 104.16.187.138, > 104.16.188.138, ... > Connect

Re: [clamav-users] Help With clamscan vs clamdscan

2018-08-20 Thread Maarten Broekman
Yep. That's fine. /tmp or /var/tmp (or /run) is usually where it goes anyway. Welcome to the ClamAV club :) On Mon, Aug 20, 2018 at 7:45 PM Michael Newman wrote: > > On Aug 20, 2018, at 23:00, *Maarten Broekman* wrote: > > > For clamdscan to work you need to enable Loc

Re: [clamav-users] Help With clamscan vs clamdscan

2018-08-20 Thread Maarten Broekman
For clamdscan to work you need to enable LocalSocket at the very least. On Mon, Aug 20, 2018 at 5:32 PM Michael Newman wrote: > > On Aug 20, 2018, at 23:00, Al Varnell wrote: > > > Please post the results of the following Terminal Command: > > sudo clamconf > > > MrMuscle:~ mnewman$ sudo clamc

Re: [clamav-users] Help With clamscan vs clamdscan

2018-08-20 Thread Maarten Broekman
Check the logs and config files. Clamscan loads the databases itself before running. It does not need clamd to be running in order to work. Clamdscan attempts to use a socket to talk with clamd for the scanning of files. If there is an error, one of two things is happening: Either the permission

Re: [clamav-users] Same file, different signatures detected

2018-08-07 Thread Maarten Broekman
JAR files can be unpacked like tarballs so it is likely that there is a common file in each that matches those hashes. Maarten Sent from a tiny keyboard > On Aug 7, 2018, at 04:54, Albrecht, Peter wrote: > > Hi, > >> I don't see how that is even remotely possible. They are three completely >

Re: [clamav-users] Is there any documentation on what signatures mean?

2018-06-28 Thread Maarten Broekman
hat signature is defined, ie. what content > it considers malicious. > > In order to decide on an appropriate course of action I'd like to know > what the perceived threat is, ie. *why* someone thought that a file > matching that particular signature would be malicious. > Th

Re: [clamav-users] Is there any documentation on what signatures mean?

2018-06-28 Thread Maarten Broekman
Answered. TL;DR: Use sigtool to find and decode the signature. Sent from a tiny keyboard > On Jun 28, 2018, at 06:57, Nikita Yerenkov-Scott > wrote: > > Hello, > > A question on this matter exists on this Linux site: > https://askubuntu.com/questions/571342/clamav-virus-detections-documentat

Re: [clamav-users] FW:

2018-04-25 Thread Maarten Broekman
ClamAV can scan any type of file. That said, it can unpack certain kinds of archives and scan the files inside. Also, ClamAV signatures can be written for specific kinds of files (PE files, text, etc) and they will only be used for those types. I haven’t tried increasing the size beyond that so

Re: [clamav-users] ping database.clamav.net

2018-03-29 Thread Maarten Broekman
29, 2018 at 8:10 AM, Régis Houssin wrote: > yes but for this IP this is not a clamav website ! > > dev.lepartidegauche.fr (178.33.105.132) > > > thank you > > > On 29/03/2018 at 13:11, Maarten Broekman wrote: > > Régis, > > This is a feature of DNS wh

Re: [clamav-users] Clamav Definitions vs. Devel-Clamav Definitions

2018-03-29 Thread Maarten Broekman
only found the standard signature set. > > Also - in case I do get a hold of extra signatures - would I have to merge > them into the existing definition set or simply run these in a separate > scan ? > > Thanks. > > Peter > > > On Thu, Mar 29, 2018 at 4:04 AM, Maa

Re: [clamav-users] ping database.clamav.net

2018-03-29 Thread Maarten Broekman
Régis, This is a feature of DNS where a name can resolve to multiple IPs for load balancing and resiliency. Depending on what serves ‘database.clamav.net’ it may just be a round-robin response or it may resolve to an IP based on which one is responding faster to requests or simply which one ha

Re: [clamav-users] Clamav Definitions vs. Devel-Clamav Definitions

2018-03-29 Thread Maarten Broekman
Hi Peter, Given the name of that virus, I would guess that your hosting provider is using some extra virus definitions that aren’t part of the standard ClamAV distribution. It doesn’t have to do with the engine in this case. You should get in touch with them about that. Maarten Broekman

Re: [clamav-users] Question regarding SIGUSR2 and clamd

2018-03-22 Thread Maarten Broekman
You might be able to open the socket that clamd is listening on and attempt to ping it. I forget if it replies with PONG while it's in the middle of reloading. It's been a while since I tried to do that. On Thu, Mar 22, 2018 at 6:40 AM, Ralf Hildebrandt < ralf.hildebra...@charite.de> wrote: > O

Re: [clamav-users] ClamAV performance overhead on RHEL & Solaris

2018-03-17 Thread Maarten Broekman
fter the swap, the memory for the old signatures > would be released by the loader thread. This would take more memory > during signature update, but it might be a worthwhile option. > > > On Sat, 17 Mar 2018 17:17:17 -0400 > Maarten Broekman wrote: > >> Some considerati

Re: [clamav-users] ClamAV performance overhead on RHEL & Solaris

2018-03-17 Thread Maarten Broekman
Some considerations: - the longest “delay” will occur when reloading signature databases. If reducing the delay is important, run multiple instances with smaller signatures in each. ESPECIALLY if you’re going to write your own story signatures or use databases that change often. - scanning

Re: [clamav-users] Recommended workstation usage?

2017-12-20 Thread Maarten Broekman
There are far more than 31 signatures that have the potential to impact Linux systems. There are, in truth, over 23,000 signatures that are able to detect malware on Linux and Unix systems. Most "Linux" signatures only contain the word Unix, however. Additionally, keep in mind that these are only f

[clamav-users] Massive amount of false positives on Html.Trojan.Iframe-6390207-0 / Html.Trojan.Iframe-6390207-0

2017-12-06 Thread Maarten Broekman
VIRUS NAME: Html.Trojan.Iframe-6390207-0 TDB: Engine:51-255,FileSize:16384-65536,Target:3 LOGICAL EXPRESSION: 0 * SUBSIG ID 0 +-> OFFSET: ANY +-> SIGMOD: NONE +-> DECODED SUBSIGNATURE:

Re: [clamav-users] Unable to download database

2017-08-23 Thread Maarten Broekman
204.130.133.50 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms *--- 207.57.106.31 ping statistics ---* *1 packets transmitted, 0 received, 100% packet loss, time 0ms* On Wed, Aug 23, 2017 at 1:26 PM, Maarten Broekman < maarten.broek...@gmail.com> wrote: >

Re: [clamav-users] Unable to download database

2017-08-23 Thread Maarten Broekman
For me, 3 of the 5 db.local.clamav.net addresses have 100% packet loss: $ host db.local.clamav.net db.local.clamav.net is an alias for db.us.rr.clamav.net. db.us.rr.clamav.net has address 200.236.31.1 db.us.rr.clamav.net has address 208.72.56.53 db.us.rr.clamav.net has address 69.12.162.28 db.us.r

Re: [clamav-users] ClamAV md5 hash DB

2017-07-12 Thread Maarten Broekman
Sorry for the double reply... You can also use sigtool --find-sigs to find the signature that it's reporting and isolate it. On Wed, Jul 12, 2017 at 8:59 AM, Maarten Broekman < maarten.broek...@gmail.com> wrote: > If the tarball doesn't match the MD5 hash then it's lik

Re: [clamav-users] ClamAV md5 hash DB

2017-07-12 Thread Maarten Broekman
If the tarball doesn't match the MD5 hash then it's likely that a file within the tarball matches the malicious MD5. ClamAV looks at all the files within tarballs and zip files individually as well as the tarball as a whole. --Maarten On Wed, Jul 12, 2017 at 8:44 AM, Srinivasreddy R < srinivasred

Re: [clamav-users] Auto Scan any plugged in usb storage device with ClamAV

2017-07-10 Thread Maarten Broekman
The functionality to do it on OS X is OS X related, not ClamAV related. Your best option would be to ask around on Mac OS X developer forums. On Mon, Jul 10, 2017 at 6:07 AM, crazy thinker wrote: > I want to do it on terminal. Could you explain core logic that would > be used in this featur

Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Maarten Broekman
Crazy, the 'users' mailing list is what you are sending these questions to. You keep addressing this list as 'developers'. There is a separate mailing list where developers who write the internals of ClamAV talk. That is the appropriate forum for ALL of your questions. You really haven't had a s

Re: [clamav-users] Question about ClamAV

2017-05-11 Thread Maarten Broekman
Your understanding of scanning techniques is flawed at best (I believe this has been pointed out multiple times). Both techniques have issues with false positive and false negative matches. The only significant difference is how they perform against unknown threats. In that regard, heuristic scanni

[clamav-users] Using 'allmatch' with streams

2016-12-07 Thread Maarten Broekman
Is anyone able to speak to whether allowing 'allmatch' to work with streams is on the map? 'allmatch' was one of the features that I was really looking forward to, but the fact that it doesn't work when you are scanning streams is a major letdown. --Maarten

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-22 Thread Maarten Broekman
I am seeing these mostly on files that comprise the OpenLayers library in phpMyAdmin 4. On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) wrote: > Mark, > > Thanks for the feedback, you are right, I am experiencing some high counts > in the Txt.Malware.Agent family. > > I’ve disabled this eng

Re: [clamav-users] How to trick clamav

2016-09-19 Thread Maarten Broekman
You would probably want to set up a private mirror on your laptop and then use that to sync your desktop. That way you can update your laptop whenever you want and when you're connected to you home network, you can update your desktop. https://www.clamav.net/documents/private-local-mirrors --Maa

Re: [clamav-users] False positives submitted but still viewed as viruses

2016-02-08 Thread Maarten Broekman
If you don't want to wait, you can also whitelist the files in your own database files. Run either of the following: sigtool --sha256 sigtool --md5 Put the output into a '.fp' file in your db directory and that should whitelist that specific file so it's not reported. --Maarten On Mon, F
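An added example of the allow-listing step described in this reply (example code, not Maarten's or the project's): produce the `Hash:FileSize:Name` record that `sigtool --md5` / `sigtool --sha256` print for a file, and check a record against file contents before dropping it into the database directory. The file content `SAMPLE` and the entry name `Local.Allow.Tool` are constructed placeholders. One detail worth knowing: ClamAV keeps MD5 false-positive entries in a `.fp` file and SHA1/SHA256 entries in a `.sfp` file, so the two hashes go to different files.

```python
import hashlib
import os

# Constructed stand-in for the file that was reported as a false positive.
SAMPLE = b"#!/bin/sh\necho 'benign tool flagged by a signature'\n"

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_line(data, name, algo):
    """Same shape as sigtool --md5 / --sha256 output: Hash:FileSize:Name."""
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def allowlist_entries(data, name):
    """.fp holds MD5 records, .sfp holds SHA1/SHA256 records."""
    return {
        "local.fp": hash_line(data, name, "md5"),
        "local.sfp": hash_line(data, name, "sha256"),
    }


def matches_entry(line, data):
    """True if a .fp/.sfp record describes exactly these bytes (hash and size)."""
    digest, size, _name = line.split(":", 2)
    algo = ALGO_BY_LEN.get(len(digest))
    if algo is None or int(size) != len(data):
        return False
    return hashlib.new(algo, data).hexdigest() == digest.lower()


def write_allowlist(db_dir, entries):
    """Append each record to its file under db_dir and return the paths written."""
    paths = []
    for fname, line in entries.items():
        path = os.path.join(db_dir, fname)
        with open(path, "a", encoding="ascii") as fh:
            fh.write(line + "\n")
        paths.append(path)
    return paths
```

After writing the records, re-scan the file with `clamscan` pointed at the same database directory; if it still alerts, the bytes on disk differ from what was hashed (a rebuilt package, a CRLF conversion), which `matches_entry` will show before you go looking elsewhere.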

Re: [clamav-users] Hint for creating signatures

2014-09-08 Thread Maarten Broekman
-- Maarten Broekman, Endurance International Group, vDeck Senior Linux Systems Administrator / PCI ISA

Re: [clamav-users] How can I run clamdscan as a standard user?

2013-12-03 Thread Maarten Broekman
What are the permissions on the clamd socket file? You might also try setting up clamd to listen on an IP/port and connect to it that way if the unix socket doesn't work. --Maarten On 12/3/13, 10:23 AM, "mcmurchy1917-cla...@yahoo.co.uk" wrote: >Hello Henri > >Results below - > >ls -la nw1700.

Re: [clamav-users] LibClamAV Warnings

2012-11-16 Thread Maarten Broekman
> Try now? > > On Fri, Nov 16, 2012 at 11:41 AM, Maarten Broekman > wrote: > > I have a bugzilla account but I don't have the right permissions to > > see that bug. > > You are not authorized to access bug #6139. > > > > --Maar

Re: [clamav-users] LibClamAV Warnings

2012-11-16 Thread Maarten Broekman
bugzilla account, you can zip it > up, password protect it and then send it to me. > > Matt > > On Fri, Nov 16, 2012 at 11:30 AM, Maarten Broekman > wrote: > > Yep. I have a .js file that triggers the Bytecode 37 error. I've > > filed a bug against th

Re: [clamav-users] LibClamAV Warnings

2012-11-16 Thread Maarten Broekman
do you have a sample that triggers > this behavior? > > Matt > > On Fri, Nov 16, 2012 at 11:04 AM, Maarten Broekman > wrote: > >> -Original Message- > >> LibClamAV Warning: Bytecode run timed out in interpreter after > 765000 > >> opcodes

Re: [clamav-users] LibClamAV Warnings

2012-11-16 Thread Maarten Broekman
> -Original Message- > LibClamAV Warning: Bytecode run timed out in interpreter after 765000 > opcodes LibClamAV Warning: Bytcode 16 failed to run: Unknown error code > LibClamAV Warning: Bytecode runtime error at line 95, col 13 LibClamAV > Error: Opcode 45 of type 0 is not implemented yet

Re: [clamav-users] Deep scanning of image files

2012-10-23 Thread Maarten Broekman
> Maarten, can you help us track this by adding a bug at > https://bugzilla.clamav.net/? > > Thanks, > > Matt Done. Bug 5978. Thanks, Maarten > > On Tue, Oct 23, 2012 at 2:18 PM, Maarten Broekman > wrote: > > One thing I'm seeing more and more of is mal

[clamav-users] Deep scanning of image files

2012-10-23 Thread Maarten Broekman
One thing I'm seeing more and more of is malware code (be it PHP or ASP) embedded after GIF headers. ClamAV sees the GIF header and treats it like an image (properly), but then ClamAV sees an HTML signature later in the file. However, it doesn't do any normalization on that HTML data. Would it b
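An added example of the file layout this message describes (example code, not Maarten's or ClamAV's): a small check that treats anything starting with a GIF header as an image, as the engine does, but then normalizes the bytes after the header (lower-case, collapsed whitespace) and looks for script open tags in that tail. The GIF header, the appended PHP stub and the marker list are constructed for the example; the PHP is harmless and only shows where such code sits.

```python
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Script markers worth flagging when they appear after an image header.
SCRIPT_MARKERS = (
    (b"<?php", "php-open-tag"),
    (b"<?=", "php-short-echo"),
    (b"<%", "asp-open-tag"),
    (b"<script", "script-tag"),
)

# Constructed samples (hypothetical, harmless): a GIF89a header with a PHP stub
# appended, the same header closed with a proper trailer byte, and plain PHP.
GIF_HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
POLYGLOT = GIF_HEADER + b"\n<?PHP   echo 'hidden'; ?>"
CLEAN_GIF = GIF_HEADER + b"\x3b"
PLAIN_PHP = b"<?php phpinfo(); ?>"


def is_gif(data):
    return data[:6] in GIF_MAGIC


def normalize(data):
    """Crude stand-in for HTML normalization: lower-case and collapse
    whitespace so case tricks and padding do not defeat a literal search."""
    return re.sub(rb"\s+", b" ", data.lower())


def script_markers_after_gif_header(data):
    """Sorted marker labels found in the normalized payload after a GIF header.
    Returns [] for non-GIF input: that case is already ClamAV's normal path."""
    if not is_gif(data):
        return []
    tail = normalize(data[len(GIF_MAGIC[0]):])
    return sorted(label for marker, label in SCRIPT_MARKERS if marker in tail)


def verdict(data):
    return "suspicious-polyglot" if script_markers_after_gif_header(data) else "clean"
```

A real GIF can legitimately contain these byte sequences inside compressed pixel data, so this is a triage filter for web uploads, not a signature; the caveat is the same one the thread raises for any normalization applied past an image header.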

Re: [clamav-users] Which is the current stable release?

2012-09-17 Thread Maarten Broekman
0.97.6 is available from the SourceForge download page. > -Original Message- > From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users- > boun...@lists.clamav.net] On Behalf Of Frank Chan > Sent: Monday, September 17, 2012 2:41 PM > To: clamav-users@lists.clamav.net >> ClamAV use

Re: [clamav-users] Generating signatures for malware

2012-08-30 Thread Maarten Broekman
> -Original Message- > > Some of the phishing content that I'm finding is resulting in hex > > dumps in the 10k+ character range and I think it's more dangerous to > > replace sections with '*' than to replace certain substrings with > > specific length wildcards. > > Please would someone

Re: [clamav-users] Generating signatures for malware

2012-08-29 Thread Maarten Broekman
> -Original Message- > > > The rate of false positives is wholly dependent on the strings that > > > you are replacing with wildcards. > > > > > > As an example, when generating signatures to identify phishing > > > content (say, content targeting bank customers), I wanted to be > able > >

Re: [clamav-users] Generating signatures for malware

2012-08-29 Thread Maarten Broekman
> -Original Message- > Despite the statement of your objective it isn't clear to me what you > think you're going to achieve. My expectation would be a very large > increase in the false positive rates if you attempt to use signatures > modified in the way you describe. Can you be more sp

[clamav-users] Generating signatures for malware

2012-08-28 Thread Maarten Broekman
Does anyone know of a tool that would take strings in a hex signature and turn them into appropriate wildcards? For instance, I want to strip out all the "http://" and "https://" and replace them with {7-8} to reduce the size of the signature and get more 'useful' strings in the signature? Ther
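An added example of the substitution asked about in this thread and the false-positive concern raised in the replies above (example code, not Maarten's tool or anything from ClamAV): hex-encode a sample, swap each `http://` / `https://` run for the ClamAV `{7-8}` byte-range wildcard, and emit an `.ndb` record (`MalwareName:TargetType:Offset:HexSignature`, target 3 being normalized HTML). The sample form fragment, the run table and the name `Test.Phish` are constructed for the example. The validation step is a conservative check of my own: ClamAV's matcher needs literal bytes to anchor on, so a signature that opens or closes with a wildcard, or leaves only a byte or two between wildcards, is exactly the over-general shape the replies warn about.

```python
import re

# Byte runs whose exact value adds no detection value, each mapped to the
# {n-m} wildcard that spans the bytes it would otherwise pin down.
VARIABLE_RUNS = (
    (b"https://", "{7-8}"),
    (b"http://", "{7-8}"),
)

# Constructed phishing-style fragment; hypothetical, not a real campaign.
SAMPLE = (b'<form action="https://login.example.test/verify" method="post">'
          b'<a href="http://login.example.test/help">Help</a>')


def wildcard_sig(data, runs=VARIABLE_RUNS):
    """Hex signature for `data` with each listed run replaced by its wildcard.
    Works on bytes and hex-encodes each literal chunk, so a byte is never split."""
    repl = dict(runs)
    pattern = b"|".join(re.escape(r) for r, _ in runs)
    parts, pos = [], 0
    for m in re.finditer(pattern, data):
        if m.start() > pos:
            parts.append(data[pos:m.start()].hex())
        parts.append(repl[m.group(0)])
        pos = m.end()
    if pos < len(data):
        parts.append(data[pos:].hex())
    return "".join(parts)


def validate_sig(sig, min_literal_bytes=2):
    """Reject shapes that give the matcher nothing to anchor on: a leading or
    trailing wildcard, or a literal run shorter than min_literal_bytes."""
    chunks = re.split(r"\{\d+-\d+\}", sig)
    if chunks[0] == "" or chunks[-1] == "":
        return False
    return all(len(c) >= 2 * min_literal_bytes for c in chunks)


def ndb_line(name, data, target=3, offset="*"):
    """.ndb record: MalwareName:TargetType:Offset:HexSignature."""
    sig = wildcard_sig(data)
    if not validate_sig(sig):
        raise ValueError("signature shape not loadable: " + sig)
    return f"{name}:{target}:{offset}:{sig}"
```

Load the resulting line with `clamscan -d` against a directory of known-good HTML before shipping it; the wildcard only shrinks the signature, it does not by itself make the remaining literal bytes specific to the phishing kit.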
