Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
On 3/15/2024 4:49 AM, Dr Rainer Woitok wrote:
> Noel,
>
> On Wednesday, 2024-03-13 11:59:16 -0500, you wrote:
> ...
>> To test email, include the EICAR as an attachment, and make sure your email software is able to scan attachments.
>
> Good idea, thanks :-) I wrote another mail specific virus test script involving a "tar" archive containing one file which in turn contains the Eicar line. This directly leads to another question: Command "clamscan" has the nice option "--archive-verbose" which causes both, the name of the "tar" archive and the name of the infected file to be output. How does this translate to a configuration specification in file "/etc/clamav/clamav.conf"? Since running "clamscan" on my laptop takes 20+ seconds just to process the virus database, I'd prefer running "clamdscan", provided it could also be tricked into revealing this useful bit of information.

clamdscan and clamscan are separate programs and don't have 1-1 functionality. If you're scanning dozens or hundreds of files, such as a directory, the performance difference is small. If you're scanning incoming email - lots of individual scans of one file at a time - the performance difference is very large. Use the tool that suits the job.

> And one more question: "clamdscan" provides the option "--config-file". Does the file specified here globally and permanently change the "clamd" daemon configuration and does it replace or just amend file "/etc/clamav/clamav.conf"?

I believe it changes it just for that instance of clamdscan, and does not affect the clamd daemon or other clamdscan runs.

-- Noel Jones

___
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] Why is the Eicar-Signature not recognized in some files?
On 3/13/2024 5:05 AM, Dr Rainer Woitok wrote:
> Noel,
>
> On Tuesday, 2024-03-12 12:24:48 -0500, you wrote:
> ...
>> You can read about it here for clues about why your test didn't work.
>> https://www.eicar.org/
>> https://en.wikipedia.org/wiki/EICAR_test_file
>
> Thanks for these pointers :-)

You're asking the wrong questions... The proper question is if clamav is installed and working and able to detect viruses, and your answer is yes.

To test email, include the EICAR as an attachment, and make sure your email software is able to scan attachments.

Since you already verified that clamav is working and able to detect test viruses, any failure scanning email is in your email scanning method or software and not clamav.

-- Noel Jones
Re: [clamav-users] Now i know what is the problem!
> On May 6, 2023, at 11:14 AM, newcomer01 via clamav-users wrote:
>
> For whatever reason, this happens when a mail is only a few kb in size but has absolutely no content, I opened the affected mail with every text editor, and it was empty in all of them.

This needs further explanation. A file that's a few kb can't also be empty. Please provide the file somewhere - pastebin or such.

> Why this mail is empty from yesterday to today I don't know.

This suggests a file system or disk problem. What is the file system? Maybe clamscan is hung waiting on broken disk io.

Neither Clamav, nor anything else, can be expected to work normally and reliably if there are underlying system problems.

-- Noel Jones
Re: [clamav-users] main.cvd update schedule
On 12/21/2021 11:58 AM, Vu, Hong-Duc V. via clamav-users wrote:
> Hello,
>
> How often does the main.cvd file get updated? According to this old post they have seven changes in two years.
> https://lists.clamav.net/pipermail/clamav-users/2014-September/000916.html

That's very old information. There is no schedule I'm aware of, and recent updates have been many many months apart.

> This will help me troubleshoot any issues with my freshclam configuration if the file isn't getting updated in a reasonable time frame.

I wouldn't bother monitoring the main.cvd since the time frame is months and there is no schedule. I think daily is updated once a day currently (usually). If daily is more than a few days old you should investigate.

It might be more productive to monitor the freshclam log for errors.

-- Noel Jones

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] ClamAV Community, it's been an honor!
On 12/6/2021 12:56 PM, Joel Esler via clamav-users wrote:
> ClamAV Community,
>
> It has been a great honor to be your community manager for the past 11 years or so, through several website transitions, engine upgrades and tens of thousands of people joining our community. I've decided to move on to a new position outside of Cisco. Together we've grown the community in spite of some very unique situations in our industry.
>
> Don't worry, you're in good hands, as managing the day-to-day community management will be transitioning to Micah Snyder, effectively immediately. I have already transitioned my community manager responsibilities to him, but will remain on the mailing lists with my personal email address (this one) and I will continue to help out where needed.
>
> Working with you all has been fantastic over the years, and I wish you all continued success.

Joel,

Thanks for your help, support, and kind words all these years. I wish you all the best in your new position.

-- Noel Jones
Re: [clamav-users] Quarantine option when using command line
On 9/19/2021 5:00 PM, Anthony via clamav-users wrote:
> Hi. I don't think there's an option for quarantine when using the command line--only removing or moving. What's wrong with quarantine? The files are separated and functional, aren't they?

Quarantine is an MTA function. For the command line, use move or delete. Or better, just get the report and then decide what to do.

Never use move or delete when scanning system files since a false positive could be disastrous.

-- Noel Jones
Re: [clamav-users] .cvd Downloads?
On 8/30/2021 3:32 PM, Skylar Orr via clamav-users wrote:
> Hello, all.
>
> I'm wondering where the main.cvd, bytecode.cvd, and daily.cvd files went off to. It's been some time since I've seen them, and I utilize a private server for which a private local mirror is not feasible. Is there a way to get one's hands on these? I apologize if this has been asked before, but I searched and didn't come up with anything, so I figured it was worth a shot.
>
> Thanks in advance.

The databases are no longer available as a separate download due to massive abuse of the download system. Use freshclam from a supported version of clamav to get database updates.

The "virus database" section on https://www.clamav.net/downloads has details for how to get a copy for a machine with no or limited internet access.

For more info, see the discussion in the list archive.

-- Noel Jones
Re: [clamav-users] More info on Win.Trojan.Generic-9847134-0 please
The clamav project doesn't publish malware analysis. Upload the offending file to VirusTotal and see what other scanners say. They will probably show a different name you can try looking up, or if nothing else hits on it maybe it's a false positive.

-- Noel Jones

On 3/29/2021 10:28 AM, Trung Hoang via clamav-users wrote:
> Hello,
>
> I am using ClamAV with Exim in Cpanel v94. Today, doing scanning found a couple of email files infected with "Win.Trojan.Generic-9847134-0". I could not find any additional information on this malware anywhere. Please, anyone, share with me more info on it.
>
> Thank you.
>
> Best Regards,
> Trung Hoang
Re: [clamav-users] unexplainable tar behaviour
On 10/29/2019 3:06 AM, Steffen Sledz wrote:
> We've a really unexplainable behaviour related to clamdscan and tar.
>
> There's a tree of subdirs and files. If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar' an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
>
> If I tar all subdirs of the first level in separate tars and scan them, all of them are reported OK. Same if I scan all files one by one.
>
> So where's the infected file report coming from? Any ideas?

There is no virus. You're creating a false positive from scanning a large blob of data where the signature picks up random bits from different files.

{random data}{part of signature}{random data}{other part of signature}...{repeat as needed}
Re: [clamav-users] How do you add specific files to white list ?
On 8/20/2019 11:51 AM, Asok Kumar via clamav-users wrote:
> i am using ClamAV version 0.101.3 and using the parameters below and Heuristics.Limits.Exceeded FOUND because i have enabled it in scanning. how do i add specific files to the whitelist ?

This should probably be documented better on the website.

To whitelist a specific file, add its SHA1 fingerprint to local.sfp in the clam database directory (any file that ends with .sfp will work).

To get the fingerprint, use the "sigtool" program included with clam.

  sigtool --sha1 filename

This will return a string containing SHA1:FileSize:filename. Paste the whole string into local.sfp. You'll probably need to create the local.sfp file the first time you do this as it's not present by default.

clamscan will pick up the change immediately. If you use clamdscan, you'll need to reload clamd.

-- Noel Jones
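The procedure in the reply above, as an added example script; it is not code from the thread or from the ClamAV project. It reproduces the "sha1:size:label" line that sigtool --sha1 prints (using sha1sum, or shasum where coreutils is absent) and appends it to local.sfp only if that hash is not already listed, because the size field must match the file exactly and a duplicate entry buys nothing. The database directory is passed as an argument rather than assumed; the third field is treated as a free-form label, which is how the .sfp/.hsb format uses it.

```shell
#!/bin/sh
# Added example, not from the list thread or the ClamAV project.
# Builds the same "<sha1>:<size>:<label>" line that `sigtool --sha1 FILE`
# prints and appends it to <dbdir>/local.sfp so that clamscan/clamd treat
# exactly that file content (hash AND size must match) as a false positive.
# Assumptions: dbdir is an argument (e.g. /var/lib/clamav), the label is the
# file's basename, and sha1sum (coreutils) or shasum (Perl/macOS) exists.

sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Print the .sfp/.hsb-format line for one regular file.
sfp_line() {
    [ -f "$1" ] || { echo "sfp_line: not a regular file: $1" >&2; return 1; }
    hash=$(sha1_of "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$hash" "$size" "$(basename "$1")"
}

# Append the fingerprint to <dbdir>/local.sfp unless that hash is already there.
# Returns 0 on success (including "already present"), 1 on error.
whitelist_file() {
    dbdir=$1
    line=$(sfp_line "$2") || return 1
    sfp=$dbdir/local.sfp
    hash=${line%%:*}
    if [ -f "$sfp" ] && grep -q "^$hash:" "$sfp"; then
        echo "already whitelisted: $line"
        return 0
    fi
    printf '%s\n' "$line" >> "$sfp" || return 1
    echo "added to $sfp: $line"
}

# Demo on a constructed file in a throwaway "database directory".
run_demo() {
    demo=$(mktemp -d)
    printf 'hello\n' > "$demo/hello.txt"      # constructed sample content
    whitelist_file "$demo" "$demo/hello.txt"
    whitelist_file "$demo" "$demo/hello.txt"  # second call is a no-op
    rm -rf "$demo"
}

# Usage: script.sh DBDIR FILE   (no arguments runs the demo).
# After a real run: `clamdscan --reload` so a running clamd sees the new .sfp;
# clamscan reads the directory fresh on every invocation.
case $# in
    0) run_demo ;;
    2) whitelist_file "$1" "$2" ;;
    *) echo "usage: $0 [DBDIR FILE]" >&2 ;;
esac
```

The grep on the leading hash is what makes the script safe to rerun from a cron job or an ansible task; the reload step is deliberately left to the operator, since a reload while clamd is scanning mail is a choice, not a side effect a helper should make.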
Re: [clamav-users] Disable MaxFileSize and MaxFileSize to scan the whole system
What kind of giant files are you scanning? Many big files, such as hard drive/DVD images or "raw" database files, are likely to generate random false positives.

-- Noel Jones

On 12/3/2018 3:59 AM, Albert o wrote:
> Alright thank you. Is there a way to make clamscan do the same?
>
> On Mon, Dec 3, 2018, 09:18 Al Varnell <mailto:alvarn...@mac.com> wrote:
>
> MaxFileSize 0 disables limiting, but that only applies to clamdscan scanning.
>
> Sent from my iPad
>
> -Al-
>
> On Dec 2, 2018, at 23:18, Albert o wrote:
>
>> What do I need to use in clamd.conf to scan the maximum possible size?
>> MaxFileSize 3M
>> MaxFileSize 3999M
>> Is this syntax correct?
>>
>> On Mon, Dec 3, 2018, 00:06 Dennis Peterson <mailto:denni...@inetnw.com> wrote:
>>
>> I wonder how many signature writers bother to match content at the end of files. Hopefully, none, in which case full file scanning is pointless.
>>
>> dp
>>
>> On 12/2/18 3:02 PM, Al Varnell wrote:
>>> Trial and error, depending on your setup.
>>>
>>> Must not exceed the amount of RAM you have installed less what is needed to run your system and whatever else you have running at the time.
>>>
>>> Best advice would be to set it to the size of the largest file you need to scan.
>>>
>>> -Al-
>>>
>>> On Sun, Dec 02, 2018 at 09:35 AM, Albert o wrote:
>>>> I removed that option.
>>>> So what is the right way to make clamAV scan the maximum possible size?
>>>>
>>>> On Wed, Nov 28, 2018 at 7:31 AM Henrik K <mailto:h...@hege.li> wrote:
>>>>>
>>>>> On Tue, Nov 27, 2018 at 05:01:40PM -0500, Albert o wrote:
>>>>>> "sudo clamscan -r --remove=yes /"
>>>>>
>>>>> ClamAV doesn't exactly have a perfect track record regarding false positives (not that any scanner would have). Are you sure you'd want --remove=yes to remove some critical system files/libraries?
Re: [clamav-users] Secure download/verification of clamav database?
Baked in.

On 10/24/2018 12:10 PM, Luke Massa wrote:
> But what are they signed *by*? If it's using a public/private keypair, where is the public key? Is it baked into freshclam/clamd/clamscan somewhere?
>
> - Luke
>
>> On Oct 24, 2018, at 11:59 AM, Noel Jones wrote:
>>
>> On 10/23/2018 2:17 PM, Luke Massa wrote:
>>>
>>> In short, is there any way I can setup clamav/freshclam and be confident that a malicious user isn't adding/removing signatures from the upstream mirrors?
>>
>> The .cvd files have an internal cryptographic signature that's checked by freshclam and clamd/clamscan. If freshclam and/or clamd accepts the files, you can be assured they are official and unmodified. This is built into clam; no external tools are called.
Re: [clamav-users] Secure download/verification of clamav database?
On 10/23/2018 2:17 PM, Luke Massa wrote:
>
> In short, is there any way I can setup clamav/freshclam and be confident that a malicious user isn't adding/removing signatures from the upstream mirrors?

The .cvd files have an internal cryptographic signature that's checked by freshclam and clamd/clamscan. If freshclam and/or clamd accepts the files, you can be assured they are official and unmodified. This is built into clam; no external tools are called.
Re: [clamav-users] Syncing only CustomDatabaseURLs with freshclam
On 9/7/2018 9:42 AM, Sven Bartscher wrote:
> Greetings,
>
> I'm running ClamAV with an additional third party virus database. That database is kept up to date by specifying the files shipped by it as DatabaseCustomURL entries in freshclam.conf like this:
> ...
>
> Is there some way to get freshclam to do what I want here or maybe some other way (without freshclam) to update only the third-party database?

Perhaps the freshclam option "--update-db=DBNAME" is what you're looking for. See "man freshclam" for details.

-- Noel Jones
[clamav-users] freshclam works for me
I just wanted to chime in and say that freshclam continues to work fine for me. I have great sympathy for those having trouble, but I strongly suspect they are the vocal minority. I'd complain too if it seemed unreliable, but it works fine here.

Before any changes are made to freshclam or the procedure to check for updates, it's important to understand why some sites are failing, so the right problem can be fixed.

This is an ipv4 site, and I occasionally get ipv6 error messages -- maybe 4 a week. They don't seem to cause any particular problem. A freshclam.config option to disable ipv6 would fix that. Or maybe a "protocol {ipv4|ipv6|any}" option.

There are 6 servers here, running various versions of FreeBSD with clam 0.100.0. All are set to run freshclam as a daemon (not from cron) with "checks 15" and "DatabaseMirror db.us.clamav.net". I don't mess with freshclam except to check the logs once in a while for errors, which are rare. These servers are at various sites with various internet providers, but all in US/Tennessee. Maybe my geographic region just happens to point to a good mirror.

Using Cloudflare changes the dynamics of updates. I wonder if it might be better if everyone pointed to db.clamav.net and all the direct mirrors are dropped. Let Cloudflare decide what is the closest POP, that's kinda their job. Seems like the DNS record is still needed to announce what update is supposed to be available.

Anyway, thanks for continuing to look at ways to improve this, and thanks for listening.

-- Noel Jones
Re: [clamav-users] Win.Exploit.Unicode_Mixed-1 false positives
On 5/23/2018 4:43 AM, Tilman Schmidt wrote:
> We're getting frequent false positives from ClamAV for Win.Exploit.Unicode_Mixed-1 in tcpdump files from our IDS.
> Googling that virus name only turns up a few hits on virscan.org which seem to be indicating a tendency of that signature to trigger on logfiles and the like, but no actual information about the threat.
>
> What is that signature trying to detect?
> Is this a Known Problem?
> What's the best way to handle it?

This signature looks for a string of binary characters. It's not generally useful to run clamscan on pseudo-random data such as tcpdumps, logfiles, raw disk images, etc. False positives can be expected from signatures that look for strings of binary characters.

You can tell clam to ignore this particular signature by adding the name to a text file named local.ign2 (or any name ending in .ign2) in the same directory where the clam databases live.

  # local.ign2
  Win.Exploit.Unicode_Mixed-1

However, I wouldn't be surprised if the dump starts hitting some other binary signature if you ignore this one. I think the best way to handle this is "don't scan pseudo-random files".

-- Noel Jones
Re: [clamav-users] freshclam error - need your expertise as soon as possible please.
On 4/18/2018 12:59 PM, Manavi-Pour, Gazelle wrote:
> Hello folks,
>
> Just wondering what does "previous errors" mean in here.
> I have verified from my server, I can download http://db.CA.clamav.net/main-58.cdiff using wget. No issues, but when I run freshclam I get an error. Please advise. Thanks

freshclam records download errors in a file "mirrors.dat" so it won't keep retrying a bad server. Those servers are ignored for a time, and eventually retried (after a few days I think).

It's safe to remove the mirrors.dat file to reset the download history.

  rm /var/lib/clamav/mirrors.dat

then run freshclam again.

-- Noel Jones

> # freshclam --stdout --verbose -v
> Current working dir is /var/lib/clamav
> Max retries == 3
> ClamAV update process started at Wed Apr 18 13:09:36 2018
> Using IPv6 aware code
> Querying current.cvd.clamav.net
> TTL: 1800
> Software version from DNS: 0.100.0
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99.2 Recommended version: 0.100.0
> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
> main.cvd version from DNS: 58
> Retrieving http://db.CA.clamav.net/main-58.cdiff
> Ignoring mirror 10.247.231.155 (due to previous errors) ==> this is the IP of my proxy server (on datapower), which points to the mirror in Canada.
> Ignoring mirror 10.247.231.155 (due to previous errors) ==> what does this previous error mean? I do not have errors, I see just warnings.
> WARNING: getpatch: Can't download main-58.cdiff from db.CA.clamav.net
> Retrieving http://db.CA.clamav.net/main-58.cdiff
> Ignoring mirror 10.247.231.155 (due to previous errors)
> WARNING: getpatch: Can't download main-58.cdiff from db.CA.clamav.net
> Retrieving http://db.CA.clamav.net/main-58.cdiff
> Ignoring mirror 10.247.231.155 (due to previous errors)
> WARNING: getpatch: Can't download main-58.cdiff from db.CA.clamav.net
> WARNING: Incremental update failed, trying to download main.cvd
> Whitelisting short-term blacklisted mirrors
> Retrieving http://db.CA.clamav.net/main.cvd
> Ignoring mirror 10.247.231.155 (due to previous errors)
> Ignoring mirror 10.247.231.155 (due to previous errors)
> WARNING: Can't download main.cvd from db.CA.clamav.net
> Trying again in 5 secs...
>
> As I mentioned, from the server I can download the file, so the server and proxy server (datapower) are communicating well.
>
> wget http://db.CA.clamav.net/main-58.cdiff
> --2018-04-18 13:22:36-- http://db.ca.clamav.net/main-58.cdiff
> Resolving db.ca.clamav.net (db.ca.clamav.net)... 10.247.231.155
> Connecting to db.ca.clamav.net (db.ca.clamav.net)|10.247.231.155|:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
> Retrying.
>
> --2018-04-18 13:22:37-- (try: 2) http://db.ca.clamav.net/main-58.cdiff
> Connecting to db.ca.clamav.net (db.ca.clamav.net)|10.247.231.155|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 8808462 (8.4M)
> Saving to: 'main-58.cdiff'
>
> 100%[=>] 8,808,462 2.77MB/s in 3.0s
>
> 2018-04-18 13:22:41 (2.77 MB/s) - 'main-58.cdiff' saved [8808462/8808462]
>
> Regards,
>
> Gazelle Manavi-pour
> Digital Health Delivery Platform (DHDP) | eHealth Ontario
> 415 Yonge Street / 10th floor, Toronto, ON, M5G 2C8
> Office: 416.586.4353 Mobile: 647.632.8909
> gazelle.manavi-p...@ehealthontario.on.ca
>
> Vacation Alert: Aug 19th - Sept 1 - 2018
Re: [clamav-users] Question regarding freshclam log entry
On 2/22/2018 8:29 AM, J Doe wrote:
>> Hello,
>>
>> I recently installed ClamAV 0.99.3 on a Ubuntu 16.04.03 LTS server and utilize it as a milter for Postfix v. 3.1.0.
>>
>> When freshclam runs according to its cron job and successfully downloads an update, it leaves the following note in the freshclam log:
>>
>> WARNING: clamd was NOT notified: Can't connect to clamd through /var/spool/postfix/var/run/clamav/clamd.sock
>>
>> My initial thought was a simple permissions error, so I checked the permissions to the clamd.sock socket:
>>
>> drwxr-xr-x clamav clamav /var/spool/postfix/var/run/clamav
>> srw-rw-rw  clamav clamav /var/spool/postfix/var/run/clamd.sock

This path doesn't match the error message above.

>> $ sudo -u clamav namei -m /var/spool/postfix/var/run/clamav/clamd.sock

Yet this path does.

>> I'm pretty sure this is a minor mistake on my part; can anyone suggest a solution ?

Check your paths in clamd.conf and freshclam.conf carefully. It's likely they don't match.

-- Noel Jones
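The check the reply asks for, as an added example script (not code from the thread or the ClamAV project): it follows NotifyClamd in freshclam.conf to the clamd.conf it names, reads LocalSocket from that file, and reports whether a socket actually exists at that path. Assumptions: a Unix-socket setup (LocalSocket, not TCPSocket), the standard "Option value" line format in both files, and the freshclam.conf path given as an argument; /etc/clamav/freshclam.conf in the comment is only the usual Debian location.

```shell
#!/bin/sh
# Added example, not from the list thread or the ClamAV project.
# freshclam learns where clamd listens by reading the clamd.conf that
# NotifyClamd points at, so a "clamd was NOT notified" warning with a path
# that does not exist usually means the two config files disagree, or clamd
# is running chrooted (e.g. under /var/spool/postfix) with a different path.
# Assumptions: LocalSocket (Unix socket) setups only; conf paths as arguments.

# Print the value of option $2 in conf file $1; last uncommented match wins,
# trailing whitespace stripped. Commented-out lines (#Option ...) are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Resolve freshclam.conf -> NotifyClamd -> clamd.conf -> LocalSocket.
notify_socket() {
    clamdconf=$(conf_value "$1" NotifyClamd)
    if [ -z "$clamdconf" ]; then
        echo "NotifyClamd is not set in $1; freshclam will never notify clamd" >&2
        return 1
    fi
    if [ ! -r "$clamdconf" ]; then
        echo "NotifyClamd points at unreadable file $clamdconf" >&2
        return 1
    fi
    sock=$(conf_value "$clamdconf" LocalSocket)
    if [ -z "$sock" ]; then
        echo "no LocalSocket in $clamdconf (TCPSocket setups are not handled here)" >&2
        return 1
    fi
    printf '%s\n' "$sock"
}

# Classify a path: "socket", "not-a-socket" or "missing". 0 only for "socket".
socket_state() {
    if [ -S "$1" ]; then echo socket; return 0; fi
    if [ -e "$1" ]; then echo not-a-socket; return 1; fi
    echo missing; return 1
}

# Full check: 0 when freshclam's notify path is a live socket, 1 otherwise.
check_notify() {
    sock=$(notify_socket "$1") || return 1
    state=$(socket_state "$sock") || true
    echo "freshclam will notify clamd at $sock: $state"
    [ "$state" = socket ]
}

# Usage: script.sh /etc/clamav/freshclam.conf   (assumed Debian path)
if [ $# -eq 1 ]; then
    check_notify "$1"
fi
```

Run it as the user freshclam runs as, since a path that resolves for root can still be unreachable for the clamav user; "missing" with clamd running points at a chroot or a path typo, "not-a-socket" at a stale file left behind by a crashed daemon.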
Re: [clamav-users] Question about Clamav compressed file support
Clamav has no support for unpacking and scanning inside the Acronis .tib backup images. I wouldn't bother scanning it.

-- Noel Jones

On 1/11/2018 9:41 AM, botnec wrote:
> Hello,
>
> I'm using a QNAP NAS server as destination for Acronis True Image backup files. The extension of these files is .tib. I did not find anything in the clam doc file about it.
>
> Now my question is, how does ClamAV deal with these files ? Will they be uncompressed and the contents checked anyway? I hope so because it takes some hours if ClamAV checks the whole backup folder (2.5 TB). If this would not be the case, I possibly do not need to start the virus check procedure at all.
> (btw. I'm using another virus checker on my PC anyway, I just thought to use ClamAV additionally)
>
> Can anybody answer please ?
>
> Thank you.
> Regards
>
> Rob
Re: [clamav-users] clamav and sanesecurity.com databases
On 11/27/2017 6:50 PM, Jobst Schmalenbach wrote:
> Hi
>
> I just read in another thread about sanesecurity.com. So I went to the website and read about the downloading scripts, the configuration etc.
>
> I cannot seem to find the link between the extra databases on the system downloaded into a directory "/var/log/clamav-unofficial-sigs/" and how to make clamd aware of these signatures.
>
> Now I have a question: How do I tell clamd that there is another database directory?
>
> Jobst

All the virus databases go in the same directory.
Re: [clamav-users] FreshClam - DNS issues since October 31st
Getting errors off-and-on since about 3am CDT today. But working right now. Obviously something still not right.

-- Noel Jones

On 11/8/2017 2:51 PM, Noel Jones wrote:
> It's working now. The last error in the log was about 30 minutes after the report below.
>
> Thanks.
>
> Location is US central time zone with local DNS resolver FWIW.
>
> -- Noel Jones
>
> On 11/8/2017 1:47 PM, David Raynor wrote:
>> The DNS records are being updated at the source properly now. If you are still seeing an error, then the proper record is not reaching the server you are contacting for DNS or not propagating correctly to your area or something like that.
>>
>> If you are still seeing those errors, let us know what the value of the DNS TXT record you are seeing for current.cvd.clamav.net is. You can use "host" or "dig" or another command to check it.
>>
>> Example (with current value):
>>
>> $ host -t txt current.cvd.clamav.net
>> current.cvd.clamav.net descriptive text "0.99.2:58:24025:1510165084:1:63:46630:318"
>>
>> Dave R.
>>
>> On Wed, Nov 8, 2017 at 11:34 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>
>>> I'm still getting these errors too. :\
>>>
>>> -- Noel Jones
>>>
>>> On 11/8/2017 9:50 AM, Joel Esler (jesler) wrote:
>>>> The team working on these issues is seeing these emails, so it's good that you are writing in, if you are still experiencing issues.
Re: [clamav-users] FreshClam - DNS issues since October 31st
It's working now. The last error in the log was about 30 minutes after the report below.

Thanks.

Location is US central time zone with local DNS resolver FWIW.

-- Noel Jones

On 11/8/2017 1:47 PM, David Raynor wrote:
> The DNS records are being updated at the source properly now. If you are still seeing an error, then the proper record is not reaching the server you are contacting for DNS or not propagating correctly to your area or something like that.
>
> If you are still seeing those errors, let us know what the value of the DNS TXT record you are seeing for current.cvd.clamav.net. You can use "host" or "dig" or another command to check it.
>
> Example (with current value):
>
> $ host -t txt current.cvd.clamav.net
> current.cvd.clamav.net descriptive text "0.99.2:58:24025:1510165084:1:63:46630:318"
>
> Dave R.
>
> On Wed, Nov 8, 2017 at 11:34 AM, Noel Jones <njo...@megan.vbhcs.org> wrote:
>
>> I'm still getting these errors too. :\
>>
>> -- Noel Jones
>>
>> On 11/8/2017 9:50 AM, Joel Esler (jesler) wrote:
>>> The team working on these issues is seeing these emails, so it’s good that you are writing in, if you are still experiencing issues.
Re: [clamav-users] FreshClam - DNS issues since October 31st
I'm still getting these errors too. :\

-- Noel Jones

On 11/8/2017 9:50 AM, Joel Esler (jesler) wrote:
> The team working on these issues is seeing these emails, so it’s good that you are writing in, if you are still experiencing issues.
Re: [clamav-users] issues with mirror - 194.186.47.19
Some mail systems such as gmail, outlook.com, and probably others, don't display the list copy of your own posts as a duplicate. But your posts really do make it to the list. You can check one of the online archives if you want to verify. Hopefully you would get a non-delivery notice if the post didn't go through.

-- Noel Jones

On 6/15/2017 12:36 PM, Orrick, Diana wrote:
> Appreciate the prompt response Joel.
>
> I did not get a list copy of my own reply (below, sent at 1:12 pm)
>
> On 6/15/2017 1:32 PM, Joel Esler (jesler) wrote:
>> I got your post just fine. Maybe just that one recipient.
>> --
>> Joel Esler | Talos: Manager | jes...@cisco.com
>>
>> On Jun 15, 2017, at 1:12 PM, Orrick, Diana <orr...@fsu.edu> wrote:
>>
>> I don't know why my post failed fraud detection?
>>
>> I don't post often...
>>
>> On 6/15/2017 12:54 PM, Orrick, Diana wrote:
>> [This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing]
>>
>> --
Re: [clamav-users] clamscan output
On 4/23/2017 10:20 AM, Lyle Holmes wrote:
> Probably simple to resolve. Clamscan sends the results of the daily scan in an email. Results similar to the one below for each directory in /home. Unfortunately clamscan is appending the new results to the prior day's results; making a ridiculously long email. I would like to overwrite the prior day's results. Not sure how/where to do this.
> Thanks.
>
> --- SCAN SUMMARY ---
> Known viruses: 6258909
> Engine version: 0.99.2
> Scanned directories: 324
> Scanned files: 3414
> Infected files: 0
> Data scanned: 152.86 MB
> Data read: 159.49 MB (ratio 0.96:1)
> Time: 128.806 sec (2 m 8 s)

clamscan does not do daily scans, nor does clamscan send email. Whatever custom script you're using for those functions is not part of clam.

If you don't remember what you did to get this daily scan, start with looking at your crontab to see what runs daily. After you find your offending script, fix the script so it creates a new file every day rather than appending to a file. The fix is probably as easy as changing a '>>' to a single '>', but finding it is the challenge. We can't help with that.

-- Noel Jones
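A cron wrapper of the kind Lyle is evidently running, written the way Noel suggests, as an added example (not code from this thread or from the ClamAV project): each run writes a fresh, date-stamped report with a single ">" so yesterday's output can never leak into today's mail, and old reports are pruned. REPORT_DIR, SCAN_TARGET and KEEP_DAYS are placeholder settings; SCAN_CMD can be overridden so the plumbing can be tried without clamscan installed.

```shell
#!/bin/sh
# Added example (not from the thread): daily clamscan wrapper that replaces,
# rather than appends to, its report file. Placeholder settings below.

REPORT_DIR=${REPORT_DIR:-/var/log/clamav/reports}
KEEP_DAYS=${KEEP_DAYS:-30}
SCAN_TARGET=${SCAN_TARGET:-/home}
# -i: list only infected files; the scan summary at the end is kept.
SCAN_CMD=${SCAN_CMD:-clamscan -r -i}

# Report path for a date (YYYY-MM-DD); defaults to today.
report_path() {
    day=${1:-$(date +%Y-%m-%d)}
    printf '%s/clamscan-%s.log\n' "$REPORT_DIR" "$day"
}

# Run the scan and write the day's report. The single ">" truncates any
# existing file: this is the ">>" the original poster needs to hunt down
# in his own script. Prints the report path; returns the scanner's status.
write_report() {
    out=$(report_path "$1")
    mkdir -p "$REPORT_DIR"
    status=0
    $SCAN_CMD "$SCAN_TARGET" > "$out" 2>&1 || status=$?
    printf '%s\n' "$out"
    return $status
}

# Delete reports older than KEEP_DAYS so the directory does not grow forever.
prune_reports() {
    find "$REPORT_DIR" -name 'clamscan-*.log' -type f -mtime +"$KEEP_DAYS" \
        -exec rm -f {} +
}

# Line count of a report; a second run on the same day must not add lines.
report_lines() {
    wc -l < "$1" | tr -d ' '
}

# Cron entry point. clamscan exits 0 when clean, 1 when something was found,
# 2 on errors; only the last two are worth a mail.
daily_scan() {
    rc=0
    rep=$(write_report) || rc=$?
    case $rc in
        0) ;;
        1) mail -s "clamscan: infections found" root < "$rep" ;;
        *) mail -s "clamscan: error (exit $rc)" root < "$rep" ;;
    esac
    prune_reports
}
```

Mailing only on a non-zero exit also answers the "ridiculously long email" complaint from the other direction: a clean scan produces no mail at all, and the full report is still on disk for the day.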
Re: [clamav-users] Daily 23161 broke Clam
On 3/5/2017 6:51 AM, Joel Esler (jesler) wrote:
> The question here is, do we strive to make a package that is installable on more machines, (even ones that are going EOL?), or do we strive to make a package that is the best for security?

It's my understanding that the new features in pcre7 are mostly about shortcuts and convenience for the programmer, not about pcre6's inability to match particular content. So this isn't really about security, it's about writing the same signatures so they work with older pcre.

This is about not alienating that portion of your user base that for whatever reason is unable to upgrade to a new incompatible requirement. Once you lose such a customer, you've probably lost them for a long time -- not just until they upgrade, but maybe forever.

I see clamav slowly sliding towards irrelevance. Progressively less effective, slower to respond to new threats, and now considering a decision to reduce their user base. This makes me sad.

My systems all meet the proposed requirements, so this doesn't affect me directly. But I feel this reflects a deeper problem within the project -- a lack of consideration for the end user.

-- Noel Jones
Re: [clamav-users] Any way to force scan as mail?
On 2/28/2017 11:35 AM, Carlos Velasco wrote:
> Anyway, the main question remains unanswered... is there any way to force the scan as mail (overriding the magic for the first recursion)?

Clam uses the daily.ftm file to decide what type of scanning to use. Generally, clam looks for a Received: line or a few other common mail headers in the first few bytes of the file. Apparently those common headers are too far into your file.

You can create a local.ftm with your unusual headers in it to cause these files to be detected as an email. I don't see my notes for the .ftm file syntax at the moment, but I'm sure you can find something on google.

Alternately, you can get the sanesecurity.ftm file from sanesecurity.com, which includes a wide variety of mail formats and will likely recognize your file. You don't need to use any of the sanesecurity add-on signatures for this, but I recommend them.

-- Noel Jones
Re: [clamav-users] Build ClamAV from Source for Android
Looks as if somebody does...

# sigtool -l | grep -i '^Andr' | wc -l
204132

I doubt running clam on an android device would be useful due to the resources required. Maybe a fun time-waster though, just to see what happens. There are several free and apparently competent antivirus programs better suited for a mobile device.

On 11/22/2016 3:46 PM, Al Varnell wrote:
> Does anybody even provide signatures for android malware?
>
> -Al-
>
> On Tue, Nov 22, 2016 at 07:50 AM, crazy thinker wrote:
>> Hi all,
>>
>> I am planning to build ClamAV from Source for Android Phone. Can anyone of you please let me know the steps to build it?
>>
>> How exactly does mobile antivirus differ from desktop anti-virus?
Re: [clamav-users] clamscan (NOT clamdscan) log file setup in *.conf file?
On 11/18/2016 8:39 AM, Fouts, Christopher wrote:
> Thanks. Yes I understand that clamscan is independent from clamdscan (hence, clamd), but I was hoping for a more consistent behavior between the two applications. If clamdscan can read the log path from some *.conf file, why can't clamscan do the same? I have no issue using the -l option.
>
> Chris

Clamscan has no config file. I see no inconsistency here; these are different tools for different purposes.

Perhaps it would be useful for clamscan to read (some?) options from a config file, or even better from environment variables. Feel free to open a bug report/feature request and make your case.

-- Noel Jones
Re: [clamav-users] Eicar.com: OK
On 10/27/2016 7:22 AM, wojtunieczek wrote:
> Hi all,
> I've got a problem with a test file detection. I was testing ClamAV on Raspbian, it was detecting EICAR (http://www.eicar.com/download/eicar.com.txt) and removing it with no problem until I quarantined and restored it via ClamTK. Now EICAR files are indicated OK by scanner. I tried to reinstall ClamAV but it didn't help. However, strange thing is that it still finds and removes EICAR files downloaded from secure protocol (https://www.eicar.com/download/eicar.com.txt).
> What might be a reason for this strange behaviour? Is it that quarantine or the secure source of download?
> Thanks for any help
> Wojtek

If I understand your description correctly, clamav still detects freshly downloaded EICAR, but no longer detects the one previously quarantined and then released.

Sounds as if the quarantined copy was somehow corrupted. Maybe check with the ClamTk folks.

-- Noel Jones
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 1:39 PM, Alex wrote:
> Hi,
>
>>> When this option is set to Yes, the emails are tagged, but even emails with macro virus attachments are forwarded on, not blocked
>>
>> problem is that you don't understand your mailsystem, clamd itself only hives back with signatures are hit and then the glue (amavis or clamav-milter or something like that) makes decisions what happens with the message
>
> No, I understand my mail system. You are assuming I don't understand the mail system because it's easy for you to answer in that way rather than look at the whole context of the post. I never said that I expected clamav to actually block the viruses itself. Of course I understand amavisd is responsible for that. In case there was some confusion before, let it be known I understand clamav is not responsible for the destiny of the email.
>
> I'm talking about the clamav option OLE2BlockMacros option. This is a clamav option, not an amavis option.
>
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when it's set to "Yes"? What happens when it's set to "No"?

Perhaps you missed this setting:

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1
Known malware will still be detected, even if you ignore the troublesome PUA sigs.

These aren't really false positives since the .pdf really does contain javascript. So the sigs are working as intended. The alternative is to communicate to your users that .pdf files containing javascript are not allowed in email. Unfortunately, *many* legit .pdf files contain javascript. This is more of a local policy decision than a tech decision.

-- Noel Jones

On 3/31/2016 9:25 AM, polloxx wrote:
> That's known to me Steve.
> I'm afraid malware will not be detected in that case.
>
> P.
>
> On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:
>>
>> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
>>> Since the new Clamav database we have a lot more false positives for PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
>>> What can we do about this, except disabling PUA?
>>
>> Create a local.ign2 with the following lines:
>>
>> PUA.Pdf.Trojan.EmbeddedJS-1
>> PUA.Win.Trojan.EmbeddedPDF-1
>>
>> Place in ClamAV database folder and restart clamd
>>
>> Cheers,
>>
>> Steve
>> Web : sanesecurity.com
>> Blog: sanesecurity.blogspot.com
>> Twitter: @sanesecurity
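Steve's local.ign2 is the right tool for a policy decision like this one: it disables only the two named signatures and leaves every other detection in place, which is the point Noel makes. The helper below is an added example (not code from this thread or from the ClamAV project) for maintaining that file without introducing duplicates or malformed lines; DB_DIR is a placeholder for the database directory. The ign2 format itself is one signature name per line, exactly as Steve shows.

```shell
#!/bin/sh
# Added example (not from the thread): manage a local.ign2 file, which tells
# clamd/clamscan to ignore the listed signatures by name. DB_DIR is a
# placeholder for the ClamAV database directory.

DB_DIR=${DB_DIR:-/var/lib/clamav}
IGN_FILE=${IGN_FILE:-$DB_DIR/local.ign2}

# Accept only strings shaped like ClamAV signature names (no spaces, no
# comment or shell characters), so a typo does not silently ignore nothing.
valid_sig_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Append a signature name unless it is already listed (idempotent).
ignore_signature() {
    valid_sig_name "$1" || { echo "refusing bad name: $1" >&2; return 2; }
    mkdir -p "$(dirname "$IGN_FILE")"
    touch "$IGN_FILE"
    if grep -qxF "$1" "$IGN_FILE"; then
        return 0
    fi
    printf '%s\n' "$1" >> "$IGN_FILE"
}

# Remove a name again, e.g. once the signature has been fixed upstream.
unignore_signature() {
    [ -f "$IGN_FILE" ] || return 0
    grep -vxF "$1" "$IGN_FILE" > "$IGN_FILE.tmp" || true
    mv "$IGN_FILE.tmp" "$IGN_FILE"
}

# Names currently ignored, one per line.
ignored_signatures() {
    [ -f "$IGN_FILE" ] && cat "$IGN_FILE"
}

count_ignored() {
    ignored_signatures | wc -l | tr -d ' '
}

# clamd only re-reads the database directory on reload; clamdscan --reload
# asks the running daemon to do that (clamscan reads the directory fresh on
# every run, so it needs nothing).
apply_ignore_list() {
    ignore_signature PUA.Pdf.Trojan.EmbeddedJS-1
    ignore_signature PUA.Win.Trojan.EmbeddedPDF-1
    clamdscan --reload
}
```

Keeping the list under version control with a comment per entry about why it was added, and a date to revisit it, turns the exception from a permanent blind spot into a reviewable decision.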
Re: [clamav-users] clamav-milter reject and quarantine?
On 2/18/2016 7:25 PM, Gene Heskett wrote:
> On Thursday 18 February 2016 12:48:42 Michael Grant wrote:
>
>> Then let me be more clear...
>>
>> I want to reject the message. I do not want the message arriving at the recipient. However, the message that is passed to clamd, if this is discovered to contain a virus, I want to save that into a file in a directory so that I can come back later and look at it.
>>
>> Ignore anything about delivering it. That is not pertinent. For all intents and purposes, the message with a virus is rejected at the SMTP level before the SMTP connection goes away.
>
> You simply can not do both.

Of course you can reject and quarantine for inspection, but it must happen at the internet-facing MTA during the initial SMTP, not later. The only change required is the infected message is saved to quarantine for inspection rather than discarded. The sender still receives a 5xx reject notice. Other software can do this already, but clamav-milter doesn't offer this feature yet, other than the option to save (all) temporary files.

> What you can do is quarantine it for later inspection so here, I use a procmail recipe to run it thru clamscand,

Right, it's not possible to reject & quarantine with procmail since the message has already been received and it's too late to reject it. Reject & quarantine can only be done at the internet facing MTA during the initial SMTP, where it's trivial.

-- Noel Jones
Re: [clamav-users] Filename Regex
You may have more luck with the POSIX character class [[:space:]] rather than shorthand \s.

-- Noel Jones

On 2/18/2016 5:22 PM, Dennis Peterson wrote:
> ^New\ Doc.* (<- that is from the below example but is actually a poorly constructed regex because it will search to end of line/string) should work to escape the space char but that is one of the oddities of regex - knowing which implementation is being used.
>
> dp
>
> On 2/18/16 3:13 PM, Steven Morgan wrote:
>> Looks like ClamAV uses what is called the "old library." I don't think this is POSIX compliant with regard to regular expressions.
>>
>> Hope this helps,
>> Steve
>>
>> On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu <meh...@activecom.net> wrote:
>>
>>>> On Feb 18, 2016, at 8:14 PM, Steven Morgan <smor...@sourcefire.com> wrote:
>>>> cdb signatures use a regex library known as "Henry Spencer's regular expressions." Googling documentation for that should give what you want.
>>>
>>> Thank you for the information. I searched out for that and found documentation, but am not able to get the desired outcome. Henry Spencer’s regular expressions are supposed to be POSIX compliant and "\s" is valid for space but I cannot get it to work.
>>>
>>> For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but "^New\sDoc.*" or "^New Doc.*" does not.
>>>
>>> Thanks
>>>
>>> --
>>> Mehmet Avcioglu
>>> meh...@activecom.net
Re: [clamav-users] clamav-milter reject and quarantine?
It is not a violation of protocol to reject a message during SMTP, and save a copy for forensic inspection. Be aware it is likely to cause confusion if you later deliver that message.

clamav-milter does not currently have a reject+inspect option, but it probably wouldn't be much effort to add. Open a bug/feature request.

-- Noel Jones

On 2/18/2016 11:21 AM, Michael Grant wrote:
> I don't want to deliver the message, I want to quarantine it (like put it in a directory somewhere), and then refuse it at the milter/smtp level. There is not a violation of the protocol here.
>
> On 18 February 2016 at 17:59, Dennis Peterson <denni...@inetnw.com> wrote:
>
>> What you want to do is best done using the local mailer and not SMTP. Technically and literally you have accepted the message in your scheme and are therefore responsible for delivery. You can't both send a reject and deliver the mail - it violates the protocol and integrity of the messaging system.
>>
>> dp
>>
>> On 2/18/16 5:14 AM, Michael Grant wrote:
>>
>>> Using clamav-milter, is there any way to reject virus infected messages AND put them into a quarantine directory?
>>>
>>> The reason I want to do this is that I want to reject virus messages while the smtp connection is still alive, but after the fact, if there was a false positive, I'd like to be able to send the message on through anyway after the fact.
Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?
On 2/17/2016 10:40 AM, Joel Esler (jesler) wrote:
> Okay, so this is a long email, let me respond inline:
>
> --
> Joel Esler
> Manager, Talos Group

Unfortunately, due to lack of quoting it's impossible to tell which parts are yours.

-- Noel Jones
Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
On 7/23/2015 1:15 PM, JD Ackle wrote:
> On Wed, 7/22/15, G.W. Haywood cla...@jubileegroup.co.uk wrote:
>> Subject: Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
>> To: clamav-users@lists.clamav.net
>> Date: Wednesday, July 22, 2015, 5:45 PM
>>
>> Hi there,
>>
>> On Wed, 22 Jul 2015, JD Ackle wrote:
>>> I would like to know how can I remove Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE
>>
>> As others have said, you might have found a false positive. You need to find out if that is the case or not before you do anything else.
>>
>> If it is not a false positive but a real infection, then the ClamAV users' mailing list cannot really help you with your question. ClamAV tells you if it thinks that it has found something. It is up to you to decide what to do about it. You *can* choose to delete files if they are flagged by ClamAV, but in general that is not recommended; and as /Windows/System32/config/SOFTWARE is one of Windows' registry files, it will certainly damage your Windows installation if you delete it.
>>
>> There are many Internet help sites and similar which can help you with your question. Reading the rest of your message tells me that you need something. :)
>>
>> For self-help I personally recommend MalwareBytes Anti-Malware (MBAM). If you download it, be careful where you get it from. Some Websites have been seen to include malicious software with the download.
>
> Thank you for your advice, GW.
>
> I tried MBAM and it reported NO infections. However, the first run did crash the program, so I then used another tool provided by MBAM that stated that sometimes the main program may be prevented from running by viruses and that's what the other tool was meant to solve - it did run alright and reported no threats but...
>
> I then had Norton doing a scan and it found some tracking cookies in Firefox which is a tad odd on two accounts: 1) Norton had never complained about these before (but it might just be a new setting included with later updates...?) and 2) I have Firefox configured to Keep cookies until I close Firefox (which doesn't necessarily mean they are removed from the hard disk, maybe they'll just no longer be used again by Firefox after the program quits...?).
>
> Finally, I thought I might as well install the latest security update from Microsoft (which I was postponing for a couple days to have it installed on a clean(er) system).
>
> And then... the latest results from ClamAV run from Linux:
> - /Windows/System32/config/ (where the previously infected SOFTWARE file's located) is now CLEAN!
> - /pagefile.sys however is now clean of Docx.Exploit.CVE_2015_1770 but is reportedly infected by Exploit.Countdown on every Remove-said-file-from-within-Linux-Reboot_to_Windows-Reboot-to-Linux-and-run-ClamAV-again. I had actually forgotten about this report when I told the full story earlier. This positive was detected at the time I had the Tenga virus and it was after removing the Tenga virus that the Docx.Exploit.CVE_2015_1770 started being detected.
>
> I am currently doing a new full ClamAV scan of my Windows partition to try and check if something new comes up. Thus far only pagefile.sys was reported with said Exploit.Countdown and ... a few warning messages that don't reference any particular file have come up as well:
> LibClamAV Warning: cli_scanicon: found 1 invalid icon entries of 1 total
> (eight times thus far on the current scan, all of them before the pagefile.sys detection)
> I have no idea what that means but I've noticed it happens every time I run a scan on a Windows folder (i.e. on more than one file at a time) and never when scanning a Linux folder.
>
> Just telling all this on this list because I'm not that sure these are false positives at the moment - hence no point in submitting anything to that list... I will look for help elsewhere, probably will start off at Microsoft Answers. If something comes up which I think might be relevant to ClamAV, I'll reply back on this thread.
>
> Thanks to all that replied.
> J.D. Ackle

Tracking cookies are exactly what they sound like, and are not an indicator of malware. You can remove them for privacy reasons.

pagefile.sys is basically a dump of random memory pages. The chance of a false positive when scanning random data is very high. It's likely safe to ignore anything reported here if there are no other indications of a problem.

I don't see any clear sign of infection here.

-- Noel Jones
Re: [clamav-users] How to clean infection by Docx.Exploit.CVE_2015_1770
On 7/22/2015 7:23 AM, JD Ackle wrote:
> Hello,
>
> Currently, ClamAV run from Linux reports Docx.Exploit.CVE_2015_1770 in my Windows 8.1 install, in files:
> - pageFile.sys
> - Windows/System32/config/SOFTWARE (a piece of the Windows registry)
>
> If I understand it correctly, pageFile.sys works much like a Linux swap, hence basically containing RAM dumps. After removing the file from the Windows system and booting to it I noticed Windows just made a new one when needed, as I expected. Thus I am actually using that file as a checkpoint to track whether the system is clean or not - whether the virus appears in the volatile memory when Windows is run.
>
> When I first noticed the infection, pageFile.sys did not get infected upon a Windows startup without logging on a user (it would however otherwise, regardless of whether the user was an administrator or a regular one). I noticed the infection on Windows/System32/config/SOFTWARE later and moved it to Linux to try and fix it - even though I was not really sure how to do it. Upon giving up on the latter plan I simply tried booting onto Windows which failed. Since copying the SOFTWARE file back in, pageFile.sys now becomes infected even if I don't log on any user. I presume the reason for this may be that the file lost its Windows permission upon being copied to my Linux install and is now world-accessible, thus being run by the system even before an allowed user is logged on...?
>
> On another hand, I am hesitant to consider this a false positive as ClamAV did detect another virus in my Windows system:
> - Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113 FOUND
>
> I don't need that file at all, so I simply deleted it and no further infections of that virus have been detected since. My Windows install was running considerably slow (especially network-related tasks) before removing that file and seems to have picked back up on its speed, so I am assuming the said virus has indeed, at least for the most common use of that system, been removed. However, I'm not sure whether this worm and the Docx.Exploit.CVE_2015_1770 are not related...?
>
> No other infections were detected by ClamAV on the affected system and Norton Internet Security, which I have installed and running on Windows, doesn't seem to have ever noticed anything.
>
> So that's basically the full story. At this moment, I would like to know how I can remove Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE (any particular key or value I should be looking for?), so that I'm sure it's not its loading into RAM at startup that's making its signature appear on /pageFile.sys.
>
> Thanks in advance,
> JD Ackle

I would suspect a false positive if a MS Office document virus is reported in anything other than an MS Office document.
Re: [clamav-users] Using clamscan with multiple cores
On 6/22/2015 2:50 PM, MarkusGMX wrote:
> On 20/06/15 at 19:15, Markus Egg wrote:
>> Hello,
>>
>> how can I use clamscan on multicore CPUs ? I found clamdscan with --multiscan but for some reasons --multiscan does not work with clamscan.
>>
>> Thank you for any pointer.
>>
>> ME
>
> Bump. Any pointers ?

Run multiple clamscan processes in parallel. A careful reading of the xargs man page might help.
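What Noel's pointer to the xargs man page amounts to is the -P option: feed xargs a NUL-delimited file list and let it keep N scanner processes busy, each handed a batch of files. The wrapper below is an added example, not code from this thread or from the ClamAV project. JOBS and BATCH are placeholder settings, and SCANNER can be overridden so the plumbing can be exercised without clamscan installed.

```shell
#!/bin/sh
# Added example (not from the thread): run several clamscan processes in
# parallel with xargs -P. Placeholder settings below; SCANNER is overridable.

JOBS=${JOBS:-$(nproc 2>/dev/null || echo 2)}
# Each clamscan process loads the whole signature database at start-up (the
# 20-plus seconds mentioned elsewhere in this archive), so batches must be
# large enough to amortise that cost; one file per process would be far
# slower than a single clamscan -r.
BATCH=${BATCH:-200}
# -i: report only infected files; --no-summary: one summary per worker is noise.
SCANNER=${SCANNER:-clamscan -i --no-summary}

# Scan every regular file under $1 using JOBS parallel workers.
# NUL-delimited names keep spaces and newlines in file names safe.
parallel_scan() {
    dir=$1
    find "$dir" -type f -print0 |
        xargs -0 -P "$JOBS" -n "$BATCH" $SCANNER
}

# Number of files parallel_scan will hand to the workers.
count_targets() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Worker invocations needed for a directory at the current BATCH size.
expected_batches() {
    n=$(count_targets "$1")
    echo $(( (n + BATCH - 1) / BATCH ))
}

# xargs collapses its children's statuses: 0 means every worker returned 0,
# 123 means at least one returned 1-125 (clamscan uses 1 for "infected
# found"), anything else is an xargs-level error.
scan_status_text() {
    case "$1" in
        0)   echo clean ;;
        123) echo "infections reported by at least one worker" ;;
        *)   echo "error (xargs status $1)" ;;
    esac
}

# Usage: scan_tree /path/to/dir
scan_tree() {
    parallel_scan "$1"
    scan_status_text $?
}
```

Because the per-file verdict lines from different workers interleave on stdout, give each worker its own --log file or pipe the combined output through sort when a tidy report matters. On a box where clamd is already running, clamdscan --multiscan against the daemon gets the same parallelism with one database load, which is why Markus found that option there and not in clamscan.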
Re: [clamav-users] Hey there...is there any cleaning-type function in CLAMav?
On 5/30/2015 5:48 AM, Janko Jt stimac wrote:
> Hey there All! :-)
>
> Also,...I was wondering if there is any other way than command-line to start Clamav (ie, something other than clamscan - to start the ClamAV program)? I heard about there being a front-end for Linux for ClamAV, but, never found anything.
>
> Thanks, in advance...
>
> Sincerely,...
> Jt

No, clam does not have a feature to clean or disinfect files. Despite what commercial AV may tell you, there is seldom a reliable way to perform cleaning. If a (formerly good) file is infected, the best course of action is to restore it from a trusted backup.

Clam does have options to automatically delete or quarantine infected files. Be careful with these; a false positive can ruin your day.

No, there is no pretty clicky interface for clam. It wouldn't be hard to write one if someone felt it was needed...
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
On 4/30/2015 10:06 AM, John McGowan wrote:
>> clamdscan scanning is made by clamd, this process usually runs with non-root privileges
>
> Knowing that I wanted clamd to be able to scan any part of the file system, I did reconfigure clamd to run as root by commenting out the config param that changes the user that clamd ran as. So I don't think this issue is permissions related. But I could still be wrong. I tried it without changing who clamd was running as and got completely different permissions errors than what I'm seeing now.
>
> /John

I strongly suggest using clamscan rather than clamdscan for system scanning. The performance advantage of clamd and its pre-loaded databases is largely irrelevant when scanning a large number of files and you won't have permission problems. You also avoid running clamd with root permissions, which is potentially unsafe. In some cases, using clamscan may actually be faster than clamdscan.
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 2/22/2015 12:18 AM, Benny Pedersen wrote:
> Daniel Spies skrev den 2015-02-22 03:19:
> > Yes, but I have (still) enabled sending e-mail to port 25. This would only work for submission (see my other e-mail).
> yes i remember that problem here as well, so far i think postfix does not honor it to disable smtp auth on port 25 while have it enabled on other ports :(

It's easy to offer AUTH on selected ports in postfix.

# main.cf
smtpd_sasl_auth_enable = no

# master.cf
submission ...
  ...
  smtpd_sasl_auth_enable=yes

But this is OT here. For further details, feel free to ask on the postfix-users list.

-- Noel Jones
Re: [clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)
On 2/21/2015 7:28 PM, Daniel Spies wrote:
> On 02/22/2015 01:54 AM, Benny Pedersen wrote:
> > LocalNet localdomain
> This gives no error, but clamav-milter is still scanning/tagging outgoing e-mail. I'm sending e-mail from port 587 (smtp/submission, postfix).

The originating client is the system connecting to submission, not localhost. Anyway, if your goal is to disable scanning on submission, it's probably best to edit the master.cf submission service to not call clamav-milter at all. (I would strongly recommend scanning all mail, but that's a local policy decision)

# master.cf
...
submission smtpd
  ... other stuff
  smtpd_milters=

ie. set smtpd_milters empty for that service.

If you need to do this in clamav-milter, such as if you need to do this for port 25 as well as submission, you should probably look at the SkipAuthenticated option.

-- Noel Jones
Re: [clamav-users] [SUSPECTED SPAM] Re: Clamav cannot scan tar file and gzip files?
On 2/17/2015 12:11 AM, Manoj Ramakrishnan wrote:
> Hi Al,
> Thanks for replying. It is exactly what I thought. But why is it different from ZIP file? I added extra characters in the beginning of the ZIP file but no issues in scanning that and finding eicar signature.

zip and gzip are very different formats. I suppose you added your random character at a point where unzip ignored it.

> Also curious to see why it is not working in case #4 and #6?

Either broke the eicar file with leading or trailing characters, or maybe the squid plugin didn't recognize the file as a gzip. Use the clam debug tools to examine the files extracted and scanned.

The eicar signature is *very* specific, anchored at both the beginning and end allowing only for a few extra spaces at the end of the payload, no other extra characters.
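An added example (not from the list post) of a matcher with the anchoring described above: the canonical 68-byte EICAR test string must sit at the very start of the data and may be followed only by whitespace, so any leading byte or trailing garbage, as in the tar/gzip cases discussed, is a miss. The tolerated trailing bytes and the 128-byte limit follow EICAR's published definition of the test file, not ClamAV's own signature, which is an assumption here.

```python
# Added example, not code from the list post or from ClamAV itself.
# Shows why the EICAR test file is only detected when it is byte-exact:
# anchored at the start, only whitespace allowed after it.

# The 68-byte EICAR test string, split in two so this source file is not
# itself a bare EICAR file; the parts are joined only at runtime.
_EICAR_PARTS = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR = b"".join(_EICAR_PARTS)

# Assumption from the EICAR definition: the 68 bytes may be followed by
# whitespace (space, tab, CR, LF, CTRL-Z) and the whole file is at most 128 bytes.
_TRAILING_OK = b" \t\r\n\x1a"
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """True only if data is the EICAR string plus optional trailing whitespace."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    tail = data[len(EICAR):]
    # Iterating bytes yields ints; `int in bytes` tests the byte value.
    return all(b in _TRAILING_OK for b in tail)


def classify(data: bytes) -> str:
    """Explain a hit or miss, the kind of check to run on the extracted files."""
    if is_eicar(data):
        return "FOUND"
    idx = data.find(EICAR)
    if idx < 0:
        return "no EICAR string present (corrupted or not extracted)"
    if idx > 0:
        return f"EICAR string found but {idx} leading byte(s) break the start anchor"
    return "EICAR string found but non-whitespace trailing bytes break the end anchor"


if __name__ == "__main__":
    # Constructed candidates: exact, extra leading byte, trailing garbage.
    for sample in (EICAR + b"\n", b"A" + EICAR, EICAR + b"junk"):
        print(classify(sample))
```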
Re: [clamav-users] ClamAV®: ClamAV 0.98 has been released!
On 9/19/2013 2:04 PM, Joel Esler wrote:
> http://blog.clamav.net/2013/09/clamav-098-has-been-released.html
> ClamAV 0.98 has been released!

Upgraded successfully. Thanks for your hard work on this new release.

# freshclam -v
...
Software version from DNS: 0.97.8
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98 Recommended version: 0.97.8
DON'T PANIC! Read http://www.clamav.net/support/faq
...

Maybe in the future clamav won't complain when the local version is newer than the published version.
Re: [clamav-users] Why is clamscan ignoring signatures?
On 3/10/2013 4:25 PM, Sean Brown wrote:
> I have installed ClamAV 0.97.6 and ran freshclam to update the signatures. I ran clamscan with the following options:
> --debug --bytecode=yes --bytecode-unsigned=yes --algorithmic-detection=yes --detect-broken=yes --detect-pua=yes --phishing-sigs=yes --scan-pe=yes --scan-ole2=yes --scan-archive=yes
> against a test file (Windows 8 trial ISO) to see what it would do. I'm running it on Slackware 14.0.
> Looking at the debug output I see clam ignoring a lot of signatures
> LibClamAV debug: Ignoring signature Trojan.SubSeven.14 (Clam)
> LibClamAV debug: Ignoring signature VBS.CrazyWorm.C
> ...

These are signatures intentionally turned off due to false positives. In most cases they are replaced with better signatures. All is well.

-- Noel Jones
Re: [clamav-users] Database Mirror Issues
Two choices:
- wait. It will eventually sort itself out.
- remove mirrors.dat and run freshclam manually. Might have to do this more than once.

-- Noel Jones

On 2/14/2013 12:59 PM, Ryan Goode wrote:
> Is that the only solution? We have to hit a ton of servers as none of our servers using clam have been able to update for a few hours.
>
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Dan Schwartz
> Sent: Thursday, February 14, 2013 11:30 AM
> To: ClamAV users ML
> Subject: Re: [clamav-users] Database Mirror Issues
>
> I had a similar problem. I found if I removed the old main.cld and daily.cvd, and then ran freshclam, it re-downloaded everything and seems to be working fine. My main.cld was from 2011 (pretty old).
> Dan
>
> On Thu, Feb 14, 2013 at 11:00 AM, Clayton Keller inetad...@ruraltel.net wrote:
> > Within the past hour we have started seeing the following errors reported when running freshclam:
> > ERROR: getpatch: Can't download daily-16682.cdiff from db.us.clamav.net
> > ERROR: Can't download daily.cvd from db.us.clamav.net
> > ERROR: getpatch: Can't download daily-16682.cdiff from database.clamav.net
> > ERROR: Can't download daily.cvd from database.clamav.net
> > Our last successful download was at 07:39:52 CST. A colleague has indicated to me that they are seeing a similar issue with the EU mirror.
> > Any assistance would be appreciated. Please let me know if we can provide you with any additional debug info, etc.
> > Clay
Re: [clamav-users] How to pick / specify the correct mirror
On 1/28/2013 2:27 PM, Benny Pedersen wrote:
> if you used freshclam as a daemon it will update when dns is showing new versions, not wait one hour or more in cron to get the newest updates

Incorrect. When you run freshclam as a daemon, the freshclam.conf specifies how many times per day to check for updates. There's not a lot of practical difference between a daemonized freshclam with "Checks 24" and a once-an-hour cron job. The default is "Checks 12" which means {check for an update 12 times per day}.

Regardless whether you're using cron or daemonized, the default behavior is to check DNS for the current version to decide if a download is needed.

-- Noel Jones
Re: [clamav-users] How to pick / specify the correct mirror
On 1/25/2013 8:39 PM, Jim Preston wrote:
> On 01/25/2013 10:03 AM, Benny Pedersen wrote:
> > Jim Preston skrev den 24-01-2013 23:53:
> > > You may also want to change the update frequency. I am running freshclam as a cron task and set it to not be on the hour, e.g. I update at 5 minutes after the hour to try and hit the mirrors at a low load time.
> > freshclam use dns to check if there is new updates, using cron you lose this functionality so configure freshclam.conf to use 24 updates per day, this will try to keep updates hourly, but if some mirror is down freshclam will not wait one hour to try another
> > show freshclam --list-mirrors if there is problems with some mirrors
> Hi Benny,
> I do not understand your comment "freshclam use dns to check if there is new updates, using cron you lose this functionality"
> I am using freshclam but NOT running it as a daemon. Here is my cron task:
> 10 * * * * /usr/local/bin/freshclam >/dev/null 2>&1
> So as far as I understand, I am using freshclam. If I am wrong or lose some functionality with the cron task, can you elaborate or point me to the relevant documentation?
> Thanks, Jim

As long as you don't specify the --no-dns option, freshclam will use DNS to compare the current published version before attempting to download anything, regardless whether it's run by hand, a cronjob, or daemonized.

At some point in the distant past, the freshclam daemon had a tendency to misbehave/hang/crash/whatever, prompting some folks to run it as a cron job. This has been long fixed, and the background daemon is the recommended method now, as it somewhat randomizes the checking time to spread load on the download servers. But you don't lose anything by running it under cron.

-- Noel Jones
Re: [clamav-users] creating own virus database
On 10/30/2012 6:01 AM, Zoltan Gyula Beck wrote:
> Dear list members,
> for various reasons I've to mark some mime type files as virus/infected. Is this possible? If yes, how can I do this? For example all EXE, BAT, BIN (linux binaries), etc...
> Best Regards, Zoltan Beck

Yes, this is possible for windows and linux executable files. BAT files are just text files, so reliable detection is not possible.

Docs on writing signatures can be found here
http://www.clamav.net/doc/latest/signatures.pdf

As for what to use for a signature, executable files have a few bytes near the beginning of the file that identify it as executable to the OS. Look at the file utility included with linux and the magic database that file uses for what to use for a clamav signature.

Have fun!

-- Noel Jones
Re: [clamav-users] Help to download ClamAV 0.97.6 tar.gz source code
On 10/1/2012 9:24 AM, Tom Judge wrote:
> On 9/30/12 12:43 PM, Jesper Dybdal wrote:
> > On Wed, 19 Sep 2012 08:54:38 +0800, Michael Wu chmichae...@gmail.com wrote:
> > > We try to download ClamAV 0.97.6 official source code from http://www.clamav.net/lang/en/download/sources/ , but only get the download Setup-x64.msi. Please help to check where we can download the tar.gz source code. Thank you.
> > That just happened to me too. Perhaps it is because I'm downloading using a browser on a Windows machine. But surely that should be possible?
> This is correct. The link takes you to the latest release for your detected platform. I'm guessing that you are using a 64bit windows machine to do the download?
> Tom

This makes getting source code unnecessarily complicated; lots of folks do not use a browser on their production server. Please remove the offending web code immediately.

-- Noel Jones
Re: [clamav-users] Help to download ClamAV 0.97.6 tar.gz source code
On 10/1/2012 11:18 AM, Shawn Webb wrote:
> On Mon, Oct 1, 2012 at 10:33 AM, Noel Jones njo...@megan.vbhcs.org wrote:
> > This makes getting source code unnecessarily complicated; lots of folks do not use a browser on their production server. Please remove the offending web code immediately.
> I'm a little confused. From what page would you like the browser detection removed? If it's a page on SourceForge, you'll need to take that issue up with them. Please also refrain from using language that infers what ClamAV developer's priorities should be. We work hard to bring you a quality free, opensource product and already know where our priorities lie.

Looks as if this was fixed sometime today. Thanks!

-- Noel Jones
Re: [clamav-users] how to release 16K FPs from quarantine?
On 8/8/2012 11:22 AM, Len Conrad wrote:
> > What software put the mail in quarantine? What's in the mail log?
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamd[60202]: /var/virus/clamsmtpd.qIdg8l: MBL_303159.UNOFFICIAL FOUND
> Aug 7 08:13:22 mx1.hctc.net/mx1.hctc.net clamsmtpd: 3EA221: from=bounce-tjmhmbzlppwckzzhcljkpcrdpjjmllrjbhsppztjsplchbptz...@email.carepackages.com, to=x...@xxx.net, status=VIRUS:MBL_303159.UNOFFICIAL
> which file the msg is quarantined as is not logged. the quarantined msgs are stored to /var/virus/ and the filenames are like:
> -rwxrwxrwx 1 vscan vscan 12180 Aug 7 13:58 virus.Ywa18d

OK, so the quarantine file is created by clamsmtp.

> in trying to get amavisd-release to work, I changed permissions and owner:group, brutally. in amavisd-release, there is a file name filtering which rejects:

amavisd-release expects the message to be in the specific quarantine format used by amavisd-new. I would expect it to fail spectacularly on foreign files.

> Stef of clamsmtpd said it would take custom software to release quarantine msgs.

That sounds grim. I wonder about the purpose of a quarantine that can't be released.

Regardless, since clamsmtp created the quarantine, it seems that's the place to start looking for a release mechanism. Surely someone else has encountered this.

As a last-ditch effort, if you put a couple of quarantine files in a pastebin, *maybe* someone here (or clamsmtp, or postfix-users, since this is getting OT for this list) can give a hand.

-- Noel Jones
Re: [clamav-users] send false positive with postfix
On 5/15/2012 5:00 AM, Philippe Camps wrote:
> Hi,
> Last friday, we had a few false positive emails with BC.Exploit.CVE_2012_0184. The messages have been quarantined as: virus-deDamcLb32uD in /var/spool/amavis/virusmails
> We use Postfix. If I scan the directory with clamdscan, no viruses are found now. How can I tell Postfix to send these messages again?

clamav has no quarantine, so this is the wrong list.

It appears you're using amavisd-new for quarantine management, so release the message through amavisd-new. Typically the command would be
# amavisd-release virus-deDamcLb32uD

If you have further questions about amavisd-new, consult the amavisd-new documentation, or ask on the amavis users mail list.

-- Noel Jones
Re: [clamav-users] Integrating with spamassassin
On 10/19/2011 10:00 PM, Alex wrote:
> > > Hi, I have a fedora15 system with spamassassin-3.3.2 and clamav-0.97.2, and also using the clamav-unofficial-sigs. and I've just realized the score for catching one of the listed domains is only 0.2.
> > > X-Spam-Status: No, score=3.444 tagged_above=-100 required=5 tests=[AV:INetMsg.SpamDomain-2w.t67f_com.UNOFFICIAL=0.1, BAYES_50=0.8, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, RELAYCOUNTRY_LOW=0.5, RP_MATCHES_RCVD=-0.504, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
> > > Is that typical? Can you recommend a more suitable score?
> > Spamassassin scores are quite optimized. But you can fine tune the scores based on your own requirements after observing the trend for a few days
> I think I assumed that you knew too much about my level of understanding. I'm familiar with local.cf and building my own SA rules. However, I don't know where the original definition of the clamav rules are listed. Where is that 0.1 actually defined?

Those look like scores from amavisd-new, which has special code to turn a clamav spam detection into a SpamAssassin score. (Normally, clamav is separate from SA; any detection results in a reject.)

In amavisd-new, the score added (or whether to just go straight to quarantine) is controlled in the amavisd.conf file. See the amavisd-users list or docs for details.

There are likely other filters or milters that do similar things.

-- Noel Jones
Re: [clamav-users] Yet Another US Mirror Issue
On 9/14/2011 2:29 AM, sys...@ra-schaal.de wrote:
> i made some changes to the firewall. if it works be now, please mail me as soon as possible.

I started getting successful updates from 88.198.67.125 a couple hours after you posted this, and port 80 no longer shows closed from here.

Thanks!

-- Noel Jones
Re: [clamav-users] Yet Another US Mirror Issue
On 9/13/2011 9:03 PM, Bryan Burke wrote:
> > My logs show successful update sources in the last line, but not when there is no update.
> Ok, well I did check the output of the grep before posting the number of lines on this list, and all log entries mentioning that IP were failures. So there's still *technically* some gray area, in that, if it happened to query that IP successfully, and there was no update, we'd never know, but I'm guessing that would reveal a similar outcome.

There is no grey area. All connections are logged, both successful and unsuccessful. When DNS reports there is no update available, no connection is attempted and consequently there is no IP to log.

From a well-connected host near Nashville TN USA:

# tcping 88.198.67.125 80
88.198.67.125 port 80 closed.

I get identical "port 80 closed" results from several hosts on various major USA ISPs. Logs going back a couple weeks show several failures each day and zero successful downloads from this host for us.

While I certainly appreciate the donation of hardware and bandwidth by the owners of 88.198.67.125, a host that is consistently unavailable should be removed from the pool until it can be reliably accessed.

-- Noel Jones
Re: [clamav-users] PUA.PDF.OpenActionObject FOUND
On 4/30/2011 3:57 PM, Gary Roach wrote:
> While I received an email saying that this problem was fixed, as of today (30 April) I still have the same problem. The list just keeps getting longer and longer. I am now getting over 60 hits. I am using the Debian Squeeze distribution and it is up to date. Any suggestions?

The PUA detections are by definition not a virus, but rather informative to alert the admin about Potentially Unwanted Applications that may need further investigation. I would suggest either turning PUA detection back off or whitelisting the offending signature.

PUA detection is turned off by default. To turn it back off edit your clamd.conf and find the line
DetectPUA yes
and change it to "no", then restart clamd.

Whitelisting is easy. In your clam DatabaseDirectory (as listed in clamd.conf) create a file named local.ign2 with the contents
PUA.PDF.OpenActionObject
and then restart clamd.

-- Noel Jones
Re: [clamav-users] [Clamav-users] Tracking false positives
On 3/6/2011 3:43 PM, Alex wrote:
> Hi,
> $ sigtool --find-sigs MBL_144360 | sigtool --decode-sigs
> VIRUS NAME: MBL_144360
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> update.multivaccine.co.kr/setupa
> Is that the correct way? I looked at the email itself, and not only is it from a trusted sender, but it doesn't contain that URL in the message. Am I missing something?

There was some discussion about this particular signature on the Sanesecurity list. Archives here:
http://news.gmane.org/gmane.comp.security.virus.clamav.sanesecurity

This signature is provided by Malware Patrol. Apparently, originally the signature matched the string "updat", which understandably caused quite a number of false positives. Later, the signature was replaced with its current value. Don't spend too much time trying to debug it now, because the signature has changed.

-- Noel Jones
Re: [Clamav-users] Custom db with 70,000+ names
On 8/5/2010 2:35 PM, Matthew Kitchin (public/usenet) wrote:
> I asked this on the Spamassassin list, and was advised I would have better luck with ClamAV. I do have ClamAV running in several setups, but have never done anything exactly like this. My typical setup would be Postfix - Amavisd - ClamAV.
> I work for a healthcare company. I have been asked to implement something to block all outbound emails that contain patient names. We have roughly 35,000 names. I need to look for them in the format "John Smith" and "Smith, John". These would be for outbound emails only. I would like to bounce them back to the internal sender with a custom message (I can handle that in Amavisd). I realize this would be a totally oddball setup, so I have no problem dedicating 1 or 2 servers to it. We would script an export of patient names from our Patient DB every night.
> So, I basically need to know if it would be practical to build a ClamAV DB file with 70,000+ names to be used to search an email for a match?
> If all this is practical, would it be possible to allow for a text string in the email to flag it so it would be allowed to have one of the forbidden names in the email? I figured this may be an Amavisd question, but I don't see an option for anything like that there. I figured I would try here. We would want users to be able to put a code such as (override) in the subject to bypass this restriction.
> I'm not saying this is the most brilliant idea in the world. It is just what I have been asked to do. Any tips would be greatly appreciated.
> Thanks, Matthew

Creating banned word signatures is pretty straightforward. Convert the names to hex, add the clamav stuff and save it in a foo.ndb file in the clamav directory.

A sig for "John Doe" would look something like (completely untested):
Client.Data.John.Doe:0:*:4a6f686e20446f65

You would need a separate sig for "Doe, John", but clam matches are very fast. There is unlikely to be much difference in scanning speed with 70,000 vs. 140,000 body sigs.

See section 3.3 Body-based signatures
http://www.clamav.net/doc/latest/signatures.pdf

Test your signatures with something like
clamscan --database=/path/to/foo.ndb testfile

I don't know of any secret code bypass mechanism in either amavisd-new or clamav. Such a feature would give the security folks nightmares. It is possible to whitelist a specific recipient.

But it would be easy enough to bypass by changing the cASE of the name or using "J. Doe" etc. (you might be able to use wildcards to ignore case in the sig)

But just because this might partially work doesn't mean it's a good idea. The main problem I see is that it gives a false sense of security because there are too many ways to intentionally or accidentally bypass it. This isn't something to bet the farm on working 100%, because it can't.

-- Noel Jones
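An added example, not from the list post, that does the conversion the reply describes: it hex-encodes each name in both "First Last" and "Last, First" order, writes them as .ndb lines (name:target type 0:offset *:hex), parses such a file back, and runs a plain substring match over a message body to show the case-sensitivity limitation the post warns about. The signature names, the sample names and the body text are all constructed placeholders.

```python
# Added example, not code from the list post or from ClamAV.
# Generates .ndb body signatures for a name list and matches them the
# way the post describes (literal substring, case-sensitive).
from __future__ import annotations
import re

# Constructed sample names; placeholders, not real data.
SAMPLE_NAMES = ["John Doe", "Jane Roe"]


def ndb_hex(text: str) -> str:
    """Hex-encode a literal ASCII string for the signature body."""
    return text.encode("ascii").hex()


def sig_name(first: str, last: str, order: str) -> str:
    # Hypothetical naming scheme; ClamAV only needs a unique signature name.
    return f"Client.Data.{first}.{last}.{order}"


def name_variants(full_name: str) -> list[tuple[str, str]]:
    """Return (signature name, literal) pairs for 'First Last' and 'Last, First'."""
    first, last = full_name.split(" ", 1)
    return [
        (sig_name(first, last, "fl"), f"{first} {last}"),
        (sig_name(first, last, "lf"), f"{last}, {first}"),
    ]


def build_ndb(names: list[str]) -> str:
    """Render .ndb text: SigName:TargetType:Offset:HexSignature per line.

    Target type 0 = any file, offset * = anywhere, as in the post's example.
    """
    lines = []
    for full in names:
        for name, literal in name_variants(full):
            lines.append(f"{name}:0:*:{ndb_hex(literal)}")
    return "\n".join(lines) + "\n"


# Simplified .ndb line grammar: the optional trailing MinFL:MaxFL fields
# that real signature files may carry are not handled here.
NDB_LINE = re.compile(r"^([^:]+):(\d+):([^:]+):([0-9a-fA-F]+)$")


def parse_ndb(text: str) -> list[tuple[str, bytes]]:
    """Parse .ndb text into (signature name, literal bytes) pairs."""
    sigs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = NDB_LINE.match(line)
        if not m:
            raise ValueError(f"malformed .ndb line: {line!r}")
        sigs.append((m.group(1), bytes.fromhex(m.group(4))))
    return sigs


def scan(body: bytes, sigs: list[tuple[str, bytes]]) -> list[str]:
    """Names of all signatures whose literal occurs in body (case-sensitive)."""
    return [name for name, pat in sigs if pat in body]


if __name__ == "__main__":
    # Write the output of build_ndb() to foo.ndb to try it with
    # clamscan --database=/path/to/foo.ndb testfile, as the post suggests.
    ndb = build_ndb(SAMPLE_NAMES)
    print(ndb, end="")
    sigs = parse_ndb(ndb)
    # Constructed message bodies: one hit, one bypassed by case, one by "J. Doe".
    for body in (b"Dear Doe, John, ...", b"dear john doe", b"Dear J. Doe"):
        print(body, "->", scan(body, sigs))
```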
Re: [Clamav-users] Feedback on clamav + sanesecurity experience
On 7/20/2010 1:35 PM, Laurence MOINDROT wrote:
> Hi Everyone,
> We are currently using clamav (0.96.1), spamassassin (3.3.1), greylisting (4.2.5) and sendmail (8.14.4) on our mailserver's cluster (OS : freeBSD 8.0) at the University of Strasbourg. This antispam and antivirus solution was quite sure until last month. We've been having intensive phishing issues for one month and we are considering using sanesecurity's signatures to improve the situation.
> We would appreciate any feedback on your experience using clamav with sanesecurity.

I've been using the sanesecurity lists since shortly after they became publicly available. I've found them to be safe and very effective.

-- Noel Jones
Re: [Clamav-users] VirusEvent and ClamDScan
On 7/6/2010 12:35 PM, Russ Tyndall wrote:
> On Jul 6, 2010, at 12:35 PM, Nathan Gibbs wrote:
> > Usually all that I see are log entries like this
> > Jul 6 05:11:32 host clamd[30362]: /path/to/infected/file/infectedfile: VirusName FOUND
> > or this
> > Jul 6 05:12:26 host clamd[30362]: stream: VirusName FOUND
> > Nothing is logged about the VirusEvent Script. There may be a way to get that out of clamd, but I'm not sure.
> So (if I understand correctly), the VirusEvent should be firing. What is a suitable command I could use to test that this is firing? I've tried a few things with ECHO but nothing shows up.

echo won't work. The event script is run by the clamd daemon, which isn't attached to a terminal.

> Maybe some kind of command to drop some data into a text file or something like that?

Yes, that should work. A typical use of the event script would be to trigger an email message to the admin.
Re: [Clamav-users] VirusEvent and ClamDScan
On 7/6/2010 3:07 PM, Russ Tyndall wrote:
> On Jul 6, 2010, at 3:12 PM, Török Edwin wrote:
> > > Interesting, I made my VirusEvent line look like this in clamd.conf:
> > > VirusEvent /bin/cp /Library/mytestfile.txt /Library/mytestfile2.txt
> > Does the 'clamav' user have the right to create files in /Library? Note that even if you run clamd as root, a 'User clamav' directive in clamd.conf will drop privileges. Try copying a file to /tmp, or even simpler just 'touch /tmp/foo'.
> The "run as another user" directive in my clamd.conf file looks like this:
> # Run as another user (clamd must be started by root for this option to work)
> # Default: don't drop privileges
> #User clamav
> So, I am interpreting this to mean that clamd will retain its privileges (i.e., run as root). Is that a correct interpretation? In Activity Monitor, the User owning clamd is described as root.

Sounds as if clamd is running as root.

> I have tried both of these commands on the VirusEvent line:
> VirusEvent /bin/cp /tmp/mytestfile.txt /tmp/mytestfile2.txt
> and
> VirusEvent touch /tmp/mytestfile.txt
> Unfortunately, it does not seem that either event fires, even though the scan does find EICAR.

I just tried "VirusEvent touch /tmp/foo" and verified that it works.

> What is the most sensible way to verify that clamd is looking at the correct config file? This is the one that I am updating: /usr/local/ClamXav/etc/clamd.conf

clamconf
find / -name clamd.conf -ls

Make sure you restart clamd after editing clamd.conf.

-- Noel Jones
Re: [Clamav-users] FW: [clamav-virusdb] Update (daily: 10917) --about Virus.MSExcel.Agent.c
On 5/4/2010 10:32 PM, eric wrote:
> I send email attached .xls file which infected X97M.Escape, but clamd didn`t find it.
> My server : postfix+MailScanner+clamd
> Eric

Please submit missed samples here.
http://www.clamav.net/lang/en/sendvirus/
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
On 4/22/2010 10:51 AM, Thomas Herzog wrote:
> Török Edwin wrote:
> > On 04/22/2010 10:24 AM, Török Edwin wrote:
> > > lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
> > > \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
> > You need to tell amavis to pass the entire message to ClamAV, try:
> > $bypass_decode_parts = 1;
> > I think your amavis tried to decode the message, and pass only parts of it to ClamAV.
> > Best regards,
> > --Edwin
> Hello, this solution seems to lever my banned_filename_re-filter out. Perhaps, there's another solution?

Find the @keep_decoded_original_maps section and uncomment the line with:
# qr'^MAIL$', # retain full original message

The side effect of this is that the mail will be virus scanned twice; once for the whole message, and again each decoded part. On my machine clam is fast enough that this doesn't make a significant difference in processing time.

-- Noel Jones
Re: [Clamav-users] clamav-daemon didn't recognise attached virus
On 4/22/2010 12:30 PM, aCaB wrote:
> Paul Whelan wrote:
> > > I think your amavis tried to decode the message, and pass only parts of it to ClamAV.
> > In general then, clamav may only recognise some malware when it is still attached to a mail message and not after it has been separately stored. Is that correct?
> It may or may not, depending on the message and the signature that catches it. Since clamav internally process the mail message and all its attachments anyway, having this done twice (by amavis and by clamav) is probably pointless...
> ---acab

For amavisd-new to block attachments by file(1) type, it must unpack the mail. Clam must scan the whole email message because (as you know) some signatures only trigger on files that look like a mail message. To have both attachment blocking and full email scanning, the mail ends up being scanned twice.

Maybe I'll put in a request for a "don't scan decoded parts" feature ...

-- Noel Jones
[Clamav-users] 0.96rc1 LibClamAV Warning: JIT not compiled in
I installed clam 0.96rc1 on a FreeBSD 5.3 test server. make seemed to run normally. When I scan any file with clamscan, I get:

# clamscan /etc/motd
LibClamAV Warning: JIT not compiled in
/etc/motd: OK

--- SCAN SUMMARY ---
Known viruses: 727277
Engine version: 0.96rc1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 7.176 sec (0 m 7 s)

What am I missing?

-- Noel Jones
Re: [Clamav-users] 0.96rc1 LibClamAV Warning: JIT not compiled in
On 3/11/2010 11:49 AM, Török Edwin wrote:
> On 03/11/2010 07:42 PM, Noel Jones wrote:
> > I installed clam 0.96rc1 on a FreeBSD 5.3 test server. make seemed to run normally. When I scan any file with clamscan, I get:
> > # clamscan /etc/motd
> > LibClamAV Warning: JIT not compiled in
> > /etc/motd: OK
> > --- SCAN SUMMARY ---
> > Known viruses: 727277
> > Engine version: 0.96rc1
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.00 MB
> > Data read: 0.00 MB (ratio 0.00:1)
> > Time: 7.176 sec (0 m 7 s)
> > What am I missing?
> See the optional requirements in clamdoc.pdf, make sure you have at least g++ 4.2 installed. config.log in libclamav/c++ should tell you exactly why JIT support was not compiled in.

I see no mention of JIT in that log, but I expect it's because of my older g++ 3.4.2. I'll investigate upgrading.

> Best regards,
> --Edwin

Thanks.

-- Noel Jones
Re: [Clamav-users] How Do You Integrate ClamAV?
On 3/8/2010 8:56 AM, Carlos Mennens wrote:
> I was curious of what most of everyone on the list uses to integrate ClamAV into their MTA (specifically Postfix)? I was under the impression that I had to use Amavisd-new which allows me to integrate 'SpamAssassin' & 'ClamAV'. Do you guys have any recommendations for a simple method of integrating virus scanning into Postfix? Thanks for any info!
>
> -Carlos

The clamav-milter works fine with postfix version 2.5 and newer (for best results, use the most recent patch level of postfix). If all you need is virus scanning, the milter works well and is easy to set up.

If you want more features, such as SpamAssassin integration, DKIM signing/verifying, etc., amavisd-new is robust, flexible and well supported.

-- 
Noel Jones
Re: [Clamav-users] Getting ***UNCHECKED*** on some emails I send out.
On 2/24/2010 8:06 AM, Jason (spot) Brower wrote:
> It seems that some emails couldn't be checked. Encrypted Zip files in particular. It seems that when I try to send them from Evolution (Ubuntu 9.10) I get this message sent to my recipients. Is there any way to not show this information as it sometimes confuses and scares

Clamav doesn't add this, looks like something added by amavisd-new. Check your amavisd.conf for $undecipherable_subject_tag and set it to

$undecipherable_subject_tag = undef;

If you're not using amavisd-new, then it's added by some other filtering software you're using.

-- 
Noel Jones
Re: [Clamav-users] Problem downloading 0.95.3 from website
Try opening a terminal window and pasting (all one line):

wget 'http://downloads.sourceforge.net/project/clamav/clamav/0.95.3/clamav-0.95.3.tar.gz?use_mirror=softlayer'

Are you running out of space on your filesystem or wherever tmp files are stored on your system?

-- 
Noel Jones

Kaplan, Andrew H. wrote:
> Hi there --
>
> I bring up a web browser, firefox or konqueror, and connect to the www.clamav.com website. Once I am there, I click on the latest ClamAV release hyperlink, and on the next page I click on the ClamAV 0.95.3 link located under the Production Quality Releases section. When I am prompted, I click on the save file option, and I specify the location on the local system. The download commences, but then fails just as it reaches the 100 percent mark. The error message that I see is the following:
>
> clamav-0.95.3.tar.gz.part could not be saved, because the source file could not be read.
>
> Any thoughts?
Re: [Clamav-users] load issues due to sanesecurity signatures
On 11/2/2009 1:42 PM, Avinash wrote:
> Hi everyone,
>
> We are using Sanesecurity signatures in clamd for scanning mails. Recently we are seeing some load issues on the clamd server due to sanesecurity signatures (load is automatically decreasing when the sanesecurity sigs are removed). Has anyone faced this issue before? Sanesecurity sigs are much needed to catch spam; is there any way that I can fix this issue? Please help me.

Likely just one of the signature files is causing problems. Try disabling them one at a time until load comes down to an acceptable level. I'd start with winnow.complex.patterns.ldb.

-- 
Noel Jones
Re: [Clamav-users] format/location/use of .wdb for Phishing.Heuristics.Email.SpoofedDomain
On 8/26/2009 10:18 AM, Robert Lopez wrote:
> I see an email (2009-08-15 02:51 -600; Török Edwin to Len Conrad) in archives which says "Whitelisting heuristic phishing signatures is done using a .wdb file." I have not found any information on how to use such a file (format, location, compiling, etc.) and I would like a pointer to the information location.
>
> The Phishing.Heuristics.Email.SpoofedDomain is wonderful at blocking real phishing attempts at our college. We do NOT want to turn it off. However, it is also blocking a lot of news letters and social networking site emails leading to too many help desk complaints.

The documentation is here:
http://www.clamav.net/doc/latest/phishsigs_howto.pdf

-- 
Noel Jones
Re: [Clamav-users] How-to for postfix + clamav without amavisd/SA
Len Conrad wrote:
> We need to check for viruses at the point of submission rather than only at the outbound gateway.
>
> Is there a how-to around?
>
> thanks
> Len

Hi Len,

Use clamav-milter (or any other milter/proxy with clam support, such as clamsmtp) on your postfix submission interface. This does not require changes to your amavisd-new configuration.

http://www.postfix.org/MILTER_README.html

-- 
Noel Jones
Re: [Clamav-users] [clamu] [clamu] Freshclam Stuck ?
Charles Gregory wrote:
> On Tue, 16 Jun 2009, Matus UHLAR - fantomas wrote:
>> You apparently don't have SafeBrowsing yes in freshclam.conf.
>
> Had a look at the relevant FAQ's. I like the idea, but naturally I'm a bit worried about potential false positives. What has the track-record of this add-on been like? Can I safely treat a 'found' Safebrowsing link as a virus and REJECT the mail at my SMTP gateway same as with regular viruses?
>
> - Charles

I get close to zero hits from the safebrowsing database on incoming email. The handful of hits over the last several months appeared to be spam. YMMV and all that.

I disabled it earlier this morning (Safebrowsing no in freshclam.conf) because the updates appeared to be hanging freshclam.

-- 
Noel Jones
Re: [Clamav-users] Freshclam Stuck ?
Robert wrote:
> Freshclam exited normally and clamd reloaded as expected but I'm confused as to the difference in the 'safebrowsing.xxx' file types AND size.

*.cvd is compressed, *.cld is plain-text. Both contain a cryptographic signature. A .cvd is converted to a .cld when a *.cdiff incremental update is applied by freshclam.

-- 
Noel Jones
Re: [Clamav-users] [ClamAV-users] HELP! unrecognized option `--pidfile=/var/run/clamav-milter/clamav-milter.pid'
Gomes, Rich wrote:
> Line referring to the pid has been removed from the conf file but it still throws the same error. Root owns the files, (same as the old mail server)

Do NOT use the --pidfile *command line* option when starting clamav-milter! Please read the clamav-milter man page. You may need to change your init script.

-- 
Noel Jones
Re: [Clamav-users] Can anybody direct me to the correct postfix/amavis-new clamav configuration
Goodman, William wrote:
> I'm running postfix and amavisd-new, spamassassin and clamav. I have all the daemons running and mail is getting filtered through amavisd-new (as per the header). I'm trying to get spamassassin and clamav configured with postfix. I don't know if my mail is being filtered. Could someone point me in the right direction, Google is wearing me out.

Amavisd-new controls spamassassin and clamav filtering, no extra configuration is needed in postfix. Activate these features in the amavisd.conf file. See the INSTALL, RELEASE_NOTES, and README.postfix included with amavisd-new for detailed instructions.

http://www.ijs.si/software/amavisd/#doc

-- 
Noel Jones
Re: [Clamav-users] FRESHCLAN: setting update time
Charles Gregory wrote:
>> You can do it with cron; there's no point in reinventing the wheel and implementing a scheduler within freshclam
>
> Obviously; however, that adds a different level of complexity. IMHO, having the ability to configure it from within the freshclam.conf file seems easier.
>
> If the issue is FreshClam conflicting with another script/process which is updating 'unofficial' configuration files, why not put the onus onto that other script/process? You must be running some sort of cron job in order to 'regularly' download the updates for those 'unofficial' files? So why not run freshclam as part of that same procedure/job?
>
> - Charles

Freshclam-cron update conflicts do not appear to be the issue; i.e. avoiding conflicts does not appear to prevent the problem, forcing conflicts does not reproduce the problem.

Duplicating cron functions in freshclam will complicate freshclam without addressing the problem the OP is trying to solve.

-- 
Noel Jones
Re: [Clamav-users] How to test ClamAV
Steve Basford wrote:
> Alex Davidson wrote:
>> send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.
>
> I tried to send the 7 tests to my main address... only 3 arrived (the clean one - and 2 of the password protected one)
>
> I received the same thing. My ISP probably filtered out the others.

My ISP does no filtering; either the test messages were blocked at the source (ISP/webhost egress filtering) or they were never sent.

As for the encrypted files, nothing can check inside an encrypted zip, but they can be blocked based on a file name inside the zip, or clamd can mark all encrypted zips by setting

ArchiveBlockEncrypted yes

in clamd.conf

At any rate, this test appears useless. Find another one.

-- 
Noel Jones
Re: [Clamav-users] How to test ClamAV
Alex Davidson wrote:
> Interesting...if I create a plain text email with the eicar text in it, ClamAV detects it successfully. Can anyone suggest another way to send myself a non-password-protected/encrypted attachment that ClamAV might have a chance at detecting?

There is a test tool at http://tools.declude.com/ under the "Virus Test" heading. There are a bazillion options for sending the virus. The only tests that really count are the "Plain base64 MIME encoded" and "Zip file". Clam should detect those. The rest appear to be mostly marketing fluff; don't be too concerned if clam doesn't detect them.

-- 
Noel Jones
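The two forms the reply says actually matter (a plain base64 MIME attachment and a zip attachment) can be generated locally instead of relying on a remote test service; this is an added example, not code from the list or from ClamAV. It reads the test payload from a file you already have (for example an eicar.com file), so no test string is embedded here; the file path, the filenames and the addresses are assumptions.

```python
"""Build a mail message carrying a test file as (1) a plain base64 attachment
and (2) the single member of a zip attachment, for scanning with
`clamscan --scan-mail=yes message.eml` or through your own MTA path.
Added example, not from the original list thread."""
import io
import os
import sys
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, constructed addresses; replace with a mailbox you control.
SENDER = "postmaster@example.invalid"
RECIPIENT = "postmaster@example.invalid"


def build_test_message(payload: bytes, filename: str = "test-sample.com") -> EmailMessage:
    """Return a multipart message with `payload` attached twice: once as a
    plain base64-encoded attachment, once inside a zip archive."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = "scanner test: plain base64 and zip attachment"
    msg.set_content("Constructed scanner test message; both attachments carry the same test file.")

    # Test 1: plain attachment. EmailMessage base64-encodes binary content
    # by default, which is the "plain base64 MIME encoded" case.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)

    # Test 2: the same file as the only member of a zip archive.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, payload)
    zip_name = os.path.splitext(filename)[0] + ".zip"
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg


def attachment_summary(msg: EmailMessage) -> list:
    """(filename, content type, transfer encoding) for each attachment, in order."""
    return [
        (part.get_filename(), part.get_content_type(),
         str(part.get("Content-Transfer-Encoding", "")).lower())
        for part in msg.iter_attachments()
    ]


def zip_members(msg: EmailMessage) -> list:
    """Names inside the zip attachment(s), so you can confirm the archive
    really contains the file the scanner is expected to find."""
    names = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/zip":
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                names.extend(zf.namelist())
    return names


def roundtrip(msg: EmailMessage) -> EmailMessage:
    """Serialize and re-parse, i.e. look at exactly what a scanner will see."""
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


if __name__ == "__main__":
    # Usage: python build_test_mail.py /path/to/test-file out.eml
    if len(sys.argv) != 3:
        sys.exit("usage: build_test_mail.py <test-file> <output.eml>")
    with open(sys.argv[1], "rb") as fh:
        message = build_test_message(fh.read(), os.path.basename(sys.argv[1]))
    with open(sys.argv[2], "wb") as out:
        out.write(message.as_bytes())
    print(attachment_summary(roundtrip(message)), zip_members(roundtrip(message)))
```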
Re: [Clamav-users] Mandriva 2009 and ClamAv
Chris wrote:
> I'm working on updating my old Mandrake 10.1 system to Mandriva 2009, what a pain, anyway, using urpmi I installed 94.2. When trying to start it I got a 'command not found' and noticed that in /usr/bin there is no clamd file. There is a clamdscan and a freshclam which in fact is getting updates. Is there any reason why there would be no clamd executable included with a Mandriva package? There was always one when I rolled my own for 10.1.

clamd is probably in /usr/sbin

-- 
Noel Jones
Re: [Clamav-users] Problem running virus scanner: code=999
Richard J. Kieran wrote:
> I can't believe I got not a single response to this, so I'm trying again:
>
> I'm running clamd with MIMEDefang on a CentOS machine. Once in a while there will be a day when there are many "Problem running virus scanner: code=999" errors, anywhere from 1 or 2 (who cares?) to 4486 (now I'm concerned...), like yesterday. The next day, all will be back to normal until it happens again.
>
> Here is a maillog entry:
>
> Dec 1 00:03:15 fdr mimedefang.pl[4798]: mB153Ere005745: Could not connect to clamd daemon at /var/spool/MIMEDefang/clamd.sock

This is the real problem, mimedefang can't connect to clamd. Maybe clamd isn't running, or maybe there are too many connections. If clamd is running, check the settings of MaxConnectionQueueLength and MaxThreads in clamd.conf.

> Dec 1 00:03:15 fdr mimedefang.pl[4798]: Problem running virus scanner: code=999, category=cannot-execute, action=tempfail
> Dec 1 00:03:15 fdr mimedefang.pl[4798]: filter: mB153Ere005745: tempfail=1
> Dec 1 00:03:15 fdr mimedefang[4793]: mB153Ere005745: Tempfailing because filter instructed us to
> Dec 1 00:03:15 fdr sm-mta[5745]: mB153Ere005745: Milter: data, reject=451 4.3.0 Problem running virus-scanner

These four entries are mimedefang errors and not really useful beyond telling us that the message was tempfailed because mimedefang couldn't talk to clamd.

> I found this entry in the clamd.log:
>
> Mon Dec 1 11:02:11 2008 - ERROR: LOCAL: Socket file /var/spool/MIMEDefang/clamd.sock is in use by another process.

Something tried to (re)start clamd but the socket already existed and something was using the socket. My assumption is that clamd is already running and something/someone tried to start it again.

> Occurrences of the first error seem to be vaguely accompanied by the second, but I have seen the second when restarting clamd manually, and I have a script that restarts clamd when it sees virus scanner errors in the maillog, so that may explain the relationship.
>
> If that is a separate problem, I'd like to solve it also, but the tempfails are more of a concern at the moment.
>
> Richard

It's not clear what you mean by first and second error. I expect the mimedefang.pl "could not connect" error to always be followed by one or more of the "code=999" friends error sequence. The clamd "clamd.sock is in use" error will only occur when you start clamd when it's already running.

-- 
Noel Jones
Re: [Clamav-users] False Positive W97M.Static
Jon Milliren wrote:
> David Shrimpton wrote:
>> I'm getting a run of what appear to be false positives on W97M.Static in word docs, since this signature was updated on 18/10/2008.
>
> <AOL>Me too.</AOL>
>
>> Is there a way of disabling it ?
>
> I would like to know as well.
>
> jon

Submit false positives to the clamav team for analysis.
http://www.clamav.net/sendvirus/

It appears this has already been fixed - I can't find a signature named W97M.Static in the current clam database.

For future reference, whitelisting a specific file or disabling a specific signature is described in signatures.pdf section 2.5:
http://www.clamav.net/doc/latest/signatures.pdf

-- 
Noel Jones
Re: [Clamav-users] False Positive W97M.Static
David Shrimpton wrote:
> This suggests creating a local.ign file eg
>
> daily.ndb:319:W97M.Static
>
> where 319 is the line number in daily.ndb of the W97M.Static signature.

Yes, assuming the unwanted signature is in daily.ndb

> I tried this earlier but it did not work although clamscan appears to indicate it was loading the file.

Sounds as if you did it correctly, I have no insight into why it didn't work for you. Only thing I would add is the local.ign file should have the same owner, group and permissions as the other clam signature files.

> There is a daily.ign in the daily.cld and I was wondering if I need to pack local.ign into daily.cld somehow.

No, the .cld format is signed and unmodifiable by end-users.

-- 
Noel Jones
Re: [Clamav-users] False Positive W97M.Static
David Shrimpton wrote:
> On Wed, 29 Oct 2008, Noel Jones wrote:
>> David Shrimpton wrote:
>>> This suggests creating a local.ign file eg
>>>
>>> daily.ndb:319:W97M.Static
>>>
>>> clamscan appear to indicate it was loading the file.
>>
>> Sounds as if you did it correctly, I have no insight into why it didn't work for you. Only thing I would add is the local.ign file should have the same owner, group and permissions as the other clam signature files.
>
> I tried testing with another signature now that W97M.Static is gone. eg
>
> main.ndb:2541:W97M.Marker
>
> Doesn't work even if local.ign has same permissions and ownership. clamscan appears to load the file still:
>
> LibClamAV debug: Loading databases from /opt/mailhub9/clamav/share/clamav
> LibClamAV debug: /opt/mailhub9/clamav/share/clamav/local.ign loaded
> LibClamAV debug: in cli_cvdload()
>
> David

Hmm... I can't get it to work either :\

-- 
Noel Jones
Re: [Clamav-users] Clamav 0.94
Jose Julian Buda wrote:
> Hi, I have a mail server with:
> Debian etch
> Postfix
> Mailscanner
> Clamav
>
> Yesterday it worked fine catching viruses, but today I've made an upgrade from clamav 0.93 to 0.94 and then the process stopped catching mail with viruses. I mean, the mails are stopped anyway by "No programs allowed" with mailscanner because of the extensions file, but there is not any message or report from ClamAv.
>
> I have a txt file with the eicar string; if I run on the server:
>
> cat filewitheicar.txt | mail [EMAIL PROTECTED]

Try using

clamscan filewitheicar.txt

If clamscan detects the virus, then the problem is with your mailscanner config. If clamscan by itself _does_not_ detect the test file, then something is terribly wrong with your clamscan, and your problem has nothing to do with mailscanner.

> the mail passes through the mailscanner and the workstation's antivirus alerts me about the eicar strings. Why did the mailscanner stop using clamav?

First make sure clamscan by itself works as expected. Then you know it's a mailscanner problem. Maybe clamscan installed to a different path than mailscanner expects. Maybe mailscanner is configured to use some no-longer-valid command line switch. Check your mailscanner logs and/or ask on a mailscanner support forum.

-- 
Noel Jones
Re: [Clamav-users] Clamav 0.94
Jose Julian Buda wrote:
> proxymails:~# clamscan filewitheicar.txt
> filewitheicar.txt: Eicar-Test-Signature FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 416228
> Engine version: 0.94
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Time: 2.187 sec (0 m 2 s)
> proxymails:~#
>
> I did not change anything in the mailscanner config file, I just upgraded the clamav. How can I debug this error?

OK, it appears that clamscan is working correctly; mailscanner isn't. Check your mailscanner logs and/or ask on a mailscanner support forum. Maybe clamscan installed to a different path than mailscanner expects. Maybe mailscanner is configured to use some no-longer-valid command line switch. Hopefully mailscanner will log any errors returned by clamscan.

-- 
Noel Jones
Re: [Clamav-users] Clamav 0.94
Jose Julian Buda wrote:
> You mean it's a mailscanner problem?
>
> Thank you
> Jose Julian Buda

Yes, it's a mailscanner problem. I suspect that mailscanner is using some no-longer-valid command line switch with clamscan, but that's just a wild guess. Mailscanner does not use clamd or clamdscan unless you've altered it to do so.

Check your mailscanner logs or ask for help on a mailscanner support forum.

-- 
Noel Jones
Re: [Clamav-users] RESOLVED (was Re: Freshclam to ClamAV sig parity count mismatch
Oscar Usifer wrote:
> clamd freshclam signature counts now *match* after changing the /etc/freshclam.conf setting to "CompressDatabase off". Thank you! :D

Well, it then seems there is a problem with CompressDatabase, at least on your platform. Now might be a good time to open a bugreport on bugs.clamav.net. Show the evidence you have gathered.

-- 
Noel Jones
Re: [Clamav-users] Freshclam to ClamAV sig parity count mismatch
Oscar Usifer wrote:
> Folks,
>
> I am seeing freshclam report more signatures than clamav is reloading in the log files. For example freshclam says, 'Database updated (413786 signatures)...' and 'Clamd successfully notified about the update.', but clamd says, 'Database correctly reloaded (312304 signatures)'. Why does it do that?
>
> Thanks,
> -OSC
>
> == /var/log/clamav/freshclam.log ==
> Thu Sep 4 09:34:07 2008 - Received signal: wake up
> Thu Sep 4 09:34:07 2008 - ClamAV update process started at Thu Sep 4 09:34:07 2008
> Thu Sep 4 09:34:07 2008 - main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
> Thu Sep 4 09:34:07 2008 - Trying host db.us.clamav.net (208.67.80.27)...
> Thu Sep 4 09:34:07 2008 - Downloading daily-8161.cdiff [100%]
> Thu Sep 4 09:34:08 2008 - daily.cld updated (version: 8161, sigs: 101482, f-level: 35, builder: arnaud)
> Thu Sep 4 09:34:08 2008 - Database updated (413786 signatures) from db.us.clamav.net (IP: 208.67.80.27)
> Thu Sep 4 09:34:08 2008 - Clamd successfully notified about the update.
> Thu Sep 4 09:34:08 2008 - --
>
> == /var/log/clamav/clamd.log ==
> Thu Sep 4 09:47:02 2008 - SelfCheck: Database modification detected. Forcing reload.
> Thu Sep 4 09:47:02 2008 - Reading databases from /var/lib/clamav
> Thu Sep 4 09:47:05 2008 - Database correctly reloaded (312304 signatures)

Probably the DatabaseDirectory directives in clamd.conf and freshclam.conf don't match.

-- 
Noel Jones
Re: [Clamav-users] Freshclam to ClamAV sig parity count mismatch
Oscar Usifer wrote:
> - Original Message -
> From: Noel Jones [EMAIL PROTECTED]
> To: ClamAV users ML clamav-users@lists.clamav.net
> Subject: Re: [Clamav-users] Freshclam to ClamAV sig parity count mismatch
> Date: Thu, 04 Sep 2008 12:45:41 -0500
>
>> Oscar Usifer wrote:
>>> Folks,
>>>
>>> I am seeing freshclam report more signatures than clamav is reloading in the log files. For example freshclam says, 'Database updated (413786 signatures)...' and 'Clamd successfully notified about the update.', but clamd says, 'Database correctly reloaded (312304 signatures)'. Why does it do that?
>>>
>>> == /var/log/clamav/freshclam.log ==
>>> Thu Sep 4 09:34:07 2008 - Received signal: wake up
>>> Thu Sep 4 09:34:07 2008 - ClamAV update process started at Thu Sep 4 09:34:07 2008
>>> Thu Sep 4 09:34:07 2008 - main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
>>> Thu Sep 4 09:34:07 2008 - Trying host db.us.clamav.net (208.67.80.27)...
>>> Thu Sep 4 09:34:07 2008 - Downloading daily-8161.cdiff [100%]
>>> Thu Sep 4 09:34:08 2008 - daily.cld updated (version: 8161, sigs: 101482, f-level: 35, builder: arnaud)
>>> Thu Sep 4 09:34:08 2008 - Database updated (413786 signatures) from db.us.clamav.net (IP: 208.67.80.27)
>>> Thu Sep 4 09:34:08 2008 - Clamd successfully notified about the update.
>>> Thu Sep 4 09:34:08 2008 - --
>>>
>>> == /var/log/clamav/clamd.log ==
>>> Thu Sep 4 09:47:02 2008 - SelfCheck: Database modification detected. Forcing reload.
>>> Thu Sep 4 09:47:02 2008 - Reading databases from /var/lib/clamav
>>> Thu Sep 4 09:47:05 2008 - Database correctly reloaded (312304 signatures)
>>
>> Probably the DatabaseDirectory directives in clamd.conf and freshclam.conf don't match.
>
> I don't see this is the case.
>
> [EMAIL PROTECTED] ~]$ clamconf -n
> /etc/clamd.conf: clamd directives
> --
> LogFile = /var/log/clamav/clamd.log
> LogFileMaxSize = 0
> LogTime = yes
> LogSyslog = yes
> PidFile = /var/run/clamav/clamd.pid
> TemporaryDirectory = /var/tmp
> ScanPDF = yes
> DatabaseDirectory = /var/lib/clamav
> LocalSocket = /var/run/clamav/clamd.sock
> User = clamav
> AllowSupplementaryGroups = yes
>
> /etc/freshclam.conf: freshclam directives
> --
> LogFileMaxSize = 0
> LogTime = yes
> LogSyslog = yes
> PidFile = /var/run/clamav/freshclam.pid
> DatabaseDirectory = /var/lib/clamav
> AllowSupplementaryGroups = yes
> Checks = 24
> UpdateLogFile = /var/log/clamav/freshclam.log
> DatabaseMirror = db.us.clamav.net
> DatabaseMirror = database.clamav.net
> CompressLocalDatabase = yes
> NotifyClamd = /etc/clamd.conf
>
> Engine and signature databases
> --
> Engine version: 0.94
> Database directory: /var/lib/clamav
> main db: Format: .cvd, Version: 47, Build time: Mon Jun 23 11:20:53 2008
> daily db: Format: .cld, Version: 8162, Build time: Thu Sep 4 09:38:45 2008
> [EMAIL PROTECTED] ~]$

Maybe more than one freshclam.conf?

Do the files in /var/lib/clamav have a recent timestamp?

Search for another daily.cld somewhere?

File ownership problems?

Change CompressLocalDatabase back to the default "no"?

-- 
Noel Jones
Re: [Clamav-users] Freshclam to ClamAV sig parity count mismatch
> == /var/log/clamav/clamd.log ==
> Thu Sep 4 11:29:48 2008 - Socket file removed.
> Thu Sep 4 11:29:48 2008 - Pid file removed.
> Thu Sep 4 11:29:48 2008 - --- Stopped at Thu Sep 4 11:29:48 2008
> Thu Sep 4 11:29:49 2008 - +++ Started at Thu Sep 4 11:29:49 2008
> Thu Sep 4 11:29:49 2008 - clamd daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i686)
> Thu Sep 4 11:29:49 2008 - Running as user clamav (UID 977, GID 977)
> Thu Sep 4 11:29:49 2008 - Log file size limit disabled.
> Thu Sep 4 11:29:49 2008 - Reading databases from /var/lib/clamav
> Thu Sep 4 11:29:49 2008 - Not loading PUA signatures.
> Thu Sep 4 11:29:51 2008 - Loaded 312304 signatures.

I get:

Sep 4 14:05:11 mgate2 clamd[34304]: clamd daemon 0.94 (OS: freebsd5.3, ARCH: i386, CPU: i386)
Sep 4 14:05:11 mgate2 clamd[34304]: Not loading PUA signatures.
Sep 4 14:05:14 mgate2 clamd[34304]: Loaded 413475 signatures.
...

Which looks reasonable.

> == /var/log/clamav/freshclam.log ==
> Thu Sep 4 11:29:51 2008 - --
> Thu Sep 4 11:29:51 2008 - freshclam daemon 0.94 (OS: linux-gnu, ARCH: i386, CPU: i686)
> Thu Sep 4 11:29:51 2008 - ClamAV update process started at Thu Sep 4 11:29:51 2008
> Thu Sep 4 11:29:51 2008 - main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
> Thu Sep 4 11:29:51 2008 - daily.cld is up to date (version: 8162, sigs: 101510, f-level: 35, builder: neo)
> Thu Sep 4 11:29:51 2008 - --

Seems quite suspicious that your clamd is reporting the number of signatures in main.cvd and seems to be ignoring daily.cld. I didn't notice before that those numbers matched.

Something (AppArmor or SELinux or similar?) interfering with clamd accessing the daily.cld file?

My only other (wild, unlikely) guess is that the CompressDatabase is somehow interfering. See if it starts working after the next daily update. The uncompressed file size here is currently:

-rw-r--r-- 1 vscan vscan 6168064 Sep 4 12:23 daily.cld

Good luck, maybe someone else has more suggestions.

-- 
Noel Jones
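The diagnosis in this thread (clamd's loaded total equals main.cvd's count alone, so daily.cld is not being read) can be automated by cross-checking the per-database counts freshclam logs against the total clamd reports. This is an added example, not code from the thread or from ClamAV; the sample log lines are constructed from the figures quoted above, and the "->" separator is assumed to be the real log format behind the archive's "-".

```python
"""Compare freshclam's per-database signature counts with the total clamd
says it loaded, and name the database(s) that would explain the shortfall.
Added example, not from the original list thread."""
import re
from itertools import combinations

# freshclam: "<db> is up to date (version: N, sigs: N, ...)" or "<db> updated (...)"
FRESHCLAM_DB = re.compile(
    r"(?P<db>[A-Za-z0-9_.-]+\.c[lv]d) (?:is up to date|updated) "
    r"\(version: (?P<ver>\d+), sigs: (?P<sigs>\d+)")
FRESHCLAM_TOTAL = re.compile(r"Database updated \((?P<sigs>\d+) signatures\)")
# clamd: "Database correctly reloaded (N signatures)" or "Loaded N signatures."
CLAMD_LOADED = re.compile(
    r"Database correctly reloaded \((?P<a>\d+) signatures\)|Loaded (?P<b>\d+) signatures\.")

# Constructed sample lines, values taken from the thread above.
FRESHCLAM_LOG = """\
Thu Sep  4 09:34:07 2008 -> main.cvd is up to date (version: 47, sigs: 312304, f-level: 31, builder: sven)
Thu Sep  4 09:34:08 2008 -> daily.cld updated (version: 8161, sigs: 101482, f-level: 35, builder: arnaud)
Thu Sep  4 09:34:08 2008 -> Database updated (413786 signatures) from db.us.clamav.net
"""
CLAMD_LOG = """\
Thu Sep  4 09:47:02 2008 -> SelfCheck: Database modification detected. Forcing reload.
Thu Sep  4 09:47:02 2008 -> Reading databases from /var/lib/clamav
Thu Sep  4 09:47:05 2008 -> Database correctly reloaded (312304 signatures)
"""


def freshclam_db_counts(lines):
    """Latest signature count freshclam reported for each database file."""
    counts = {}
    for line in lines:
        m = FRESHCLAM_DB.search(line)
        if m:
            counts[m.group("db")] = int(m.group("sigs"))
    return counts


def freshclam_total(lines):
    """Last 'Database updated (N signatures)' total, or None if absent."""
    total = None
    for line in lines:
        m = FRESHCLAM_TOTAL.search(line)
        if m:
            total = int(m.group("sigs"))
    return total


def clamd_loaded(lines):
    """Last signature total clamd logged at startup or reload, or None."""
    loaded = None
    for line in lines:
        m = CLAMD_LOADED.search(line)
        if m:
            loaded = int(m.group("a") or m.group("b"))
    return loaded


def diagnose(freshclam_lines, clamd_lines):
    """Return the counts plus the smallest set of databases whose absence
    explains what clamd loaded ('unloaded'); None if no subset explains it."""
    per_db = freshclam_db_counts(freshclam_lines)
    loaded = clamd_loaded(clamd_lines)
    expected = sum(per_db.values())
    unloaded = None
    if loaded is not None:
        # Prefer the largest loaded subset, i.e. the fewest missing databases.
        for k in range(len(per_db), -1, -1):
            for kept in combinations(sorted(per_db), k):
                if sum(per_db[d] for d in kept) == loaded:
                    unloaded = sorted(set(per_db) - set(kept))
                    break
            if unloaded is not None:
                break
    return {
        "per_db": per_db,
        "freshclam_total": freshclam_total(freshclam_lines),
        "expected": expected,
        "clamd_loaded": loaded,
        "consistent": loaded == expected,
        "unloaded": unloaded,
    }


if __name__ == "__main__":
    print(diagnose(FRESHCLAM_LOG.splitlines(), CLAMD_LOG.splitlines()))
```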
Re: [Clamav-users] freshclam Can't connect to port 80 of host database.clamav.net
Oscar Usifer wrote:
> my freshclam update daemons are complaining they cannot get updates. been like this about an hour
>
> Thu Sep 4 14:14:29 2008 - Ignoring mirror 64.246.134.219 (due to previous errors)
> Thu Sep 4 14:14:29 2008 - Trying host database.clamav.net (168.143.19.95)...
> Thu Sep 4 14:14:59 2008 - nonblock_connect: connect timing out (30 secs)
> Thu Sep 4 14:14:59 2008 - Can't connect to port 80 of host database.clamav.net (IP: 168.143.19.95)
> Thu Sep 4 14:14:59 2008 - Ignoring mirror 207.57.106.31 (due to previous errors)
> Thu Sep 4 14:14:59 2008 - WARNING: getpatch: Can't download main-48.cdiff from database.clamav.net
> Thu Sep 4 14:14:59 2008 - WARNING: Incremental update failed, trying to download main.cvd
> Thu Sep 4 14:14:59 2008 - Ignoring mirror 207.57.106.31 (due to previous errors)
> Thu Sep 4 14:14:59 2008 - Trying host database.clamav.net (209.170.150.7)...
> Thu Sep 4 14:15:29 2008 - nonblock_connect: connect timing out (30 secs)
> Thu Sep 4 14:15:29 2008 - Can't connect to port 80 of host database.clamav.net (IP: 209.170.150.7)
> Thu Sep 4 14:15:29 2008 - Ignoring mirror 64.246.134.219 (due to previous errors)
> Thu Sep 4 14:15:29 2008 - Trying host database.clamav.net (168.143.19.95)...
> Thu Sep 4 14:15:29 2008 - nonblock_connect: select() failure 3: errno=4: Interrupted system call

There was an update for main about an hour ago. I expect the database servers are swamped with folks[1] trying to download the whole ~35M main.cvd

Give it a little while, it should work eventually. This seems to happen for a couple hours every time there is a main update.

[1] I presume this is mostly folks with very old clam versions that don't support incremental updates. Hopefully they will upgrade real soon now.

-- 
Noel Jones
Re: [Clamav-users] freshclam Can't connect to port 80 of host database.clamav.net
Xavier Beaudouin wrote:
> Hello,
>
> On 4 Sept. 08 at 23:34, Noel Jones wrote:
>> Oscar Usifer wrote:
>>> my freshclam update daemons are complaining they cannot get updates. been like this about an hour
>>> [...]
>>
>> There was an update for main about an hour ago. I expect the database servers are swamped with folks[1] trying to download the whole ~35M main.cvd
>
> Hum, seems to be 17M on my mirror.

Ack. I was looking at the uncompressed .cld version.

-- 
Noel Jones

>> Give it a little while, it should work eventually. This seems to happen for a couple hours every time there is a main update.
>>
>> [1] I presume this is mostly folks with very old clam versions that don't support incremental updates. Hopefully they will upgrade real soon now.
>
> On my side I have definitively denied access to clamav 0.90 since they hurt my mirror too much. 0.9x has really good behaviour in terms of bandwidth... Good work Clamav team :p
>
> I still have access from clamav 0.7x, so strange that people that use a software to protect from malware are not upgraded...
>
> /Xavier
Re: [Clamav-users] Unknown phishing email virus?
Jonas Jacobsson wrote:
> Hi,
>
> System: debian, clamav 0.93.3.dfsg-1, amavisd-new 1:2.6.1.dfsg-1.
>
> I got the following in my log running amavis and clamav. The virusdb was up to date when it happened (by freshclam). The receiver is an email address at my domain and the mail is directly forwarded to the hotmail address after the scan. The receiving server telling me it contains a virus is my ISP's smarthost which I must send via. When the ISP finds this virus mail, they will block my internet connection until I call their abuse department.
>
> I searched for Phishing.Heuristics.Email.SpoofedDomain in the clamav-virusdb archive, and it seems that it does not exist? Unfortunately I don't have the infected mail saved...

This is a heuristics based signature. It attempts to detect malicious links to financial sites.

Phishing is controlled in clamd.conf with:

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

As you can see, both options are enabled by default. Some people (and possibly some package maintainers) think phish detection should not be part of an antivirus package, so they set

PhishingSignatures no

In the past, the heuristics based scanning was a major source of false positives, but that's much improved now (although this still accounts for the majority of FPs here, the number of FPs has reduced significantly). Some people or package maintainers may disable heuristic scanning with

PhishingScanURLs no

Maybe you're not scanning for phish.

> The same thing happens with Email.Trojan-2 (which does exist in the db), they are scanned and reported as CLEAN, but the ISP's smarthost blocks it due to the detected virus.

No insight on this one. Maybe the ISP received an update faster than you did. Maybe the mail didn't pass through your clam for some reason. Maybe you've set your amavisd-new to tag pass viruses rather than discard them.

> Aug 24 20:26:10 moria postfix/smtp[31311]: F15EC8AC158: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=ch-smtp02.sth.basefarm.net[80.76.149.213]:25, delay=1.4, delays=0.01/0/0.17/1.2, dsn=4.0.0, status=SOFTBOUNCE (host ch-smtp02.sth.basefarm.net[80.76.149.213] said: 550 This message contains a virus (Phishing.Heuristics.Email.SpoofedDomain) (in reply to end of DATA command))

It appears the mail stayed in your queue, note status=SOFTBOUNCE. If your postfix maximal_queue_lifetime hasn't been reached yet, you can view the message with

# postcat -q F15EC8AC158

-- 
Noel Jones
Re: [Clamav-users] 0.94rc1 crash when processing a specific html file
Brandon Perry wrote:
> Can you dissect the email to find what exactly it is in the email causing this?

It's an html attachment in an unquestionably legit business-related email message. Extracting the attachment with ripmime and scanning the html file by itself reproduces the crash.

--
Noel Jones
Re: [Clamav-users] Clamav phishing sigs
Dennis Peterson wrote:
> Noel Jones wrote:
>> Darren G Pifer wrote:
>>> Chambers, Phil wrote:
>>>> Take a look at http://iserv.rs-hilter.de/doc/clamav-0.91.2/signatures.pdf
>>>
>>> I have seen this document but it does not show how to add signatures to a database OR for clamd to detect the phishing e-mail. I was able to create the signature (a .hdb file) and clamscan detects the phishing but clamd does not. Maybe I am missing something.
>>
>> If the sig works with clamscan, it will also work with clamdscan. Clamd must be stopped and restarted to recognize new signature files. Make sure you have the latest version of clamav.
>
> I think there are times when a milter might pull an incoming message apart and submit it in pieces to clamd that creates a different situation than scanning a message that is whole, and stored as a disk file. In this case two entirely different objects are being scanned, and depending on the way the signature was defined, there can be differences in the results.
>
> dp

That's true. There are some milters and such that try to be helpful and unpack/demime mail into its component parts, causing signatures designed to scan the complete mail to not work.

However, there was a time not too long ago (maybe 0.93.1) that some signatures worked with clamscan but were silently ignored by clamdscan. This was seen with command-line file scanning of a static file, no milter/filter/whatever involved. There was discussion here about it at the time. So make sure you have the latest version, which is never bad advice when dealing with (seemingly) inconsistent behavior.

--
Noel Jones
Re: [Clamav-users] Is it possible to add signatures to the ClamAV database?
Darren G Pifer wrote:
> Hello,
>
> Just to let everyone know, I have been searching for the answer to this question by using Google and searching on the ClamAV web site but still have not found an answer. I have viewed the information at:
> www.clamav.net/doc/latest/signatures.pdf
> but it still does not show me how to add signatures to the database. The reason I need to create our own signatures, is that the university is getting more phishing specific to the university - Old Dominion University. So, it would not make sense to file these with the CVD database maintainers as it would do no good for anyone else. So, I have been looking for a way to add signatures to the daily.cvd file. I am able to create the signature with sigtool and clamscan detects that I added it but the clamd daemon does not detect it. One document suggests placing the .hdb (signature) file in the ClamAV directory and restarting clamd, and then clamd will read this file. This does not work.
>
> Anyhow, if anybody has done this, please let me know.

You can't add signatures to the clam daily or main files, you create your own extra file. This works - all the various unofficial add-on signatures (such as the excellent http://www.sanesecurity.com/clamav/) rely on this feature of clamav.

Yes, the documentation on creating your own signatures is rather skimpy. Some other info here:
http://www.sanesecurity.com/clamav/docs.htm

--
Noel Jones
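The two threads above (a local .hdb that clamscan detects but clamd does not see until it is restarted, and the question of how to add site-specific phishing signatures at all) both rest on the hash-signature format. The following Python is an added example, not code from the list or from ClamAV: it builds an .hdb line in the documented MD5:FileSize:SignatureName layout for a constructed sample and mirrors the whole-file hash check a scanner performs; the sample text and the signature name are constructed for the example, and the file still has to be placed in ClamAV's database directory and clamd restarted, as the replies say.

```python
"""Build and check a ClamAV-style .hdb hash signature (added example, not ClamAV code).
Documented line layout: MD5:FileSize:SignatureName. The scanner hashes the whole
file and compares digest and size, so any byte change in the lure misses."""
from __future__ import annotations
import hashlib

# Constructed phishing sample standing in for a university-specific lure.
PHISH_SAMPLE = (
    b"Subject: Helpdesk account verification\r\n\r\n"
    b"Your mailbox quota is exceeded. Confirm your password at the link below.\r\n"
)
SIG_NAME = "Local.Phish.Helpdesk-Quota.1"  # constructed name; keep local names distinct from official ones

def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def hdb_entry(data: bytes, name: str) -> str:
    """Return one .hdb line covering exactly the bytes in data."""
    if ":" in name or any(c.isspace() for c in name):
        raise ValueError("signature names may not contain ':' or whitespace")
    return f"{_md5(data)}:{len(data)}:{name}"

def parse_hdb(text: str) -> list[tuple[str, str, str]]:
    """Parse .hdb text into (md5, size, name); comments and blank lines are skipped.
    A '*' size is accepted as the any-size wildcard newer ClamAV releases allow."""
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected MD5:FileSize:SignatureName")
        md5, size, name = parts
        if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5.lower()):
            raise ValueError(f"line {lineno}: MD5 field is not 32 hex digits")
        if size != "*" and not size.isdigit():
            raise ValueError(f"line {lineno}: size must be a number or '*'")
        sigs.append((md5.lower(), size, name))
    return sigs

def match(data: bytes, sigs: list[tuple[str, str, str]]) -> str | None:
    """Mirror the whole-file hash check: digest and size must both agree."""
    digest = _md5(data)
    for md5, size, name in sigs:
        if md5 == digest and (size == "*" or int(size) == len(data)):
            return name
    return None
```

Write the returned line to a file such as local.hdb in the database directory; clamscan picks it up on its next run, clamd only after a restart.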
Re: [Clamav-users] UNDETECTED EXECUTABLE
jean-paul wrote:
> Not sure if it is a virus, but it sailed right through clam/symantec/and avg
> naturally not from where it claims
> From: United Parcel Service [mailto:[EMAIL PROTECTED]]
> file name is ups_invoice.exe
>
> Jean-Paul Natola

Submit it to http://www.clamav.org/sendvirus as a suspicious file. Sure sounds suspicious to me... and/or submit it to jotti or virustotal to see what numerous other virus scanners think of the file.
http://virusscan.jotti.org/
http://www.virustotal.com/

--
Noel Jones