Re: [clamav-users] ClamAV 1.4.0 release candidate now available!

2024-05-13 Thread Ralf Hildebrandt via clamav-users
should I worry if it's not present? -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@c

Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-21 Thread Ralf Hildebrandt via clamav-users
one should reasonably still be affected > by the vulnerabilities. > > I am curious though - what are your MaxFileSize / MaxScanSize > settings? I wonder if you're seeing timeouts with the default settings > or if you increased them. MaxFileSize 100M MaxScanSize 200M M

[clamav-users] Bytecode run timed out in interpreter after 5000 opcodes

2024-02-20 Thread Ralf Hildebrandt via clamav-users
led to run: Exceeded time limit is this a bad Bytecode rule?

Re: [clamav-users] [ext] Announcing Fangfrisch release 1.8.0

2024-02-20 Thread Ralf Hildebrandt via clamav-users
> - Sanesecurity (https://sanesecurity.com) provider default > configuration overhaul. Switch to a less congested mirror site, > add/remove several signature URLs. Thanks for that!

[clamav-users] Yara rule for Anydesk files...

2024-02-14 Thread Ralf Hildebrandt via clamav-users
way as to be usable from within clamav (1.3.0)?

Re: [clamav-users] [ext] ClamAV 1.3.0 second release candidate published!

2024-01-25 Thread Ralf Hildebrandt via clamav-users
> page<https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc>. https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc2 returns a 404.

Re: [clamav-users] [ext] Compressing log files with clamav

2023-10-18 Thread Ralf Hildebrandt via clamav-users
strotate if [ -d /run/systemd/system ]; then systemctl -q is-active clamav-freshclam && systemctl kill --signal=SIGHUP clamav-freshclam || true else invoke-rc.d clamav-freshclam reload-log > /dev/null ||true fi endscript }

Re: [clamav-users] [ext] Re: Cannot "decode" a SHA256 signature

2023-09-12 Thread Ralf Hildebrandt via clamav-users
* Al Varnell via clamav-users : > Sent from my iPad > > On Sep 12, 2023, at 01:29, Ralf Hildebrandt via clamav-users > wrote: > > should sigtool --decode-sigs really throw an error in that case? > > Perhaps not, but it's been the case for as long as I've

[clamav-users] Cannot "decode" a SHA256 signature

2023-09-12 Thread Ralf Hildebrandt via clamav-users
kages from clamav.net: # dpkg -l |fgrep clam ii clamav 1.2.0-1 amd64 ClamAV open source email, web, and end-point anti-virus toolkit.

Re: [clamav-users] [ext] CVE-2023-20032 how to identify and solve

2023-09-01 Thread Ralf Hildebrandt via clamav-users
opline.malware.redirect.ecpms.net.720". What does this have to do with CVE-2023-20032? # sigtool --find-sigs=sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720 | sigtool --decode-sig VIRUS NAME: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720 DECODED SIGNATURE:

Re: [clamav-users] [ext] Clamav 1.0.1 and email scan failed

2023-07-31 Thread Ralf Hildebrandt via clamav-users
sue (since amavis does the unpacking) More logging is needed for the message in question.

Re: [clamav-users] [ext] ClamAV and Cohesity

2023-05-22 Thread Ralf Hildebrandt via clamav-users
"Non-LTS feature releases will be allowed access to download signatures until at least four (4) months after the next-next feature release is published."

Re: [clamav-users] [ext] ClamAV and Cohesity

2023-05-22 Thread Ralf Hildebrandt via clamav-users
How are the updates done?

Re: [clamav-users] [ext] Segfaults with database version 26908

2023-05-16 Thread Ralf Hildebrandt via clamav-users
een this, too? I've seen this with 1.1.0-1 as well. Maybe they're related to the "pattern issue" I posted a while ago

[clamav-users] LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0

2023-05-16 Thread Ralf Hildebrandt via clamav-users
]: LibClamAV Warning: cli_ac_addsig: cannot use filter for trie

Re: [clamav-users] [ext] ppa for ClamAV for Ubuntu 22.04.1

2022-12-07 Thread Ralf Hildebrandt via clamav-users
tc/clamav/clamd.conf /usr/local/etc/clamd.conf service clamav-freshclam restart service clamav-daemon restart

Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running

2022-11-29 Thread Ralf Hildebrandt via clamav-users
* JOHN URBAN : > Not quite as easy to set up as I made it sound, as lots of pieces and people > involved but that is exactly one of the tests we hope to run today; thanks! Yes, this sounds like hours of fun :/ But the insight gained will be rewarding :)

Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running

2022-11-28 Thread Ralf Hildebrandt via clamav-users
ailing: strace --failed-only $program

Re: [clamav-users] [ext] Re: ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
interesting. I'm using the *.deb from > > http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb

Re: [clamav-users] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
> > https://github.com/Cisco-Talos/clamav/issues/736 Ah, interesting. I'm using the *.deb from http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb

Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
0:19 2022 -> main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr) Thu Oct 27 11:00:19 2022 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2) Thu Oct 27 11:00:19 2022 -> ------

Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread Ralf Hildebrandt via clamav-users
> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2) Fri Oct 28 09:07:10 2022 -> -- Still failing.

Re: [clamav-users] [ext] PDF scan

2022-09-20 Thread Ralf Hildebrandt via clamav-users
clamdscan -V /tmp/LPBB0010-10.pdf ClamAV 0.105.1/26663/Mon Sep 19 09:56:35 2022

Re: [clamav-users] [ext] More info about detected virus

2022-06-08 Thread Ralf Hildebrandt via clamav-users
it finds an email containing a BASE64 encoded "readme.exe" using the content type "audio/x-wav"... Maybe this helps: VIRUS NAME: Win.Trojan.N-68 TARGET TYPE: ANY FILE OFFSET: * DECODED SIGNATURE: REMOVED A MIME BOUNDARY HERE Content-Type: audio/x-wav; name="readme.exe&

Re: [clamav-users] Fuzzy image signatures, Y U no work?

2022-05-25 Thread Ralf Hildebrandt via clamav-users
* Ralf Hildebrandt via clamav-users : > Today I installed 0.105.0 to test the new fuzzy image signatures. I'm a moron: "Added image fuzzy hash sub-signatures for logical signatures" -- thus it must be an LDB file :/ > Alas, I started up my trusty editor an genera

[clamav-users] Fuzzy image signatures, Y U no work?

2022-05-25 Thread Ralf Hildebrandt via clamav-users
dir: error loading database /var/lib/clamav/rezeptfrei.hdb ERROR: Malformed database So what IS the correct syntax?

Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd

2021-11-24 Thread Ralf Hildebrandt via clamav-users
main.cld ERROR: listdb: Error listing database /var/lib/clamav/main.cld

Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-20 Thread Ralf Hildebrandt via clamav-users
mav.so.9 /usr/local/lib/libclammspack.so /usr/local/lib/libclammspack.so.0 /usr/local/lib/libclamunrar.so /usr/local/lib/libclamunrar.so.5 /usr/local/lib/libclamunrar_iface.so /usr/local/lib/libclamunrar_iface.so.9 /usr/local/lib/libfreshclam.so /usr/local/lib/libfreshclam.so.2

Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?

2021-04-08 Thread Ralf Hildebrandt via clamav-users
* Vladislav Kurz via clamav-users : > How about just making the file empty? I think this causes an error in clamav/clamd

Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases

2020-11-26 Thread Ralf Hildebrandt via clamav-users
> > I usually rebuild from a recent debian source (hah!) > > that's what I recommend. > > with changing version to something lower than 0.103 e.g. 0.103~backport > - it gets upgraded to ubuntu-provided version when it's available. Same here.

Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases

2020-11-26 Thread Ralf Hildebrandt via clamav-users
> Do you want to take care of it since now (forever)? > > It is possible, but it should be easier to backport clamav e.g. version > 0.103 from hirsute. That way, when newer version appears in ubuntu > repository, it may get upgraded so you won't have to care. I usually rebu

[clamav-users] pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects

2020-09-18 Thread Ralf Hildebrandt via clamav-users
arser while extracting objects. Sep 18 11:47:55 proxy-cbf-1 clamd[791]: LibClamAV Error: pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects. What is the timeout value? Can it be configured? Is there any way of preserving the files for further analysis?

Re: [clamav-users] [ext] Xls.Malware.Sagent-7132944-0

2020-08-14 Thread Ralf Hildebrandt via clamav-users
00020819---C000-0046}" anywhere 1: contain "CallByName" anywhere 2: contain "ThisWorkbook" anywhere

Re: [clamav-users] Becoming disillusioned

2020-08-14 Thread Ralf Hildebrandt via clamav-users
Sanesecurity and to lesser extent SecuriteInfo). The only official "hit" in the top 25 is "Win.Downloader.WannaMine-6442440-2" I see the extensibility as a major advantage. Just the other day I created a set of patterns to detect EPOCH3 EMOTET files. But to some extent I agre

Re: [clamav-users] [ext] ClamAV Development Release: Cannot compile, no configure-script available...

2020-08-12 Thread Ralf Hildebrandt via clamav-users
" Remove autotools generated files, add autogen.sh 26 days ago

Re: [clamav-users] [ext] Re: ClamAV® blog: Freshclam, cdiffs and bandwidth are your friends

2020-07-29 Thread Ralf Hildebrandt via clamav-users
63, builder: raynman) Tue Jul 28 18:00:53 2020 -> daily.cld updated (version: 25887, sigs: 3681654, f-level: 63, builder: raynman)

Re: [clamav-users] [ext] About Madeba-8019734

2020-07-06 Thread Ralf Hildebrandt via clamav-users
ED SUBSIGNATURE: words(85 So, as you can see the signature consists of 6 subsignatures numbered 0-5, all of which must match. It sort-of looks highly specific to me.

Re: [clamav-users] [ext] SelfCheck: Database modification detected. Forcing reload.

2019-11-13 Thread Ralf Hildebrandt via clamav-users
* Cliff Hayes via clamav-users : > I have a daily cron job that runs around 3am that: > - shuts down clamd > - runs freshclam > - starts clamd Why? freshclam usually runs all the time, updating and signalling clamd on demand. But you do have a point...

Re: [clamav-users] rpm files question [was: ClamAV 0.101.2 announcement?]

2019-03-29 Thread Ralf Hildebrandt via clamav-users
> Would you, and others here, be interested in installing a ClamAV > snap in the future? That definitely sounds interesting!

Re: [clamav-users] [ext] What kind of mails is clam* checking? Only mails with attachments / mailflow

2019-02-07 Thread Ralf Hildebrandt
achments and usually scans the whole mail "as is" and the text parts and attachments separately. > As clam* can also do URL checks and stuff, also mails without attachments > can be infected.

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
trol were to > list the specific site where the malware was reportedly found, rather > than condemning the entire sub-domain.

Re: [clamav-users] [ext] Re: MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
this is not a false > positive. > > There is no reason to believe that the Google infrastructure doesn't > host malware. In case you still don't want or can't block such domain, > we advise you to whitelist it before applying our block lists." Fucking idiots.

Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
do anymore. Is it worth it to keep malwarepatrol? I'm wondering this as well. That stuff pops up every other day.

Re: [clamav-users] [ext] Re: Malwarepatrol false positive

2018-09-18 Thread Ralf Hildebrandt
* Paul Stead : > Yet another Malwarepatrol FP: > > MBL_14437114 - https://drive.google.com That's a recurring FP. Happens every week.

Re: [clamav-users] [ext] Re: WARNING: Local version: 0.99.4 Recommended version: 0.100.0

2018-06-20 Thread Ralf Hildebrandt
* Philip : > Has this been released yet by the major Distros? I'm using Debian 9 and > can't get any higher than 0.99.x Debian has 0.100: https://packages.debian.org/buster/clamav I used that source package to rebuild for my Ubuntu installations.

Re: [clamav-users] [ext] Re: Question regarding SIGUSR2 and clamd

2018-03-22 Thread Ralf Hildebrandt
mav/clamd.ctl PONG # echo RELOAD | socat - /var/run/clamav/clamd.ctl RELOADING # echo PING | socat - /var/run/clamav/clamd.ctl # echo PING | socat - /var/run/clamav/clamd.ctl PONG Yeah!

[clamav-users] Question regarding SIGUSR2 and clamd

2018-03-22 Thread Ralf Hildebrandt
trying to parse the logfile?

Re: [clamav-users] Announcement missing

2018-01-26 Thread Ralf Hildebrandt
* Joel Esler (jesler) : > You're right. That's my fault. I'll correct that here in a second after I > read through all the emails in my ClamAV folder. OK, tomorrow then :)

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* Reindl Harald : > > > Am 26.01.2018 um 13:40 schrieb Ralf Hildebrandt: > > * maxal : > > > nobody of clamav/cisco reading this list? > > > > It's 7:45AM on the east coast > > so what - i don't get how such updates slip through at all - i

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* lukn : > As ClamAV/Thalos is owned by Cisco I assume all ClamAV employees are > located in Silicon Valley area and therefore still enjoying a good > Californian night's sleep. Or maybe in Philadelphia.

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* maxal : > nobody of clamav/cisco reading this list? It's 7:45AM on the east coast.

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
> Arguably if a bug in the signatures can lead to such massive problems > then that is in itself a bug in the software, which might be (but > apparently so far isn't) fixed in a later version. Amen to that.

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
548fe87bc9a454486cbe37d5c89b.tmp (deleted) lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted) ...

Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* Reindl Harald : > sounds like an issue with the official signatures given that you are not the > first reporter and that we don't use them and have no problems Thought so. Must be a recent signature in daily.cvd.

Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread Ralf Hildebrandt
* Karl Pielorz : > This ends up with a lot of wedged mail processes (and we slowly run out of > fd's as the process table fills up). Same here on Ubuntu 16.04 with official patterns.

Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Ralf Hildebrandt
0.838784 952 881 fcntl ... -- --- --- - 100.00 195.366582 47161 total

Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.

2017-12-28 Thread Ralf Hildebrandt
0 0 480 futex 0.000.00 0 1 restart_syscall -- --- --- - - ---- 100.000.103050 3803012 total

Re: [clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?

2017-04-08 Thread Ralf Hildebrandt
* ANANT S ATHAVALE : > Hi List, > > One of the .pptx file which was attached is getting detected as VIRUS: > Win.Exploit.CVE_2016_3301-6210129-0. As it is a official document and can't > to uploaded for submission. How to manually verify? What do you want to verify?

Re: [clamav-users] Grizzly Steppe

2017-01-04 Thread Ralf Hildebrandt
t this, could anyone comment? They probably mean the exploit code used in operation Grizzly Steppe APT 29, APT 28, Cozybear, Fancybear, Sandworm, Sofacy etc. https://www.dhs.gov/news/2016/12/30/executive-summary-grizzly-steppe-findings-homeland-security-assistant-secretary

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Ralf Hildebrandt
* Bengt H. : > Unsubscribe please List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>,

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > * Al Varnell : > > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > > > * Al Varnell : > > >> Has anybody submitted a PDF yet? > > > > > > Of course. > > > > Hash? > &

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? 8d62c398679ab6c7b85749eacf7a9a80

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > Has anybody submitted a PDF yet? Of course.

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Ralf Hildebrandt
dy did a FP report. It happened with PDFs from "Springer Medical". Had to disable that signature. > I hope there are some additional FP-Reports from other people regarding this > virus to review this signature. Yep.

Re: [clamav-users] One final clamd Frage

2016-10-12 Thread Ralf Hildebrandt
can together with clamd eliminated the long startup time. > does it provide any added features or functionality not already present > with freshclam + clamscan running on-demand from cronjobs?

Re: [clamav-users] ClamAV® blog: CRDF Joins the ClamAV Signature Partner Program!

2016-07-14 Thread Ralf Hildebrandt
* Joel Esler (jesler) : > > > http://blog.clamav.net/2016/07/crdf-joins-clamav-signature-partner.html Are these signatures already active?

Re: [clamav-users] Problem with mirrors overnight?

2016-03-19 Thread Ralf Hildebrandt
rom freshclam? > All of them are failing since last night on all of our servers. > > Probed are: > 178.63.73.246 > 84.39.110.99 > 88.198.17.100 http://lutz.donnerhacke.de/Blog/ClamAV-aktualisiert-sich-nicht-mehr

Re: [clamav-users] Bad detection rate

2014-07-03 Thread Ralf Hildebrandt
> 2. Up to now, I never got a notification, although "Notify me" was checked. Indeed. I also submitted quite a lot of malware and never got a notification (in years!) > 3. Why shall we not post more than two sample files per day ? I also wondered about that.

Re: [clamav-users] An FP?

2014-02-06 Thread Ralf Hildebrandt
* Gene Heskett : > > It's an UNOFFICIAL pattern, not a core clamav pattern > > Still, is it not un-needed noise? It's obviously a FP, but calling it un-needed noise is a bit off. If the pattern were correct and would find a real virus, is it not un-needed noise?

Re: [clamav-users] An FP?

2014-02-05 Thread Ralf Hildebrandt
IAL FOUND > /home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt: > MBL_400944.UNOFFICIAL FOUND > /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: > MBL_400944.UNOFFICIAL FOUND > > But https://virustotal.com thinks otherwise. It's an UNOFFI

Re: [clamav-users] Error build clamav 0.98

2013-11-08 Thread Ralf Hildebrandt
st since you don't have valgrind installed

Re: [clamav-users] Error build clamav 0.98

2013-11-08 Thread Ralf Hildebrandt
* Константин Белозеров : > Errors are listed in log file. Would you mind pasting them here?

Re: [clamav-users] Error build clamav 0.98

2013-11-08 Thread Ralf Hildebrandt
* Константин Белозеров : > Hello. > > Error when building from source anti-virus in the operating system > GNU/Linux Debian 7.1 Performed make check VG=1. But to no avail. But which error are you getting?

Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184

2012-05-12 Thread Ralf Hildebrandt
* Joel Esler : > Please run Freshclam. This has already been cleared up. Thanks for the heads up. Time to release stuff from the quarantine.

Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184

2012-05-12 Thread Ralf Hildebrandt
0165). > > Anyone else seeing this? Yes, I'm also seeing a lot of FP's for BC.Exploit.CVE_2012_0184

[clamav-users] Solved: False positive submission page down (for a few days now)?

2012-05-04 Thread Ralf Hildebrandt
own" and a subsequent error page from varnish. Setting it to "delete", "on" or "truncate" make the page http://cgi.clamav.net/sendfp.cgi work again. Only "off" causes the page to fail. -- Ralf Hildebrandt Charite Universitätsmedizi

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-05-04 Thread Ralf Hildebrandt
ol: max-age=0 Connection: keep-alive answer: HTTP/1.1 503 Service Unavailable Server: Varnish Content-Type: text/html; charset=utf-8 Retry-After: 5 Content-Length: 284 Accept-Ranges: bytes Date: Fri, 04 May 2012 10:29:21 GMT X-Varnish: 221993613 Age: 0 Via: 1.1 varnish Connection: close

Re: [clamav-users] False positive submission page down

2012-05-04 Thread Ralf Hildebrandt
software which > receives the requests cannot pass them to the right server instance > because your client has not told it which one it wants to talk to. It's not a client issue. It depends on my source IP.

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-05-03 Thread Ralf Hildebrandt
orking and unfortunately your admin is not willing to check the logs to see what's being logged for my source IP.

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
vice Unavailable.

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > * Török Edwin : > > > Can you try flushing your varnish cache, and trying again? > > It's your varnish cache :) (we don't have any here) > > I already restarted my squid servers, no change. It's very odd. Now I emptied my c

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Török Edwin : > Can you try flushing your varnish cache, and trying again? It's your varnish cache :) (we don't have any here) I already restarted my squid servers, no change. It's very odd.

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
tion: close ... remainder of page sent correctly ... The FP submission page used to work for us up till now. Hm.

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
GMT X-Varnish: 216808379 Age: 0 X-Cache: MISS from proxy-cvk-1 Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444) Connection: close http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"; Maintenance Under maintenance. Try again later. Connection closed by fo

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Török Edwin : > On 04/19/2012 04:10 PM, Ralf Hildebrandt wrote: > > > >> I just tested and it worked fine for me. > >> > >> What's exactly the problem on your side? > > > > I keep getting: > > > > Under maintenance. Try again

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
> I just tested and it worked fine for me. > > What's exactly the problem on your side? I keep getting: Under maintenance. Try again later.

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
* Török Edwin : > On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote: > > Is there an alternative way of submitting FP's? > > > > Are you using this page? > http://www.clamav.net/lang/en/sendvirus/submit-fp/ Yep. -- Ralf Hildebrandt Chari

[clamav-users] False positive submission page down (for a few days now)?

2012-04-19 Thread Ralf Hildebrandt
Is there an alternative way of submitting FP's? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk fon: +

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-08 Thread Ralf Hildebrandt
/local/share/clamav/local.ign2 > > BC.Exploit.CVE_2011_3412 > > The entry is not complete. The correct one is: > > BC.Exploit.CVE_2011_3412.{CVE_2011_3412} After applying your fix, correct? -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de

Re: [clamav-users] Unit Testing

2012-02-07 Thread Ralf Hildebrandt
* Jan-Pieter Cornet : > I haven't got any experience with IRIX, but I do wonder: why are you > using tits for testing purposes? That seems inappropriate. No, he's using un-tits. Everything but tits. E.g. a canary would be an un-tit. Like an undead is anything but dead. PS ;-)

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
t emit a line number. Fields are not separated with : but with ; -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin G

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
* Bill Maidment : > > What am I doing wrong here? Running clamav 0.97.3 > > It's the same story here. We've had to switch off all bytecode rules in > the conf file. Not ideal. Sounds like one cannot whitelist a bytecode signature? -- Ralf Hildebrandt

Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
* Alain Zidouemba : > Ralf, > > We got your FP reports and will address them today. Thanks :) But the original question remains in case I need to whitelist a signature. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus

[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP

2012-02-07 Thread Ralf Hildebrandt
c5aab:1317888) FOUND What am I doing wrong here? Running clamav 0.97.3 -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.deCampus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt.

Re: [clamav-users] Fwd: Re: AV timeout?

2011-06-29 Thread Ralf Hildebrandt
* Török Edwin : > On 2011-06-29 17:01, Michael Scheidell wrote: > > > > > > On 6/29/11 9:24 AM, Michael Scheidell wrote: > >> Ok, so not just me. > >> > >> I am going to ask Ralf Hildebrandt what version of os he is using. > >> maybe w

Re: [Clamav-users] clamd DLP(Data Loss Prevention) w/Postfix

2010-04-29 Thread Ralf Hildebrandt
digits in Subject or Body) You'd probably need to use amavisd-new -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ral

Re: [Clamav-users] DNS server "blocks" database.clamav.net?

2009-04-02 Thread Ralf Hildebrandt
e.clamav.net 85.255.112.204: > > $ nslookup database.clamav.net 85.255.112.204 > Server: 85.255.112.204 > Address: 85.255.112.204#53 Why don't you ask your ISP? -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berl

Re: [Clamav-users] announcing ClamAV 0.94rc1

2008-08-19 Thread Ralf Hildebrandt
* Dennis Peterson <[EMAIL PROTECTED]>: > > My point was that it's ten times as big as it should be > > Which begs the question: How big should it be, and why is that size > better than the one it is? > Size matters not! -- Ralf Hildebrandt (i.A. des IT-Zentr

Re: [Clamav-users] announcing ClamAV 0.94rc1

2008-08-18 Thread Ralf Hildebrandt
ted. 0.90: 11.575.374 0.91: 13.026.634 0.92: 16.134.725 0.93: 20.247.322 -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zen

Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-14 Thread Ralf Hildebrandt
> ' followed by the address in question, > i've tried a number of addresses manually but anything containing | has the > same problem. Please do show the logs. -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin Berlin
