Latest from clamav-virusdb announcements:
ClamAV database updated (28 May 2014 04-17 -0400): daily.cvd
Yet freshclam says (with and without --no-dns)
# freshclam
ClamAV update process started at Wed May 28 09:33:52 2014
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
Oops, left off the latest version of patterns - 19041, allegedly, yet we're
stuck on 19037.
Cheers,
Phil
-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 28 May 2014 09:35
To: Clamav-Users
There are packages in the rpmforge (aka repoforge) yum repository.
Cheers,
Phil
--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk
-Original Message-
From:
of it.
-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 07 July 2010 11:11
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Mirrors not being updated
Hi folks,
Anyone else having
Francis Stevens wrote:
Chris wrote:
I've misplaced the original post I made so I can't reply to it,
however I'd like to make a note for the archives what the problem is
and to thank Steve Basford and Edwin for their help in finding
it. Seems like I had both a main.cvd and main.cld. I
That looks like the same issue we've got with clamd 0.96 and MailScanner:
http://thread.gmane.org/gmane.mail.virus.mailscanner/74234
Cheers,
Phil
--
Phil Randal | Networks Engineer
NHS Herefordshire Herefordshire Council | Deputy Chief Executive's Office |
I.C.T. Services Division
Thorn
Check out Julian Field's ScamNailer:
http://www.scamnailer.info/
18/10/2009 - New scamnailer.ndb ClamAV signature database is now
available from http://www.mailscanner.eu/scamnailer.ndb. This is updated
very frequently. Do not download it more than once per hour!
Cheers,
Phil
--
Phil Randal |
On the subject of 0.94.x's end-of-life, will the ClamAV developers
please work with the folks at VirusTotal to ensure that VirusTotal runs
ClamAV 0.95.x.
It is still on 0.94.x.
Cheers,
Phil
P.S. This has come up on the list before, but was never resolved.
--
Phil Randal | Networks Engineer
aCaB wrote:
Charles Gregory wrote:
Oh, and FTR, I could not find a change log or version notes on
the main clamav website, or I could have answered this question
myself A link in the left-side menu would be nice. :)
It's not that hard...
immediately and destroy all copies of it.
-Original Message-
From: clamav-users-boun...@lists.clamav.net
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Randal, Phil
Sent: 18 February 2009 17:31
To: ClamAV users ML
Subject: [Clamav-users] Once again,daily updates being announced
Francesco Peeters wrote:
Seeing this list is clearly an OPT-IN affair, those rules are mostly
irrelevant, and - as stated - the required info *is* provided...
Having said that, I do think it would be a good idea to expose the
unsubscribe link in the footer, even though nobody will read it
Just a heads up.
DNS is still reporting 9002, which seems to be the latest on mirrors,
yet 9005 has been announced.
Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2
No 8996, 8997, or 8998
clamav tweeted Daily CVD 8998 (sigs: 13223; new: 15) on 16 Feb 2009
22-40 -0500 but no sign.
No message on web page, no tweet explaining difficulties, or anything.
Arrrggghhh...
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's
Luca Gibelli wrote:
Hello Randal,
A quick nudge of the ClamAV team.
Christoph Cordes announced update 8996 at 16:51GMT (or thereabouts),
but there's no sign of it on mirrors...
we have experienced some connectivity problems between the server
where the CVD are created and the server
A quick nudge of the ClamAV team.
Christoph Cordes announced update 8996 at 16:51GMT (or thereabouts), but
there's no sign of it on mirrors...
Cheers,
Phil
--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre,
Nigel Horne wrote:
McDonald, Dan wrote:
how about:
Daily CVD 8721 (sigs: 32788, new: 1) at 04 Dec 2008 13-26 +
Thank you for your suggestion. It's a great idea so we've made the
change!
-Nigel
And now you've sorted out twittering, how about fixing the
clamav-virusdb mailing list?
Steve Basford wrote:
For details of the new features please refer to the Changelog. For an
overview please refer to
http://www.clamav.net/press/0.94.1-WhatsNew.pdf.
Nigel, does the stats sent... only send information regarding ClamAV
default signatures (when detected)... or does this
Tomasz Kojm wrote:
On Thu, 16 Oct 2008 13:43:12 +0100
Randal, Phil [EMAIL PROTECTED] wrote:
I haven't had the time to check the source code.
How does it send it? What protocol and port, to which servers?
Anything that firewall admins will need to be aware of?
It sends information
[EMAIL PROTECTED] wrote:
Hi,
For a couple of days now, I have some performance issues with clamav.
I use clamav on my email server to scan incoming traffic. I faced the
problem yesterday with the Trojan.Agent-49425 before clamav was
considering it as a virus. The scanning time of this
This is what I have in my milter-greylist's greylist.conf.
The google entries are accurate as of a week or so ago, taken from their
SPF record.
list broken mta addr { \
12.5.136.141/32\ # Southwest Airlines (unique sender)
12.5.136.142/32\ # Southwest Airlines
Last pattern posted to clamav-virusdb was:
ClamAV database updated (10 Jun 2008 14-18 +): daily.cvd
Version: 7421
Yet the DNS, clamav homepage, and mirrors still say 7417.
What gives?
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
I wrote earlier that
clamscan --version behaves differently in 0.92.1 to 0.92
# clamscan --version
ClamAV 0.92.1
# clamscan --version
ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008
It looks like the checkin to fix bug 699
(https://wwws.clamav.net/bugzilla/show_bug.cgi?id=699) has broken
clamscan --version behaves differently in 0.92.1 to 0.92
# clamscan --version
ClamAV 0.92.1
# clamscan --version
ClamAV 0.92/5785/Tue Feb 12 10:41:10 2008
Can we have the old behaviour back please?
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
[EMAIL PROTECTED] wrote:
There is an article on eWeek.com today concerning instability in AV
software due to the impossibility of adequately testing updates when
releasing them as quickly as they are needed
(www.eweek.com/article2/0,1895,2240656,00.asp?kc=EWKNLINF010208STR3).
Just to force
Do you give risk assessments of each and every virus caught, then?
That would be a complete waste of time.
But, just to let you know the risks we're talking about here:
eCard stuff: emails containing either a link to a website pushing
Trojans onto the PCs of those stupid enough to visit; or a
Conrad Zane Minnaar wrote:
Le mercredi 27 juin 2007 15:09, Schramm e.K. [ Deutschland ] a écrit :
Dear clamav-users-list,
like the subject sounds have i some problems
with clamav.
Known bug. Already corrected in version 0.91 rc2.
I don't know if it is really fixed. I have posted a
[EMAIL PROTECTED] wrote:
Michael Heiming wrote:
René Berber wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Michael Heiming wrote:
Tests show pretty bad performance with 0.90.2 and clamscan. Running
Mailscanner it seems not trivial to switch to clamd,
It is trivial, just
Christopher X. Candreva wrote
I've been running 0.90rc2 here for a few months. IMHO it is
more stable than
the 0.88.x I was running previously.
Just yesterday I received a Bugzilla note from one I had
submitted that it
was fixed in 0.90rc3. I am taking that to mean we will see rc3
Galactic wrote:
Seems it is already in the DB as something else,
Trojan.Downloader-6xx.
Norton was stripping the file from my email so I couldn't
read the headers
on it. Not sure why it was slipping past ClamAV however. When
I tried to
upload these 3 files postcard.exe, Full Clip.exe, and
Not detected here either, nor by ClamAV at http://virusscan.jotti.org
Scan taken on 23 Jan 2007 14:57:25 (GMT)
AntiVir Found nothing
ArcaVir Found Trojan.Door.Mirc-based
Avast Found Win32:Trojan-gen. {VC}
AVG Antivirus Found HideExec.G, IRC/BackDoor.Flood
BitDefender Found
There were two or three variants of that Trojan (not strictly a virus)
spammed out on the 18th, with one or more variants pushed out a day
later (sample submitted, still waiting for the updated patterns for
that).
Trojan-downloader.647 was one of the variants.
If you keep your eye on whatever
I'd recommend pmwiki.
Phil
Daniel Hertanu wrote:
Yesterday I received 3 emails in which the local antivirus (AVG for
Windows, Free edition) has detected a virus named
I-Worm/Generic.RX. The email server is a sendmail with
clamav-milter. Having a look into the log
file I discovered that clamav-milter declared the
Diego Lorenzo - OJC said
Hello, folks!
I'm needing to mark all incoming and outgoing e-mails with a
virus scanned message, kinda This e-mail was scanned by
Clamav (or Amavis), something like that. Is there any flag I
can set it? It is really in Clamav configuration file I can do that?
Dear all,
1) I am going to use the anti-virus in a closed network, and
connection to
the Internet is not possible. How can ClamAV be updated
manually without
accessing the Internet? Can freshclam be deactivated? And
will there be
any effect on the signature update if freshclam is
Fernando Azevedo asked:
I'm running a pretty stable server with clamav 0.88.2 on top of qmail
with simscan. I'm checking all messages (incoming and
outgoing) and I'd
like to append a small footnote with a disclaimer and also with some
(free) advertisement stating that the message has gone
Pat Masterson wrote:
I just installed clamav-0.88.2 on a solaris 9 system. when running
freshclam I get this:
[EMAIL PROTECTED] [170]: /usr/local/bin/freshclam --datadir=/home/clamav -v
Current working dir is /home/clamav
Max retries == 3
ClamAV update process started at Fri Jun 16
I'd keep well clear of this until PSCM is updated to use MailScanner
4.53.8.
4.53.6 had a major bug in the phishing detection code which could cause
MailScanner to loop.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From:
Robert Isaac wrote:
4.53.7 is the latest version, it came out a few days after 4.53.6
Check http://www.sng.ecs.soton.ac.uk/mailscanner/downloads.shtml for
yourself if you don't believe me!
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
It's always worth submitting samples to http://www.virustotal.com and
http://virusscan.jotti.org as well.
They forward to the ClamAV team and other antivirus vendors.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL
Don't know when this started happening, but ClamAV is misidentifying the
Zafi worm as Trojan.Downloader.Small-1004.
From a MailScanner notification:
Sender: [EMAIL PROTECTED] IP Address: 85.98.131.226
Recipient: [EMAIL PROTECTED] (changed to protect the innocent)
Subject: Fw: Merry
Jason Haar wrote:
I've been watching CME (Common Malware Enumerator) starting
to take off over the past few weeks, and I've noticed CME
entries and their corresponding names used by antivirus vendors.
...and ClamAV ain't in there from what I've seen...
Is there no interest in
I have the latest version of ClamAV and the signature files
installed, however it fails to detect the Win32.Blackmail.F virus.
My mail is delivered to a FreeBSD server that I run. One of
the machines on the network is a WinXP machine running
ZoneAlarm Suite. When this Windows machine
Jay Lee wrote:
I've already submitted a sample to the website, any hope of getting
this blocked soon?
Did you submit it to the online testing web page to see if
that system
handles it differently from yours?
I have now yes, I tried sending the raw email message, the
attached .zip
But you do not know the sender. You only know an address that the
virus presents as the sender address. And you trust the virus...
Ok, i see you must have experience. Are there really so many
virussender who specify a fake REAL EXIST mail address?
Michael Neurohr
Many viruses harvest
Dennis Peterson said:
Regardless, anything you need to know about the message can
be found in the logs. I've never seen a need to keep a virus
around - even in the postmaster account or quarantine directory.
I have. It's very useful when a new virus variant arrives and is
detected by only
Dennis Peterson said:
I guess I don't understand the need to submit a detected and
quarantined virus to anti-virus vendors.
It's called being socially responsible.
Just because ClamAV (or Bitdefender or McAfee or whatever) detected it
doesn't mean that everybody else does or have even seen
Maurizio Marini said:
Hi there
I have received a mail with an attachment:
Secret.zip
inside it there is a file
Filename 9.src
Size 75,776
Size now 43721
is this a virus/worm/malware?
the mail server report this freshclam output:
mailgw1:/etc/postfix# freshclam
ClamAV update
We've received over two dozen copies of a new Bagle / Mytob variant in
the last few hours.
Various subjects, attached files
Re: DocumentDetails.exe
Re: Hello Information.exe
Re: Details.exe
Encrypted document MoreInfo.exe
I wrote:
Both caught by Bitdefender as [EMAIL PROTECTED]
ClamAV daily update 1085 catches one of them as Worm.Bagle.BO
(McAfee also picks it up as generic malware) but not the later one.
I've submitted samples of both to clamav.net,
virusscan.jotti.org, virustotal.com, malwareupload.com,
[EMAIL PROTECTED] asked:
Subject: [Clamav-users] Clam AV on windows with the cygwin
environment installed
Is this possible? Are there any pitfalls in doing this?
Yes, take a look at http://www.clamwin.com/. It's not a realtime
scanner, just an on-demand one.
Cheers,
Phil
Phil
Pablo Chamorro C. wrote:
Try submitting the infected file to http://virusscan.jotti.org and
http://www.virustotal.com and see if any of their scanners
detect it.
Thank for all the answers, I found that only clamav on July
12th included that signature, but now, where can I find
Pablo Chamorro C. said
I installed clamwin under windows 2000 and it found a file
infected with Trojan.Briss-1 but looking up in
http://www.rainingfrogs.co.uk/index.orig.php?search=numvid=97961
I'm noting that only clamav detects that virus.
How can we know that virus is really a virus if
Pedro Silva asked:
Dear members,
During the last hours I have received several email
containing the W32/Mytob-Fam (Sophos name), which were not
caught by Clam.
Can someone tell me why Clam is not detecting this virus?
No idea, but you should submit samples to:
David Kandou wrote:
Dear all,
When I want to install clamav 0.85 (rpm version) I found that
clamav needs libcrypto.so.4 installed.
Can anybody help me how to get libcrypto.so.4 ???
Regards,
David Kandou
That's an OpenSSL library (see
[EMAIL PROTECTED] wrote:
Hello,
I'm running clamav (currently version 0.85) on two separate
servers and my home notebook and recently noticed odd
behavior when running freshclam.
While on one server and my notebook it always both displays
to the console and logs information about both
Douglas Ward asked:
Do you by chance know of any resources that I could look at
that would outline how to plug the two together? Thanks!
Have a look at MailScanner (http://www.mailscanner.info).
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
It's easy to block.
Check the handler's Diary at http://isc.sans.org/ and follow the links.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bart Silverstrim
[EMAIL PROTECTED] wrote:
On Wed, 2005-05-04 at 16:24 +0100, Nigel Horne wrote:
On Wednesday 04 May 2005 16:16, [EMAIL PROTECTED] wrote:
Man that never gets old. hahahaha not funny.
I have no control over this warning.
Yes you do. Use a hotmail/yahoo/gmail account.
At our company,
Francis Stevens wrote:
I'm seeing several false positives for Exploit.W32.MS05-002
since I upgraded to 0.82 yesterday. I've posted samples to
the submission website but would like to do something about
this. Using sigtool -l
doesn't list Exploit.W32.MS05-002 as a signature in the
Look at the thread on
http://news.gmane.org/gmane.comp.security.virus.clamav.user entitled
RAR Module Failure. ClamAV supports RAR 2 and not RAR 3 format
archives.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL
[EMAIL PROTECTED] wrote:
Trog wrote:
It is detected by Clam as Trojan.Downloader.Small-165, which was
added on 8th Nov 2004 by Christoph.
Wow, that was some time ago, and TrendNet is only just now
putting out an update! That's scary!
Thanks Trog
--
Craig Daters ([EMAIL PROTECTED])
[EMAIL PROTECTED] wrote:
Craig Daters
Wow, that was some time ago, and TrendNet is only just now putting
out an update! That's scary!
Thanks Trog
What concerns me (if it is true that ClamAV has detected this
specific variant since November) is that ClamAV is not
performing due
David Thompson wrote:
I would like to download clamav. however using adblock in
mozilla stops the ability to download.
I'm using AdBlock here without problems.
It looks like you have some erroneous or over-zealous AdBlock rules.
Cheers,
Phil
Phil Randal
Network Engineer
Herefordshire
Alessandro Bianchi wrote:
I've reopened the bug I filed against Mail::ClamAV for this issue:
http://rt.cpan.org/NoAuth/Bug.html?id=7320
The workaround is to uninstall 0.80rc, install 0.75, build
Mail::ClamAV, uninstall 0.75, reinstall 0.80rc.
Thank you Phil
Alex
Unfortunately,
Steffen wrote:
Hi
Why? Since all you achieve with rejects is indirectly
causing a lot of
virus bounces to appear at innocent bystanders.
NO.
Virii are usually sent directly from the virus and the virus
will not send bounces... :D However, if a virus can send
through an SMTP server,
Submit it to the clamav team (link on www.clamav.net).
It is probably Mydoom.u (McAfee).
http://vil.nai.com/vil/content/v_128346.htm
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Daniel J McDonald wrote:
That's one of the things that seems to be driving the size of
daily.cvd up - updating main.cvd entails a massive
distribution of files to the world.
Current main.cvd = 1103636 bytes, last updated on July 8
Current daily.cvd = 156470 bytes
A bit of mental arithmetic
[EMAIL PROTECTED] wrote:
Everyone,
For the last 2 days I have been getting:
ERROR: Verification: Broken or not a CVD file
when freshclam tries to download an updated file.
I am getting this message on both of our servers. Any ideas?
Greg Ennis
Which version of ClamAV are you
Last update details on clamav-virusdb is 349 (June 10th), current version is
354.
Are the individual update summaries available elsewhere?
Phil
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gervase
Sent: 03 June 2004 14:24
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] Re: Freshclam not responding
On Wed, 2004-06-02 at 15:49, Ron Snyder wrote:
if you do a 'dig
Graham Murray wrote:
So maybe, as with celestial objects, there should be
agreement that the first AV 'vendor' to publish a detection
for a virus should be given the honour of naming it and the
other vendors adopt the same name rather than inventing their
own (and potentially causing
I do still have the old style signatures located in
/usr/share/clamav from clam-0.65. Tomasz mentioned
in an earlier post that this could be the problem.
I am wondering if I should change the freshclam.conf
database line from /var/lib/clamav to /usr/share/clamav?
It seems to me that I
Don't call us, we'll call you.
Marketing emails are spam unless explicitly requested.
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Jeffrey Moskot wrote:
Based on what this article says, it looks like there will
soon be problems
with my config:
http://www.sophos.com/virusinfo/articles/bagletwist.html
I wasn't able to get my version of amavis properly patched to
submit the
body of the message to clam (or at least
Doug Hardie wrote:
The problem I encountered has now been identified and I have
a working
clamd that does not hang. I compiled it two different ways and both
worked. The problem was /dev/urandom returning either a -1 or a 0.
Either of those will cause others.c to hang as it does not
MailScanner users need to upgrade to MailScanner 4.28.4 (just out), which
can block password-protected .zip files.
Cheers,
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
Would you rather have a prompt and timely detection of new viruses or wait
for a committee to decide a common name?
Your call.
Cheers,
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL
What McAfee detects as Netsky and Netsky.b are both detected by ClamAV as
Worm.SomeFool.
It's starting to flood in here.
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
It is also known as W32/[EMAIL PROTECTED] (McAfee) Alua (symantec)
http://vil.nai.com/vil/content/v_101030.htm
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From: [EMAIL PROTECTED]
http://www.win-rar.com/index.php?lang=aid=knowlkb_category_id=kb_article_
id=67kb=
And the license.txt reads:
*** ** unRAR - free utility for RAR archives
** ** ** ** ** ** ~
** *** **License for use and
MailScanner (from http://www.mailscanner.info).
See also http://www.sng.ecs.soton.ac.uk/mailscanner/install/zmailer.shtml
for how to use it with ZMailer.
Cheers,
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original
I think you'll find it was one of the first to detect it.
ClamAV calls it Worm.SCO.A, and it has caught hundreds of the critters here.
Cheers,
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
-Original Message-
From:
ClamAV's just detected Worm.Mimail.R here.
McAfee calls it Mimail.s - http://vil.nai.com/vil/content/v_100989.htm
Cheers,
Phil
-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
ClamAV was picking up the original version here 6 hours before McAfee had
their 4319 DATs out, and detected the B variant here yesterday at least 4
hours before McAfee's 4320 DATs were released.
You guys deserve medals.
A big heartfelt thank you to all the ClamAV team (and virus submitters).