I have offered sigs to ClamAV official but have heard nothing back yet.
> On Jan 4, 2017, at 6:52 PM, Eric Tykwinski wrote:
>
> This was my concern about Cisco’s AMP product on ASA’s and NGIPS’s. I’m
> going to be beta testing stuff out shortly, but don’t have high
gainst a virgin ClamAV
> signature database to answer the question? I'd be happy to if there are
> samples I can access.
>
> -Al-
>
> On Wed, Jan 04, 2017 at 07:33 AM, TR Shaw wrote:
>>
>> I added detection in winnow_extended_malware.hdb which is distributed is th
I added detection in winnow_extended_malware.hdb, which is distributed in the
sanesecurity feed, the day after the JAR was released. I also searched for the
RAT and added signatures for that as well in winnow_malware_links.ndb.
Signatures are identified as winnow.Trojan.GRIZZLY_STEPPE.
Tom
>
How does ClamAV decide to unpack an attachment?
In particular this is in reference to the recent Locky attachments that are
zips but have the attachment extension “dip”
___
clamav-users mailing list
clamav-users@lists.clamav.net
You missed my point. It was a shame that safe browsing sigs are only for
files that look like email.
> On Nov 11, 2016, at 12:43 AM, Gene Heskett <ghesk...@shentel.net> wrote:
>
> On Thursday 10 November 2016 17:45:24 TR Shaw wrote:
>
>> Thanks, all.
>>
eve
> Twitter: @sanesecurity
>
>
>
> On 10 November 2016 19:53:05 TR Shaw <ts...@oitc.com> wrote:
>
>> I have freshclam set to load safe browsing:
>>
>> -rw-r--r-- 1 _clamav admin 57874944 Nov 10 11:51 daily.cld
>> -rw-r--r-- 1 _clamav ad
I have freshclam set to load safe browsing:
-rw-r--r-- 1 _clamav admin 57874944 Nov 10 11:51 daily.cld
-rw-r--r-- 1 _clamav admin 103419904 Nov 10 13:51 safebrowsing.cld
I placed http://ianfette[.]org/ in a file safebrowsingtest.txt
Then I run clam and expect to hit safe browsing but I
Actually there is always a probability that a detection will not occur if you
break apart a file into pieces. This is due to the following:
1) md5 signatures based upon any file type are applied on any file and match to
the md5 hash of that file AND the file’s size. If you break apart a file,
Actually they approved ClamAV for use in CI PL 4 & 5 since mid 2000s
iPhone says hi!
> On Jul 12, 2016, at 5:55 PM, Albrecht, Thomas C
> wrote:
>
> Hi,
>
>
>
> I'm hoping someone on this list can answer this question. I work as a
> defense contractor, and one
The following is safebrowsing’s test host name, malware.testing.google[.]test,
and using google’s test page
https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=malware.testing.google[.]test
shows that it is listed.
I have enabled safebrowsing in freshclam.conf and
You should remind your security dept that ClamAV is owned and maintained by
Cisco.
> On Apr 18, 2016, at 11:13 AM, Retailleau, Damien (GE Capital)
> wrote:
>
> Hi ClamAV users,
>
> We are, at GEMB France, currently looking for a solution to scan files upload
> on
Removed when I saw the original message
> On Apr 14, 2016, at 3:22 AM, Paul Whelan wrote:
>
> On 13 Apr 2016 at 11:20, Alex wrote:
>
>> Hi,
>>
>> I don't understand why themastersbaker.com would be tagged?
>>
>> # sigtool --find-sigs winnow.spam.ts.untyped.966134 |
ClamAV does provide for heuristic detection and its normal ruleset includes
heuristic rules, as do the UNOFFICIAL feeds. It meets the mail for NIST as well
as DCID (and its follow-on regs).
Tom
> On Jan 29, 2016, at 7:01 AM, Brad Scalio wrote:
>
> Can anyone answer the mail on
On Jul 23, 2015, at 9:26 PM, Al Varnell alvarn...@mac.com wrote:
On Thu, Jul 23, 2015 at 05:28 PM, phoenixcomm wrote:
I am new to clamAV so be gentle.
the Tk interface is very nice but I have a problem
you have only 2 choices to scan home or everything.
you need to add other dir as
Steve, I have my own yara rules. Are you going to accept them for rsync?
Tom
On Jun 5, 2015, at 11:02 AM, Steve Basford steveb_cla...@sanesecurity.com
wrote:
On Wed, June 3, 2015 8:02 pm, Joel Esler (jesler) wrote:
ClamAV 0.99b Meets YARA!
The first beta release of ClamAV 0.99 is now
I originally signed on using gmail. However, gmail no longer supports OpenID 2.
Per Google, OpenID 2.0 was replaced by OpenID Connect, and since April 20,
2015, no longer works for Google Accounts. OpenID 2.0 support was shut down in
order to focus on the newer open standard OpenID Connect,
your.local.ndb file (the quotes were stripped from the original; restored here as PHP string concatenation):
"signame.1:4:*:" . bin2hex("http://bad.domain.com/path") . "\n";
"signame.2:5:*:" . bin2hex("http://bad.domain.com/path") . "\n";
On Mar 30, 2015, at 2:34 PM, Dave McMurtrie dav...@andrew.cmu.edu wrote:
Hi,
Hopefully someone here can steer me in the right
On Mar 29, 2015, at 1:45 AM, Dennis Peterson denni...@inetnw.com wrote:
On 3/28/15 10:43 PM, Jinwon Lee wrote:
Thanks for that. I guess ‘Hash Value’ refers to the ClamAV identifying the
.dmg as a known file that contains virus/es.
Jinwon
That was the case too for password protected
On Mar 29, 2015, at 12:24 PM, G.W. Haywood cla...@jubileegroup.co.uk wrote:
Hi there,
On Sun, 29 Mar 2015, Denis Peterson wrote:
... I meant dd, not cpio. But that won't work either ...
Does kpartx help? I use it for mounting bits of assorted disc images,
mostly when I'm playing
You need to look into a content filter that can use spamhaus.ro and/or
surbl.org DNS based RBLs.
On Dec 18, 2014, at 9:40 AM, Steve Basford steveb_cla...@sanesecurity.com
wrote:
On Thu, December 18, 2014 2:29 pm, polloxx wrote:
Since more and more malware is not attached to a mail but only
Sanesecurity's distribution of multiple sourced data (sanesecurity, CRDF,
winnow and others) has URL detections in them, but you really need to add SURBL
and Spamhaus' DBL in content filtering as well.
On Dec 18, 2014, at 11:50 AM, Arnaud Jacques / SecuriteInfo.com
webmas...@securiteinfo.com
Many use hxxp for http or [.] or dot for the period in the domain name.
Tom
On Mar 3, 2014, at 9:00 AM, Steve Hill wrote:
On 03.03.14 13:49, Steve Basford wrote:
I think a h t t p non-clickable link might have been wise though,
just in case someone hasn't had their coffee yet and clicks
btw that one should have been detected by winnow (distributed in Steve's rsync
feed)
On Mar 3, 2014, at 9:03 AM, Larry Stone wrote:
On Mar 3, 2014, at 7:49 AM, Steve Basford steveb_cla...@sanesecurity.com
wrote:
On 03.03.14 12:38, Dennis Peterson wrote:
Did you just send a link to
$ nslookup geneslinuxbox.net.multi.uribl.com
Server: 10.0.1.1
Address:10.0.1.1#53
** server can't find geneslinuxbox.net.multi.uribl.com: NXDOMAIN
On Feb 6, 2014, at 4:48 PM, Dennis Peterson wrote:
I'm not part of your problem or your solution. I don't own the TTL of the
This is the mail system at host si01.clam.sourcefire.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster
If you do so, please include this problem report. You can
Any ideas?
btw, Happy Thanksgiving!
On Jun 22, 2013, at 8:52 AM, Denis McMahon wrote:
On 22/06/13 04:10, Dennis Peterson wrote:
On 6/21/13 5:45 AM, Denis McMahon wrote:
appear to suggest that my dns is fine (these are included in the log). I
have another machine on the LAN which updates fine.
What do you get if you run
On Nov 25, 2012, at 10:19 PM, Paul Wise wrote:
Hi all,
Bill Landry is the developer of clamav-unofficial-sigs and since I'm the
Debian maintainer of that, I need to discuss some things with him but
his domain inetmsg.com doesn't respond to HTTP or SMTP connections. Does
anyone know what
Linux, BSD Unix and Mac OS X all support directory/folder change actions.
Tom
On Dec 6, 2012, at 1:26 PM, Jari Fredriksson wrote:
06.12.2012 19:44, franckm kirjoitti:
Is it possible to have clamd (clamav daemon) watch a specific folder (and
only that one) and automatically scan the files as
On Nov 27, 2012, at 1:11 PM, Nigel Houghton wrote:
On Nov 27, 2012, at 12:32 PM, Dennis Peterson denni...@inetnw.com wrote:
Can we get a link to a SourceFire statement on the future of ClamAV? I just
rolled it out to a very large enterprise and they won't be happy if this
thing is
Hi
winnow.attachments.hdb
winnow_bad_cw.hdb
winnow_malware_links.ndb
Also work to stop these
On Nov 15, 2012, at 4:55 PM, Steve Basford wrote:
OK, I'm stumped as to why clamav-milter did not catch this virus. It was
from this address, being masked as from UPS:
File:
It meets NIST's requirements (NIST Special Publication 800-53 and associated)
and is running on NIST approved and DCID 6/3 approved systems.
Tom
On Nov 8, 2012, at 10:17 AM, Royce Williams wrote:
On Wed, Nov 7, 2012 at 4:01 PM, Kaushal Shriyan
kaushalshri...@gmail.com wrote:
Is clamAV
I don't mind if SourceFire decides they don't like my proposals or problem
sets. But I do think it shows poor stewardship of clamav when on bugzilla and
on mail lists there is not a peep of a response from SourceFire after 90 days.
Either yea or nay. It's like they are ignoring bugzilla entries.
For years I have been feeding undetected samples directly to Luca and the clam
AV team. Ever since the handover of personnel my submittals bounce! My
submittal address was:
redac...@unfiltered.clamav.net
Any help would be appreciated.
Tom
On Jun 22, 2012, at 2:56 PM, Joel Esler wrote:
Earlier this week we announced a new chapter for ClamAV with the departure of
Tomasz Kojm, Alberto Wu, Luca Gibelli and Edwin Török. While we are sad to
see them go, we are grateful for the contributions they have made and are
committed to
On May 8, 2012, at 5:30 AM, Fajar A. Nugraha wrote:
On Tue, May 8, 2012 at 4:18 PM, Al Varnell alvarn...@mac.com wrote:
On 5/8/12 1:42 AM, Nicole Brown supp...@faxserverplus.com wrote:
We got some reports from our customers saying our website is reported as a Malware
Site by Bitdefender.
Here is
On May 7, 2012, at 8:35 PM, Pepijn Schmitz wrote:
Hi Al,
On 07-05-12 20:44, Al Varnell wrote:
And is there no place where I can find more information about the trojan
ClamAV thinks it is detecting? Surely there is more information than a
hex string, somewhere?
The only one that might
On Apr 19, 2012, at 8:24 AM, Ralf Hildebrandt wrote:
* Török Edwin ed...@clamav.net:
On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
Is there an alternative way of submitting FP's?
Are you using this page?
http://www.clamav.net/lang/en/sendvirus/submit-fp/
Yep.
Works here in
Does ClamAV treat .jar files in a similar fashion as .zip's? e.g. is the jar
broken apart and then individual .class and other files get scanned as well?
Looking into options for writing signatures for these.
TIA,
Tom
ClamAV 0.97.4/14681/Wed Mar 21 12:47:18 2012
Bytecode 34 failed to run
Submitted to bugzilla as Bug 4629
Tom
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
$ clamdscan -V
ClamAV 0.97.3/14323/Wed Jan 18 09:09:29 2012
LibClamAV Warning: Bytecode runtime error at line 0, col 0
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 36 failed to run:
Works fine for 32bit intel
./configure --enable-llvm --enable-clamdtop --with-user=_clamav
--with-group=_clamav
Under 0.97.2 it worked fine on 64 bit as well. Now it fails along with
CFLAGS=-arch x86_64 CXXFLAGS=-arch x86_64 ./configure --enable-llvm
--enable-clamdtop --with-user=_clamav
, TR Shaw wrote:
Ideas?
If you've got MacOS X 10.6.8, then you can't use Xcode 4.2-- that's for 10.7
or later:
xcode42.tiff
ClamAV 0.7.3 appears to compile and pass all self-checks under 10.6.8 using
Xcode 4.0 (or 3.x also):
make check-TESTS
PASS: check_clamav
PASS
On Sep 19, 2011, at 12:04 PM, Bowie Bailey wrote:
On 9/19/2011 11:46 AM, Michael Orlitzky wrote:
A hostname cannot be all digits and except when the IP is used there
will be a TLD, so if you see a pattern such as
http:// 123456789/ cgi-bin/innocent_code.pl
(Ignore the spaces they are
On Jun 29, 2011, at 6:04 AM, polloxx wrote:
On Wed, Jun 29, 2011 at 11:45 AM, Henrik K h...@hege.li wrote:
On Wed, Jun 29, 2011 at 12:27:46PM +0300, Mihamina Rakotomandimby wrote:
On Wed, 29 Jun 2011 11:24:24 +0200
polloxx poll...@gmail.com wrote:
Are there other user with the same
On Jun 29, 2011, at 7:58 AM, polloxx wrote:
On Wed, Jun 29, 2011 at 12:49 PM, Joel Esler jes...@sourcefire.com wrote:
If you have a sample of the file, submitting it through ClamAV's submission
interface makes it bubble up so the rule writers can get to it faster.
(instead of waiting for
On Jun 2, 2011, at 7:10 PM, Al Varnell wrote:
On 6/2/11 3:37 PM, Russ Tyndall fitz...@redshanksoftware.com wrote:
On Jun 2, 2011, at 2:31 PM, Al Varnell wrote:
I'm sure I've seen answers to this question on ClamXav's forum
http://markallan.co.uk/BB/viewforum.php?f=1 if you don't get an
On Mar 29, 2011, at 1:06 PM, Al Varnell wrote:
On 3/29/11 6:29 AM, Russ Tyndall fitz...@redshanksoftware.com wrote:
On Mar 27, 2011, at 2:31 AM, Al Varnell wrote:
Some Mac users will recall that several months back we discussed the bzip2
bug and I filed a bug report with Apple when it
On Mar 16, 2011, at 1:31 PM, Russ Tyndall wrote:
On Mar 15, 2011, at 7:10 PM, TR Shaw wrote:
On Mar 15, 2011, at 4:48 PM, TR Shaw wrote:
Look at your config file. You don't need to scan all more than probably
200KB of a file.
So you are suggesting I use the MaxScanSize directive
Russ,
Look at your config file. You don't need to scan all more than probably 200KB
of a file. If you're using google; don't. It will help for email but probably
will not help finding badness on a file server. Likewise with unofficials. Not
all unofficials are appropriate for your application.
You have to set CXXFLAGS
CFLAGS=-arch x86_64 CXXFLAGS=-arch x86_64 ./configure --enable-llvm
--enable-clamdtop --with-user=_clamav --with-group=_clamav
On Feb 12, 2011, at 9:16 AM, James Brown wrote:
I have been compiling clamav all day with a great many combinations of
options.
No matter
On Jan 2, 2011, at 7:12 PM, Bob Traktman wrote:
Is there any reason not to keep ClamAv and Sophos Anti-Virus -- both active?
None whatsoever. Defense in depth is a good thing.
Tom
On Dec 31, 2010, at 2:25 AM, Török Edwin wrote:
Actually in 0.96.5 freshclam gets the stats directly from clamd, not the
logs. If you restart clamd the stats are lost as they are not saved
anywhere.
Oh so that means if you want to keep stats you need to run freshclam on
shutdown or restart
On Dec 30, 2010, at 4:56 PM, Jerry wrote:
I recently noticed that my stats are not being updated online. The
Last detected IP: 0.0.0.0 is obviously incorrect. When I attempt to
update manually, I receive this message:
*** Virus databases are not updated in this mode ***
OSX 10.6.5
Other than the normal bzip2 and .map warnings and a number of long int to off_t
cast warnings and
detect.cpp: In function ‘void cli_detect_env_jit(cli_environment*)’:
detect.cpp:128: warning: enumeration value ‘Minix’ not handled in switch
Seemed to be fine:
make check-TESTS
SKIP:
On Nov 14, 2010, at 6:41 PM, Larry Stone wrote:
On 11/14/10 1:44 PM, Spiro Harvey at sp...@knossos.net.nz wrote:
This is where your trouble started. This is telling you it can't find
an appropriate C compiler (gcc).
configure:3749: found /Developer/usr/bin/gcc
configure:3760: result:
On Nov 13, 2010, at 7:46 PM, Larry Stone wrote:
On 11/13/10 5:35 PM, TR Shaw at ts...@oitc.com wrote:
I just got around to compiling 0.96.4 and no joy. My configure command no
longer is working properly. I have xcode install and my search path is
/Developer/usr/share:/Developer/usr/sbin
I have detection for it in winnow malware unofficial and samples have been
forwarded to Luca.
Tom
On Oct 30, 2010, at 3:36 AM, Al Varnell wrote:
Above named Trojan or worm, depending on your perspective, was found in the
wild last week, rated critical by at least one commercial vendor. I
PS: It's not just OS X. It exploits a flaw in Java, so Linux, Unix, and windoz are
all infectable.
On Oct 30, 2010, at 3:36 AM, Al Varnell wrote:
Above named Trojan or worm, depending on your perspective, was found in the
wild last week, rated critical by at least one commercial vendor. I have
On Oct 14, 2010, at 7:05 AM, Luca Gibelli wrote:
Hello,
starting from the 0.96.2 release, our source tarball includes a script to
automatically restart clamd in case the daemon crashes.
The script is currently placed in the contrib/ directory. Latest version
is always available from:
Al
Just compile bzip2 from the source. That's what I did and everything was fine.
Tom
On Oct 1, 2010, at 1:10 AM, Al Varnell wrote:
On Sep 30, 2010, at 9:05 PM, Dennis Peterson denni...@inetnw.com wrote:
On 9/30/10 8:57 PM, Syed Zubair wrote:
This is what I get when I try to install ClamAV
There is a patch for BSD (also required for Apple) for PDFs, and there is a
bogus link warning about .map files which you can ignore.
Tom
On Oct 1, 2010, at 1:10 AM, Al Varnell wrote:
On Sep 30, 2010, at 9:05 PM, Dennis Peterson denni...@inetnw.com wrote:
On 9/30/10 8:57 PM, Syed Zubair
On Sep 27, 2010, at 10:36 PM, Florian Friesdorf wrote:
Hi,
I host several mailing lists with plenty of users having gmail accounts.
gmail blocks attachments with certain file endings (also if the files
are in certain archives):
http://mail.google.com/support/bin/answer.py?answer=6590
On Sep 27, 2010, at 4:24 PM, Alex wrote:
Hi,
In addition, there a brilliant Third-Party signature decoder here, which
will easily show you the content of the Third-Party signature,
just cut/paste or type in the signature name and it'll decode it:
Having issues:
/usr/local/bin/clamscan --official-db-only --infected --detect-broken
--move=/Usersx/virus_archive /Usersx/malware/
LibClamAV Error: cli_pdf: mmap() failed (2)
Have no idea what this means. Should I submit a bug report?
Tom
Wendy
Download the bzip2 security release and compile. I have to go back to my
office to check what compile settings are necessary, as the default make file is
not good enough.
Tom
On Sep 22, 2010, at 11:59 AM, Wendy J Bossons wrote:
I am running clamav on my dev laptop which is Snow
Wendy,
Download the source from bzip, open the make file and insert
CFLAGS=-Os -arch i386 -arch x86_64 $(BIGFILES)
or
CFLAGS=-Os -arch ppc $(BIGFILES)
depending on which processor you need and then
sudo make install
Tom
On Sep 22, 2010, at 11:59 AM, Wendy J Bossons wrote:
I am running
On Sep 14, 2010, at 7:00 AM, Alex wrote:
Hi,
In addition, there a brilliant Third-Party signature decoder here, which
will easily show you the content of the Third-Party signature,
just cut/paste or type in the signature name and it'll decode it:
On Sep 13, 2010, at 12:48 PM, Alex wrote:
Hi,
We had a user report that their email was tagged with
winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
I track this, and determine which database it was that contains this
pattern, and why it considered this email to
On Sep 13, 2010, at 1:58 PM, Alex wrote:
Hi,
winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
That signature is not in our active database. When did you last update your
files? Zeus URLs and IPs come and go as machines are infected and cleaned, so
you must keep
On Dec 10, 2009, at 6:24 AM, Török Edwin edwinto...@gmail.com wrote:
On 2009-12-10 13:06, Sundara Kaku wrote:
Thanks for the reply,
However if all you want is detect phishing, the heuristic phishing
detection won't work with webpages, it is designed for phishing mails
(which are