Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-20 Thread Pavel Řezníček 
I can't reproduce the issue any more. ☹ Tried to create a new .fp file 
with another signature and both the files, the old and the new, get 
parsed properly now. This is a bit spooky. Nevertheless, thank you for 
your assistance, Richard!


Should I discover the same behavior again, I'll report as soon as possible.

BTW. yes, I don't even have clamd & clamdscan installed so I am pretty 
sure I had been running /clamscan./


Dne 20. 04. 21 v 16:55 Richard Graham via clamav-users napsal(a):
On Tue, Apr 20, 2021 at 11:54 AM Pavel Řezníček 
mailto:pavel.rezni...@evangnet.cz>> wrote:


Humm, I’ve restarted my laptop and now the .fp file gets read and
the detection gets ignored.

How come I need to restart the machine? Is there any service I
could restart instead?

A restart shouldn't be necessary.  Is that behavior repeatable?  Are 
you sure you're using `clamscan` and not `clamdscan`?


I don't think clamscan uses any service, although clamdscan does. When 
observing `clamscan --debug ...` or `strace clamscan ...` output, I 
can see the ".fp" files being loaded each time clamscan is executed.


Maybe have a look at the details of what is actually being executed 
and the details of that execution?


Good luck!


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-20 Thread Richard Graham via clamav-users 
On Tue, Apr 20, 2021 at 11:54 AM Pavel Řezníček 
wrote:

> Humm, I’ve restarted my laptop and now the .fp file gets read and the
> detection gets ignored.
>
> How come I need to restart the machine? Is there any service I could
> restart instead?
>
A restart shouldn't be necessary.  Is that behavior repeatable?  Are you
sure you're using `clamscan` and not `clamdscan`?

I don't think clamscan uses any service, although clamdscan does. When
observing `clamscan --debug ...` or `strace clamscan ...` output, I can see
the ".fp" files being loaded each time clamscan is executed.

Maybe have a look at the details of what is actually being executed and the
details of that execution?

Good luck!

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-20 Thread Pavel Řezníček 
Humm, I’ve restarted my laptop and now the .fp file gets read and the 
detection gets ignored.


How come I need to restart the machine? Is there any service I could 
restart instead?


Pavel

Dne 17. 04. 21 v 20:55 Richard Graham via clamav-users napsal(a):
Very curious!  It seems to work as expected on my Fedora 32 system.  
If you run clamscan with the --debug option, you can see it load the 
".fp" files (all lots and lots of other stuff too!).


*$ clamscan --version
ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
*
*
*
*$ cat /var/lib/clamav/xmr-stak-linux.fp
2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz
*
*
*
*$ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
Scanning 
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak

/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK

--- SCAN SUMMARY ---
Known viruses: 12743774
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 16.49 MB
Data read: 1.99 MB (ratio 8.28:1)
Time: 25.887 sec (0 m 25 s)
Start Date: 2021:04:17 20:52:21
End Date:   2021:04:17 20:52:47*


On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček 
mailto:pavel.rezni...@evangnet.cz>> wrote:


Hello folks,

I am new to this mailing list. I’ve got a question related to
ClamAV’s
.fp files. Since I am a Ubuntu user, I asked my question on
askubuntu.com :

https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2

.

Got directed to a ClamAV forum so I am here. Copying my original post.

My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.

Trying to make ClamAV ignore several files. These are almost
cryptocoin
miners which I do use. Cryptocoin miners get flagged by most
antivirus
programs for they can be distributed as malware (using other people’s
computers for the attacker’s profit). At the same time, they can
be used
for a tiny profit by the computer’s user himself, knowing what he is
doing. ClamAV also reports the miners as malware and I’d like to
teach
it to ignore the files I actually use, knowing what I am doing.

I also want to ignore the files on a per-file basis. Ignoring a whole
malware type can be dangerous.

Well, still no success here.

Read this manual page: http://pig.made-it.com/clamav.html

>.

Then this manual page:
https://www.clamav.net/documents/allow-list-databases

>.

Then this: https://www.clamav.net/documents/file-hash-signatures

>.

In all these documents, they state that all I have to do is:

  * Create a file in the ClamAV database folder (on Ubuntu, it’s
    /var/lib/clamav) with the |.fp| extension,
  * place the file signatures therein, following the format
    |MD5:SIZE:COMMENT|, one per line,
      o |MD5| being the MD5 sum of the file,
      o |SIZE| being the file size, and
      o |COMMENT| being anything, defaulting to the file name.

However, this
> blog
entry
states that the format has to be |MD5:SIZE:ID_NAME|, where:

  * |ID| is a 6-digit identifier (can be the current date in the
    |YYMMDD| format) and
  * |NAME| is the file name *without the extension.*

Tried to follow even the second, restricted ruleset but to no avail.
Clamscan still marks the file as a virus.

I have got this file:

|clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp -rw-rw-r-- 1
clamav
clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp |

with this content:


|2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar

|

Then I run |clamscan|:

|clamav@precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a
kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
/home/pavel/Installace/Těžba a
kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz:
Multios.Coinminer.Miner-6781728-2 FOUND --- SCAN SUMMARY
--- Known viruses: 8653609 Engine version: 0.102.4 Scanned
directories: 0 Scanned files: 1 Infected files: 1 Data

Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-17 Thread Richard Graham via clamav-users 
Oops, my first email text formatting may have destroyed the contents.
Here's another try.

On Sat, Apr 17, 2021 at 8:55 PM Richard Graham  wrote:
> >
> > Very curious!  It seems to work as expected on my Fedora 32 system.  If
> you run clamscan with the --debug option, you can see it load the ".fp"
> files (all lots and lots of other stuff too!).
> >
> > $ clamscan --version
> > ClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021
> >
> > $ cat /var/lib/clamav/xmr-stak-linux.fp
> > 2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz
> >
> > $ clamscan -av /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> > Scanning /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz
> > Scanning
> /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak
> > /home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz: OK
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 12743774
> > Engine version: 0.103.2
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 16.49 MB
> > Data read: 1.99 MB (ratio 8.28:1)
> > Time: 25.887 sec (0 m 25 s)
> > Start Date: 2021:04:17 20:52:21
> > End Date:   2021:04:17 20:52:47

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-17 Thread Richard Graham via clamav-users 
Very curious!  It seems to work as expected on my Fedora 32 system.  If you
run clamscan with the --debug option, you can see it load the ".fp" files
(all lots and lots of other stuff too!).



*$ clamscan --versionClamAV 0.103.2/26143/Sat Apr 17 13:06:39 2021*



*$ cat /var/lib/clamav/xmr-stak-linux.fp
2461e99e1135fe07ced7fc035db93797:2089980:xmr-stak-linux-2.10.5-cpu.tar.xz*
















*$ clamscan -av
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xzScanning
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xzScanning
/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz!POSIX_TAR:xmr-stak-linux-2.10.5-cpu/xmr-stak/home/rick/Downloads/xmr-stak-linux-2.10.5-cpu.tar.xz:
OK--- SCAN SUMMARY ---Known viruses: 12743774Engine
version: 0.103.2Scanned directories: 0Scanned files: 1Infected files: 0Data
scanned: 16.49 MBData read: 1.99 MB (ratio 8.28:1)Time: 25.887 sec (0 m 25
s)Start Date: 2021:04:17 20:52:21End Date:   2021:04:17 20:52:47*


On Tue, Apr 13, 2021 at 5:29 PM Pavel Řezníček 
wrote:

> Hello folks,
>
> I am new to this mailing list. I’ve got a question related to ClamAV’s
> .fp files. Since I am a Ubuntu user, I asked my question on
> askubuntu.com:
>
> https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2.
>
> Got directed to a ClamAV forum so I am here. Copying my original post.
>
> My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.
>
> Trying to make ClamAV ignore several files. These are almost cryptocoin
> miners which I do use. Cryptocoin miners get flagged by most antivirus
> programs for they can be distributed as malware (using other people’s
> computers for the attacker’s profit). At the same time, they can be used
> for a tiny profit by the computer’s user himself, knowing what he is
> doing. ClamAV also reports the miners as malware and I’d like to teach
> it to ignore the files I actually use, knowing what I am doing.
>
> I also want to ignore the files on a per-file basis. Ignoring a whole
> malware type can be dangerous.
>
> Well, still no success here.
>
> Read this manual page: http://pig.made-it.com/clamav.html
> .
>
> Then this manual page:
> https://www.clamav.net/documents/allow-list-databases
> .
>
> Then this: https://www.clamav.net/documents/file-hash-signatures
> .
>
> In all these documents, they state that all I have to do is:
>
>   * Create a file in the ClamAV database folder (on Ubuntu, it’s
> /var/lib/clamav) with the |.fp| extension,
>   * place the file signatures therein, following the format
> |MD5:SIZE:COMMENT|, one per line,
>   o |MD5| being the MD5 sum of the file,
>   o |SIZE| being the file size, and
>   o |COMMENT| being anything, defaulting to the file name.
>
> However, this
>  blog entry
> states that the format has to be |MD5:SIZE:ID_NAME|, where:
>
>   * |ID| is a 6-digit identifier (can be the current date in the
> |YYMMDD| format) and
>   * |NAME| is the file name *without the extension.*
>
> Tried to follow even the second, restricted ruleset but to no avail.
> Clamscan still marks the file as a virus.
>
> I have got this file:
>
> |clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp -rw-rw-r-- 1 clamav
> clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp |
>
> with this content:
>
> |2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar
>
> |
>
> Then I run |clamscan|:
>
> |clamav@precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a
> kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz
> /home/pavel/Installace/Těžba a
> kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz:
> Multios.Coinminer.Miner-6781728-2 FOUND --- SCAN SUMMARY
> --- Known viruses: 8653609 Engine version: 0.102.4 Scanned
> directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 7.19 MB
> Data read: 1.99 MB (ratio 3.61:1) Time: 17.547 sec (0 m 17 s) |
>
> So I still get a detection. What am I doing wrong?
>
> Cheers,
> Pavel Řezníček
>
>
> ___
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

[clamav-users] ClamAV MD5 sum based whitelists (*.fp) don’t work in Ubuntu MATE 20.04.2

2021-04-13 Thread Pavel Řezníček 

Hello folks,

I am new to this mailing list. I’ve got a question related to ClamAV’s 
.fp files. Since I am a Ubuntu user, I asked my question on 
askubuntu.com: 
https://askubuntu.com/questions/1331021/clamav-md5-sum-based-whitelists-fp-don-t-work-in-ubuntu-mate-20-04-2. 
Got directed to a ClamAV forum so I am here. Copying my original post.


My ClamAV version is 0.102.4+dfsg-0ubuntu0.20.04.1 on a 64bit system.

Trying to make ClamAV ignore several files. These are almost cryptocoin 
miners which I do use. Cryptocoin miners get flagged by most antivirus 
programs for they can be distributed as malware (using other people’s 
computers for the attacker’s profit). At the same time, they can be used 
for a tiny profit by the computer’s user himself, knowing what he is 
doing. ClamAV also reports the miners as malware and I’d like to teach 
it to ignore the files I actually use, knowing what I am doing.


I also want to ignore the files on a per-file basis. Ignoring a whole 
malware type can be dangerous.


Well, still no success here.

Read this manual page: http://pig.made-it.com/clamav.html 
.


Then this manual page: 
https://www.clamav.net/documents/allow-list-databases 
.


Then this: https://www.clamav.net/documents/file-hash-signatures 
.


In all these documents, they state that all I have to do is:

 * Create a file in the ClamAV database folder (on Ubuntu, it’s
   /var/lib/clamav) with the |.fp| extension,
 * place the file signatures therein, following the format
   |MD5:SIZE:COMMENT|, one per line,
 o |MD5| being the MD5 sum of the file,
 o |SIZE| being the file size, and
 o |COMMENT| being anything, defaulting to the file name.

However, this 
 blog entry 
states that the format has to be |MD5:SIZE:ID_NAME|, where:


 * |ID| is a 6-digit identifier (can be the current date in the
   |YYMMDD| format) and
 * |NAME| is the file name *without the extension.*

Tried to follow even the second, restricted ruleset but to no avail. 
Clamscan still marks the file as a virus.


I have got this file:

|clamav@precision-7510:~$ ls -l /var/lib/clamav/*.fp -rw-rw-r-- 1 clamav 
clamav 81 dub 12 22:54 /var/lib/clamav/sigfile.fp |


with this content:

|2461e99e1135fe07ced7fc035db93797:2089980:210412_xmr-stak-linux-2.10.5-cpu.tar 
|


Then I run |clamscan|:

|clamav@precision-7510:~$ clamscan /home/pavel/Installace/Těžba\ a 
kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz 
/home/pavel/Installace/Těžba a 
kryptoměny/Horníci/xmr-stak-linux-2.10.5-cpu.tar.xz: 
Multios.Coinminer.Miner-6781728-2 FOUND --- SCAN SUMMARY 
--- Known viruses: 8653609 Engine version: 0.102.4 Scanned 
directories: 0 Scanned files: 1 Infected files: 1 Data scanned: 7.19 MB 
Data read: 1.99 MB (ratio 3.61:1) Time: 17.547 sec (0 m 17 s) |


So I still get a detection. What am I doing wrong?

Cheers,
Pavel Řezníček


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml