Re: [clamav-users] Fwd: ClamAV®

2021-05-10 Thread Micah Snyder (micasnyd) via clamav-users
The blog post is advance notice so that if anyone thinks they will be 
affected, they can plan for it. It won’t be changing until the 18th. For now 
it’s still “clamav-devel”.
I don’t believe the repo name change will cause any problems because github 
automatically redirects requests for renamed/moved repositories, but it 
couldn’t hurt to give people a heads up before we remove the “-devel” suffix.

-Micah

From: clamav-users  On Behalf Of Joel 
Esler (jesler) via clamav-users
Sent: Saturday, May 8, 2021 6:28 AM
To: ClamAV users ML 
Cc: Joel Esler (jesler) 
Subject: Re: [clamav-users] Fwd: ClamAV®

No, this is the public git repository. Unless I am misunderstanding what you’re 
saying.
Sent from my  iPhone


On May 8, 2021, at 03:38, Frans de Boer <fr...@fransdb.nl> wrote:

On 06/05/2021 01:19, ClamAV® blog wrote:
"clamav-devel" GitHub repository name change to 
"clamav"<http://feedproxy.google.com/~r/Clamav/~3/HLo75DA2w0E/clamav-devel-github-repository-name.html?utm_source=feedburner_medium=email>
Ok, That is thus a misleading phrase since this only applies to the non-public  
Cisco git repository.
The public git as stated on the website is still the correct one.

Clear and correct communication is a skill and should not be left to technical 
or otherwise untrained people.

--- Frans



--

A: Yes, just like that
Q: Oh, just like reading a book backwards
A: Because it upsets the natural flow of a story
Q: Why is top-posting annoying?

___

clamav-users mailing list
clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



Re: [clamav-users] Fwd: ClamAV®

2021-05-08 Thread Joel Esler (jesler) via clamav-users
No, this is the public git repository. Unless I am misunderstanding what you’re 
saying.

Sent from my  iPhone

On May 8, 2021, at 03:38, Frans de Boer  wrote:


On 06/05/2021 01:19, ClamAV® blog wrote:
"clamav-devel" GitHub repository name change to 
"clamav"
Ok, That is thus a misleading phrase since this only applies to the non-public  
Cisco git repository.
The public git as stated on the website is still the correct one.

Clear and correct communication is a skill and should not be left to technical 
or otherwise untrained people.

--- Frans


--
A: Yes, just like that
Q: Oh, just like reading a book backwards
A: Because it upsets the natural flow of a story
Q: Why is top-posting annoying?



[clamav-users] Fwd: ClamAV®

2021-05-08 Thread Frans de Boer


On 06/05/2021 01:19, ClamAV® blog wrote:
"clamav-devel" GitHub repository name change to "clamav" 

Ok, That is thus a misleading phrase since this only applies to the 
non-public  Cisco git repository.

The public git as stated on the website is still the correct one.

Clear and correct communication is a skill and should not be left to 
technical or otherwise untrained people.


--- Frans

--
A: Yes, just like that
Q: Oh, just like reading a book backwards
A: Because it upsets the natural flow of a story
Q: Why is top-posting annoying?




Re: [clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 25538

2019-08-11 Thread Joel Esler (jesler) via clamav-users
I’m working on it.  Been at Blackhat/defcon 

Sent from my  iPhone

> On Aug 11, 2019, at 07:32, Al Varnell via clamav-users 
>  wrote:
> 
> 
> Any idea what happened here? I see details do show up in the file downloaded 
> from the hyperlink.
> 
> -Al-
>> Begin forwarded message:
>> 
>> From: nore...@sourcefire.com
>> Subject: [clamav-virusdb] Signatures Published daily - 25538
>> Date: August 11, 2019 at 1:18:47 AM PDT
>> To: clamav-viru...@lists.clamav.net
>> 
>> An embedded and charset-unspecified text was scrubbed...
>> Name: not available
>> URL: 
>> 
> 
> 


[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 25538

2019-08-11 Thread Al Varnell via clamav-users
Any idea what happened here? I see details do show up in the file downloaded 
from the hyperlink.

-Al-
> Begin forwarded message:
> 
> From: nore...@sourcefire.com 
> Subject: [clamav-virusdb] Signatures Published daily - 25538
> Date: August 11, 2019 at 1:18:47 AM PDT
> To: clamav-viru...@lists.clamav.net 
> 
> An embedded and charset-unspecified text was scrubbed...
> Name: not available
> URL: 


[clamav-users] Fwd: Clamav problems

2019-06-10 Thread Furkan Yücebaş via clamav-users
-- Forwarded message -
From: Furkan Yücebaş 
Date: Mon, Jun 10, 2019 at 5:55 PM
Subject: Re: Clamav problems
To: , 


Anyone have a solution or thought on this ??

On Thu, May 30, 2019 at 10:04 PM Furkan Yücebaş  wrote:

>
>
> -- Forwarded message -
> From: Furkan Yücebaş 
> Date: Thu, May 30, 2019 at 1:46 PM
> Subject: Clamav problems
> To: 
>
>
> Hi there,
> About a month ago, I installed clamav on my Debian-based (jessie) Linux
> machine from the jessie repository.
>
> *You can find first installed version (slow running one)
>
> root@ruhi:~# apt-cache policy clamav
> clamav:
>   Kurulu: 0.101.2+dfsg-1
>   Aday:   0.101.2+dfsg-1
>   Sürüm çizelgesi:
>  *** 0.101.2+dfsg-1 500
> 500 http://http.kali.org/kali kali-rolling/main amd64 Packages
> 500 http://ftp.de.debian.org/debian testing/main amd64 Packages
> 100 /var/lib/dpkg/status
>  0.100.0+dfsg-0+deb8u1 500
> 500 http://ftp.tr.debian.org/debian jessie/main amd64 Packages
> root@ruhi:~# apt-cache policy clamdscan
> clamdscan:
>   Kurulu: 0.101.2+dfsg-1
>   Aday:   0.101.2+dfsg-1
>   Sürüm çizelgesi:
>  *** 0.101.2+dfsg-1 500
> 500 http://http.kali.org/kali kali-rolling/main amd64 Packages
> 500 http://ftp.de.debian.org/debian testing/main amd64 Packages
> 100 /var/lib/dpkg/status
>  0.100.0+dfsg-0+deb8u1 500
> 500 http://ftp.tr.debian.org/debian jessie/main amd64 Packages
>
> In this try, I had a very serious scanning time problem.
> For a 110 MB file (this is not an encrypted file, just a normal exe), the
> scanning time is 1 m 33s (screenshot below).
>
> [image: image.png]
>
> After that, I installed clamav from the source code that you share on your
> web page (same version 0.101.2).
> The slowness problem has been solved, but now it does not seem to be running
> stably and it is returning results very quickly. I want to make sure whether
> the results are correct. Also, you can see that "clamdscan" couldn't find
> infected files in my zip while "clamscan" could. Compressed files are
> enabled in my conf file.
>
> To see scanning time :
>
> root@furkan:~/Downloads# du -sh clamtest2.zip
> 8,7G clamtest2.zip
>
> root@furkan:~/Downloads/clamtest2# ls -la
> toplam 9174376
> drwxr-xr-x  2 root root   4096 May 27 19:26 .
> drwxr-xr-x 29 root root  20480 May 27 19:49 ..
> -rw-r--r--  1 root root 1951432704 Şub 20 08:55
> debian-live-9.8.0-amd64-xfce.iso
> -rw-r--r--  1 root root 68 Nis 29 01:53 eicar.com
> -rw-r--r--  1 root root308 Nis 29 01:53 eicarcom2.zip
> -rw-r--r--  1 root root184 May 27 18:55 eicar_com.zip
> -rw-r--r--  1 root root  873116238 Ara 23 18:29
> metasploitable-linux-2.0.0.zip
> -rwxr-xr-x  1 root root  166729977 Ara 27 01:54
> metasploit-latest-linux-x64-installer.run
> -rw-r--r--  1 root root  317542415 Mar  4 01:08 OMNET_OS3_UAVSim-master.zip
> -rw-r--r--  1 root root  816301191 Ara 27 02:33 Rapid7Setup-Linux64.bin
> -rw-r--r--  1 root root  952795136 May  1 16:59 ssi-9.601-5.1.iso
> -rw-r--r--  1 root root 4168089600 Mar 18 02:41 tsurugi_lab_2018.1.iso
> -rwxr-xr-x  1 root root  148464193 Ara 23 18:24
> VMware-Player-15.0.2-10952284.x86_64.bundle
>
> test :
>
> root@furkan:~/Downloads# clamdscan clamtest2/
> /root/Downloads/clamtest2/eicar_com.zip: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicar.com: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicarcom2.zip: Eicar-Test-Signature FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 3
> Time: 0.153 sec (0 m 0 s)
>
> root@furkan:~/Downloads# clamdscan clamtest2.zip
> /root/Downloads/clamtest2.zip: OK
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.000 sec (0 m 0 s)
>
> root@furkan:~/Downloads# clamdscan clamtest2/
> /root/Downloads/clamtest2/eicar_com.zip: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicar.com: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicarcom2.zip: Eicar-Test-Signature FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 3
> Time: 0.005 sec (0 m 0 s)
>
> root@furkan:~/Downloads# clamscan clamtest2/
> clamtest2/ssi-9.601-5.1.iso: OK
> clamtest2/metasploitable-linux-2.0.0.zip: OK
> clamtest2/tsurugi_lab_2018.1.iso: OK
> clamtest2/eicarcom2.zip: Eicar-Test-Signature FOUND
> clamtest2/metasploit-latest-linux-x64-installer.run: OK
> clamtest2/debian-live-9.8.0-amd64-xfce.iso: OK
> clamtest2/eicar_com.zip: Eicar-Test-Signature FOUND
> clamtest2/OMNET_OS3_UAVSim-master.zip: OK
> clamtest2/VMware-Player-15.0.2-10952284.x86_64.bundle: OK
> clamtest2/Rapid7Setup-Linux64.bin: OK
> clamtest2/eicar.com: Eicar-Test-Signature FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 6139363
> Engine version: 0.101.2
> Scanned directories: 1
> Scanned files: 11
> Infected files: 3
> Data scanned: 0.00 MB
> Data read: 8959.26 MB (ratio 0.00:1)
> Time: 49.356 sec (0 m 49 s)
>
> root@furkan:~/Downloads# clamscan clamtest2.zip
> clamtest2.zip: OK
>
> --- SCAN SUMMARY ---
> 

Re: [clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 24446

2018-04-03 Thread Arnaud Jacques

Still detected as :
com.apple.audio.driver: Osx.Trojan.ColdrootRAT-6492296-0 FOUND


On 03/04/2018 at 15:26, Al Varnell wrote:

Begin forwarded message:

From: nore...@sourcefire.com
Subject: [clamav-virusdb] Signatures Published daily - 24446
Date: April 3, 2018 at 6:08:03 AM PDT
To: clamav-viru...@lists.clamav.net

Dropped Detection Signatures:


* Osx.Malware.Agent-6453877-0


Not sure why you would drop this as it's clearly part of the OSX.Coldroot RAT

VT: 


-Al-






--
Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 24446

2018-04-03 Thread Al Varnell
> Begin forwarded message:
> 
> From: nore...@sourcefire.com
> Subject: [clamav-virusdb] Signatures Published daily - 24446
> Date: April 3, 2018 at 6:08:03 AM PDT
> To: clamav-viru...@lists.clamav.net
> 
> Dropped Detection Signatures:
> 
> 
>* Osx.Malware.Agent-6453877-0

Not sure why you would drop this as it's clearly part of the OSX.Coldroot RAT

VT: 


-Al-
-- 
Al Varnell
Mountain View, CA








Re: [clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 24065

2017-11-24 Thread Alain Zidouemba
They were replaced with:

Osx.Malware.Proton-6377366-1

- Alain


On Fri, Nov 24, 2017 at 7:08 AM, Al Varnell  wrote:

> > Begin forwarded message:
> >
> > From: nore...@sourcefire.com
> > Subject: [clamav-virusdb] Signatures Published daily - 24065
> > Date: November 22, 2017 at 5:10:11 PM PST
> > To: clamav-viru...@lists.clamav.net
> >
> > Dropped Detection Signatures:
> >
> >   * Osx.Trojan.Proton-6352640-0
> >
> >   * Osx.Trojan.Proton-6352641-0
> >
> >   * Osx.Trojan.Proton-6352642-0
> >
> >   * Osx.Trojan.Proton-6352643-0
>
> I'm quite confused and concerned about why these are being dropped. All
> added in daily - 23973, 20 Oct.
>
> > $ sigtool -fOsx.Trojan.Proton-6352640-0
> > [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
> > $ sigtool -fOsx.Trojan.Proton-6352641-0
> > [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
> > $ sigtool -fOsx.Trojan.Proton-6352642-0
> > [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
> > $ sigtool -fOsx.Trojan.Proton-6352643-0
> > [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73
>
> Two of these are a perfect match for samples I personally have of the
> hijacked Elmedia Player that installed OSX.Proton.C as described in this
> Intego blog:
>  malware-is-back-heres-what-mac-users-need-to-know/> and this Malwarebytes
> blog:
>  malware-osx-proton-strikes-again/>, among others.
>
> They are all broadly detected on VirusTotal by 30 or more scanners.
>
> VirusTotal
> >  5354888f63c60a3205ade6d467cc620dc5/analysis/>
> >  d34b1fb1b260a27f40b34718be3b71a3a7/analysis/>
> >  7d39e304651bdd1281c7a7ff15b8f43cad/analysis/>
> >  b44905e0308bd3662a496a0701f2ec942d/analysis/>
>
> Can somebody explain why they are being dropped at this time?
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
>
>


[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 24065

2017-11-24 Thread Al Varnell
> Begin forwarded message:
> 
> From: nore...@sourcefire.com
> Subject: [clamav-virusdb] Signatures Published daily - 24065
> Date: November 22, 2017 at 5:10:11 PM PST
> To: clamav-viru...@lists.clamav.net
> 
> Dropped Detection Signatures:
> 
>   * Osx.Trojan.Proton-6352640-0
> 
>   * Osx.Trojan.Proton-6352641-0
> 
>   * Osx.Trojan.Proton-6352642-0
> 
>   * Osx.Trojan.Proton-6352643-0

I'm quite confused and concerned about why these are being dropped. All added 
in daily - 23973, 20 Oct.

> $ sigtool -fOsx.Trojan.Proton-6352640-0
> [daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73
> $ sigtool -fOsx.Trojan.Proton-6352641-0
> [daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73
> $ sigtool -fOsx.Trojan.Proton-6352642-0
> [daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73
> $ sigtool -fOsx.Trojan.Proton-6352643-0
> [daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73

Two of these are a perfect match for samples I personally have of the hijacked 
Elmedia Player that installed OSX.Proton.C as described in this Intego blog 
and this Malwarebytes blog, among others.

They are all broadly detected on VirusTotal by 30 or more scanners.


Can somebody explain why they are being dropped at this time?

-Al-
-- 
Al Varnell
Mountain View, CA
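
The `sigtool -f` output quoted in this message is in ClamAV's hash-signature form `hash:size:name`, with a trailing functionality level (`73` here). The following is an added example, not code from the thread or from the ClamAV project: it parses such lines and checks a buffer against them. The `Constructed.Test.*` signatures and the sample buffer are made up for the demonstration; the four `[daily.hsb]` lines are copied from the message above.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hex digest length -> hashlib algorithm name.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}

# sigtool output as quoted in the message above.
PAGE_SIGTOOL_OUTPUT = [
    "[daily.hsb] cc3297083ad89cabfd58d251cbbe3ca9:44592:Osx.Trojan.Proton-6352640-0:73",
    "[daily.hsb] 5f145ed27ec88add379676729cbad15f:2056450:Osx.Trojan.Proton-6352641-0:73",
    "[daily.hsb] 0ca749b61c7e76e6ec07c33aab01aab3:1175737:Osx.Trojan.Proton-6352642-0:73",
    "[daily.hsb] ff80d97674e148687affd6a4e3ccf00a:44592:Osx.Trojan.Proton-6352643-0:73",
]


@dataclass(frozen=True)
class HashSig:
    algo: str                  # "md5", "sha1" or "sha256"
    digest: str                # lowercase hex
    size: Optional[int]        # None encodes the "*" (any size) wildcard
    name: str
    min_flevel: Optional[int]  # first field after the name, if present


def parse_hash_sig(line: str) -> HashSig:
    """Parse one hash signature, with or without sigtool's "[db]" prefix."""
    line = line.strip()
    if line.startswith("["):
        line = line.split("]", 1)[1].strip()
    fields = line.split(":")
    if len(fields) < 3:
        raise ValueError(f"not a hash signature: {line!r}")
    digest = fields[0].lower()
    algo = _ALGO_BY_HEXLEN.get(len(digest))
    if algo is None or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"unrecognised digest: {fields[0]!r}")
    size = None if fields[1] == "*" else int(fields[1])
    # Fields after the name are functionality levels; only the first is kept.
    flevel = int(fields[3]) if len(fields) > 3 and fields[3] else None
    return HashSig(algo, digest, size, fields[2], flevel)


def match_hash_sigs(data: bytes, sigs: Iterable[HashSig]) -> List[str]:
    """Return the names of all signatures that match the buffer exactly."""
    digests: Dict[str, str] = {}
    hits = []
    for sig in sigs:
        # The size field is a cheap pre-filter: no hashing if it differs.
        if sig.size is not None and sig.size != len(data):
            continue
        if sig.algo not in digests:
            digests[sig.algo] = hashlib.new(sig.algo, data).hexdigest()
        if digests[sig.algo] == sig.digest:
            hits.append(sig.name)
    return hits


def demo() -> List[str]:
    sample = b"constructed sample buffer, not malware\n"  # constructed input
    md5 = hashlib.md5(sample).hexdigest()
    sha256 = hashlib.sha256(sample).hexdigest()
    constructed = [
        f"{md5}:{len(sample)}:Constructed.Test.Sized-1:73",
        f"{sha256}:*:Constructed.Test.AnySize-2:73",
        f"{md5}:{len(sample) + 1}:Constructed.Test.WrongSize-3:73",
    ]
    sigs = [parse_hash_sig(l) for l in PAGE_SIGTOOL_OUTPUT + constructed]
    return match_hash_sigs(sample, sigs)


if __name__ == "__main__":
    for line in PAGE_SIGTOOL_OUTPUT:
        print(parse_hash_sig(line))
    print(demo())
```

A hash signature matches only a byte-identical file, so any change to a sample produces a different digest and the signature no longer fires.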








[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 23900

2017-10-05 Thread Adnan de Castro Donato

In keeping with one false positive reports
I have 8 CentOS servers report below after Signatures Published daily - 23900 
update:

All attachments with extension *.xls have the same issue:

VIRUS ALERT

Our content checker found
virus: Ppt.Exploit.CVE_2017_0199-6336815-1


Believe this is a false positive. Would like confirmation and an update if 
possible.

Thanks.





- Original message -
From: nore...@sourcefire.com
To: clamav-viru...@lists.clamav.net
Sent: Wednesday, October 4, 2017 1:40:01
Subject: [clamav-virusdb] Signatures Published daily - 23900

ClamAV Signature Publishing Notice

Datefile:       daily
Version:        23900
Publisher:      Alain Zidouemba
New Sigs:       128
Dropped Sigs:   0
Ignored Sigs:   166


New Detection Signatures:


* Ppt.Exploit.CVE_2017_0199-6336815-1


[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 23583

2017-07-21 Thread Rafael Ferreira
Looks like the signatures are stuck again, they appear to be empty since 
yesterday. 

> Begin forwarded message:
> 
> From: nore...@sourcefire.com
> Subject: [clamav-virusdb] Signatures Published daily - 23583
> Date: July 21, 2017 at 1:17:47 AM PDT
> To: clamav-viru...@lists.clamav.net
> 
> 
> ClamAV Signature Publishing Notice
> 
> Datefile:       daily
> Version:        23583
> Publisher:      Alain Zidouemba
> New Sigs:       0
> Dropped Sigs:   0
> Ignored Sigs:   34
> 
> 
> New Detection Signatures:
> 
> 
> 
> Dropped Detection Signatures:
> 
> 
> 
> 
> ___
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-virusdb
> 
> http://www.clamav.net/contact.html#ml



[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 22968

2017-01-29 Thread Rafael Ferreira
Hey folks, it seems like database creation is stuck again,  versions 22965 
through 22968 all have 0 new and dropped sigs. 

- Rafael 

> Begin forwarded message:
> 
> From: nore...@sourcefire.com
> Subject: [clamav-virusdb] Signatures Published daily - 22968
> Date: January 29, 2017 at 5:29:30 PM MST
> To: clamav-viru...@lists.clamav.net
> 
> 
> ClamAV Signature Publishing Notice
> 
> Datefile:       daily
> Version:        22968
> Publisher:      Alain Zidouemba
> New Sigs:       0
> Dropped Sigs:   0
> Ignored Sigs:   146
> 
> 
> New Detection Signatures:
> 
> 
> 
> Dropped Detection Signatures:
> 
> 
> 
> 


[clamav-users] Fwd: [clamav-virusdb] Signatures Published osx - 1

2016-04-13 Thread Al Varnell
The previous update to this one was daily - 21491 which is the last update 
available using freshclam.  

What is the mechanism for bringing this update into the definitions database?

-Al-


> Begin forwarded message:
> 
> From: nore...@sourcefire.com
> Subject: [clamav-virusdb] Signatures Published osx - 1
> Date: April 13, 2016 at 12:59:09 PM PDT
> To: clamav-viru...@lists.clamav.net
> 
> 
> ClamAV Signature Publishing Notice
> 
> Datefile:       osx
> Version:        1
> Publisher:      Alain Zidouemba
> New Sigs:       656
> Dropped Sigs:   0
> Ignored Sigs:   0

-- 
Al Varnell
Mountain View, CA







[clamav-users] Fwd: [clamav-virusdb] Signatures Published daily - 21467

2016-03-18 Thread Al Varnell
Not sure exactly what this update was about (suspect a test), and perhaps I 
don’t have the correct Clamav.Text.File (s) but scanning the 0.99.1 source file 
I am still getting the following:

> File Name Infection Name  Status
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam_cache_emax.tgz   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ea05.exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.bin-be.cpio  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-aspack.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-mew.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.rtf  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.pdf  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clamjol.iso   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.chm  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.odc.cpio 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ole.doc  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.impl.zip 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-nsis.exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.zip  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ppt  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-v3.rar   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.tar.gz   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.mbox.uu  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ea06.exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam_IScab_int.exe
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.sis  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-fsg.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-pespin.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-petite.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-upack.exe
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-upx.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-v2.rar   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-wwpack.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-yc.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.7z   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.arj  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.bin-le.cpio  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.bz2.zip  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.cab  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.d64.zip  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.binhex   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.bz2  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.html 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.mbox.base64  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.szdd 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.iso  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.mail 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.newc.cpio
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.tnef 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam_IScab_ext.exe
> Win.Trojan.Trojan-476   
> 

[clamav-users] Fwd: clamav-mirror.sonic.net

2013-07-08 Thread A K Varnell
Ryan,

A couple of us have been dealing with the 69.12.162.28 mirror. It doesn't seem 
to be included on the mirror status page and it often fails and appears to be 
off-line. Joel once said that it was not in the rotation, but it keeps showing 
up in mine.  The OP I referred to has posted a link to his log including some 
recent verbose results today on the ClamXav Forum 
http://www.clamxav.com/BB/viewtopic.php?p=18626#p18626, if that will help.




-Al-
-- 
Al Varnell
Mountain View, CA

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

[clamav-users] Fwd: ClamAV plugin - testers please!

2013-05-14 Thread Andres Riancho
List,

I've developed a new w3af [0] plugin which uses ClamAV to find
malware on your site. The basic idea is that w3af will crawl your site
and send all http response bodies to clamd, and then report any
findings it returns.

I need your help for testing! Follow these steps if you've got
some minutes to spare:

git clone g...@github.com:andresriancho/w3af.git
cd w3af
git checkout feature/clam
git pull
./w3af_console # Install the new clamd dependency using pip

# Install clamd in your system (this is for ubuntu):
sudo apt-get install clamav-daemon clamav-freshclam clamav-unofficial-sigs
sudo freshclam
sudo service clamav-daemon start

Then, run a scan against your site using the new grep.clamav
plugin. Remember that for the grep plugin to analyze your site, you
need to activate a crawl plugin like web_spider. If you want to test
with something real, remember you can use the EICAR test binary[0]

If you want to read the source for this mesh please see this [1]
link. Let me know if there is something I'm doing wrong with the
w3af-clamd integration!

Happy testing!

[0] http://www.eicar.org/85-0-Download.html
[1] 
https://github.com/andresriancho/w3af/blob/feature/clam/plugins/grep/clamav.py

Regards,
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3


[clamav-users] Fwd: [Clamav-mirrors] mirror.ac.za details update.

2012-08-20 Thread Joel Esler


Begin forwarded message:

 From: Patrick Holahan patri...@tenet.ac.za
 Subject: [Clamav-mirrors] mirror.ac.za details update.
 Date: August 20, 2012 10:52:03 AM EDT
 To: clamav-mirr...@lists.clamav.net
 X-Mimeole: Produced By Microsoft Exchange V6.5
 Mime-Version: 1.0
 User-Agent: Microsoft-Entourage/12.33.0.120411
 
 Dear clamav mirror administrator,
 
 I hope this is the right email address to send this to.
 
 This email is to advise you of a change in the administrator of the
 mirror.ac.za mirror site.
 Please note that I, Patrick Holahan, with email address
 mirrorad...@tenet.ac.za, am now the administrator of mirror.ac.za.
 The previous administrator, Andrew Alston, left TENET's employ some months
 ago and is no longer authorised to represent TENET.
 
 For information, clamav is mirrored on mirror.ac.za, and is accessible via
 http and ftp at clamav.mirror.ac.za and rsync at mirror.ac.za::clamav/ which
 is operated by the South African NREN, Tertiary Education and Research
 Network of South Africa (TENET).
 
 Mirror server details:
 Country: South Africa (ZA)
 City: Johannesburg (Jnb)
 Source IP for rsync/ftp connections: 155.232.191.200
 Contact email: mirrorad...@tenet.ac.za
 Connectivity/Speed: 10 000mbps
 Protocols: HTTP/FTP/rsync
 
 If you have any questions, please don't hesitate to contact me.
 
 Thanks & Regards,
 Patrick Holahan
 
 TENET - Senior Network Engineer
 GSM: +27 79 523 
 Email: patri...@tenet.ac.za
 
 
 ___
 http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-mirrors



[Clamav-users] Fwd: [Clamav-announce] Sourceforge CCA '09: watch the video!

2009-06-24 Thread Beppe Di Maio
ahah nice video Clam guys ;-) it's fun to finally see you, although
the quality could be better...

Why are you asking to vote again anyway? I thought the voting phase was over?

-Original Message-
From: Luca Gibelli
To: ClamAV users

Dear ClamAV users,

Yesterday Sourceforge announced the finalists for Community Choice
Awards 2009.
We are glad to let you know that ClamAV was among the 10 projects
that collected more nominations in the "Best tool for sysadmin"
category!

We really appreciate your support and we are happy that you find our
project useful.

It's now time to select the winner among the 10 finalists in each
category.
Head over to Sourceforge website and cast your vote! Our project is
listed under the "Best tool for sysadmin" category:

http://sourceforge.net/community/cca09/vote/

We prepared a video message for all of you, to say thanks for everything
you did to make this project grow: be it submit a malware sample, report
a false positive, open a bug report, edit the wiki, or answer a message
on our mailing-lists:

http://www.youtube.com/watch?v=3tQcxNSt-1c&fmt=18

Let us know if you enjoy the video :) maybe we'll try to make more
in the future.

More information on Sourceforge Community Choice Awards 2009 is
available at http://sf.net/cca .
---

-- 
BdM


[Clamav-users] Fwd: clamav detects phishing in my database dump

2009-02-08 Thread Mister Johnson
Hello List.

Can anyone tell me what I can do about this. Is there any chance my
false positive virus example is taken care of from clamAV's side, or do
I have to find another way around? (e.g. not using ClamAV?)

Unfortunately I never got an answer to my virus submission and it's  
been a while since the submission.

thx
Florian

Begin forwarded message:
 From: Mister Johnson mister.john...@gmx.net
 Date: January 14, 2009 10:23:58 PM GMT+01:00
 To: ClamAV users ML clamav-users@lists.clamav.net
 Subject: Re: [Clamav-users] clamav detects phishing in my database  
 dump
 Reply-To: ClamAV users ML clamav-users@lists.clamav.net

 On Jan 7, 2009, at 0:17 , Brandon Perry wrote:
 Submit it as a false positive. http://www.clamav.net/sendvirus/

 How long does it usually take until a false positive is in the  
 database?

 On Tue, Jan 6, 2009 at 5:15 PM, Mister Johnson
 mister.john...@gmx.net wrote:
 While scanning my mail clamav detects a virus or phishing file with
 the message:

 HTML.Phishing.SPK-3 FOUND

 But the scanned file is a simple mysql-dump in a zip-file, which is
 regularly sent to me via e-mail from my blog. After looking deeper in
 the sql-dump I can now reproduce the phishing-warning with only two
 lines of the sql-dump.

 Best Regards
 Florian
 --
 Time flies like an arrow, fruit flies like a banana.






Re: [Clamav-users] [Fwd: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for Applications?]

2008-06-23 Thread Marcus Neukert
no answer does mean: there is no chance to change it?

Marcus Neukert wrote:
 please take a look at the following scenario:
 I receive a zip-archive containing more files than configured in 
 MaxFiles. the files at the end of the archive (after the limit) are 
 viruses. the scanner will abort the scan when reaching the 
 max-files-limit and will return CL_CLEAN. i have no information from the 
 scanner that the scan is aborted and not all files have been scanned.
 
 but in my use-case I need this information. I think the scanner should 
 return the corresponding error-codes (CL_EMAX*), that the application 
 has the possibility to handle it. applications which are not interested 
 or annoyed by these errors can ignore it.
 
 Marcus Neukert
 
 aCaB wrote:
 Marcus Neukert wrote:
 Forwarding to clamav-users-list, hoping for an answer ...
 Please take a look at
 http://lurker.clamav.net/message/20080129.163022.5183157e.en.html

 -aCaB
 ___
 Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
 http://lurker.clamav.net/list/clamav-users.html
 
 


-- 
Marcus Neukert
Software Developer - Development Services
Tel. +49-721-91374-3943 · Fax +49-721-91374-2740
[EMAIL PROTECTED] · http://www.web.de/

1&1 Internet AG
Brauerstraße 48
76135 Karlsruhe

Montabaur Local Court, HRB 6484

Management Board: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich, Thomas 
Gottschlich, Matthias Greve, Robert Hoffmann, Markus Huhn, Oliver Mauss, 
Achim Weiss
Chairman of the Supervisory Board: Michael Scheeren


Re: [Clamav-users] [Fwd: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for Applications?]

2008-06-23 Thread James Kosin

Marcus Neukert wrote:

no answer does mean: there is no chance to change it?

  
There may have been a chance to change it when the developers proposed 
the change in the functionality originally on this list.  The change was 
to get rid of the ZipTooLarge virus definition; which caused more 
confusion than it solved.
And also; unfortunately, many milters consider any non-zero value as a 
VIRUS regardless of the return code.  So even if we had the granularity 
we would still end up with a lot of complaints about the issue.


The solution you are posing would require all the milters be updated to 
have a three stage error message:

 1) Successful, NO VIRUS.
 2) Unsuccessful, due to space or limits set.
 3) VIRUS detected.

The case 1 would be the message would be delivered,  2 the message may 
be delivered with a warning about the reason for the failure, 3 the 
message would be rejected for a VIRUS.


James




Re: [Clamav-users] [Fwd: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for Applications?]

2008-06-18 Thread Marcus Neukert
please take a look at the following scenario:
I receive a zip-archive containing more files than configured in 
MaxFiles. the files at the end of the archive (after the limit) are 
viruses. the scanner will abort the scan when reaching the 
max-files-limit and will return CL_CLEAN. i have no information from the 
scanner that the scan is aborted and not all files have been scanned.

but in my use-case I need this information. I think the scanner should 
return the corresponding error-codes (CL_EMAX*), that the application 
has the possibility to handle it. applications which are not interested 
or annoyed by these errors can ignore it.

Marcus Neukert

aCaB wrote:
 Marcus Neukert wrote:
 Forwarding to clamav-users-list, hoping for an answer ...
 
 Please take a look at
 http://lurker.clamav.net/message/20080129.163022.5183157e.en.html
 
 -aCaB
 ___
 Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
 http://lurker.clamav.net/list/clamav-users.html


-- 
Marcus Neukert
Software Developer - Development Services
Tel. +49-721-91374-3943 · Fax +49-721-91374-2740
[EMAIL PROTECTED] · http://www.web.de/

1&1 Internet AG
Brauerstraße 48
76135 Karlsruhe

Montabaur Local Court, HRB 6484

Management Board: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich, Thomas 
Gottschlich, Matthias Greve, Robert Hoffmann, Markus Huhn, Oliver Mauss, 
Achim Weiss
Chairman of the Supervisory Board: Michael Scheeren


[Clamav-users] [Fwd: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for Applications?]

2008-06-13 Thread Marcus Neukert
Forwarding to clamav-users-list, hoping for an answer ...

 Original Message 
Subject: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for 
Applications?
Date: Wed, 11 Jun 2008 12:30:35 +0200
From: Marcus Neukert [EMAIL PROTECTED]
Reply-To: ClamAV Development [EMAIL PROTECTED]
To: ClamAV Development [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED]

Hello,

following has changed in clamav-0.93.1 (see Changelog):
-
Mon Apr 28 16:13:33 CEST 2008 (tk)
--
* libclamav/scanners.c: don't return CL_EMAX* error codes to
applications (bb#1001)
-

If a limit was reached, the return-code for applications is: CL_CLEAN.
(see scanners.c / cli_magic_scandesc):
-
switch(ret) {
    case CL_EFORMAT:
    case CL_EMAXREC:
    case CL_EMAXSIZE:
    case CL_EMAXFILES:
        /* limit and format errors are logged at debug level, then reported as clean */
        cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(ret));
        return CL_CLEAN;
    default:
        return ret;
}
-

Now, when scanning an archive which does contain more files than
configured in cl_limits.maxfiles, the scan will end when the limit is
reached and the Result of the scanner is CL_CLEAN !!, although the
following files after reaching the limit have not been scanned and can
possibly be infected.

What is the reason for changing this behaviour? IMHO the scanner should
return the CL_EMAX* error-code to inform the application that the
scanned file can possibly be infected.

Best,
Marcus Neukert

-- 
Marcus Neukert
Software Developer - New Technology
Tel. +49-721-91374-3943 · Fax +49-721-91374-2740
[EMAIL PROTECTED] · http://www.web.de/

1&1 Internet AG
Brauerstraße 48
76135 Karlsruhe

Montabaur Local Court, HRB 6484

Management Board: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich, Thomas
Gottschlich, Matthias Greve, Robert Hoffmann, Markus Huhn, Oliver Mauss,
Achim Weiss
Chairman of the Supervisory Board: Michael Scheeren
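
The scenario in this message, together with the three-stage result James Kosin outlines in his reply, as an added example (not code from libclamav or from any poster). It is a toy scanner whose names, enum values and archive data are all constructed, showing what a caller sees when the limit code is folded into "clean" and when it is kept.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the libclamav codes named in the thread; the
 * numeric values are illustrative, not libclamav's. */
enum scan_ret { RET_CLEAN = 0, RET_VIRUS, RET_EMAXFILES };

/* Three-stage result from James Kosin's reply. */
enum verdict { DELIVER, DELIVER_WITH_WARNING, REJECT };

/* Toy archive (constructed): infected[i] != 0 marks member i as malicious. */
struct archive { const int *infected; size_t nfiles; };

/* Hypothetical inner scanner: stops at the first hit, or gives up once
 * maxfiles members have been examined, leaving the rest unscanned. */
static enum scan_ret scan_members(const struct archive *a, size_t maxfiles)
{
    for (size_t i = 0; i < a->nfiles; i++) {
        if (i >= maxfiles)
            return RET_EMAXFILES;
        if (a->infected[i])
            return RET_VIRUS;
    }
    return RET_CLEAN;
}

/* Behaviour described for 0.93.1: the limit code is folded into "clean". */
enum scan_ret scan_folded(const struct archive *a, size_t maxfiles)
{
    enum scan_ret r = scan_members(a, maxfiles);
    return r == RET_EMAXFILES ? RET_CLEAN : r;
}

/* Milter style James Kosin warns about: any non-zero code means VIRUS, so an
 * unfolded limit code would reject mail that merely exceeded a limit. */
int legacy_milter_rejects(enum scan_ret r)
{
    return r != RET_CLEAN;
}

/* Caller that keeps the limit code and maps it to the three stages. */
enum verdict three_stage(const struct archive *a, size_t maxfiles)
{
    switch (scan_members(a, maxfiles)) {
    case RET_CLEAN: return DELIVER;
    case RET_VIRUS: return REJECT;
    default:        return DELIVER_WITH_WARNING; /* scan was incomplete */
    }
}

int main(void)
{
    /* Constructed archive: four members, only the last one is infected. */
    static const int flags[] = { 0, 0, 0, 1 };
    struct archive a = { flags, 4 };

    printf("folded, MaxFiles=3:      %d (0 = clean)\n", scan_folded(&a, 3));
    printf("three-stage, MaxFiles=3: %d (1 = deliver with warning)\n",
           three_stage(&a, 3));
    printf("three-stage, MaxFiles=4: %d (2 = reject)\n", three_stage(&a, 4));
    return 0;
}
```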



Re: [Clamav-users] [Fwd: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for Applications?]

2008-06-13 Thread aCaB
Marcus Neukert wrote:
 Forwarding to clamav-users-list, hoping for an answer ...

Please take a look at
http://lurker.clamav.net/message/20080129.163022.5183157e.en.html

-aCaB


[Clamav-users] [Fwd: [ClamAV] Clamd High Memory usage]

2007-06-30 Thread ddimuc
 Original Message 
Subject:[ClamAV] Clamd High Memory usage
Date:   Sat, 30 Jun 2007 14:36:55 -0400
From:   [EMAIL PROTECTED]
To: clamav-users@lists.clamav.net
CC: Self [EMAIL PROTECTED]



 I've noticed clamd using about 17% of memory (according to ps aux
 command).  17% on my system is about 179MB!  That seems like a lot to
 me.  I quickly browsed the net as well as clamav-user posts - it appears
 others have reported similar complaints/observations/issues.  Though I
 was unable to find any definitive answers as to why this is happening, I
 have read that such high memory usage might be normal.  Is this
 normal?  If not, how does one go about correcting it?
 
 My system is Slackware 11.0, kernel 2.6.20.11, clamav 0.90.3.
 
 If you think more info
 
 Ciao,
 DPD

Correction: Clamd is using about 85MB of RAM.




Re: [Clamav-users] [Fwd: [ClamAV] Clamd High Memory usage]

2007-06-30 Thread Dennis Peterson
[EMAIL PROTECTED] wrote:

 
 Correction: Clamd is using about 85MB of RAM.

One of my installations is using 71MB (Solaris 8, Sparc) and the other 
is using 48M (Solaris 10, Intel). Both have been running for months. 
These are pretty normal values.

dp


Re: [Clamav-users] [Fwd: [ClamAV] Clamd High Memory usage]

2007-06-30 Thread ddimuc
Dennis Peterson wrote:
 [EMAIL PROTECTED] wrote:

   
 Correction: Clamd is using about 85MB of RAM.
 

 One of my installations is using 71MB (Solaris 8, Sparc) and the other 
 is using 48M (Solaris 10, Intel). Both have been running for months. 
 These are pretty normal values.

 dp

   

Thanks for the feedback, dp. DPD.


[Clamav-users] Fwd: clamav 0.65 remote DOS exploit

2004-02-10 Thread russ
Hello,

This just came to the qmail-scanner list. Is this an issue for all users
of the stable 0.65? 

Did I miss the thread on this issue?

Fwd: clamav 0.65 remote DOS exploit

 Original Message 
Subject: clamav 0.65 remote DOS exploit
Date: Mon, 09 Feb 2004 15:24:17 +0100
From: Oliver Eikemeier [EMAIL PROTECTED]
Organization: Fillmore Labs GmbH - http://www.fillmore-labs.com/
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]

Description:

It is trivial to crash clamd using a malformed uuencoded message, resulting in a
denial of service for all programs (e.g. SMTP daemons) relying on clamd running.
The message must only contain one uuencoded line with an illegal line length, i.e.
starting with a small letter.

libclamav calculates the line length of an uuencoded line by taking the ASCII value
of the first character minus 64 and does an `assert' if the length is not in the
allowed range, effectively terminating the calling program.

How-To-Repeat:

Save the following file to ~/clamtest.mbox, removing the leading 'X':

XFrom -
X
Xbegin 644 byebye
Xbyebye
Xend

Then do:

# clamscan --mbox -v ~/clamtest.mbox
assertion (len >= 0) && (len <= 63) failed: file message.c, line 887
Abort (core dumped)

or

# clamdscan -v ~/clamtest.mbox; ps ax | grep clam

Fix:

Apply the following patch to libclamav/message.c:

--- libclamav/message.c.origWed Nov  5 11:59:53 2003
+++ libclamav/message.c Mon Feb  9 15:17:13 2004
@@ -878,13 +878,16 @@
if(strcasecmp(line, end) == 0)
break;

-   assert(strlen(line) = 62);
+   if(strlen(line)  62)
+   break;
+
if((line[0]  0x3F) == ' ')
break;

len = *line++ - ' ';

-   assert((len = 0)  (len = 63));
+   if(len  0 || len  63)
+   break;

ptr = decode(line, ptr, uudecode, (len  3) ==
0);
break;
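
Review bot: both new `break` paths, the one after the strlen(line) test and the one after the range test on `len`, drop a malformed line without leaving any trace. Replacing the asserts with checks is the right call for code that runs inside a daemon, but a skipped line means the decoded attachment now has a hole in it and neither the log nor the caller can tell. Please emit a debug message on each rejection and consider passing a "partially decoded" indication up, so that a damaged uuencoded part can be told apart from one that decoded completely.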

References:

FreeBSD PR 62586:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=62586
-- 
Russel Oliver
[EMAIL PROTECTED]



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Fwd: clamav 0.65 remote DOS exploit

2004-02-10 Thread Michael Dankov
On Tue, 10 Feb 2004, russ wrote:

> This just came to the qmail-scanner list. Is this an issue for all users
> of the stable 0.65?

This is unfortunately true. It was fixed in CVS five days after 0.65 came
out:

mbox.c:

 * Revision 1.11  2003/11/17 07:57:12  nigelhorne
 * Prevent buffer overflow in broken uuencoded files

ChangeLog:

Wed Nov 12 02:34:56 CET 2003 (tk)
-
  * docs: included clamav-mirror-howto.pdf by Luca Gibelli
  * docs: included clamd+daemontools HOWTO by Jesse D. Guardiani
  * docs: included signatures.pdf
  V 0.65


misha





[Clamav-users] Fwd: clamav 0.65 remote DOS exploit

2004-02-09 Thread The Count of CipherSpace
Something to be worried about?

 Begin Forwarded Message 
Date:2004-02-09 12:53
Received:2004-02-09 13:03
From:deleted
To:  deleted



Date: Mon, 09 Feb 2004 15:24:17 +0100
From: Oliver Eikemeier [EMAIL PROTECTED]
Subject: clamav 0.65 remote DOS exploit


Description:

It is trivial to crash clamd using a malformed uuencoded message, resulting in a
denial of service for all programs (e.g. SMTP daemons) relying on clamd running.
The message must only contain one uuencoded line with an illegal line length, i.e.
starting with a small letter.

libclamav calculates the line length of an uuencoded line by taking the ASCII value
of the first character minus 64 and does an `assert' if the length is not in the
allowed range, effectively terminating the calling program.

How-To-Repeat:

Save the following file to ~/clamtest.mbox, removing the leading 'X':

XFrom -
X
Xbegin 644 byebye
Xbyebye
Xend

Then do:

# clamscan --mbox -v ~/clamtest.mbox
assertion (len >= 0) && (len <= 63) failed: file message.c, line 887
Abort (core dumped)

or

# clamdscan -v ~/clamtest.mbox; ps ax | grep clam

Fix:

Apply the following patch to libclamav/message.c:

--- libclamav/message.c.origWed Nov  5 11:59:53 2003
+++ libclamav/message.c Mon Feb  9 15:17:13 2004
@@ -878,13 +878,16 @@
if(strcasecmp(line, end) == 0)
break;
 
-   assert(strlen(line) = 62);
+   if(strlen(line)  62)
+   break;
+
if((line[0]  0x3F) == ' ')
break;
 
len = *line++ - ' ';
 
-   assert((len = 0)  (len = 63));
+   if(len  0 || len  63)
+   break;
 
ptr = decode(line, ptr, uudecode, (len  3) == 0);
break;
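
Review bot: the range test on `len` in the second replacement validates only the count taken from the first character; nothing in this hunk compares that count with the number of characters actually left in `line` before `decode(line, ptr, uudecode, ...)` is called. Please confirm that `decode` stops at the string terminator, or add a check of `len` against strlen(line) here, so that a short line declaring a large count is rejected by the same guard. The literals 62 and 63 would also read better as named constants, since the two limits depend on each other.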

References:

FreeBSD PR 62586:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=62586


- End Forwarded Message -
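
The length handling described in the forwarded report, as an added example rather than code from libclamav or from the patch: a uuencode line decoder that returns an error for a malformed length character or for a line shorter than it declares, instead of aborting. The function names and the valid sample line used in testing are constructed; the three-line body is the one quoted in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 6-bit value of one uuencoded character, or -1 if it lies outside the
 * alphabet (' '..'_', with '`' as the usual alias for zero). */
static int uu_val(unsigned char c)
{
    if (c == '`')
        return 0;
    return (c < ' ' || c > '_') ? -1 : c - ' ';
}

/* Decode one body line into out. Returns the byte count, or -1 for a
 * malformed line: an error value for the caller instead of an abort. */
int uu_decode_line(const char *line, unsigned char *out, size_t outcap)
{
    size_t have = strcspn(line, "\r\n");       /* ignore the line ending */
    /* Declared length, 0..63; an empty line fails here too, because its
     * first character (NUL, CR or LF) is outside the alphabet. */
    int len = uu_val((unsigned char)line[0]);
    if (len < 0 || (size_t)len > outcap)
        return -1;                             /* 'b' of "byebye" ends here */
    size_t need = ((size_t)len + 2) / 3 * 4;   /* characters for len bytes */
    if (have - 1 < need)
        return -1;                             /* declares more than it has */
    int n = 0;
    for (size_t i = 1; i <= need; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++)
            if ((v[k] = uu_val((unsigned char)line[i + k])) < 0)
                return -1;
        unsigned char b[3] = {
            (unsigned char)((v[0] << 2) | (v[1] >> 4)),
            (unsigned char)((v[1] << 4) | (v[2] >> 2)),
            (unsigned char)((v[2] << 6) | v[3])
        };
        for (int k = 0; k < 3 && n < len; k++)
            out[n++] = b[k];
    }
    return n;
}

/* Decode the lines of one uuencoded part. Returns 0 if every line decoded,
 * 1 if a malformed line was met; *total is the byte count recovered. */
int uu_decode_body(const char *const *lines, size_t nlines, size_t *total)
{
    unsigned char buf[63];
    *total = 0;
    for (size_t i = 0; i < nlines; i++) {
        if (strncmp(lines[i], "begin ", 6) == 0)
            continue;
        if (strncmp(lines[i], "end", 3) == 0)
            break;
        int n = uu_decode_line(lines[i], buf, sizeof buf);
        if (n < 0)
            return 1;   /* tell the caller the part is incomplete */
        *total += (size_t)n;
    }
    return 0;
}

int main(void)
{
    /* The three-line body from the report above. */
    const char *const report[] = { "begin 644 byebye", "byebye", "end" };
    size_t total;
    printf("malformed=%d\n", uu_decode_body(report, 3, &total));
    return 0;
}
```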

