Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Steve Basford
On Tue, December 11, 2018 1:58 pm, Sunny Marwah wrote: Hi Sunny/All, Here's the summary The phishing attempt looks like this html code: h-t-t-p-s:/-/-pastebin DOT com/TL5WUJZh This first link is just a hijacked graphic and won't be in safebrowsing... h-t-t-p-s:-/-/gokdenizhealthtourism

[clamav-users] Question about LLVM...

2018-12-11 Thread J.R.
I've googled to no end, but haven't been able to come up with anything except a few snips mentioning LLVM and bytecode here and there... I'm curious exactly what the benefit would be to use LLVM, is there much of a performance gain over the built-in (non-llvm) bytecode interpreter? Is it an

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-11 Thread Dennis Peterson
You know the daily.cvd file is now larger than the main.cvd file, so you are burning up a lot of bandwidth if your world-facing ClamAV mirror is ignoring cdiff files. If it is using freshclam then it is using cdiffs and merging them as part of the process of mirroring. In that case your clients

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Dennis Peterson
Yes - the extension can be one or the other. The other thing to check is the file ownership and permissions, and finally to search your clamd.log file (or what ever it is called on your system) for "FOUND". If it is a useful signature source your logs should indicate clamd is finding targets

Re: [clamav-users] Question about LLVM...

2018-12-11 Thread Micah Snyder (micasnyd)
Sorry about the broken links on the website and in the clamav-faq manual pages. Our web dev team is actively working on integrating the newly remodeled user manual into the website. The bytecode interpreter was nonfunctional for a long time but was fixed a few years ago. This is why LLVM was

Re: [clamav-users] Question about LLVM...

2018-12-11 Thread J.R.
Micah & Scott, Thank you for the replies, you answered exactly what I was thinking too based on posts referring to the built-in improvements and hush on llvm. ___ clamav-users mailing list clamav-users@lists.clamav.net

Re: [clamav-users] Question about LLVM...

2018-12-11 Thread Scott Kitterman
On Tuesday, December 11, 2018 05:59:05 PM Micah Snyder wrote: > Sorry about the broken links on the website and in the clamav-faq manual > pages. Our web dev team is actively working on integrating the newly > remodeled user manual into the website. > > The bytecode interpreter was nonfunctional

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Al Varnell
Sunny, Please note that the reply was not from me, rather it was from "Micah Snyder (micasnyd)" , ClamAV Engineer. You need to ask him for any additional details. Also, you are correct that safebrowsing.cld is just an updated, decompressed version of safebrowsing.cvd. -Al- On Tue, Dec 11,

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Micah Snyder (micasnyd)
Hi Sunny, I meant to say that if I scanned a saved email file containing the malicious URL in an HTML link (i.e. a href=link ), then it will detect the link with the safebrowsing signature. However, if the malicious URL is not an HTML link, for example if the email content is plain text,

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-11 Thread Joel Esler (jesler)
Cloudflare's cache timeout is set to 5 seconds. So, I would doubt that Cloudflare's cache is the issue, it may be an ISP thing in the middle doing the caching, which is what Paul is guessing at this point, if I am following the thread correctly. Out of an abundance of caution I did a

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-11 Thread Al Varnell
I have to support you in that this guidance has been there for many years now, but I've never really understood why that was necessary. Obviously this method is part of the problem that Joel has been describing about the number of users always downloading the .cvd and it also greatly increases

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Dennis Peterson
In your ClamAV signature folder does there exist a safebrowsing.cvd file? dp On 12/10/18 9:46 PM, Sunny Marwah wrote: Same question again : Chrome don't open malicious links due to labeling them dangerous as per "Safebrowsing". Then why ClamAV is not able to identify such malicious links

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-11 Thread Paul Kosinski
Ever since we set up a local mirror on our LAN, we have not been using cdiffs. The reason for this is that I followed the procedure outlined on the ClamAV website (about 2/3 down the page) at: http://www.clamav.net/documents/clamav-virus-database-faq where it says: [Q] I’m running ClamAV on a

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Sunny Marwah
I can see below files in /var/lib/clamav/ directory : main.cvd bytecode.cvd safebrowsing.cld daily.cld mirrors.dat But it is 'safebrowsing.cld', not 'safebrowsing.cvd'. Is it Ok ?? On Tue, Dec 11, 2018 at 1:47 PM Dennis Peterson wrote: > In your ClamAV signature folder does there exist a

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Al Varnell
Here was the earlier reply to your question >. Sent from my iPad -Al- On Dec 10, 2018, at 21:46, Sunny Marwah mailto:sunnymar...@trepup.com>>

Re: [clamav-users] Can't detect deceptive URL's as infected !!

2018-12-11 Thread Sunny Marwah
Hi Al, Thanks for sharing that reply. Do you mean ClamAV did not detect that file (containing deceptive link) as 'Infected" in your scanning ? FYI, i have also tried Google's Safebrowsing API to check such deceptive links. It was really strange to know that even Google's Safebrowsing lookup