[clamav-users] CompressLocalDatabase setting & Bugzilla Certificate

2018-11-23 Thread J.R.
In my freshclam.conf I have 'CompressLocalDatabase yes' set, yet I noticed that I have daily.cld & safebrowsing.cld instead of .cvd? I always thought the .cvd was the compressed version and spent quite a bit of time trying to find out how to manually compress a .cld file into a .cvd (note to others

Re: [clamav-users] is clamav.securiteinfo.com no more?

2018-12-05 Thread J.R.
The securiteinfo files require you to sign up (it's free) then you get your own token to use in the URLs, which you can configure freshclam to check / update automatically... i.e. one of the files would look like this in the freshclam.conf DatabaseCustomURL http://www.securiteinfo.com/get/signatu

Re: [clamav-users] A workaround for the major ClamAV DB update delays we have been experiencing

2018-12-08 Thread J.R.
I've kind of been reading this thread about the delay at one location vs the other. Maybe I missed it, but I don't seem to recall which DNS servers you were querying. I remember you saying the one location you were having the issues was Comcast as the ISP, but were you always using the Comcast DNS

[clamav-users] Question about LLVM...

2018-12-11 Thread J.R.
I've googled to no end, but haven't been able to come up with anything except a few snips mentioning LLVM and bytecode here and there... I'm curious exactly what the benefit would be to use LLVM, is there much of a performance gain over the built-in (non-llvm) bytecode interpreter? Is it an expand

Re: [clamav-users] Question about LLVM...

2018-12-11 Thread J.R.
Micah & Scott, Thank you for the replies, you answered exactly what I was thinking too based on posts referring to the built-in improvements and hush on llvm. ___ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mai

Re: [clamav-users] Question about LLVM...

2018-12-12 Thread J.R.
> So I would like to ask, does bytecode have access to its environment > (like ActiveX unfortunately did) and, how well is bytecode sandboxed? Well, first of all, only bytecode signatures published by Cisco/Talos are considered "trusted" and will run by default. You would have to manually specify

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread J.R.
I seem to recall you said you had comcast, and I'm assuming it is a business account. Have you tried calling their business support and talked to someone that is actually local to explain your problem and see if they possibly have a transparent cache in place and if it would be possible to exclude

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-15 Thread J.R.
First question hopefully someone from ClamAV can answer... When a new cdiff is released, is a new daily.cvd also released at the same time? I would assume so, but best to get this question answered clearly than continue to speculate. Second, I don't think doing a manual flush of the cached file af

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-19 Thread J.R.
Joel - In regards to the comment on pointing everyone to Cloudflare... I'm guessing that statement means you are using a mix of the Cloudflare CDN and the original volunteer mirrors still? Also, is there a way to force a selection of a particular mirror (either by CF datacenter or previous mirror)

Re: [clamav-users] No good deed goes unpunished, or, why CVD files don't work

2018-12-20 Thread J.R.
Al... > Note these restrictions: You must either be running an old version of ClamAV or using an old .conf file... Relevant part from my freshclam.conf below... Doing a DNS lookup requires very little data transfer since it's just a small UDP packet (~100 bytes maybe) back & forth (and is probabl

Re: [clamav-users] NotifyClamd warning message.

2018-12-24 Thread J.R.
I think you have it wrong... clamd.conf would only be read by the clam daemon... freshclam.conf on the other hand is read by freshclam when it does its update (or how to configure that daemon)... I run my freshclam via a cronjob, so I don't know exactly how one would configure in daemon mode...

Re: [clamav-users] My second server is under 100.2

2018-12-29 Thread J.R.
Maybe they are talking about how 0.101.0 can cause issues with 3rd party programs? I believe that is why one of the ClamAV staff posted a while back talking about how the next release after new years will fix supposed problem. Google Translate is failing hard with this conversation...

Re: [clamav-users] Frequency of ClamAV Scan

2019-01-02 Thread J.R.
I just have my ClamAV scan email. I don't think the default signatures would pick up much else on a linux OS (I could be wrong though). There are 3rd party signatures you can implement that can look for linux malware. I do a nightly scan on my server that include those. Depending on what the mach

Re: [clamav-users] Input Stream Scanning for very large files

2019-01-24 Thread J.R.
> I think I framed my problem statement differently. > So, our requirement is similar the one asked by John in the > below link. I do not know if the solution proposed is a correct one.. > Also, how do you propose I should scan an archive of 100GB ( let's say) size. > Does clamav have any limitatio

Re: [clamav-users] custom signature error

2019-01-30 Thread J.R.
Also I believe you have to use clamscan, not clamdscan if you want to use the "-d" option. However once you test it successfully you can add it as a custom db for clamd to load.

Re: [clamav-users] Using clamav to test for bad links in incoming emails

2019-02-09 Thread J.R.
> Has anyone rigged clamd to check what looks like questionable links > contained in incoming emails? It seems over the last 2 weeks my spam has > tripled, and I suspect the real payload is in the urls in the message. > > Or is this so time consuming and bandwidth wasting its not worth it? There a

Re: [clamav-users] Using clamav to test for bad links in incoming emails

2019-02-10 Thread J.R.
Trying not to get too far off topic, but I wanted to add if you reject based on the hostname of the mail server that can also drop an overwhelming majority of the spam. The most basic test is to see if the IP resolves to anything. Next, does the hostname contain any red flags, like: dhcp, dynamic,

Re: [clamav-users] Clamav 0.101.1 dosn't compile on solaris anymore.

2019-02-20 Thread J.R.
> unixpackages.com uses gcc-3.4.6 and has clamav built, along with 20 > dependency packages. > Pointing it out because 'severely ancient' compilers aren't necessarily the > issue here. I know on the x86_64 platform, I think it started with the 0.100 there were some new flags that weren't impleme

Re: [clamav-users] after installation in an RHEL7, clamd not there

2019-02-20 Thread J.R.
> Btw I can't use 'yum' or 'apt-get' to install as our RHEL servers have no > Internet access The *systemd* packages appear to be empty and the description merely says: Empty package just to allow migration of service without stop it and disable it (#1583599). you may remove this package now (dn

Re: [clamav-users] Last ClamAV compatible with x32

2021-04-12 Thread J.R. via clamav-users
> I've made some investigation and the people on google says that this > is a BUG with zlib, and the last zlib for RHEL 6.7 x32 fail to correctly > decompress the CVD signature database. > > A solution is to use a newer version of zlib but I'm not able to find a > newer version of zlib for this ver

Re: [clamav-users] ClamAV definitions vs LMD/maldet

2019-03-05 Thread J.R. via clamav-users
> does anyone here have experience/knowledge about LMD/maldet? > > What I don't understand is whether it provides any advantage over > running just ClamAV for regular weekly scans. If I understand it > correctly, the malware definitions are shared among these programs, does > maldet give any advant

Re: [clamav-users] Problem with freshclam updating daily-25380.cdiff

2019-03-06 Thread J.R. via clamav-users
> When crontab execs freshclam > CPU server goes to 100% > Hanged finishing Downloading daily-25380.cdiff [100%] Just checked my server and it happened to me too! A little after 5am central time. :(

Re: [clamav-users] ClamAV definitions vs LMD/maldet

2019-03-06 Thread J.R. via clamav-users
> So basically it does nothing extra, just has more definitions > which I can import to clamav anyway? You can download the program and look it over without installing, it's just bash scripts. It does appear in its own sigs directory there are additional signature files: -rw-r--r-- 1 root root 44

Re: [clamav-users] ClamAV on openSUSE Tumbleweed

2019-03-17 Thread J.R. via clamav-users
> - after Downloading daily-25380.cdiff > am getting stuck : just nothing happens It's not really stuck it just takes a long time to process (people reported over an hour): https://lists.clamav.net/pipermail/clamav-users/2019-March/007651.html Faster option is to delete the daily.cld then r

Re: [clamav-users] Slow reload

2019-03-20 Thread J.R. via clamav-users
> The simplest way to achieve this right now would probably be to use > two servers for scanning, and arrange for them to update their DBs > at different times. A simple milter with a knowledge of the update > schedule could choose which scanner to use just by checking the time. > I imagine that i

Re: [clamav-users] Pdf.Exploit.CVE_2019_7057-6900620-0 signature causes error on clamav start

2019-03-21 Thread J.R. via clamav-users
> But I think that this signature update will probably cause all ClamAV > installations to fail on CentOS 5 and maybe other distros as well. This > is the first time I have encountered such an error. So maybe if it is > possible it would be better to optimise/change the signature to a more > failsa

[clamav-users] Are signatures for Windows only?

2019-03-25 Thread J.R. via clamav-users
I keep thinking about this from time to time, but keep forgetting to post before I get sidetracked doing something else... Are the ClamAV default signature files geared towards Windows executables / malware / documents / (generic spam)? Or do they cover other platforms as well? Reason I'm asking,

Re: [clamav-users] Are signatures for Windows only?

2019-03-25 Thread J.R. via clamav-users
> People have been doing that kind of thing for years, I'm not sure how > much it's increasing. Most of the time it seems to me they don't know > why they're doing it nor even, if there is something in there to find, > how likely it is that a ClamAV scan will find it. I know people have been scan

Re: [clamav-users] Are signatures for Windows only?

2019-03-26 Thread J.R. via clamav-users
> That’s super interesting. I’d be interested in what the > 6500 signatures were. Just for a real world “what are > you seeing” conversation. Any update on when ClamAV might be re-implementing the ability to submit detection stats?

Re: [clamav-users] Installing question

2019-03-27 Thread J.R. via clamav-users
> I am new here and I don't know how to use drush or command line. Can I > still install clamav? Is there an installation guide for absolute beginners > like me? What OS? Windows there is an exe that has a GUI. Linux distro's typically have their own packages which you would install through your O

Re: [clamav-users] Installing question

2019-03-27 Thread J.R. via clamav-users
> I do not know if the virus is on the server, in the files, or in the db. > Here is what I know: > Under each folder of each site, files appear with a name such as: > f68z319m.php > When visitors go to my websites, they get a message that the site is > unsecured > > Does this information help iden

[clamav-users] ClamAV 0.101.2 announcement?

2019-03-27 Thread J.R. via clamav-users
I saw 0.101.2 was released yesterday (3/26/2019) but I can't find an announcement anywhere? Anything noteworthy on this release?

Re: [clamav-users] rpm files question [was: ClamAV 0.101.2 announcement?]

2019-03-29 Thread J.R. via clamav-users
> I use EPEL RPM files to upgrade Clamav on my Linux systems. > > When urgent vulnerability fixes are released is it advisable to wait for > stable rpm? I don't know if it is safe to apply testing rpm. > > Usually EPEL stable rpms are released after weeks of delay from new > Clamav versions. > > Do

Re: [clamav-users] Procedure for Correct Action

2019-04-05 Thread J.R. via clamav-users
> I use ClamAv Virus Scanner (or Clamscan) to scan my server on a weekly > basis. I have the Virus Scanner via my cPanel control panel. I have always > taken the action to Destroy the files, but others will return over a period > of time. > > My Question is "What is the difference between the choic

Re: [clamav-users] Clamav for educational institutions ?

2019-04-05 Thread J.R. via clamav-users
At the bottom of the page on the website it says: All content on this website, unless otherwise noted, is licensed under the Creative Commons Attribution - NoDerivs License. With a link to: https://creativecommons.org/licenses/by-nd/2.5/ Which says: You are free to: Share — copy and redistribut

Re: [clamav-users] Clamav for educational institutions ?

2019-04-05 Thread J.R. via clamav-users
I just doubled checked, but I don't see a LICENSE file in the clamav-0.101.2.tar.gz archive??? EDIT - There is the GPLv2 contained in the COPYING file. I just realized each of those files gives the licence for each part of ClamAV. Probably the most notable is the unrar licence, which if I recall R

Re: [clamav-users] SOLVED Re: Fri Apr 12 08:46:13 2019 -> !Verification: Malformed database

2019-04-18 Thread J.R. via clamav-users
> Just an FYI that clamav was linking to libz.so.1.1.4 and upgrading to > libz.so.1.2.11 resolved the issue with being unable to verify updates. > > Might need to be a check for a minimum zlib version though I don't have > input which version specifically demonstrates the issue. zlib 1.1.4 ??? How

Re: [clamav-users] LSD Malwares

2019-04-25 Thread J.R. via clamav-users
Perhaps it would also be worthwhile to report dd.heheda.tk to their hosting provider & domain registrar that they are hosting malware and get that site shut down...

Re: [clamav-users] Segregating database definitions in different subdirectories

2019-05-17 Thread J.R. via clamav-users
> But it seems that ClamAV only reads the general directory and does not > recurse to my local definition. If you do them as yara rules, you can create just one file in the main clamav directory which can contain a list of 'includes' that can be any path you want to multiple files (assuming file /

Re: [clamav-users] 403 on clamav-virusdb webpage

2019-05-17 Thread J.R. via clamav-users
> This link generates 403 error code : > https://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-virusdb > > What's wrong ? Try this link instead (without the cgi-bin): https://lists.clamav.net/mailman/listinfo/clamav-virusdb

Re: [clamav-users] Cannot update virus definitions

2019-06-29 Thread J.R. via clamav-users
Marco, A little more info might be helpful... What OS is your NAS running? What version of ClamAV are you using? Have you enabled debugging and checked the output from that? The main file has not changed in over a year (Jan 8, 2018)... The bytecode file has not changed in almost 7 months... (Jan

Re: [clamav-users] performance degradation of clamscan

2019-07-08 Thread J.R. via clamav-users
> However, it's difficult to do a good comparison of how changes in the > signatures have affected performance over time, as it doesn't seem to be > possible to download older copies of e.g. daily.cvd unless I'm missing > something? I'm not aware of any official source for older daily.cvd files, b

Re: [clamav-users] Install error on Fedora 30

2019-07-23 Thread J.R. via clamav-users
Have you tried building without specifying the paths to see what it does? There is a 0.101.2 RPM for FC30... Why not just modify the .src.rpm if you want to enable some custom options? I believe you also need libxml2-devel last time I looked at the .SPEC for EPEL... You can also try the followin

Re: [clamav-users] Clamav with a samba server ?

2019-07-25 Thread J.R. via clamav-users
> I would like to get advice or feedback about the use of clamav on a > samba share server. > > I have a fresh install of samba on a centos 7 (share server), and I > would like to know if it makes sense to install clamav on this centos 7 > box ? > > Because all workstations on which domain users mo

Re: [clamav-users] Clamav with a samba server ?

2019-07-26 Thread J.R. via clamav-users
> What do you mean by "You could enable 'on access' scanning > on the CentOS box" ? > Is there a special to start clamav with mode 'on access' ? > > What is this 'on access' mode ? https://www.clamav.net/documents/on-access-scanning https://www.clamav.net/documents/scanning#on-access-scanning htt

Re: [clamav-users] Freshclam "Can't query daily" due to DNS issue

2019-07-28 Thread J.R. via clamav-users
I just checked my logs, and it looks like 'safebrowsing' was doing the same thing intermittently for me too (usually about once or twice a day)... Something is definitely up.

Re: [clamav-users] ClamAV: Local Private Mirror

2019-07-30 Thread J.R. via clamav-users
> Can you please tell me the H/W and S/W Specification > of the Private local Mirror Server as a best practice for CVD?! https://www.clamav.net/documents/private-local-mirrors It's going to depend on how many clients you will be serving... 10 vs 10,000 is a huge difference in hardware requirement

Re: [clamav-users] scanning of a 1MB exe files takes up to 130seconds on a single core xeon cpu - is that normal?

2019-07-31 Thread J.R. via clamav-users
> Why is this so slow? I see almost 100% cpu. But seriously on a 1MB file 2 > mines? What could cause this high load? Can i speed this up a bit with kind > of cache or something? Basically what Iulian said... When running 'clamscan' it takes a while (especially if you have 3rd party rules) to load

Re: [clamav-users] ClamAV: Local Private Mirror

2019-07-31 Thread J.R. via clamav-users
> Then, when we had trouble with Cloudflare's BOS server often being out > of sync (for CVDs) with the DNS TXT record, I removed it. Now, I am > dismayed that I have to give our file server a bit of Internet access so > that it can directly download the CDIFFs. I remember issue where some proxy wa

Re: [clamav-users] ClamAV: Local Private Mirror

2019-08-01 Thread J.R. via clamav-users
> I think that's the intended purpose of the local private mirror in this case. > I realize that, but I believe in that person's case back then he was doing a basic web server to re-distribute the full .cvd files (which is what were getting stale). Whereas doing a proxy server (like squid) would b

Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed

2019-08-01 Thread J.R. via clamav-users
> Indeed we do use clamav-unofficial-sigs from > https://github.com/extremeshok/clamav-unofficial-sigs/ > > And interesting timing just announced a new version: > Version 6.0 (30 July 2019) I noticed recently he was doing a ton of bugfixes to the script. There's not any new features or data source

Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed

2019-08-02 Thread J.R. via clamav-users
I just checked (again) today and SecuriteInfo.com doesn't support HTTP compression when downloading its signatures... Which is a shame because the files compress down to about 1/3-1/4 their original size. Due to the semi-static nature of your files, you might want to have pre-compressed copies on

[clamav-users] Creating basic signature files info missing?

2019-08-02 Thread J.R. via clamav-users
When browsing the page on creating signatures for clamav, I couldn't find info on the *.db format https://www.clamav.net/documents/creating-signatures-for-clamav It used the simple format: MalwareName=HexSignature I'm guessing it has been depreciated in favor of the extended signature format? Do

Re: [clamav-users] Freshclam seems locked and can not be unlocked.

2019-08-04 Thread J.R. via clamav-users
Even RHEL/CentOS 7 uses cURL 7.29.0... Most linux distros lock in versions for a release and then simply do backports to fix things and add new features. Otherwise you start to fall into "dependency hell" and unexpected issues by updating to new releases that could break previous functionality and o

Re: [clamav-users] Vulnerability Reporting?

2019-08-06 Thread J.R. via clamav-users
Well, that can take a little figuring out since the package is maintained by SUSE. A package can receive "backports" to fix vulnerabilities (and new features) so they don't have to update to a new version and re-certify everything still works and won't break other packages. SUSE does publish info

[clamav-users] What is OpenSSL used for in ClamAV?

2019-08-07 Thread J.R. via clamav-users
I was compiling the new version of ClamAV and figured I would see if it would build against OpenSSL 1.1.1 (which apparently it did). That got me to thinking, what exactly is it used for? I did some searching and only found one little post that didn't give any real detail. Is it just used to verify

Re: [clamav-users] Packaging ClamAV

2019-08-12 Thread J.R. via clamav-users
main.cvd rarely changes (last update was Jan 2018), it is only when the daily gets so large they push a bunch of signatures over. Bytecode also does not get updated very often. Really the only things are daily & safebrowsing (if enabled) that change regularly. Since the are 'signed' files, there's

Re: [clamav-users] Freshclam slows down boot on MX Linux (Debian)

2019-08-12 Thread J.R. via clamav-users
> What I'm looking for is a way to delay Freshclam's search for updates > upon booting, something like 2 minutes; or in general, to have more > control over its scheduling. I don't see a relevant parameter in > /etc/clamav/freshclam.conf, or anything in the crontab folders. My MX > Linux system use

Re: [clamav-users] Packaging ClamAV

2019-08-12 Thread J.R. via clamav-users
> I would suggest not packaging them at all, and they > should be downloaded from the update servers the > first time the update is ran. Ideally yes, I would agree. However then you run into the edge-case of what if the machine has no (or very limited) internet access? I *think* it's a requiremen

Re: [clamav-users] Can't download definitions

2019-08-17 Thread J.R. via clamav-users
> So it downloaded main.cvd, daily.cvd, safebrowsing.cvd, and > bytecode.cvd, but can't download database1.cvd or something, and there > might be a problem with the mirrors in my conf file, which didn't > contain any mirrors and I didn't mess with them if they're there and I > didn't see them. The

Re: [clamav-users] Can't download definitions

2019-08-18 Thread J.R. via clamav-users
Dora, It looks like you went through the freshclam.conf and just uncommented a bunch of things without knowing what they were for and setting the variable correctly for the custom options. Like Al said, you need to comment the line with the ExtraDatabase, but there are also a couple others I see

Re: [clamav-users] Questions about ClamAV installers

2019-08-28 Thread J.R. via clamav-users
Scott, First - "clamd" is the daemon. It starts up and parses / loads all the virus definitions into memory, then clamdscan (or other programs) interact with it (via local unix socket) to scan files. I checked my CentOS 7 server and I'm not seeing all those packages you mentioned. Do you have oth

Re: [clamav-users] freshclam incremental update

2019-08-31 Thread J.R. via clamav-users
daily-25558.cdiff downloaded fine for my linux server this morning... You can always remove the daily.cld file and let freshclam download the current whole file.

Re: [clamav-users] Question regarding Metasploit signatures

2019-08-31 Thread J.R. via clamav-users
> Hence, my question or curiosity over how ClamAV determines > the *true* threat level of a malicious file. If the virus pattern is in one of the database files, then you are alerted... If it's not, then no alert... That's how every antivirus works... You are more than welcome to report files for

Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-08-31 Thread J.R. via clamav-users
> Normally postfix gets a response after 3 seconds. > > In the clamav.log I see at the same time, that reloading the database > takes up to two minutes. Yes, reloading the DB can take some time depending on which signature DBs you are using. I can't speak for postfix (I run sendmail), but on my s

Re: [clamav-users] Fwd: Fwd: freshclam incremental update

2019-09-03 Thread J.R. via clamav-users
As someone else pointed out, it looks like your Ubuntu AppArmor is denying the process from running properly: https://wiki.ubuntu.com/AppArmor https://help.ubuntu.com/lts/serverguide/apparmor.html https://help.ubuntu.com/community/AppArmor That's your #1 problem... As Mr. Haywood pointed out, th

Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-09-12 Thread J.R. via clamav-users
This patch will be a very welcome addition! Oddly enough today my hosting company had an emergency and I needed to shutdown my server so it could be physically moved mid-day. The painfully slow load time of ClamAV was excruciatingly apparent while I was watching the console slowly go through the boo

Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-09-15 Thread J.R. via clamav-users
> One thing we could do is have clamd "start" before loading the database. > That is to say that it would immediately begin listening on the unix/tcp > socket > for requests and fork into the background so as not to block the boot process. > All scan requests would then be blocked while the datab

Re: [clamav-users] Needed Apache modules for a private local mirror

2019-09-24 Thread J.R. via clamav-users
Scott, The files that would be on the local web server *are* static names... bytecode.cvd daily.cvd main.cvd safebrowsing.cvd If your machines can't access the internet by policy, then that is one route you can go. However, if you are trying to save bandwidth, letting them download the .diff fil

Re: [clamav-users] Setting up logrotation

2019-09-24 Thread J.R. via clamav-users
Log rotation done by clamav is totally separate than your system's log rotation that is done by a cronjob... Unless you are doing some serious debugging, there isn't a lot that is written to the clamd & freshclam log files... My daily clamd.log is maybe 2 KB, and freshclam.log maybe around 20 KB.

Re: [clamav-users] [Clamav-devel] ClamAV(R) blog: ClamAV 0.102.0 Release Candidate is now available

2019-09-27 Thread J.R. via clamav-users
Franky, I'm not sure exactly what feature is the requirement from the version of Curl that's required, the blog only says, "...communication between clamonacc and clamd." So you might have to go browsing through the clamav source to see exactly what it's doing with Curl. There is always the slim p

Re: [clamav-users] [Clamav-devel] ClamAV(R) blog: ClamAV 0.102.0 Release Candidate is now available

2019-09-30 Thread J.R. via clamav-users
> While I applaud the re-use of existing components, requiring this > (minimum) version of libcurl will be a problem for redhat/centOS 7 > users: everybody is still on RHEL7 (RHEL8 is "just" released and still > lacks support from many vendors). > In RHEL/Centos, clamav is only packaged in EPEL, an

Re: [clamav-users] [Clamav-devel] ClamAV(R) blog: ClamAV 0.102.0 Release Candidate is now available

2019-10-01 Thread J.R. via clamav-users
> I think you misunderstand me, I'm merely stating a fact here. > Epel won't do anything about libcurl, and redhat won't just backport new > features "because of". Even so, backport requests take a long time at redhat. > Maybe the epel guys will include a static version of libcurl for clamav, I >

Re: [clamav-users] [Clamav-devel] ClamAV(R) blog: ClamAV 0.102.0 Release Candidate is now available

2019-10-02 Thread J.R. via clamav-users
> Not wanting to appear stupid but exactly what important security feature > does the new libcurl include that is so important to moving clamav forward? Shamelessly ripped from Micah's post the other week: Unlike clamdscan, which has the network socket code written by hand, clamonacc depends on

Re: [clamav-users] Question

2019-10-05 Thread J.R. via clamav-users
> I had already seen all this, but the code itself does not know where it is Are you talking about the virus definitions? Those are also available on the clamav download page. Once downloaded you can use sigtool to extract all the raw files into something you can read.

Re: [clamav-users] [Clamav-devel] ClamAV(R) blog: ClamAV 0.102.0 Release Candidate is now available

2019-10-07 Thread J.R. via clamav-users
> This particular hard requirement (libcurl) affects the communication channel > which is different than causing the code to fail to run at all. So the > question > is do the new libcurl requirements immediately break existing systems that are > not yet updated with new libcurl functionality. It i

Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-07 Thread J.R. via clamav-users
> > Maybe it's time to update main.cvd and reduce daily.* while > > bug 12389 is being processed? > > > > I support this idea. Daily.cvd is at the moment bigger than main.cvd and > main.cvd has not been updated at least two years (maybe even more). I don't know how the viruses are tracked, but ma

Re: [clamav-users] [Clamav-devel] ClamAV(R) blog: ClamAV 0.102.0 Release Candidate is now available

2019-10-07 Thread J.R. via clamav-users
> Franky Van Liedekerke > I won't go into the discussion of supporting "old" libraries on "old OS's" > again, > but for enterprise users (RHEL 6/7, Centos, Ubuntu LTS, ...) this is a bit of > a problem > Micah Snyder: > Perhaps there is something we can do to make it easier to statically link >

Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-07 Thread J.R. via clamav-users
> Steve Basford: > So, is the above hash still relevant or should it moved into archived.hsb, > which by default doesn't load ? I would *guess* the ClamAV team would have a *little* more detailed of a back-end system tracking viruses (though I could be wrong)... > G.W. Haywood: > Well I only run

Re: [clamav-users] Continuous increase of startup time (is daily.cld broken?)

2019-10-18 Thread J.R. via clamav-users
Vladislav, If you are going to put everything on hold while your AV database reloads, be sure you have appropriate timeout settings for your milter or whatever else is handling things so the email program doesn't timeout waiting for a response from it. While the *default* timeouts for email chat

Re: [clamav-users] unexplainable tar behaviour

2019-10-31 Thread J.R. via clamav-users
> I thought ClamAV unpacked TARs (and other archives) and looked at the > contents. If it doesn't, it wouldn't be very effective in detecting > viruses in compressed files. I've been wondering about this too during this particular discussion. Is ClamAV scanning the archive as-is, then additionally

Re: [clamav-users] strace - select(13, [12], NULL, NULL, NULL) = -1 EBADF (Bad file descriptor) <0.000017>

2019-11-07 Thread J.R. via clamav-users
> Which brought clamd back to life and the system load returned to > normal. no idea is this is a OS bug, a ClamAV bug or some kind of user > error, any help here will be appreciated. What version of ClamAV? What OS? What customization / edits to config files have you made?

Re: [clamav-users] daily.cld and cvd query/issue

2019-11-28 Thread J.R. via clamav-users
> I have been using cvd signature files but over the last couple of days, > I've seen the daily.cvd disappear and be replaced with the much larger > daily.cld file. If I delete the daily.cld then run freshclam I receive > the daily.cvd again, but it has switched to the cld file a couple of > times

Re: [clamav-users] 0.102.1 and Solaris 11.3...

2019-12-01 Thread J.R. via clamav-users
Gary, I believe one of the new features of 0.102 was that freshclam would connect via https (as your debug shows it's trying to do). I guess there is no fallback to regular http. What SSL package / version are you using? When compiling does configure find it? Not sure if freshclam uses CURL at a

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread J.R. via clamav-users
> How do I purge a CustomDatabaseURL correctly? Did you remove that DB from your FreshClam config and / or clamav-unofficial-signatures script so it won't re-download it?

Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread J.R. via clamav-users
> All good :-) Going to remove javascript.ndb too. Sorry again. Rather than deleting entire signature databases because of one false positive, why don't you either: 1. Whitelist the file (if it's static) or 2. Whitelist the signature(s) Both are a quick google search and very easy to do...

Re: [clamav-users] Error loading libfreshclam.so.2 with ClamAV 102.1

2020-01-17 Thread J.R. via clamav-users
> I have always preferred to build ClamAV and SpamAssassin from source so I > don't have > to wait on the packages. I just got a bit behind on ClamAV this time because > I had > to wait for avfilter to be updated to work with ClamAV 102. If you are going to roll your own, you really should down

Re: [clamav-users] Error loading libfreshclam.so.2 with ClamAV 102.1

2020-01-22 Thread J.R. via clamav-users
> I build rpms for a couple of other packages. I've never done it for ClamAV > since it > doesn't ship with a spec file I can use. Honestly, I can generally just > download the > source, configure, make, test, install, and done. This is the first time > I've had an > issue updating Clam in ye

Re: [clamav-users] Malformed database issue

2020-02-09 Thread J.R. via clamav-users
Jay, If you are going to upgrade to the newest version manually, I *highly* suggest using the EL6 source RPM as a template as it bundles & statically builds a newer version of zlib for use with ClamAV as a workaround to prevent the "malformed database" errors. https://download-ib01.fedoraproject.

Re: [clamav-users] Malformed database issue

2020-02-10 Thread J.R. via clamav-users
Yes, the regular channel update will work fine to update to 0.100.3 I meant if you wanted to update to the latest 0.102.2 you will have to roll your own... > I was going to update via the software update tool!! Would that work??? > >Jay

Re: [clamav-users] onaccess missing

2020-04-12 Thread J.R. via clamav-users
> I installed it via the steps listed in the install guide for both > Ubuntu and CentOS linux boxes. It is Ubuntu 16 LTS and > CentOS 6, 7, and 8. Fortunately there are 3rd party *current* RPMs of CURL for CentOS: https://curl.haxx.se/download.html (Note: Look under Redhat) Then you can grab th