Paolo De Michele wrote:
> the support reply:
>
> "While it is possible, due to the nature of SSD storage we do not
> support swap space on droplets."
>
> honestly, I do not think that increasing my VPS to 1gb of ram solves the
> situation
> how can I fix it?
If you won't add RAM, and your hosting
Gene Heskett wrote:
> On Sunday 02 February 2014 09:12:36 G.W. Haywood did opine:
>> You might be. IF I understand what you're doing, it seems to me that
>> you're piping a stream of data to the standard input of a process and
>> asking that process to scan the stream for interesting things. You
Thorvald Hallvardsson wrote:
> Hi,
>
> I have got clamav running on the box and recently had a complaint from the
> customer saying that he is getting viruses. In fact Clamav is finding
> phishing messages but any virus (besides eicar) is not being found. Tried
> to test it from the command line an
Bowie Bailey wrote:
> I highly recommend the Sanesecurity signatures. They catch much more
> than the stock signatures. They also catch spam, scam, phishing, and
> other misc junk emails. I haven't had any problems with false positives.
>
> Here's the breakdown from my recent logs:
>
> 818 Tot
I just came across a FP report for a hit from
Heuristics.Phishing.Email.SpoofedDomain.
On checking the message by hand, it no longer triggers this test, either
on my desktop test/dev system running 0.98.4, or on the production
servers running 0.97.6.
Examining the message by hand, the best guess
Al Varnell wrote:
> You have certainly found the correct pair as your message is still showing up
> immediately as infected here.
... and here, too; I wondered why my message hadn't shown up in my
clamav mail folder...
> Heuristics detections are accomplished by the engine, not a specific
> si
Tim Edwards wrote:
> The recent addition of Zip.Suspect.MiscDoubleExtension signatures has been
> causing a lot of trouble for us, as it keeps getting flagged for completely
> innocuous files such as foo_handle_pdf.js.
One common thread I've been seeing is that people reporting specific
cases are
fannnvirusss wrote:
> Hi all, We have been running ClamAV-0.97.4 on RHEL 5.4 for a long time, but
> recently the clamd process exits quietly and frequently, about four times a day.
> The log file has no useful information. When I attach gdb to clamd,
> finally gdb says something like this: P
How do I whitelist all combinations of TLD 1 and TLD 2 with/without
subdomains in one entry?
I've just had a series of FP reports, all appear to be triggered by a
Scotiabank internal mail system URL that shows scotiabank.com (with a
host/subdomain in some messages, without in others) and a real li
Kris Deugau wrote:
> How do I whitelist all combinations of TLD 1 and TLD 2 with/without
> subdomains in one entry?
>
> I've just had a series of FP reports, all appear to be triggered by a
> Scotiabank internal mail system URL that shows scotiabank.com (with a
> host/sub
Jingo Administrator wrote:
> Already more than a week ago I posted my first question to the list. I
> must admit I'm a bit disappointed that nobody responds. Is it that I
> asked a silly question? Or is the issue just too hard to solve and just
> nobody wants to burn his fingers on it?
It's like mo
Marco wrote:
> Hello,
>
> I installed clamd server (0.98.7) with clamav-milter using RPM of EPEL.
>
> With this installation, after every freshclam update session, clamd is
> forced to read the DB:
>
> 2015-09-29T09:12:41.244383+02:00 av1 clamd[15201]: Reading databases
> from /var/lib/clamav
>
I've been seeing Javascript malware on and off where (one layer of) the
Javascript obfuscation is done by taking the real code, sticking in
random characters every other character, wrapping it in one or more
strings, and then using string manipulation to pull out the original
characters and execute
G.W. Haywood wrote:
> Hi there,
>
> On Mon, 2 Nov 2015, Hajo Locke wrote:
>
>> ... It seems to be so easy for a php-programmer to generate infinite
>> number of malwarefiles ...
>
> That's correct.
>
> Any .php file sent here goes straight to /dev/null without inspection.
I can't say I've seen
Alex wrote:
> Steve Basford wrote:
>> I've posted the email here:
>> http://pastebin.com/n4WRjmzE
>
>> Got a match: f.email.americanexpress.com/ with /moc.sserpxenacirema
>> Before inserting .: .f.email.americanexpress.com
>> Lookup result: in regex list
>> Phishcheck:host:.r.smartbrief.com
>> Ph
Gene Heskett wrote:
> But, I do wish that clamd would send me a substitute email advising that
> it has stashed a suspect incoming email into the
> mailfile /var/spool/mail/virii. I try to look that file over for FP's,
> but quickly get lost in the visual garbage because its probably a zip'd
>
Steve Basford wrote:
> 1) .rmd/.zmd databases are obsolete, they are replaced with .cdb
>
> More details:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
Does anyone have any examples of valid signatures for the .cdb sigfiles?
I've tried a couple of times to port some
Groach wrote:
> As a side note: is anyone surprised a virus hasn't been released,
> embedded in a 'password protected' Zip file (to fool AV scans) with the
> body of the email saying something like "to fight against viruses and
> to protect you, it is password protected. Your password is: ABC12
Charles Swiger wrote:
> The milter approach is less flexible. With a scoring mechanism, you can rate
> actual viruses sufficiently negative that the scoring algorithm will always
> reject them.
That depends on the milter you're using. My own favoured milter is
MIMEDefang, which allows you do
Charles Swiger wrote:
> On Jul 19, 2016, at 10:39 AM, Kris Deugau wrote:
>> ClamAV hits on any of the Heuristics.* tests get flagged instead of
>> treated the same as the signature-based hits, and that flag either
>> causes an adjustment in the SpamAssassin results
Alex wrote:
> Hi,
>
> I have a false-positive with Heuristics.Phishing.Email.SpoofedDomain
> for capitaloneemail.com, but can't figure out how to use sigtool to
> determine which actual domain it thinks was spoofed.
>
> # sigtool --find-sigs Heuristics.Phishing.Email.SpoofedDomain |
> sigtool --d
Alex wrote:
> Please don't send me to the amavis list - there must be someone who
> uses both clamav and amavis that understands what's happening here.
Much like SpamAssassin, Clamav in and of itself can only say "Matched
signature " or "Triggered heuristic test ", or "Didn't match
anything".
It'
Is there a way to force matching on the raw file, or at least control
the normalization to some degree so that formatting and details in the
original code aren't lost?
I've been coming across .wsf files in .zip files, which are essentially
Javascript wrapped in a very thin wrapper:
[insert nasty
Kris Deugau wrote:
> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
As a complement to that question, is there a way to *force* other
Javascript files to be
Steven Morgan wrote:
> Please try clamscan --scan-html=no to turn off normalization.
Mmmm. I suppose that's technically the functionality I'm asking for,
but in its current form it's a pretty blunt instrument - it's all or
nothing, especially if set for clamd with the "ScanHTML" option in
clamd.c
Matus UHLAR - fantomas wrote:
> On 15.09.16 00:51, Reindl Harald wrote:
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xslx because they
>> can't contain macros (would be .docm for the new formats)
>
> .docm is docx wit
crazy thinker wrote:
> Hi,
>
> I would like to get each file status call back in *Clamdscan output*
> while performing a scan over a directory using *clamdscan*. But I am able to get
> a file status call back *(OR | ERROR| FOUND)* in *Clamdscan output* when
> I perform a scan over a *single file.
John T. Bryan wrote:
> I’ve been running ClamAV now for some years as the virus-checking plug-in on
> my main multi-client mail server. For a long time, I was very pleased with
> it and how easily I was able to integrate it into the custom software back
> when I first switched to it.
>
> Lately,
Joel Esler (jesler) wrote:
> Dave,
>
> Check out:
> https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf
Unfortunately this document still leaves a number of questions, since
it's quite easy to create a signature that looks to be valid but which
ClamAV won't accept. And the
Mark Foley wrote:
> Kees - thanks for that info. So, basically I'd have to start a new clamd with
> a
> different socket and therefore pointing to a different config file. Not sure
> then what the point of the --config-file parameter to clamdscan is ...
It allows you to call a different clamd tha
Al Varnell wrote:
> On Dec 27, 2016, at 1:53 PM, demonhunter wrote:
>> Office Open XML file format (.doc(x|m), .xls(x|m), etc.,
>> https://en.wikipedia.org/wiki/Office_Open_XML) are ZIP files, and those with
>> macros typically contain an OLE2 file named vbaProject.bin. This signature
>> appear
Groach wrote:
> If I could exclude the Clam default
> signatures and just continue to use Sane then I would and then I could
> turn back on quarantining to make our systems safe again.
You can; turn off freshclam and delete the stock signature files.
Also make sure that you don't use the --off
nobswolf wrote:
Hello,
I just added virus support by ClamAV to my email-server. I am almost
satisfied. It already caught some "zero days".
But I'd like to separate the detection of junk from the detection of
malware. So I'd like to disable the junk detection in ClamAV.
I commented out the Jur
Joel Esler (jesler) wrote:
We already distribute some third party feeds into the official database, we
have a program for that which can be found on our website.
For my part I would far prefer an enhancement to freshclam to allow it
to download arbitrary third-party signature sets, much as Sp
Cedric Knight wrote:
Devs - is it possible to block PDFs based on containing '/JavaScript'
and '/OpenAction' (or '/Launch')? I wish ClamAV has a hierarchy from
definite signatures first to secondly checking heuristics...
Not a ClamAV developer, but yes, you can create a signature for this.
Y
outre...@epsilon.com wrote:
Hi Al,
Could you please confirm exactly what is the issue you see with the links? As
far as I can see, they use standard link tracking.
^^
In my experience that, in and of itself, is often the problem.
The c
Mark Foley wrote:
So, the question posted below remains:
Will the expetr.yara rule, described in this thread, run as is, or not, on
Linux?
Any valid signature file will be loaded and used.
Any *invalid* signature file will cause clamd to exit.
If clamd is running, and you've been able to co
Crystalslave wrote:
Return-Path: harlequin...@gmail.com
First off, my apologies for the confusion. This is my first time
posting to a mailing list; I didn't really know how to handle the
return path thing, so I had to start over. Is this better? The return
path goes at the top of the message bod
Chris Johnson wrote:
I have on access scanning configured and we successfully run a script
when a virus is found. This script allows us to make a log that the
file was scanned and a virus found. However we'd also like to run a
script to make a log when the file has been scanned and no virus has
Ravi wrote:
Hi,
Looking forward for comments and suggestions for the below reported issue
from the community.
Well, to answer your original question, it looks to me like the test is
doing exactly what it's supposed to. Core dumps would quite reasonably
contain executable chunks, but may not
Ravi wrote:
Thanks Kris for your comments. Currently we scan the incoming
files(zips/archives) placed on the local hard drive with the
clamdscan(which uses clamd daemon), Can you share more info on what you
meant on handling the result differently if we are using the clamdscan?
Whatever calls c
Sandeep Talla wrote:
Hi All,
We have ClamAV installed on Ubuntu. On Ubuntu, the rules can be
specified or modified under the directory */var/lib/clamav/main.cvd*.
However, We are trying to consume ClamAV rules from the FireEye as
shown below link which is*.ldb* file and we are trying to conv
Sandeep Talla wrote:
Hi Mark/Kris,
Thank you for your responses. I have placed the *fireeye.ldb* file under
the directory /var/lib/clamav/ and modified the permission to 644 and
ownership to clamav. Then we have restarted the service
Clamav-Deamon and then started clamscan. However, Clamscam
Orion Poplawski wrote:
Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
signature? We're seeing following URLs trigger it:
https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-
G.W. Haywood via clamav-users wrote:
One of the reasons that malicious senders send so many malicious
password protected documents by email is that it is not always easy
to detect malware in them without knowledge of the password, so by
and large scanners like ClamAV don't attempt to do it (even
Vangelis Katsikaros via clamav-users wrote:
Hi Joel, thanks for the quick response. We already download once every
hour (the default ubuntu 18.04 behavior). However, we are using auto
scaling and we might be running a large number of EC2 instances (a few
hundreds), that could try to download si
Joe Acquisto-j4 wrote:
In log find (snipped)
". . .infected by Heuristics.OLE2.ContainsMacros.VBA"
This is enabled by the AlertOLE2Macros directive in clamd.conf
". . .infected by Heuristics.Phishing.Email.SpoofedDomain"
This is enabled by the PhishingScanURLs directive in clamd.conf.
I
Wayne Florence via clamav-users wrote:
Hello,
I have recently updated my 4 ClamAV private mirrors to
version 0.103.0 to fix issues downloading the cvd files.
However I am still having issues I have the servers
setup to use freshclam via a cron once per day.
I have a phishy PDF.
I want to match a string I've extracted from one of the files left by
clamscan --leave-temps, but ONLY if the outermost file being scanned is
a PDF.
The string on its own is just generic enough I don't want to rely on it
alone, so I want to limit matching to PDF files.
Michael Wang wrote:
I understand "more" is not clamscan, I was just showing that the file in
question cannot be opened with clamscan nor with "more" as
administrator. I also understand if clamscan cannot read a file, it
cannot scan it. My question is how I can let clamscan to read a file, as
I
Choate, Nathan via clamav-users wrote:
Hello,
I've recently been experimenting with using the recently built ClamAV
Docker image in a Kubernetes deployment.
We want to utilize the ClamAV container in our deployment alongside a
basic server application running in a separate pod.
We think th
Hart, Steven A. via clamav-users wrote:
Hello all,
ClamAV documentation states that tar archives are supported. I've
created a small sample tar archive that includes an eicar sample.
Clamscan seems to only look at the tar archive as a single file and does
not hit on the eicar sample withi
Vu, Hong-Duc V. via clamav-users wrote:
Hello,
How often does the main.cvd file get updated? According to this old post
they have seven changes in two years.
https://lists.clamav.net/pipermail/clamav-users/2014-September/000916.html
This will help me troubleshoot any issues with my freshclam
novpenguincne via clamav-users wrote:
I'm still experimenting with Clam and I've got 103.4 installed on an OEL
7.9 box.
What is "OEL"? I'm guessing it's some Red Hat derivative.
I've got freshclam configured to download new updates every
few hours. I can manually run freshclam and success
novpenguincne via clamav-users wrote:
OEL = Oracle Enterprise Linux
Under /usr/lib/systemd/system, there are the four clam*.service files. But
since none of them are active or enabled, I don't think can be the source. I
scanned the entire file system for cl*.service and they are the only one
G.W. Haywood via clamav-users wrote:
IMHO this is a pretty unconvincing reason to change your init system,
especially to one which is both as new as systemd, and as capable of
stupidity on a scale never before seen in any init system. A couple
of examples here (the wanton renaming of Ethernet in
I've just come across a presumed-malicious .zip file of about 500K that
contains a ~315M ISO image, which in turn appears to contain a ~315M
executable file.
After a bit of searching and testing I see the --max-ratio option has
been removed from clamscan, and ArchiveMaxCompressionRatio in clam
G.W. Haywood via clamav-users wrote:
Hi there,
On Fri, 14 Jan 2022, Kris Deugau wrote:
I've just come across a presumed-malicious .zip file of about 500K
that contains a ~315M ISO image, which in turn appears to contain a
~315M executable file.
After a bit of searching and testing
After chasing docs back and forth and trying small variations, I think
I've found what's arguably a bug in Clam's YARA implementation.
These two YARA rules should both match exactly the same, but don't. The
first will only match if the condition is changed to indicate a single
match in some v
Maarten Broekman via clamav-users wrote:
There's not a lot that you can do in Yara rules that you can't do in LDB
sigs... for what it's worth, here's a logical sig that detects the same
thing as the Yara rules...
mbroekman@lothlorien:~$ grep MJB.JS.SendEmail
clamdb/javascript_sigs.ldb| sigtoo
Laurent S. via clamav-users wrote:
Dear Kris,
I've had the same issue. In the last two years, I was regularly writing YARA
sigs in ClamAV and finding that it behaves in strange ways... Especially the
regex integration.
I specifically remember that counting regex wasn't possible and that I had
Alex via clamav-users wrote:
Hi,
I have a fedora34 system with clamd-0.103.5 and amavisd/SA/postfix. I
have a newsletter from ncua.gov that keeps getting blocked because it
apparently contains links.gd in the body somewhere, although I can't
find it.
How do I exclude this email from being tagge
Micah Snyder (micasnyd) via clamav-users wrote:
G.W. Haywood wrote:
Execution time will be important for scanning filesystems, less so for
scanning mail (at least for scanning low-volume mail) and readability
can be hugely important if you're writing a lot of rules. Perhaps we
should be aski
Kris Deugau wrote:
For some types of content, just allowing a plain ASCII string instead of
the hex-coded version of the same would be a big help. Or an
enhancement in the current file formats allowing embedded comments -
I've lost track of how many times I've created something co
Jorge Elissalde via clamav-users wrote:
Thank you for your answer.
I'm using Windows clamd release 0.104.2
I have double checked with wireshark and the data sent is ok.
suppose I just send: char *eicarTest =
"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
Result is ok: i
G.W. Haywood via clamav-users wrote:
Hi Micah,
On Wed, 16 Mar 2022, Micah Snyder (micasnyd) wrote:
I'm not sure what you mean here. Can you elaborate? If you simply
want ClamAV ignore garbage rules on load and continue with the rest
of the file (see point #4) - that's something we can easily
G.W. Haywood via clamav-users wrote:
Hi there,
On Mon, 21 Mar 2022, Kris Deugau wrote:
TBH I'd prefer if Clam *did* continue, just skipping malformed rules
(and also whinging loudly in the log).
I could live with that if it didn't *also* crash.
Either would be better than ju
I've been seeing a series of Excel files recently that seem to be
triggering a bug of some kind.
These are not matched by any stock signatures (yet), so I've been using
clamscan --leave-temps to extract components for signatures.
Most of the time I just create hashes of a component from one s
Matus UHLAR - fantomas wrote:
On 31.03.22 11:02, Petr Jurášek via clamav-users wrote:
https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51769.html
It's the same situation. Vir is detected, but file is "clean", you can
see it in summary.
looks like that. I completely missed it.
joe a wrote:
To semi-hijack, I was attempting to deal with my own occasional false
positive by using this thread as a clue.
Attempting to follow the docs, I hit a wall here:
"To help you identify what triggered a heuristic phishing alert,
clamscan or clamd will print a message indicating the
Andrew C Aitchison via clamav-users wrote:
On Mon, 12 Dec 2022, newcomer01 wrote:
Well on my PC I changed a lot because the naming was too messy for me.
I have "program" clam*d*scan for which I have a clam*d*.conf and a
"program" clamscan for which I have a clamscan.conf. And then the
normal
newcomer01 via clamav-users wrote:
no one can help me?
I think most of us have just about given up on this test, and are either
doing without or call ClamAV in a way that allows us to handle FP-prone
tests like this differently from other results (either by whitelisting
mail ahead of ClamAV
I went to load a semi-bookmarked page for signature writing
(https://docs.clamav.net/manual/Signatures.html), but it failed and kept
reloading Cloudflare's "security check" voodoo.
(Side question to pass up the chain at Cisco/Talos - is there a knob
that can be twisted somewhere to force that
clamav.mbou...@spamgourmet.com wrote:
Kris Deugau wrote:
I went to load a semi-bookmarked page for signature writing
(https://docs.clamav.net/manual/Signatures.html), but it failed and
kept reloading Cloudflare's "security check" voodoo.
ClamAV's site works for me, usi
steven aldenkamp via clamav-users wrote:
Thanks.
Apparently the info I gave earlier was older.
We noticed also
ClamAV 0.103.5
This is still three minor patch releases behind the current one in the
0.103 series, and IIRC there were some low-grade security fixes in that
span.
It should stil
CentOS 5, Clam installed from RPMForge repo.
Was running 0.95.1 when this happened yesterday, upgrading to 0.95.2
didn't change anything.
[r...@snafu kdeugau]# /etc/init.d/clamd restart
Stopping Clam AntiVirus Daemon:[FAILED]
Starting Clam AntiVirus Daemon: LibClamAV
Dennis Peterson wrote:
Kris Deugau wrote:
clamscan seems to be able to read the database files just fine.
Any suggestions on what to poke to get more detail on what's actually
broken?
Send the result of running clamconf and ps -ef |grep [c]lam
Seems this was a SELinux issue afte
Steven Stern wrote:
Checking outgoing mail is pointless. Why bother?
So you can reduce malware propagation? (And as a result, maybe not end
up on everyone's local blacklist for spewing garbage...)
If I were mailing malware, I'd be sure to mark that it had been scanned,
approved, and was s
Jerry wrote:
On Wed, 24 Feb 2010 10:33:09 -0500
Kris Deugau articulated:
Steven Stern wrote:
Checking outgoing mail is pointless. Why bother?
So you can reduce malware propagation? (And as a result, maybe not
end up on everyone's local blacklist for spewing garbage...)
It is
(FWIW, the original inverse question/argument was about blindly
accepting third-party claims that something was clean; I responded
noting that I would [mostly] happily trust third-party claims that
something *wasn't* clean.)
Jerry wrote:
Let's take this from the top.
You, and other advocates
Jerry wrote:
On Thu, 25 Feb 2010 16:40:13 -0500
Bowie Bailey articulated:
Abide by what edict? Email marked as containing a virus is simply
rejected. If a spammer or bot wishes to send out viruses from my
network, they'll have to bypass my MTA to do it, which is more
difficult since very few
Chuck Swiger wrote:
On Feb 25, 2010, at 5:24 PM, Jerry wrote:
Let's take this from the top.
[ ... ]
The morgue is getting full of flogged-to-death horses and slain strawman
arguments. Please stop.
Butbutbut... It's still horse-shaped! And I think I saw that bale of
straw move!
-kgd, tr
I just received a report from a customer about a legitimate Amazon.ca
order confirmation that tripped the
Phishing.Heuristics.Email.SpoofedDomain code in Clamav (0.95.3 from
Debian lenny volatile).
I'm not sure what this heuristic test looks for, but after inspecting
the message source I'm pr
Török Edwin wrote:
It should already be whitelisted:
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:.+\.amazon\.com([/?].*)?:17-
X:.+:.+images\.amazon\.com([/?].*)?:17-
What is the domain of the image, and the domain of the href target?
Can you craft a simple example html mail with just
Török Edwin wrote:
The existing whitelist doesn't pass because amazon.com doesn't have
anything preceding it.
Try this:
X:.+\.amazon\.(at|ca|co\.uk|co\.jp|com|de|fr)([/?].*)?:(.+\.)?amazon\.com([/?].*)?:17-
Looks good, thanks!
I've put this in daily.wdb on the live servers; is that the
offi
I've had reports of several FPs due to PhishingScanURLs recently - is
there any way it can be made less aggressive rather than just turning it
off outright?
The messages triggering it so far have been both outgoing and incoming
mail from our customers: forwarded copies of legitimate Amazon.ca
Török Edwin wrote:
On 04/22/2010 05:26 PM, Kris Deugau wrote:
I've had reports of several FPs due to PhishingScanURLs recently - is
there any way it can be made less aggressive rather than just turning it
off outright?
You could remove domains from daily.pdb
I don't seem to have
Török Edwin wrote:
Are you sure it was a Heuristics.Phishing.*, or Phishing.Heuristics.*
detection?
It doesn't look at the subject line at all.
Pretty certain; I don't recall the username so it's a bit hard to check
back in the mail logs.
What does the "17-" at the end indicate?
It indic
I'd whitelist the specific URLs in question, but they vary from message
to message, since they're in the form:
http://www.google.com/url?sa=X&q=http://
(the full URL runs about 500 characters in total - so far as I
understand the SpoofedDomain heuristic, it's only that first pair of
site
bling the
heuristics rules (for those who can't whitelist these messages further
upstream)?
-kgd
Kris Deugau wrote:
I'd whitelist the specific URLs in question, but they vary from message
to message, since they're in the form:
http://www.google.com/url?sa=X&q=http://
ANANT S ATHAVALE wrote:
Dear List,
I am replying to my own query. Please suggest a way to solve my problem.
You have two basic options for reducing or eliminating false positives
from the heuristic phishing test within ClamAV's setup:
-> Get a copy of the message, or enough of a copy, that
I tried twice yesterday, but the submission was refused as "not detected
by Clamav" both times, likely since I haven't managed to extract a
suitable fragment of the document that's triggering the FP.
I have not received an OK from the customer to release the complete
attachment that triggered
G.W. Haywood wrote:
The ClamAV database mirrors appear to have a growing capacity problem.
Torrents are intended to alleviate the problem, and it takes, oh, ten
minutes to set one up. Scripts already exist which could be adapted
fairly easily to use torrents instead of mirrors to download the da
Bruno Barosa wrote:
> Hi, can anyone help?
> Running on Centos 5.x (various versions from 5.4 to 5.8) 64bit.
> Epel installed, RPMForge uninstalled, and prefer to keep it this way.
> [root@myserver ~]# yum update clamav
...
> No Packages marked for Update
Your choices are:
1) Wait for EPEL to u
Bruno Barosa wrote:
> Hi,
>
> The issue is not being able to update the clamav "core".
> Nigel posted about database updates, if I understood it right.
>
> I'm quoting my original post:
>
> "
> Hi, can anyone help?
> Running on Centos 5.x (various versions from 5.4 to 5.8) 64bit.
> Epel installe
Alain Zidouemba wrote:
> Massimo,
>
> Actually, I'd recommend you send it in here:
> http://www.clamav.net/lang/en/sendvirus/
>
> That way we can review your file that was detected
> as BC.Exploit.CVE_2012_0165 and tell you if you are dealing with a true
> positive of a false positive. In the cas
Greg Folkert wrote:
> On Tue, 2013-06-11 at 14:38 -0400, Kris Deugau wrote:
>> (Resend; list seems to have gone black-hole for a few days)
>
> FYI, I saw your last e-mail on Wednesday of last week on this very
> subject. I didn't have any answers so I didn't respon
Alain Zidouemba wrote:
> The following seems to work for me:
>
>
> X:\.scotiarewards\.com:\.scotiabank\.com
>
>
> It will be released shortly to whitelist the redirection from
> scotiarewards.com to scotiabank.com
Thanks!
However, I tried adding this to daily.wdb locally, and I'm still gettin
Kees Theunissen wrote:
> Or just check your virus-filter logs.
*blink*
*poke*
Ah, that *is* enabled on my account. I had forgotten that.
> Both your messages were rejected by my filter. The log shows:
> "Messsage rejected because of virus Heuristics.Phishing.Email.SpoofedDomain."
> It trigger
Jim Goode wrote:
> I am currently running version 0.88.7 on SME 6.0.1-01 (built on Red Hat
> 7.x).
> [EMAIL PROTECTED] tmp]# rpm -qa | grep clam
> clamav-es-libs-0.88.7-es01
> clamav-es-0.88.7-es01
OK, so you've got a pair of packages called "clamav-es-libs" and
"clamav-es".
> I downloaded:
> [EM