Re: [Clamav-users] clamscan extremely slow

2007-06-24 Thread Paul Kosinski
had any bad slowness. Paul Kosinski P.S. Clamav may be slower than commercial scanners, however, my observation has been that clamav scans the *entire* file, rather than only part of it, as commercial scanners tend to do. (In some cases, they couldn't even *read* the entire file that fast.) I'm

[Clamav-users] Sourcefire acquires ClamAV

2007-08-30 Thread Paul Kosinski
There is another aspect to the acquisition of ClamAV that seems not to have been discussed. What happens to the people who made monetary donations to the ClamAV project? (I am not in this group, as I never quite got around to it.) I would imagine that many people who donated to ClamAV did so in

[Clamav-users] Email viruses almost non-existent?

2007-12-24 Thread Paul Kosinski
In December 2006, we were running ClamAV 0.88.7, and there were still a fair number of real viruses being detected in inbound email. Now running 0.91.2 and 0.92, there seem to be only phishing attempts, and not even very many of them. In fact it seems that our log file shows almost as many

Re: [Clamav-users] Email viruses almost non-existent?

2007-12-31 Thread Paul Kosinski
email server. (Previous to that, I'm not sure what version we were running.) Perhaps Postfix is now doing a better job of rejecting bad SMTP, although the overall spam rate is still quite high. Paul Kosinski ___ Help us build a comprehensive ClamAV guide

[Clamav-users] Instability and Modern Anti-Virus Software

2008-01-02 Thread Paul Kosinski
There is an article on eWeek.com today concerning instability in AV software due to the impossibility of adequately testing updates when releasing them as quickly as they are needed (www.eweek.com/article2/0,1895,2240656,00.asp?kc=EWKNLINF010208STR3). As I understand it, ClamAV is perhaps unusual

Re: [Clamav-users] Tomasz, you're an idiot, and you don't even know it

2008-01-03 Thread Paul Kosinski
the Windows version (AFAIK) doesn't hook in to the kernel (like most Windows AV), making it less likely to be a path to total compromise of the computer. Paul Kosinski

[Clamav-users] Malware variants may have hit half-million mark

2008-01-04 Thread Paul Kosinski
Fri 4 Jan 2008 According to today's SecurityFocus.com, there are as many as 500,000 different versions of malware. Most are not original code, but mass-produced attempts to foil antivirus filters. And here I thought that ClamAV's 186,092+ signatures was getting out of hand! In the interest of

[Clamav-users] Why is ClamAV signature file so unpopular?

2008-11-28 Thread Paul Kosinski
When I go to the download page for ClamAV at SourceForge, I observe that the signature file (clamav-0.*.*.tar.gz.sig) is downloaded less than 10% of the time that the source code (clamav-0.*.*.tar.gz) is downloaded. I find this strange, especially for anti-malware software, whose users presumably

[clamav-users] Has ClamAV mailing list been leaked?

2012-07-06 Thread Paul Kosinski
Today we got a spam email claiming to be From: clamav at our domain, from IP address 201.80.225.194. We already get spam To: clamav. Since we indeed have a virtual mailbox named clamav (to receive this list), I am wondering if this is just a good guess by the spammer, or if somehow the ClamAV

[Clamav-users] Speed of ClamAV vs Norton AV

2006-09-22 Thread Paul Kosinski
I am in the process of replacing my old Windows 98 SE (!) file server with a Linux/Samba server. The Samba server is nicer and much faster than the Windows one except for virus scanning. On my old server (a 900 MHz Athlon with 768 MB RAM) I had an old version of Norton AV (v5.0) which ran

Re: [Clamav-users] Speed of ClamAV vs Norton AV

2006-09-23 Thread Paul Kosinski
Dennis Peterson wrote [reordered]: You didn't say what your iowait rate was during your scan (from top, for example). If you have multiple disks/arrays you can also fire off multiple scanning sessions as I doubt you're pegging the cpu's. This doesn't work well if you're on a set of mirrored

Re: [Clamav-users] Speed of ClamAV vs Norton AV

2006-10-16 Thread Paul Kosinski
clamscan doesn't follow symbolic links.) # # Usage is: $0 working-directory directory-1 ... # Copyright (C) 2006 Paul Kosinski pk[at]iment[dot]com # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published

Re: [clamav-users] clamav-users Digest, Vol 113, Issue 18

2014-02-27 Thread Paul Kosinski
The blog post concerning OpenSSL being required for ClamAV only has one reason as to why it might *benefit* ClamAV; the other reasons are why OpenSSL *itself* is good. That single reason is: We will be able to provide a better freshclam experience in a future release. What exactly does this

Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV

2014-03-02 Thread Paul Kosinski
On 2/27/14, 3:43:08PM, Paul Kosinski wrote: The blog post concerning OpenSSL being required for ClamAV only has one reason as to why it might *benefit* ClamAV; the other reasons are why OpenSSL *itself* is good

Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV

2014-03-12 Thread Paul Kosinski
On 03.03.2014 08:38, Paul Kosinski wrote: There are only a few reasons I can imagine

Re: [clamav-users] Problem with Freshclam and local mirror

2014-04-01 Thread Paul Kosinski
I run a special Bash-scripted CRON job to pull the 'daily.cvd' files from a local ClamAV mirror, and don't have much trouble, although I have to make sure the action is retried a couple of times, in case the mirror is being updated while the script is being run. Instead of using a full-blown

Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format

2014-05-20 Thread Paul Kosinski
in such an environment? If so, how? Paul Kosinski P.S. I also get a *lot* of compiler warnings of the form: discards 'const' qualifier from pointer target type

Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format

2014-05-22 Thread Paul Kosinski
by having both 64 and 32 stuff to deal with. I didn't try 0.98.4rc1, as I was building for production use. Paul Kosinski On Tue, 20 May 2014 15:37:34 -0400 Paul Kosinski cla...@iment.com wrote: It isn't just libxml2. I'm getting the equivalent errors for libbz2 and libz as well

[clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files

2014-06-25 Thread Paul Kosinski
I'm using HAVP (0.92) on Linux (openSuSE 13.1) as a virus scanning filter for HTTP traffic. It worked perfectly with ClamAV 0.98.3 (and many previous versions), but now it won't start at all with 0.98.4. HAVP uses libclamav.so to do the actual scanning (more efficient than even the socket

Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files

2014-06-26 Thread Paul Kosinski
Shawn, Yes indeed, HAVP calls into libclamav directly. But then why does this only fail in 0.98.4 but *not* in 0.98.3? Wasn't OpenSSL already being used in 0.98.3? An additional problem is that the HAVP developer seems to have stopped working on it, according to the HAVP forum

Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files

2014-06-27 Thread Paul Kosinski
Kare, Thanks for the suggestion. I also had thought of using the clamd socket interface, but won't do that unless there is no other way. HAVP is running here on a minimal 2-core Athlon II (3.1 GHz) and HAVP by itself comprises over 10 processes. Given this configuration, I fear that using the

Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files

2014-07-09 Thread Paul Kosinski
A few days ago, I looked at the ClamAV stuff on GitHub and found the patch that moved the declarations of cl_initialize_crypto() etc. from crypto.h to clamav.h. I then added a call to cl_initialize_crypto() to clamlibscanner.cpp (see diff below), recompiled and now HAVP starts up properly, and

Re: [clamav-users] Can I deploy the virus database to our intranet?

2014-08-06 Thread Paul Kosinski
We use 'HTTPi' as the basis of a very simple Perl-powered mechanism to proxy the ClamAV CVD files on our small LAN. We have it listening on a dedicated TCP port via xinetd (a very handy 'server' for simple services one wants to make network accessible). HTTPi (http://www.floodgap.com/httpi/) is

Re: [clamav-users] Libclamav :: Issue with version 0.98.4 on FC20 - Can't load /usr/local/share/clamav/daily.cvd: Can't allocate memory

2014-08-08 Thread Paul Kosinski
Date: 8 Aug 2014 12:44:39 - From: Chinmay Mahata chinmay_mah...@rediffmail.com Subject: [clamav-users] Libclamav :: Issue with version 0.98.4 on FC20 Can't load /usr/local/share/clamav/daily.cvd: Can't allocate memory Hi, I need to use clamav library in one of my modules. I

Re: [clamav-users] Daily.cvd file

2014-09-17 Thread Paul Kosinski
improve the Website and the servers, consider reducing the total bandwidth used in some way. It will help everybody. Paul Kosinski

Re: [clamav-users] daily.cvd vs main.cvd

2014-09-18 Thread Paul Kosinski
to the daily.cvd file downloaded in one 24 hour period this week. Paul Kosinski P.S. Maybe it's time for an 'rsync' or 'drpm' approach for daily.cvd? ++ From our records of CLAMAV files backed up 0.93 -rw-r--r-- 1 clamav clamav 13050207 Apr 15 2008 main.cvd 0.93.1 -rw-r--r-- 1 clamav

Re: [clamav-users] daily.cvd vs main.cvd

2014-09-19 Thread Paul Kosinski
freshclam runs on a schedule so that the other NTP-synced machines on our LAN can run their cron-driven freshclams a few minutes later to pull the latest daily.cvd from our local mirror. Hope this clarifies what we are doing. Paul Kosinski P.S. I could provide our getfreshclam script if anyone

Re: [clamav-users] daily.cvd vs main.cvd

2014-09-22 Thread Paul Kosinski
. (That reporter suggested that the verification process was treating cld files as if they were cvd files, and therefore failed.) Thus I'll have to go back to the old way of having the Internet-facing freshclam retrieve the whole cvd files, instead of the much shorter cdiff files. Paul Kosinski

Re: [clamav-users] clamav-users Digest, Vol 120, Issue 17

2014-09-26 Thread Paul Kosinski
to be viewed as if it were a giant signature. Paul Kosinski P.S. In my opinion, there are no *good* email clients, only tolerable ones. (And Claws-Mail, with the Fancy HTML Viewer plugin, is on a level with the old Eudora, which was the most tolerable back

Re: [clamav-users] Realtime scanner

2014-11-28 Thread Paul Kosinski
Not completely sure what you mean by real-time scanner: file scanning or scanning HTTP responses (Web browsing)? For file scanning, there is (or used to be) Clamuko, which hooked in to the Linux kernel. I never used it, so can't say anything about it. For Web browsing, I use HAVP, which in turn

Re: [clamav-users] Streaming support in ClamD

2015-07-21 Thread Paul Kosinski
I'm still using HAVP for HTTP scanning, and it seems to still work OK with the latest ClamAV (i.e., libclamav etc.). I hope that ClamAV doesn't become incompatible in a way that can't be accommodated. (I had to change HAVP's init temporarily due to the openssl hiccup). Paul Kosinski On Tue

Re: [clamav-users] Detection in windows but not Linux

2015-12-14 Thread Paul Kosinski
Just a wild thought, but could the Linux version of ClamAV somehow be doing a "DOS to UNIX" processing on signatures as if they were ASCII, thus converting "0d0a" to "0a"? On Mon, 14 Dec 2015 12:00:01 -0500 clamav-users-requ...@lists.clamav.net wrote: > Send clamav-users mailing list

Re: [clamav-users] Clamav fails to detect exe within rar

2015-11-20 Thread Paul Kosinski
; and don't have any unrar-related '.so' files in any of the usual 'lib' directories. Paul Kosinski P.S. Actually, I compile ClamAV for "/opt/clamav.d/clamav.x.y.z" using the "--prefix" option on 'configure', copy over the latest CVD files, and then make "/opt/clamav

Re: [clamav-users] Clamav fails to detect exe within rar

2015-11-21 Thread Paul Kosinski
Whenever I compile ClamAV with 'unrar' support, it seems to be the case that "libclamunrar_iface.so.6.1.26" is automatically included along with "libclamunrar.so.6.1.26" and the associated symbolic links and '.la' files. Since my use of ClamAV never detected any '.rar' files containing malware, I

Re: [clamav-users] ClamAV-users Digest

2016-06-03 Thread Paul Kosinski
Hi, I haven't received any Digest email since Feb 3, is the list still in operation? Paul Kosinski

Re: [clamav-users] ClamAV in production environment

2016-06-01 Thread Paul Kosinski
I lost trust in Symantec (and maybe others) when they didn't flag the infamous Sony rootkit (on music CDs) as malware. Even the US DHS took Sony to task for compromising Windows computers with their buggy DRM software, which, even if it weren't buggy, was an uninvited install. (Corporate

[clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Paul Kosinski
I just downloaded samba-4.4.0.tar.gz (the latest) from samba.org, and, after downloading via HTTPS, ClamAV (0.99.1/21479) reports that the gz file contains Win.Trojan.Qhost-106. In particular, the single file wintest.py in the subdirectory wintest is reported.

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Paul Kosinski
s, I think ClamAV is much more than just an email scanner. Paul Kosinski P.S. I compile Samba myself because I make a slight change to the way the VFS-Recycle component names versions: I name the backup of "X" to be "X.1" rather than "Copy-of-X". (That may be

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Paul Kosinski
l have to let those familiar with how advisable it is to disabling > the firewall on a Windows machine would be under these circumstances. > > -Al- > > On Wed, Mar 30, 2016 at 05:46 PM, Paul Kosinski wrote: > > > > The only file that was flagged as containing a virus (trojan) w

Re: [clamav-users] Latest samba source contains Win.Trojan.Qhost-106?

2016-03-30 Thread Paul Kosinski
e advantages of Windows Server. Paul Kosinski On Thu, 31 Mar 2016 10:51:55 +1100 Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote: > > > On 31/03/2016 5:32 AM, Alain Zidouemba wrote: > > Paul: > > > > Thanks for reporting this FP. Thi

[clamav-users] Signature updates?

2016-03-19 Thread Paul Kosinski
Am I right that there have been no new signatures available in the past 5 days (60 hours)? Paul Kosinski

[clamav-users] Digest mode not working

2016-03-19 Thread Paul Kosinski
l postings in that period I didn't get.) So I turned off digest mode, and again I get lots of email from the ClamAV Users list. What's going on? Paul Kosinski

Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Paul Kosinski
I disable Javascript in our PDF viewer. PostScript (which underlies PDF) is a Turing-complete executable language, and even has a mechanism to read and write files, so it could cause some trouble on its own. On Thu, 31 Mar 2016 10:36:18 -0500 Noel Jones wrote: > Known

Re: [clamav-users] Why has clam started updating itself every 3 hours?

2016-03-21 Thread Paul Kosinski
Ours is looking for updates every 1.5 hours, just as the cron job says. But there have been no new sigs from current.cvd.clamav.net since Friday, which is somewhat worrisome. On Mon, 21 Mar 2016 21:21:17 + Andy Keller wrote: > This is new behavior, as far as I

[clamav-users] ClamAV Digest weirdness

2016-05-06 Thread Paul Kosinski
Today (6 May), I received a single 1.22 MB Digest email with an astounding *586* items, dated from Feb 7 through yesterday, May 5. The Digest had mysteriously stopped in early February, and couldn't be restarted even when I signed up with a *new* email address. I then gave up on the Digest and

Re: [clamav-users] ClamAV - References

2016-04-18 Thread Paul Kosinski
"However, as a bank, our security department do not like to use such free opensource initiatives." Do they realize that (as far as I know) essentially all commercial software (that you pay for) has a clause in the EULA disclaiming any liability for *consequential* damages. In other words, if the

[clamav-users] Using clamd across containers

2016-07-22 Thread Paul Kosinski
I couldn't find anything in some quick Google searches about this, and I don't remember seeing anything relevant on this list, so I will ask: Currently I avoid clamscan startup delay on ad-hoc scans by using a small Perl script to expand the name(s) of the file(s) or directory(s) to be scanned

Re: [clamav-users] Using clamd across containers

2016-07-23 Thread Paul Kosinski
is set for the Container(s), or on the FD itself. Even clamd(scan) might have a problem, I suppose, if the FD mechanism wasn't designed with Containers in mind. On Sat, 23 Jul 2016 18:20:15 +0100 (BST) "G.W. Haywood" <cla...@jubileegroup.co.uk> wrote: > Hi there, > >

Re: [clamav-users] Scanning very large files in chunks

2016-08-11 Thread Paul Kosinski
After posting a while ago about scanning (extremely) large disk images, I realized that files need not be contiguous in a disk image. It all depends on the block allocation algorithm of the file system and, in many cases, to fragmentation that occurs as the disk is used. So, even if you could

[clamav-users] Freshclam question

2016-07-13 Thread Paul Kosinski
Is there an easy way to get freshclam do multiple "attempts" at a lower rate than it does? I use an LAN-local server (a tiny Perl program) to redistribute signatures, and occasionally ClamAV's DNS shows that the official current version is beyond what the redistribution server has, so it

Re: [clamav-users] ClamAV® blog: CRDF Joins the ClamAV Signature Partner Program!

2016-07-13 Thread Paul Kosinski
I too would like the option. (One of the reasons I use ClamAV is because of its lack of bloat.) So how about having "extra" databases in freshclam.conf that are enabled by default? Or perhaps a minimal ClamAV-origin-only database as an alternative to the default "full" data

Re: [clamav-users] Scanning very large files in chunks

2016-08-04 Thread Paul Kosinski
Really large files like this would likely either be video files or disk images (incl. DVD and Blu-Ray). Both kinds could, in principle, have malware embedded. Disk images often contain whole file systems and thus many, many files. The alternative is to scan the entire FS after it is "mounted".

Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Paul Kosinski
On Thu, 30 Jun 2016 11:26:07 -0400 Steven Morgan wrote: > On Thu, Jun 30, 2016 at 10:06 AM, Axb wrote: > > > > > When trying to use filesize condition in a Yara sig > > > > rule FileSize_200KB > > { > > condition: > >filesize < 200KB > >

Re: [clamav-users] whitelisting sender or recipient

2017-01-19 Thread Paul Kosinski
vices and so > the unconditional whitelisting in the milter at last stage is only for > dumb unconditional false positives leading to rejects > > On 19.01.2017 at 20:54 Reindl Harald wrote: > > On 19.01.2017 at 20:50 Paul Kosinski wrote: > >> What if a white-listed sender later

Re: [clamav-users] whitelisting sender or recipient

2017-01-19 Thread Paul Kosinski
What if a white-listed sender later becomes part of a botnet? However trustworthy the person is, their email isn't necessarily trustworthy. (The "From:" address could easily be faked, for example.) On Thu, 19 Jan 2017 08:02:39 +0100 z...@aian.de wrote: > Hey there, > > I bet it's an easy one

Re: [clamav-users] ClamAV updates

2016-09-09 Thread Paul Kosinski
I just looked at my logs, and I agree it's bad. I haven't seen an update since the one to 22199, which was 72 hours ago (see below). Paul -- Tuesday 06 September 2016 at 21:06:02 -- Current working dir is

Re: [clamav-users] Feature request: show checksums of virus databases on the clamav.net website

2016-09-29 Thread Paul Kosinski
Is the reason you don't want people downloading the CVDs directly because that approach doesn't distribute the load, or do you have some changes in mind for Freshclam that are incompatible with simple direct downloading? I'd hate to see ClamAV going the way of smartphones and tablets, with

Re: [clamav-users] How to get each file status when scanning a directory using clamdscan

2016-10-05 Thread Paul Kosinski
Some years ago, before ClamAV had an option to follow symlinks when recursing, I modified the source code to add an option to do that. It was not too much work to do it once, but it got tedious to roll the modifications forward and recompile with every new version, as I like to keep up, even ahead

Re: [clamav-users] clamd does not bind to port when starting through init.d/service ubuntu 16.04

2016-08-27 Thread Paul Kosinski
Does systemd have any ALLOW/DENY option (like Apache) for directories? The "InaccessibleDirectories" option seems tedious and error prone, especially since *all* x.service files would have to be checked every time a new service, with perhaps new directories, is added. On Sat, 27 Aug 2016

Re: [clamav-users] clamd does not bind to port when starting through init.d/service ubuntu 16.04

2016-08-28 Thread Paul Kosinski
(contemporaneous with Unix, but totally independent), and IBM Research 1970-1971 ("Future Systems", leading to System 38 and AS/400). On Sat, 27 Aug 2016 20:52:58 +0200 Reindl Harald <h.rei...@thelounge.net> wrote: > > > Am 27.08.2016 um 20:45 schrieb Paul K

Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Paul Kosinski
Of course, if anybody is able to find out what the magic filename is, they could mount a targeted attack. How are the PDFs generated? Would it be possible to attach a cryptographic signature to assert their validity? (That would probably require an additional step on receipt as well as

Re: [clamav-users] Old virus databases?

2017-01-05 Thread Paul Kosinski
To make back-out easier, I rarely purge daily.cvd and main.cvd, but just rename the old ones with a date suffix, e.g., "daily.cvd.150416-0235". I could easily provide a few from the past 1.5 years, and might be able to find even older ones (with the associated main.cvd). On Thu, 5 Jan 2017

Re: [clamav-users] Daily 23161 broke Clam

2017-03-05 Thread Paul Kosinski
I build Linux ClamAV from source, mainly due to distro maintainers being (quite) behind the latest official ClamAV. Also, I build ClamAV into /opt, so I can keep previous versions just in case. On Sun, 5 Mar 2017 12:51:04 + "Joel Esler (jesler)" wrote: > The question here

Re: [clamav-users] ClamAV documentation help needed

2017-08-10 Thread Paul Kosinski
I use a very simple logging setup (not syslog): LogFile /var/log/clamav/clamd.log LogFileMaxSize 0 You didn't say how your MTA is passing the emails to be scanned to ClamAV. Perhaps that interface program, such as Amavis, a Milter, etc., is logging something useful. Or it may even not be

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-17 Thread Paul Kosinski
Are MP3 files ignored because it is impossible that MP3 software ever has buffer overflows or other security flaws??? Or is it because MP3 files are compressed (i.e., random-looking) and thus may cause false positives? What about all the other compressed or encrypted file types which might do the

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-18 Thread Paul Kosinski
"...the worst thing that might happen would involve crashing the player..." No, the worst thing that might happen is that a buffer overflow results in code execution in the player's security context. With deliberate malicious code added to the MP3 data stream, this could even lead to encrypting

[clamav-users] New ClamAV update?

2017-06-29 Thread Paul Kosinski
I just got a security notice from SuSE talking about updating ClamAV. The CVE looks quite old: is SuSE so far behind, or is there something recent to worry about? SUSE Security Update: Security update for clamav

Re: [clamav-users] issues with mirror - 194.186.47.19

2017-06-19 Thread Paul Kosinski
IP addresses which PTR-resolve to ".edu", but I don't do that a lot (and I certainly don't log every dropped SYN). On Sun, 18 Jun 2017 18:23:32 +0100 (BST) "G.W. Haywood" <cla...@jubileegroup.co.uk> wrote: > Hi there, > > On Sun, 18 Jun 2017, Paul Kosins

Re: [clamav-users] issues with mirror - 194.186.47.19

2017-06-20 Thread Paul Kosinski
0 "Walter H." <walte...@mathemainzel.info> wrote: > On Sat, June 17, 2017 18:23, Paul Kosinski wrote: > > Why do you reject *all* email from ".edu". Doesn't that cut you off > > from lots of useful technological info? (I don't think I *ever* see > > spam from &q

Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19

2017-06-01 Thread Paul Kosinski
I, too, get very annoyed by companies that use more than one domain at the first level: it seems that relatively few companies do it the "way it was intended", via a subdomain. Even Google (who ought to know better) has several extra first level domains, like gstatic.com, 1e100.net (ha, ha) etc.,

Re: [clamav-users] Main CVD and Main Cdiff have been published

2017-06-07 Thread Paul Kosinski
My new "main.cvd" is 117,892,267 bytes. Paul On Wed, 07 Jun 2017 15:36:13 -0700 Al Varnell wrote: > Joel, > > It might help some to know the sizes for both main.cvd and > the .cdiff. You had previously promised to provide us with that > information. > > -Al- > > On Wed,

Re: [clamav-users] issues with mirror - 194.186.47.19

2017-06-17 Thread Paul Kosinski
Why do you reject *all* email from ".edu"? Doesn't that cut you off from lots of useful technological info? (I don't think I *ever* see spam from ".edu".) On Fri, 16 Jun 2017 17:22:53 +0100 (BST) "G.W. Haywood" wrote: > Hi there, > > On Jun 15, 2017, Joel Esler

Re: [clamav-users] Use on linux operating systems

2017-06-13 Thread Paul Kosinski
As well as mail scanning, we use CLAMAV with HAVP for HTTP scanning. Although HAVP is not currently being developed, it seems to work OK. P.S. HAVP uses the CLAMAV library directly to do the scanning, rather than CLAMD or (worse) CLAMSCAN. On Tue, 13 Jun 2017 09:37:36 + Paul Moreno

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
I was mistaken: it turns out that ClamAV 0.99.2 *will* scan CD-size ISO files. I just had to set --max-filesize and --max-scansize big enough. And with the -v and -a options added, it *did* indicate it was scanning files within the ISO. I haven't had a chance to try 0.99.3 yet. On Thu, 14 Sep

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
To continue... Since this is the year 2017, and 64-bit computing has been around for years, I decided to see how a Windows AV package would handle my ISO which is "too big" for ClamAV. I copied it over to a 64-bit Win7 machine with lots of RAM (32 GB), and scanned it with Microsoft "Security

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
the problem that DVD ISOs are "too big". Paul Kosinski On Thu, 14 Sep 2017 12:51:38 -0400 Steven Morgan <smor...@sourcefire.com> wrote: > ClamAV contains an iso9660 parser. > > The clamscan --debug option may give a clue as to why it is not being >

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Paul Kosinski
Thanks, but it doesn't help (still scans 0 data bytes). On Wed, 13 Sep 2017 10:33:35 -0400 Steven Morgan wrote: > Paul, > > in addition to max-filesize, try max-scansize. > > Steve > ___ clamav-users mailing list

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Paul Kosinski
On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote: > > The file is an image. Open the image up and then scan. Does clamscan > open images itself and then perform a scan? > > YES! It scans *inside* ZIP, TAR, RAR etc. (Maybe these have a 4 GB limit too?) If ClamAV

Re: [clamav-users] Signatures in md5sum not in sha256sum

2017-09-08 Thread Paul Kosinski
MD5 has been discredited (found insecure) a long time ago. Putting out *new* signatures with SHA256 shouldn't be all that hard. And just like some new sigs needing a recent version of ClamAV because of their content, SHA-signed sigs could demand a new ClamAV version. As far as a being a security

[clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-12 Thread Paul Kosinski
Clamscan read the entire ISO, but didn't scan any of it! I thought 21st century software was finally in the 64-bit era. --- ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso -rw-r--r-- 1 ime users 4660914176

Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-25 Thread Paul Kosinski
We were getting a lot of failed attempts to download from various mirrors, but I don't think it ever completely blocked updates. In any case, early Friday morning I deleted mirrors.dat to see if it would help. Since then I have seen several "bad" mirrors, but have still been able to download

Re: [clamav-users] Questions about ClamAV

2017-11-20 Thread Paul Kosinski
My experience is that ClamAV is limited to 4 GB for the size of a file. Apparently it still uses 32-bit numbers (as opposed to addresses) even on 64-bit machines. On Mon, 20 Nov 2017 18:42:22 -0800 Al Varnell wrote: > On Mon, Nov 20, 2017 at 03:48 PM, Micah Snyder

Re: [clamav-users] Clamav - web monitoring

2017-11-03 Thread Paul Kosinski
If you mean a way to scan live HTTP traffic, then take a look at HAVP. I use HAVP on Linux. It's a proxy-ish process: it scans data passing through. It isn't actively being developed, but it still works OK. Since it uses libclamav directly, it doesn't add the extra overhead that involving clamd

Re: [clamav-users] fail updates

2017-11-06 Thread Paul Kosinski
Here's our latest actual download (subsequent queries showed nothing new). Note that 204.130.133.50 worked for us (from 66.31.152.192). Paul -- Monday 06 November 2017 at 09:06:03 EST -- Current working dir is

Re: [clamav-users] fail updates

2017-11-06 Thread Paul Kosinski
I killed our "mirrors.dat" at 2017-11-06 19:35:35 (EST). It was last modified at 2017-11-06 18:06:29 (EST). We'll see what happens. Paul Kosinski On Mon, 6 Nov 2017 21:21:58 + "Joel Esler (jesler)" <jes...@cisco.com> wrote: > It would be helpful, if, start

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-01 Thread Paul Kosinski
ation lookup. Helps us see what > versions people are running out there and what version of ClamAV > people are using. Its failure shouldn't stop the update process. > Please give us a debug. > > Sent from my iPhone > > > On Jun 30, 2018, at 19:28, Paul Kosinski > &g

Re: [clamav-users] VirusDB Updates Broken?

2018-06-26 Thread Paul Kosinski
Looking into it. > >> > >> Sent from my iPhone > >> > >> > >> > On Jun 24, 2018, at 23:12, Al Varnell wrote: > >> > > >> > Yes, but all but one was empty. > >> > > >> > Sent from my iPad > >> >

Re: [clamav-users] Tweet by ClamAV - Cloudflare

2018-06-27 Thread Paul Kosinski
Assuming my map reading is correct, it looks like the San Francisco area saw the biggest improvement. Why wouldn't they have had really good service to begin with? On Wed, 27 Jun 2018 14:25:47 + "Joel Esler (jesler)" wrote: > I generally wouldn’t copy a Tweet over to the mailing list, but

Re: [clamav-users] Tweet by ClamAV - Cloudflare

2018-06-27 Thread Paul Kosinski
o it, is because for some reason, there are > a bunch of people in Italy attempting to fetch from the Ireland > mirror. Maybe because of unreliability in that region at some point, > and they left it that way... In any case, everyone is being served > out of their closest POP now

Re: [clamav-users] off topic Re: clamav list spf problem

2018-06-24 Thread Paul Kosinski
This reminds me of one of the reasons I dropped commercial AV software in favor of Open Source ClamAV: I decided that I would prefer somewhat less comprehensive AV rather than "full featured" AV that does things you can't control (or sometimes even know about). P.S. We also have internal email

Re: [clamav-users] VirusDB Updates Broken?

2018-06-24 Thread Paul Kosinski
I've gotten several daily.cvd updates in that period. They came from several IP addresses associated with http://db.us.clamav.net/. On Sun, 24 Jun 2018 18:08:59 -0700 Al Varnell wrote: > Just wanted to point out that there has only been one signature added > to the VirusDB by daily updates in

Re: [clamav-users] VirusDB Updates Broken?

2018-06-26 Thread Paul Kosinski
Esler (jesler)" wrote: > I just purged db.us’s cache. Can you try? > > Sent from my iPhone > > > On Jun 26, 2018, at 20:24, Paul Kosinski > > wrote: > > > > Joel, > > > > Sorry to have been somewhat cryptic: I assumed the context of the > &

Re: [clamav-users] VirusDB Updates Broken?

2018-06-26 Thread Paul Kosinski
enever]? On Tue, 26 Jun 2018 20:01:09 + "Joel Esler (jesler)" wrote: > Define broken in your context? Doesn't have the file? (Humor me, so > I understand from your parlance) > > > > > On Jun 26, 2018, at 2:59 PM, Pa

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-02 Thread Paul Kosinski
> mirrors are synched (push) quickly from the repository and the next > tier of mirrors can now update from this block of mirrors rather than > the repository alone, and this will distribute the load and minimize > bandwidth induced lag. NIS works in this fashion. > > Another o

[clamav-users] Proposals for more reliable updates

2018-07-02 Thread Paul Kosinski
Currently, when a daily.cvd is downloaded, its version and other such info is in the first N bytes of the whole file, which is quite big. How about repeating that information in the HTTP response header, so it could be retrieved by an HTTP HEAD command, rather than having to do a massive GET,

[clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-06-30 Thread Paul Kosinski
We are *still* failing to get ClamAV cvd file updates reliably -- even after deleting mirrors.dat before each attempt! The basic problem seems to be that the query to (e.g.): daily.24710.85.1.0.6810BB8A.ping.clamav.net fails as often as not (e.g.): Querying

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-02 Thread Paul Kosinski
a result of > > the move from ClamAV mirrors to the ClamAV CDN. > > > > Sent from my iPad > > > > -Al- > > > >> On Jul 1, 2018, at 20:38, Dennis Peterson > >> wrote: > >> > >>> On 7/1/18 8:24 PM, Paul Kosinski wrote: > &

Re: [clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

2018-07-03 Thread Paul Kosinski
Determining what version a *mirror* has is a bit tricky. Looking at the capture of the entire HTTP session with the new mirrors, they seem to require some header magic to be acceptable: Host: db.us.clamav.net User-Agent: ClamAV/0.99.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) Simply trying

Re: [clamav-users] Problem with Max Open descriptor Files limit

2018-01-26 Thread Paul Kosinski
I observed this running out of file descriptors yesterday when running 0.99.2 to scan the download of 0.99.3. I had never seen this behavior before, but ascribed it to using clamscan with its memory limit set to 4095M to ensure that absolutely everything was scanned. One of our clamd processes died

[clamav-users] I have older daily.cvd files if anyone is interested

2018-01-26 Thread Paul Kosinski
I have been keeping various old versions of the "daily" files for years, and felt like that was silly -- until now! I have now replaced my daily.cvd with version 24253, and clamd doesn't seem to be eating file descriptors. If anyone wants 24253, I have made it available at
