Re: [clamav-users] Clamd ERROR: On-access scan is not available

2013-12-23 Thread Steven Morgan
It looks like ScanOnAccess requires fanotify rather than Dazukofs. Do you have /usr/include/linux/fanotify.h on your system? Steve On Mon, Dec 23, 2013 at 4:37 AM, wrote: > > > Hi, > > I have installed clamav, clamd 0.98 on redhat EL5.8. I have also > installed Dazukofs to support on access scan

Re: [clamav-users] Clamd ERROR: On-access scan is not available

2013-12-30 Thread Steven Morgan
here to get the latest manual for troubleshooting such problem. > > Thanks in advance. > > AUTHOR: Steven Morgan[1] > DATE: 2013-12-24 01:12 +800 > TO: ClamAV users ML[2] > SUBJECT: Re: [clamav-users] Clamd ERROR: On-access scan is not available > > It looks ScanOnAccess requ

Re: [clamav-users] Multiboot System

2014-01-10 Thread Steven Morgan
Please see the --database option of clamscan and the DatabaseDirectory clamd.conf statement. On Fri, Jan 10, 2014 at 7:04 AM, Adam Berridge wrote: > I have a single computer with One linux and two MS Windows XP systems on > it. I want to know if I can, and how to set clamAV up on each system so

Re: [clamav-users] Clamav configuration

2014-01-15 Thread Steven Morgan
The IP address in clamd.conf TCPAddr is a local address on the clamd machine. Remote clients using clamd will connect to this address. On Wed, Jan 15, 2014 at 3:01 AM, Joshua Soulwin Malayappan < joshua_malayap...@infosys.com> wrote: > Hi, > > I am using clamav server to scan from another host c

Re: [clamav-users] Problems with obfuscated code (php)

2014-01-31 Thread Steven Morgan
Torge, You may find the ClamAV useful in doing this. http://www.clamav.net/lang/en/download/sources/ On Fri, Jan 31, 2014 at 12:08 PM, Torge Husfeldt wrote: > Hi List, > > I have a problem with obfuscated php-code of well-known shells. > I have prepared an example where clamav correctly detect

Re: [clamav-users] Problems with obfuscated code (php)

2014-01-31 Thread Steven Morgan
Sorry, I mistyped my previous reply, meant to say: You may find the ClamAV "bytecode compiler" useful in doing this. http://www.clamav.net/lang/en/download/sources/ On Fri, Jan 31, 2014 at 2:53 PM, Steven Morgan wrote: > Torge, > > You may find the ClamAV useful in d

Re: [clamav-users] ClamAV Socket Read Timeout

2014-02-05 Thread Steven Morgan
You can make sure clamd is working by telnet'ing to the clamd port and using one of the commands shown in 'man clamd' such as PING and/or by turning on a network trace such as wireshark. Steve On Wed, Feb 5, 2014 at 10:30 AM, Bhinder, Harinder < harinder.bhin...@zoominfo.com> wrote: > I'm conne

Re: [clamav-users] On access scan: OnAccessIncludePath not recursive?

2014-02-10 Thread Steven Morgan
Sandro, Yes, that is a reasonable expectation. From reviewing the code (clamd/fan.c), the current use of fanotify will not recurse into sub-directories. There is a way to specify fanotify for a mount point including sub-directories (FAN_MARK_MOUNT), but that appears to be unimplemented at present.

Re: [clamav-users] On access scan: OnAccessIncludePath not recursive?

2014-02-12 Thread Steven Morgan
any plans > to add recursion for OnAccessIncludePath? Would be a great feature, > especially when users add directories to their home dir. > > Regards, > Sandro > > Am 11.02.2014 01:02, schrieb Steven Morgan: > > Sandro, > > > > Yes, that is a reasonable expectatio

Re: [clamav-users] about MaxQueue

2014-02-18 Thread Steven Morgan
Tsutomu, Take a look at the clamdtop command. There are also some unix commands that may help: ps -eLF, lsof, gdb/info threads. If these do not get you the info you are looking for, you can modify the code to put in the confirmations. The code handling threads and queues is clamd/others.c, clamd/t

Re: [clamav-users] about MaxQueue

2014-02-19 Thread Steven Morgan
Steve, > > Thanks for your advice. > We'll try clamdtop command. > > BTW how it affects MaxQueue in clamd? > > Best regards, > Tsutomu Oyamada > > On Tue, 18 Feb 2014 16:13:15 -0500 > Steven Morgan wrote: > > > Tsutomu, > > > > Take a look

Re: [clamav-users] Finding infections in a tar-ball

2014-04-11 Thread Steven Morgan
Mischa, Can you send me your file for debugging? Thanks, Steve On Fri, Apr 11, 2014 at 5:20 AM, Mischa Coenen wrote: > > > Tried the scan with the --recursive option but didn't help, I see that the > archive is extracted and scanned when I check the debug output but the > eicars are not dete

Re: [clamav-users] Finding infections in a tar-ball

2014-04-14 Thread Steven Morgan
essage- > > From: clamav-users-boun...@lists.clamav.net > [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Steven Morgan > > Sent: vrijdag 11 april 2014 20:03 > > To: ClamAV users ML > > Subject: Re: [clamav-users] Finding infections in a tar-ball > > >

Re: [clamav-users] Finding infections in a tar-ball

2014-04-15 Thread Steven Morgan
have send > you an email on your own email account with a link to the > > > debug file. > > > > > > Regards, > > > > > > Mischa > > > > > > > > > > -Original > > > > Message- > > > > > >

Re: [clamav-users] clamav issues - Cannot find Socket (/var/run/clamav/clamd) Exiting!

2014-05-01 Thread Steven Morgan
Hi Rich, I'll have a look at the verbose/debug output if you can send that. Also, on which OS does this occur? Steve On Thu, May 1, 2014 at 10:12 AM, Richard Mealing wrote: > Hi everyone, > > I'm running clamav with mailscanner and I'm seeing lots of problems with > clamd crashing. > > I did

Re: [clamav-users] Clamav is not finding any viruses

2014-05-08 Thread Steven Morgan
Hi Thorvald, You can also check which vendors' AV systems detect viruses on a file at virustotal.com. Also, please submit your virus file to http://www.clamav.net/lang/en/sendvirus/ so that we can write a ClamAV signature for it. Thanks, Steve On Thu, May 8, 2014 at 11:01 AM, Thorvald Hallvar

Re: [clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steven Morgan
Hi Steve, We're looking into this. A couple questions: which version of windows? 32bit or 64bit windows? 32bit or 64bit ClamAV? Thanks, Steve On Thu, May 8, 2014 at 11:41 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > Just a quick report... > > 0.98.3 crashes... 0.98.1 no issues.

Re: [clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steven Morgan
Sorry, didn't pay attention to subject line :) On Thu, May 8, 2014 at 11:55 AM, Steven Morgan wrote: > Hi Steve, > > We're looking into this. A couple questions: which version of windows? > 32bit or 64bit windows? 32bit or 64bit ClamAV? > > Thanks, > Steve > &

Re: [clamav-users] Crash on db reload: 0.98.3 (OS: win32, ARCH: i386

2014-05-08 Thread Steven Morgan
Thanks, we have reproduced the problem as well and will have it fixed shortly. Steve M On Thu, May 8, 2014 at 7:19 PM, Paul Whelan wrote: > On 8 May 2014 at 18:48, Steve Basford wrote: > > > > > > > > Hey Steve, > > > Could you send me over a copy of your clamd.conf, please? > > Hi Shawn, > >

Re: [clamav-users] Version 0.98.3 hard loops on "clamdscan -V"

2014-05-09 Thread Steven Morgan
Eric, I have confirmed this on ubuntu 12.04 on x64. Bugzilla bug for tracking is 10992. Thanks for your report, Steve On Fri, May 9, 2014 at 2:48 PM, Eric Shubert wrote: > On 05/09/2014 04:41 AM, Shawn Webb wrote: > >> On Thu, May 8, 2014 at 10:35 PM, Eric Shubert wrote: >> >> Immediately

Re: [clamav-users] Version 0.98.3 hard loops on "clamdscan -V"

2014-05-09 Thread Steven Morgan
Confirmed in gdb, it is looping in the same place in proto.c lines 97 and 98. On Fri, May 9, 2014 at 3:17 PM, Shawn Webb wrote: > On Fri, May 9, 2014 at 3:02 PM, Philippe Ratté > wrote: > > > Hello, > > > > This may not be related; however I am also having some loop issues with > > 0.98.3 > > >

Re: [clamav-users] Version 0.98.3 hard loops on "clamdscan -V"

2014-05-09 Thread Steven Morgan
Eric, I've confirmed this is fixed by the patch in https://bugzilla.clamav.net/show_bug.cgi?id=10987 Steve On Fri, May 9, 2014 at 3:21 PM, Steven Morgan wrote: > Con

Re: [clamav-users] clamav-0.98.1 crashing

2014-05-20 Thread Steven Morgan
Hi Rich, Any details will help for starters, such as a stack trace of the crash, clamav version, OS version, processor architecture, clamav debug logs, etc. Also, you could try the 0.98.4 release candidate, which is a bug fix release. It is here: http://sourceforge.net/projects/clamav/files/RC/c

Re: [clamav-users] clamav-0.98.1 crashing

2014-05-20 Thread Steven Morgan
GR: active jobs for 0x8163b3a60: 3 > Tue May 20 14:59:59 2014 -> THRMGR: queue (single) crossed low threshold > -> signaling > Tue May 20 14:59:59 2014 -> THRMGR: queue (bulk) crossed low threshold -> > signaling > Tue May 20 14:59:59 2014 -> Finished scanthread > Tue May

Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!

2014-05-20 Thread Steven Morgan
Hi, It would help a lot and eliminate much guesswork if someone who has this problem could build a debug version of clamav, as in: ./configure --enable-debug [other flags] CFLAGS='-g -O0' and reproduce the problem with clamd running under gdb (sudo gdb clamd) with the clamd.conf statement: Fore

Re: [clamav-users] List-Archive header field update needed

2014-07-02 Thread Steven Morgan
Scott, List-Archive: now redirects to: http://lurker.clamav.net/list/clamav-users.html Thanks for noting this. On Thu, Jun 26, 2014 at 12:47 AM, Scott Kitterman wrote: > The mails from the list currently include: > > List-Archive:

Re: [clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

2014-07-18 Thread Steven Morgan
Alessandro, Also, have a look at the document phishsigs_howto.pdf in the ClamAV docs/ directory. It contains some info on identifying the reason for the phish detection and on how to write whitelist signatures. You should be able to create a local whitelist, local.wdb for example, and add that to

Re: [clamav-users] Bank's newsletter tagged as Heuristics.Phishing.Email

2014-07-21 Thread Steven Morgan
Alessandro, Agreed. You can submit fp's and help keep the databases current by sending the messages to this website: http://www.clamav.net/lang/en/sendvirus/submit-fp/ On Fri, Jul 18, 2014 at 3:28 PM, Alessandro Vesely wrote: > Hi Steve, > > On Fri 18/Jul/2014 19:00:08 +0200

Re: [clamav-users] False Positive & File Decompression errors

2014-08-19 Thread Steven Morgan
Manoj, Please open a bugzilla ticket at bugzilla.clamav.net and attach the swf file. We'll investigate ASAP. Thanks, Steve On Tue, Aug 19, 2014 at 9:32 AM, Manoj Chitrala wrote: > Thanks Douglas. Please can you suggest about the errors about > decompressing the file. > > > Thank

Re: [clamav-users] clamav-milter: Failed to create temporary file

2014-08-21 Thread Steven Morgan
Hi Urban, I took a look at this code. The real problem is the inability to create a temporary file. The second message just results from the return code of the function that attempts to create the temp file. We need to find out why the temp file creation fails. There should also be a clamav error

Re: [clamav-users] clamav-milter: Failed to create temporary file

2014-09-02 Thread Steven Morgan
d Rye wrote: > On Thu, 2014-08-21 at 19:22 -0400, Steven Morgan wrote: > > Hi Urban, > > > > I took a look at this code. The real problem is the inability to > > create a > > temporary file. The second message just results from the return code > > of the > &

Re: [clamav-users] Conflicting structured data detections

2014-09-02 Thread Steven Morgan
Hi Frank, I've looked at the code. --structured-ssn-format alone does nothing. What is your result using both --structured-ssn-format and --detect-structured=yes? Also, I hear you about your regex scan. If you want to open a ticket at bugzilla.clamav.net and post your file, we can take a look at

Re: [clamav-users] clamd crashed

2014-09-03 Thread Steven Morgan
Hello Hans, Please send your clamd.conf to me at smor...@sourcefire.com. If you can identify a file or email that causes the failure, that will help as well. In the meantime, I'll find a place where you can send your core file. Thanks, Steve On Wed, Sep 3, 2014 at 11:46 AM, MAYER Hans wrote:

Re: [clamav-users] clamav-milter: Failed to create temporary file

2014-09-09 Thread Steven Morgan
Roadtech < d@roadtech.co.uk> wrote: > On Tuesday 02 September 2014 23:12, Steven Morgan wrote: > > Hi J. David, > > > > Thanks for the additional analysis and information. I've been looking at > > this for a bit today. I have opened a ticket in the ClamAV bu

Re: [clamav-users] LibClamAV Warning: cli_scanxz: decompress file size exceeds limits

2014-09-26 Thread Steven Morgan
Chamal, Have a look at the --max-filesize parameter on the clamscan man page and try using with a value that accommodates your file size. Steve On Fri, Sep 26, 2014 at 1:09 AM, chamal desilva wrote: > Hi, > > OS: Ubuntu 14.04 64 bit > ClamAv Version: ClamAV 0.98.1/19437/Fri Sep 26 04:06:13 201

Re: [clamav-users] ARM Cross Compile

2014-09-29 Thread Steven Morgan
Thanks for the reports. Yes, we can fix those, I've opened bugzilla bug 11124 for the next ClamAV maintenance release. Bernd, you may want to set up an account at bugzilla.clamav.net for reporting and to help keep track of these sorts of things. Steve On Sun, Sep 28, 2014 at 9:08 AM, Bernd Kuhls

Re: [clamav-users] Bugzilla setup, was: Re: ARM Cross Compile

2014-10-03 Thread Steven Morgan
I'll CC you on the bug report. On Fri, Oct 3, 2014 at 4:55 AM, Bernd Kuhls wrote: > Steven Morgan wrote in news:CAH- > jhOA_stD2h8pvK3zU_aa3q0rfOE0r7S_F=xwjmihhtbc...@mail.gmail.com: > > > Thanks for the reports. Yes, we can fix those, I've opened bugzilla bug >

Re: [clamav-users] Bugzilla setup, was: Re: ARM Cross Compile

2014-10-03 Thread Steven Morgan
Try it now. The bug report is now public. On Fri, Oct 3, 2014 at 10:36 AM, Gene Heskett wrote: > On Friday 03 October 2014 04:55:34 Bernd Kuhls did opine > And Gene did reply: > > Steven Morgan wrote in news:CAH- > > > > jhOA_stD2h8pvK3zU_aa3q0rfOE0r7S_F=xwjm

Re: [clamav-users] clamav eating CPU since Friday

2014-10-27 Thread Steven Morgan
Hi Patrick, Sounds like you probably have an infinite (or long running) loop, but I would like to get a little more info. Are you running the latest version of ClamAV? The latest is 0.98.4. You can tell with 'clamscan --version'. There was a long running loop issue that was fixed in 0.98.4. If yo

Re: [clamav-users] Archive & signature precedence

2014-11-06 Thread Steven Morgan
Hi Cedric, I have a few questions/points: - Are you writing your own zmd/rmd signatures? - If so, have you tried using .cdb signatures? I've noticed in docs/signatures.pdf the zmd/rmd are annotated as "obsolete" and the cdb format seems to subsume, although this may not accomplish what you wa

Re: [clamav-users] clamscan detects, but clamd doesn't

2015-01-26 Thread Steven Morgan
Hi Dave, I am wondering what happens if you use clamdscan on your phish_test file? Steve On Mon, Jan 26, 2015 at 7:42 AM, Dave McMurtrie wrote: > Hi, > > We've been running ClamAV successfully for years. Recently, I added a URL > to our local.gdb database to block a malicious URL. When I se

Re: [clamav-users] clamscan detects, but clamd doesn't

2015-01-26 Thread Steven Morgan
files: 1 > Time: 0.017 sec (0 m 0 s) > > > Is there a way to configure clamd to do debug-level logging like you can > do with clamscan? > > Thanks! > > Dave > > > From: clamav-users [clamav-users-boun...@lists.clamav.net] on beh

Re: [clamav-users] clamscan detects, but clamd doesn't

2015-01-26 Thread Steven Morgan
aw message for the DATA phase. I > was initially sending the message using a program I wrote that basically > does the same except it will munge a few of the headers. I stopped using > that to remove any variables from my testing. > > In case it matters, I'm running 0.98.

Re: [clamav-users] I have some queries about ClamAV

2015-01-28 Thread Steven Morgan
clamscan and clamd options exist to remove or move (--move --remove) infected files. The documentation indicates use with care. I've not tried them myself. Steve On Tue, Jan 27, 2015 at 7:40 PM, Dennis Peterson wrote: > He wants to know if ClamAV takes any corrective action such as quarantine >

Re: [clamav-users] I have some queries about ClamAV

2015-02-02 Thread Steven Morgan
1. I found the documentation on --move and --remove options in the man pages for clamscan and clamdscan. 2. --move=DIRECTORY Move infected files into DIRECTORY. However, as the man pages and Dennis point out, use of these is probably not a good idea. Steve On Mon, Feb 2, 2015 at 10

Re: [clamav-users] Calamav cannot scan tar file and gzip files?

2015-02-16 Thread Steven Morgan
Manoj, Seems like this should work. What happens if you scan your tar and tar.gz files just using clamscan? You can run your clamd in debug mode by setting "Foreground yes" and "Debug yes" in clamd.conf, then run clamd from a terminal window. This may give you an indication about why clamd does no

Re: [clamav-users] [SUSPECTED SPAM] Re: Calamav cannot scan tar file and gzip files?

2015-02-17 Thread Steven Morgan
On Tue, Feb 17, 2015 at 1:11 AM, Manoj Ramakrishnan < manojramakrish...@nbnco.com.au> wrote: > Hi Al, > > Thanks for replying. > It is exactly what I thought. But why is it different from ZIP file? > I added extra characters in the beginning of the ZIP file but no issues in > scanning that and fin

Re: [clamav-users] Why is ArchiveBlockMax obsoleted?

2015-02-26 Thread Steven Morgan
Hi Vladislav, Unfortunately there is currently not an option to flag files when MaxRecursion is exceeded. Looking at the README, ArchiveBlockMax was removed from ClamAV in 0.93, don't know what were the reasons, it was before my time. Maybe a search of the mail list archive could give insight, or

Re: [clamav-users] clamav 0.98.6 debian wheezy segfault after database modification

2015-03-11 Thread Steven Morgan
Hello Hudri, Is it possible to capture the email and/or create a test scenario? This will help to get the issue resolved. Steve On Wed, Mar 11, 2015 at 4:12 PM, Hudri Wudri wrote: > Hello, > > I am using clamav in combination with clamsmtp and postfix. I used this > setup since two weeks with

Re: [clamav-users] clamav 0.98.6 debian wheezy segfault after database modification

2015-03-11 Thread Steven Morgan
What you can do is open a bugzilla ticket at bugzilla.clamav.net and attach it to the ticket. Steve On Wed, Mar 11, 2015 at 4:47 PM, Hudri Wudri wrote: > The user got the email in his inbox in outlook. How do i attach that mail > to the mailing list? > Am 11.03.2015 21:41 schrie

Re: [clamav-users] clamav 0.98.6 debian wheezy segfault after database modification

2015-03-11 Thread Steven Morgan
g the email? > Am 11.03.2015 22:01 schrieb "Steven Morgan" : > > > What you can do is open a bugzilla ticket at bugzilla.clamav.net and > > attach > > it to the ticket. > > > > Steve > > > > On Wed, Mar 11, 2015 at 4:47 PM, Hudri Wudri >

Re: [clamav-users] ClamXav and Compressed Files

2015-03-30 Thread Steven Morgan
Al, Could you please open a ticket at bugzilla.clamav.net and attach your EicarTest.dmg and also the command used to create it? We'll take a look at what's going on. Thanks, Steve On Sat, Mar 28, 2015 at 6:21 PM, Al Varnell wrote: > I sent this out last night, but it must have been rejected fo

Re: [clamav-users] clamd stops working - No stats for Database check - - forcing reload - stops

2015-04-22 Thread Steven Morgan
This message (" No stats for Database check - forcing reload ") is from clamd's initial self check function. It is indicating that the signature database will be force reloaded. Subsequent self checks (every 10 minutes or as specified by parameter SelfCheck) do not force reload the database. This

Re: [clamav-users] using clamdscan and clamd to do complete file system scan

2015-04-28 Thread Steven Morgan
Clamdscan with clamd should scan directories recursively. Check out clamd configuration parameters FollowDirectorySymlinks and FollowFileSymlinks in case they apply. Steve On Tue, Apr 28, 2015 at 2:33 PM, John McGowan wrote: > Hi, > > I've been banging my head trying to figure this out on my ow

Re: [clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite

2015-04-30 Thread Steven Morgan
Please try ./configure --enable-llvm=no. There was a bug report for Clam 0.98.7 on MacOS X 10.10.3 involving llvm, so this is worth a try. On Wed, Apr 29, 2015 at 11:43 PM, Larry Stone wrote: > I tried building with the options from ClamXav article you referenced > below but it was no help. Stil

Re: [clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite

2015-04-30 Thread Steven Morgan
Fault occurs when trying to build > 0.98.6 on 10.10.3 so it would appear to be an OS X 10.10.3 issue, not a > 0.98.7 issue. I went directly from 10.9.latest to 10.10.3 so I don't know > if 10.10.x x<3 has the same issue. > > -- Larry Stone > lston...@stonejongleux.com >

Re: [clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite

2015-04-30 Thread Steven Morgan
Should I submit a bug on this or does 11309 > cover it although it's a different symptom? I see 11309 has new activity > today. Having always found a solution with a good search in the past, > submitting a bug will be all new to me. > > > -- Larry Stone >lston...@stonej

Re: [clamav-users] Clamav Scan on Access

2015-05-14 Thread Steven Morgan
Hi Alessandro, We are tracking the future "on access" effort in ClamAV with the following: https://bugzilla.clamav.net/show_bug.cgi?id=11049 Thanks, Steve On Thu, May 14, 2015 at 11:03 AM, Alessandro Baggi < alessandro.ba...@gmail.com> wrote: > Hi list, > I'm new user on list. > I've installe

Re: [clamav-users] Prioritise Custom signatures first when scanning

2015-06-02 Thread Steven Morgan
Unfortunately ClamAV is not structured for this use case. Sounds like it could be done, but would require writing a custom application using multiple ClamAV scanning engines. Steve On Tue, Jun 2, 2015 at 10:03 AM, Adam Massey wrote: > hello > Is there any way to make clamav test custom virus si

Re: [clamav-users] daily.cvd: Malformed database

2015-06-05 Thread Steven Morgan
You could also try './configure --enable-llvm=no' and compile with gcc 3. This will disable compiling the bytecode just-in-time compiler and use the bytecode interpreter instead. On Fri, Jun 5, 2015 at 5:24 AM, Yuri Voinov wrote: > Solaris 10 have shipped GCC 3. You need to use fresh GCC 4 from,

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-05 Thread Steven Morgan
No windows binaries yet, but work is in progress. Thanks, Steve On Fri, Jun 5, 2015 at 11:02 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > > On Wed, June 3, 2015 8:02 pm, Joel Esler (jesler) wrote: > > > > > ClamAV 0.99b Meets YARA! > > The first beta release of ClamAV 0.99 is now

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-10 Thread Steven Morgan
Dennis, We don't have an on-line rule testing utility. If I see one anywhere, I'll let you know. Line feeds and other white space can be compressed in yara rules. Referencing other rules within a condition is one of the yara features that is not supported in ClamAV 0.99 beta1. We are looking at

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steven Morgan
he grammar. > > dp > > > On 6/10/15 12:55 PM, Steven Morgan wrote: > >> Dennis, >> >> We don't have an on-line rule testing utility. If I see one anywhere, I'll >> let you know. >> >> Line feeds and other white space can be compressed

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99b Meets YARA!

2015-06-11 Thread Steven Morgan
015 at 11:00 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > > On Thu, June 11, 2015 3:51 pm, Steven Morgan wrote: > > > > We've borrowed the yacc/lex code from yara project. > > Hi, > > Does that mean ClamAV will support this condition in the current

Re: [clamav-users] daily.ftm

2015-06-19 Thread Steven Morgan
Thanks, we are looking into this. On Fri, Jun 19, 2015 at 6:39 AM, Steve Basford < steveb_cla...@sanesecurity.com> wrote: > Hi, > > Wasn't sure if this should be a bugzilla or not but... > > daily.ftm seems to be out-of-sync with the latest filetypes_int.h > > Eg, 4546492050415254 is missed and a

Re: [clamav-users] Using clamscan with multiple cores

2015-06-22 Thread Steven Morgan
Hi, Clamscan uses a single execution thread. Clamd uses multiple threads via pthreads and can better take advantage of multicore CPUs. Steve On Sat, Jun 20, 2015 at 1:15 PM, Markus Egg wrote: > Hello, > > how can I use clamscan on multicore CPUs ? > I found "clamdscan" with --multiscan but for

Re: [clamav-users] clamav 0.99 beta yara

2015-06-25 Thread Steven Morgan
Steve, Thanks for the pointers. We'll look in to adding a yara suffix, although it is not done for other sig types and it is also easy to grep the sig name within the database directory to identify the sig type/origin. As for whitelisting yara, that code should be already in place. I'll double c

Re: [clamav-users] clamav 0.99 beta yara

2015-06-25 Thread Steven Morgan
Steve, Thanks. We'll look into additional command line/clamd.conf options to select or exclude signature types. This might be best done if/when Cisco ships yara signatures, since currently users are responsible for the content and locations of database directories regarding yara and these can easi

Re: [clamav-users] clamav 0.99 beta yara

2015-06-25 Thread Steven Morgan
Steve, One more question: is Sanesecurity planning to distribute yara signatures when 0.99 final is released? This will help with appropriate scheduling of any parameter implementations. Thanks, Steve On Thu, Jun 25, 2015 at 3:20 PM, Steven Morgan wrote: > Steve, > > Thanks. We

Re: [clamav-users] help connection being refused.

2015-07-28 Thread Steven Morgan
Clamd running? I get that same result from clamdscan (connection refused) if clamd is not started. 127.0.0.1 is fine for clamd as long as all of your clamdscan/clamav-milter requests are initiated from the machine clamd is running on. On Mon, Jul 27, 2015 at 9:24 PM, josh schooler wrote: > 2015-

Re: [clamav-users] [sanesecurity] PUAexclude

2015-07-31 Thread Steven Morgan
Try this: http://www.clamav.net/doc/pua.html On Fri, Jul 31, 2015 at 9:15 AM, polloxx wrote: > Dear, > > What categories can be excluded by PUAexclude? The documentation for that > seems not available. > > Thx, > P. >

Re: [clamav-users] Fwd: Unable to detect pdf virus (Not working in sharepoint)

2015-08-21 Thread Steven Morgan
I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11380. Please attach to this bugzilla ticket the original pdf file and the original multipart document. Thanks. On Tue, Aug 18, 2015 at 10:48 AM, P K wrote: > Hi Guys, > > Again troubling you. Can you please let me know why its not working

Re: [clamav-users] Clamd logging dictionary to aid integration with SIEM application

2015-09-17 Thread Steven Morgan
All clamav messages are embedded in the code. They should be pretty easy to fish out of the code using greps of 'logg' for clamd messages and CLI_ERRMSG/CLI_WARNMSG for messages from the engine. Hope this helps, Steve On Thu, Sep 17, 2015 at 6:08 AM, Chris Needham2 wrote: > Hi, > > I have gone

Re: [clamav-users] Problems with daily db?

2015-10-15 Thread Steven Morgan
Rafael, I don't see this. Which version of ClamAV are you using? Steve On Thu, Oct 15, 2015 at 11:24 AM, Rafael Ferreira wrote: > Howdy folks, we started noticing problems with daily.cvd: > > Retrieving http://scanii-assets.s3.amazonaws.com/daily.cvd > > Trying to download http://scanii-asset

Re: [clamav-users] Problems with daily db?

2015-10-15 Thread Steven Morgan
Thanks, that is working for me with ClamAV 0.98.7. It even worked using http://scanii-assets.s3.amazonaws.com/daily.cvd. What OS and hardware are you using? On Thu, Oct 15, 2015 at 1:30 PM, Rafael Ferreira wrote: > 0.98.7 > > > On Oct 15, 2015, at 8:46 AM, Steven Morgan > wrote:

Re: [clamav-users] how to narrow down the signature database?

2015-11-23 Thread Steven Morgan
Bond, You can use 'sigtool --unpack-current [daily|main|bytecode]' to unpack the virus database. Then remove/edit out the files/sigs that are not of interest. Then use the clamd.conf DatabaseDir parameter to point to the result. docs/signatures.pdf may help. Also, look at ./configure --help to re

Re: [clamav-users] Problem configuring clamav-0.99

2015-12-07 Thread Steven Morgan
Hi Ali, Can you check to see that you have installed the development versions of bzip2 and check rpms (bzip2-devel-*.rpm / check-devel-*rpm)? Steve On Mon, Dec 7, 2015 at 10:03 AM, wrote: > Hello everybody > > I am using Linux Centos6.7 (i686 ) > and i am using clamav as antivirus for my qmail

Re: [clamav-users] undefined identifier modules

2015-12-14 Thread Steven Morgan
Hi Kilburn, There are a couple of yara items still TBD. "uint32be" arrived in a more current yara release than that used for ClamAV 0.99, "pe" is a keyword requiring yara module support. Yara modules are not yet supported by ClamAV. Yara modules and yara version upgrade are on the ClamAV road map.

Re: [clamav-users] Problem configuring clamav-0.99

2015-12-15 Thread Steven Morgan
bzip2 1.0.5 looks kind of old. Can you try a more current version? On Mon, Dec 7, 2015 at 12:25 PM, wrote: > > Hi Ali, > > > > Can you check to see that you have installed the development versions of > > bzip2 and check rpms (bzip2-devel-*.rpm / check-devel-*rpm)? > > > > Steve > > Hi Steve, > >

Re: [clamav-users] Problem configuring clamav-0.99

2015-12-16 Thread Steven Morgan
Todd, PCRE support is new in ClamAV 0.99 and ./configure looks for it by default. So in your case it found an old version of pcre which is incompatible with ClamAV 0.99. Minimum PCRE version checks have been added for the upcoming 0.99.1 release. For installing 0.99 on your system, you will either

Re: [clamav-users] Problem configuring clamav-0.99

2015-12-16 Thread Steven Morgan
brooke, Quebec > CANADA J1M 1Z7 > > > > > > > > > -Original Message- > From: clamav-users on behalf of > Steven Morgan > Reply-To: ClamAV users ML > Date: Wednesday, December 16, 2015 at 2:43 PM > To: ClamAV users ML > Subject: Re: [clamav-

Re: [clamav-users] Problem configuring clamav-0.99

2015-12-16 Thread Steven Morgan
" failing because it cannot link to the pcre shared library. If this is the case, I can suggest looking into using ldconfig or setting the environment variable LD_LIBRARY_PATH to resolve the link issue, and then configure ClamAV. Hope this helps, Steve On Wed, Dec 16, 2015 at 3:00 PM

Re: [clamav-users] several malware samples, clamav doesn't detect

2015-12-23 Thread Steven Morgan
Walter, Please submit your malware samples here (website was changed recently): http://www.clamav.net/reports/malware. Thanks, Steve On Wed, Dec 23, 2015 at 3:01 PM, Walter H. wrote: > Hello, > > I've got several malware samples - received via E-mail - that ClamAV > doesn't detect > where

Re: [clamav-users] several malware samples, clamav doesn't detect

2015-12-23 Thread Steven Morgan
gt; browser I'm used to; > > Merry Christmas and Greetings from a very strange weather here in Austria > (one might think to get t-shirt and shorts instead of pullovers and fur > coats) > > Thanks, > Walter > > > > On 23.12.2015 21:17, Steven Morgan wrote: > &g

Re: [clamav-users] Error: cl_load(): No such file or directory

2016-01-05 Thread Steven Morgan
Hi, Do you have a /home/user/programming/clamav/share/clamav? Also, did you run freshclam? Steve On Tue, Jan 5, 2016 at 8:58 AM, im zkoko wrote: > Hello > > I asked the following question on github ( > https://github.com/vrtadmin/clamav-devel/issues/46 ), and I waited for ~1 > month witho

Re: [clamav-users] some clamd.conf issues

2016-01-12 Thread Steven Morgan
I believe the configuration statement keyword is supposed to be "BytecodeMode". Steve On Tue, Jan 12, 2016 at 7:36 AM, Michael K. wrote: > Hello Kevin, > > Am Mon, 11 Jan 2016 10:36:51 -0500 > schrieb Kevin Lin : > > This is a minor bug in the current release of ClamAV 0.99. > nice to know, tha

Re: [clamav-users] clamav-milter crash

2016-01-26 Thread Steven Morgan
If this is still a problem with the most current software on github, please create a bug report at http://bugzilla.clamav.net. Please attach samples that result in the crash. Steve On Tue, Jan 26, 2016 at 9:26 AM, Benny Pedersen wrote: > i have seen it do this so many times now that i like to

Re: [clamav-users] Freshclam Non-repudiation

2016-01-29 Thread Steven Morgan
Brad, The official ClamAV virus database is digitally signed before posting to the ClamAV mirrors. The CVD signature is checked before database load time. Virus names of signatures from non-signed databases are appended with ".UNOFFICIAL". Hope this helps, Steve On Thu, Jan 28, 2016 at 5:29 PM,

Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM

2016-02-01 Thread Steven Morgan
Bernhard, Clamd does not currently support ALLMATCH mode with the INSTREAM protocol. The only other suggestion I can offer is to preserve those files found to contain viruses and research them separately using ALLMATCH. Steve On Mon, Feb 1, 2016 at 5:27 AM, Bernhard Vogel wrote: > Hi, > > is t

Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM

2016-02-03 Thread Steven Morgan
rough the clamd-socket? > Currently we're facing the tradeoff between giving the clamd-process > more permissions or running multiple instances of the scanning-engine > (clamd + clamscan) and parsing the output of clamscan with "tainted" > filenames. > > Thanks > &

Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steven Morgan
David, I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11498 to investigate and track the issue. Plz sign up for an account at https://bugzilla.clamav.net and send me the user id and I will CC you on the bug. Once that is done, I will need for you to attach your signatures and sample files

Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steven Morgan
our bugzilla, effective mechanisms toward that end are in place. Try it now. We do want your bug reports! Thanks, Steve On Mon, Feb 8, 2016 at 4:42 PM, Benny Pedersen wrote: > On 2016-02-08 22:26, Steven Morgan wrote: > > I've opened https://bugzilla.clamav.net/show_bug.c

Re: [clamav-users] ClamAV automation question

2016-02-10 Thread Steven Morgan
Edwin, Sounds like on-access scanning with clamd may be useful in your case. You will need ClamAV 0.99. Here is some additional info: http://blog.clamav.net/2015/09/clamav-099b2-on-access-scanning-now.html Steve On Wed, Feb 10, 2016 at 3:58 AM, Edwin Nguku wrote: > Hi, what commands can I

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
cdb signatures use a regex library known as "Henry Spencer's regular expressions." Googling documentation for that should give what you want. Steve On Thu, Feb 18, 2016 at 6:39 AM, Mehmet Avcioglu wrote: > > What is the format for Filename Regex pattern used in cdb signature files? > > I have n

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Feb 18, 2016, at 8:14 PM, Steven Morgan > wrote: > > > > cdb signatures use a regex library known as "Henry Spencer's regular > > expressions." Googling documentation for that should give what you want. > > Thank you for the information. I searched out for

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
ample to get you going. I don't see any .cdb in the official ClamAV virus database. Steve On Thu, Feb 18, 2016 at 6:13 PM, Steven Morgan wrote: > Please see https://garyhouston.github.io/regex/. > > Looks like ClamAV uses what is called the "old library." I don't

Re: [clamav-users] windows cache

2016-02-26 Thread Steven Morgan
Hi, Caching is supported in Windows and enabled by default. Clamd local socket is not supported in Windows. On Fri, Feb 26, 2016 at 6:55 AM, fdff affg wrote: > Hi! > Does the cache engine(caching scanned files to increase performance > and no scanning again) work on Windows version(official w

Re: [clamav-users] heuristic-scan-precedence is broken

2016-02-29 Thread Steven Morgan
David, Thanks for your report. Tracking here: https://bugzilla.clamav.net/show_bug.cgi?id=11512 Steve On Sun, Feb 28, 2016 at 6:10 AM, David Shrimpton wrote: > Hi, > > --heuristic-scan-precedence=no is broken in clamav-0.99 > > e.g. create a test encrypted zip /tmp/abcdef.zip > > clamscan -z

Re: [clamav-users] What does TargetType 10 for a signature mean ?

2016-02-29 Thread Steven Morgan
Hi, Could you please open a bug report at bugzilla.clamav.net? Please attach the sample(s) and signatures(s) that you are using. I'd like to make sure this is tracked for investigation and possible code and documentation improvements. Sounds like there are some things to sort out here... Thanks,

Re: [clamav-users] Couple problems

2016-03-15 Thread Steven Morgan
Hi, I took a quick look at the code. The "Heuristics.Encrypted.PDF" is off by default. Try clamscan --block-encrypted. If you have 'ArchiveBlockEncrypted yes' in your clamd.conf, it would explain the results you are seeing with milter. Is testfile.pdf encrypted? Check these things out and if it
