Re: [clamav-users] [Clamav-devel] ClamAV® blog: ClamAV 0.103.0 released!

2020-09-15 Thread lukn via clamav-users


On 15.09.20 14:24, Gary R. Schmidt wrote:
> Well, that was entertaining.

less of an adventure here (CentOS 7), but my spec file that has been
working without modifications since clamav 0.9x needed some patching
today, or else clamav-milter refused installation with:

Error: Package: clamav-milter-0.103.0-1.el7.x86_64 (clam-c7)
   Requires: libclamav.so.9(CLAMAV_PRIVATE)(64bit)

adding the following lines helped:
Provides: libclamav.so.9()(64bit)
Provides: libclamav.so.9(CLAMAV_PRIVATE)(64bit)
Provides: libclamav.so.9(CLAMAV_PUBLIC)(64bit)

no idea why this is suddenly necessary...


Now it runs like a charm; thank you to everybody involved in the new release!

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV® blog: Freshclam, cdiffs and bandwidth are your friends

2020-07-28 Thread lukn via clamav-users
You may want to subscribe to the mailing list
clamav-viru...@lists.clamav.net
for a changelog of the virus db. Indeed this list only sends one mail
per day.


On 29.07.20 01:01, Paul Kosinski via clamav-users wrote:
> "...we also only release updates once a day."
> 
> Are there *never* any urgent virus updates released in between? In
> other words, is it always useless to check the TXT record more often?
> 



Re: [clamav-users] clamav-milter not being built for 0.102.0

2019-10-02 Thread lukn via clamav-users
Thank you Micah
In that case I'll just lean back and wait for the bugfix release :-)


On 02.10.19 22:52, Micah Snyder (micasnyd) wrote:
> Hi lukn,
> 
> You're not missing something.  It appears that configure changes between 
> ClamAV 0.102.0-rc and 0.102.0 broke building of clamav-milter.  
> 
> We will identify the exact issue and include a fix for it in a 0.102.1 patch 
> release along with one or two other bug fixes.
> I'm sorry for the confusion.
> 
> Regards
> Micah
> 
> On 10/2/19, 4:17 PM, "clamav-users on behalf of lukn via clamav-users" 
>  clamav-users@lists.clamav.net> wrote:
> 
> Hello list
> 
> Previous versions built perfectly, but on same build host 0.102.0 does
> not build clamav-milter, but also does not show any obvious error
> message as to why not.
> 
> Build hosts: Centos 6 (CentOS release 6.10 (Final)) and Centos 7 (CentOS
> Linux release 7.6.1810 (Core)) - admitted, I should maybe update the C7
> box to 7.7 first, but I highly doubt this will solve my problem. Clamav
> 0.101.4 was very happy to build clamav-milter on that very foundation.
> 
> configure is run as always, with the exception these ancient systems
> won't support clamonacc out of the box. But as it is not needed I felt
> it's safe to disable it:
> 
> ./configure --prefix=/usr/local --enable-milter --disable-clamonacc
> [..]
> configure: Summary of optional tools
>   clamdtop: yes (-lncurses)
>   milter  : yes ()
>   clamsubmit  : yes (libjson-c-dev found at /usr)
>   clamonacc   : no (disabled)
> 
> So configure claims it'll build my milter...
> 
> However, all make has to say about milter:
> make: Nothing to be done for `all'.
> 
> What am I missing?
> 
> If my curl is too old, so is maybe make or gcc?
> $ make --version
> GNU Make 3.82
> $ gcc --version
> gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36)
> but in such cases I'd expect a loud error message, compile abort yada
> yada - not awkward output silence.
> 
> Any ideas? Any additional information needed?
> 
> Best regards
> lukn
> 



[clamav-users] clamav-milter not being built for 0.102.0

2019-10-02 Thread lukn via clamav-users
Hello list

Previous versions built perfectly, but on same build host 0.102.0 does
not build clamav-milter, but also does not show any obvious error
message as to why not.

Build hosts: Centos 6 (CentOS release 6.10 (Final)) and Centos 7 (CentOS
Linux release 7.6.1810 (Core)) - admitted, I should maybe update the C7
box to 7.7 first, but I highly doubt this will solve my problem. Clamav
0.101.4 was very happy to build clamav-milter on that very foundation.

configure is run as always, with the exception these ancient systems
won't support clamonacc out of the box. But as it is not needed I felt
it's safe to disable it:

./configure --prefix=/usr/local --enable-milter --disable-clamonacc
[..]
configure: Summary of optional tools
  clamdtop: yes (-lncurses)
  milter  : yes ()
  clamsubmit  : yes (libjson-c-dev found at /usr)
  clamonacc   : no (disabled)

So configure claims it'll build my milter...

However, all make has to say about milter:
make: Nothing to be done for `all'.

What am I missing?

If my curl is too old, so is maybe make or gcc?
$ make --version
GNU Make 3.82
$ gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36)
but in such cases I'd expect a loud error message, compile abort yada
yada - not awkward output silence.

Any ideas? Any additional information needed?

Best regards
lukn



Re: [clamav-users] clamd using up all cpu on certain hosts

2018-11-19 Thread lukn
Hi Micah and Henrik

I'm slowly getting to the conclusion that the old hosts are reaching EOL
which would explain the misbehaviour (just got a few inexplicable SSH
connection losses...).

grep -v '^$' clamd.conf | grep -v '^#'
LogSyslog yes
LogFacility LOG_MAIL
LogVerbose yes
TCPSocket 3310
TCPAddr 127.0.0.1
User clamav

As to Henrik's suggestion to use strace - now it gets really spooky.
Once executed under strace it took less than 2 mins for clamd to start
up normally and then run as expected without hogging the CPU. Of course :-/

I'd say: never mind those old boxes, gotta replace them anyway
eventually...

thx
lukn

On 16.11.18 20:45, Micah Snyder (micasnyd) wrote:
> That is... bizarre. What does your clamd configuration look like?  
> Specifically, do you have `ScanOnAccess` enabled and set to watch specific 
> mount or directory paths?
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> 
> 
> On Nov 16, 2018, at 9:52 AM, lukn 
> mailto:lukn...@gmail.com>> wrote:
> 
> Hello list
> 
> I'm having a weird CPU hogging issue here. I'm running some servers as
> VM hosts based on CentOS7 with qemu/kvm. On these I'm running various
> VMs with CentOS 7 and legacy CentOS 6 (all have latest updates
> installed). All of them are running clamd 0.100.2 which got installed
> from a self compiled RPM (built from official source, no patches), so
> software on all hosts and VMs should be identical.
> 
> However, in VMs on one host machine, clamd is idling, on the other it's
> running at 200-350% CPU (4 vcores) according to top - even when there is
> nothing to be scanned.
> 
> If I migrate a VM from the "idle" to the "busy" host, their clamd starts
> to spin too. If I migrate a VM from the "busy" to the "idle" host, clamd
> remains quiet.
> 
> The only noticeable difference between clamd going nuts and clamd
> staying calm is the CPU of the host system:
> 
> busy:
> model name  : Intel(R) Xeon(R) CPU   E5645  @ 2.40GHz
> 
> idle:
> model name  : Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz
> 
> 
> As mentioned, clamd is installed from a self compiled rpm, this is the
> %build section of the spec file, nothing fancy in there:
> 
> %build
> ./configure --prefix=%{_prefix} --enable-milter
> make check
> make
> 
> The issue only occured recently... maybe some borked signature?
> Any ideas?
> 
> regards
> lukn


[clamav-users] clamd using up all cpu on certain hosts

2018-11-16 Thread lukn
Hello list

I'm having a weird CPU hogging issue here. I'm running some servers as
VM hosts based on CentOS7 with qemu/kvm. On these I'm running various
VMs with CentOS 7 and legacy CentOS 6 (all have latest updates
installed). All of them are running clamd 0.100.2 which got installed
from a self compiled RPM (built from official source, no patches), so
software on all hosts and VMs should be identical.

However, in VMs on one host machine, clamd is idling, on the other it's
running at 200-350% CPU (4 vcores) according to top - even when there is
nothing to be scanned.

If I migrate a VM from the "idle" to the "busy" host, their clamd starts
to spin too. If I migrate a VM from the "busy" to the "idle" host, clamd
remains quiet.

The only noticeable difference between clamd going nuts and clamd
staying calm is the CPU of the host system:

busy:
model name  : Intel(R) Xeon(R) CPU   E5645  @ 2.40GHz

idle:
model name  : Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz


As mentioned, clamd is installed from a self compiled rpm, this is the
%build section of the spec file, nothing fancy in there:

%build
./configure --prefix=%{_prefix} --enable-milter
make check
make

The issue only occured recently... maybe some borked signature?
Any ideas?

regards
lukn


Re: [clamav-users] Malwarepatrol false positive

2018-08-27 Thread lukn
Hi

cudasvc was recently listed on Spamhaus' DBL. Looks like Barracuda has
some kind of issues with their service.
The other question is, why do people use such link cloakers?


On 27.08.2018 22:44, Mark G Thomas wrote:
> Hi,
> 
> But, there are more. This is nuts.
> 
> # sigtool --find-sigs MBL_13112740 | sigtool --decode-sigs
> VIRUS NAME: MBL_13112740
> DECODED SIGNATURE:
> https://linkprotect.cudasvc.com/url
> 
> Mark
> 


Re: [clamav-users] Rogue definition Pdf.Exploit.CVE_2018_12798-6633682-0 causing a LOT of FP's

2018-08-16 Thread lukn
cd /path/to/clamav/signatures
echo -n offending.rule.name >> whitelist.ign2

ensure there is no trailing empty newline at the end of whitelist.ign2

On 14.08.2018 23:52, Groach wrote:
> Could you detail how to whitelist the offending rule please?  (I fear it will 
> be some time, or never,  before this rule gets rectified officially).
> 
> 
> 
> On 14 August 2018 22:40:49 BST, lukn  wrote:
>> Same here. I agree this rule is causing too many FPs to remain active.
>> Therefore I ended up whitelisting this rule.
>>
>>
>>> I now only run in report mode and not delete mode
>>
>> I don't understand the wish to leave the decision of data destruction
>> to a third party software. My system should follow my rules... and
>> those
>> never include arbitrary data deletion as this can only end in tears.
>> Running any antivirus in delete mode is like playing Russian roulette.


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain False Positive

2018-08-16 Thread lukn
Hi

You cannot whitelist a sender in ClamAV. Whitelisting happens in the
software that calls ClamAV.

The alternative is to disable spoofing checks in ClamAV configuration.
They're not enabled by default, so if your ClamAV checks spoofing, then
someone enabled it on purpose.


As Al already pointed out you can whitelist the offending link
construct. To identify the offending link in the mail you need to
perform a bit of analysis:
clamscan /path/to/mailfile.eml --debug 2>&1 | less

I don't have a working example at hand, so here's a little outline from
my memory:
Search the less output for the word "different". Near that match (a few
lines above, iirc) you'll find the offending value, looking something like
yada yada yada amazon.com:amazon.de yada yada yada
(using amazon just as an example)

In your clamav signature directory you then create a file called
spoofing.wdb with this content:
X:amazon\.com:amazon\.de
(copy the hit from clamav debug output, prepend X: and escape all regex
specials)

Alternatively have the sender fix the broken link you identified above.

HTH

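The two local whitelist files from the posts above (whitelist.ign2 from the Pdf.Exploit thread, one signature name per line, and spoofing.wdb from this one, X:RealURL:DisplayedURL lines), as an added shell example that is not code from either post. Both posts stress that the file must not end with an empty line, so the helpers below terminate every entry with exactly one newline, never add a blank line, and repair a last line that an earlier `echo -n` left unterminated. It assumes POSIX sh with grep, sed, tail and wc, and that the real:displayed pair copied from clamscan --debug output contains no colon itself (true for the hostname pair in the post); the signature name in the demo is the one from the thread subject.

```shell
#!/bin/sh
# Added example, not code from the list posts. Helpers for the .ign2 signature
# whitelist and the .wdb spoofing whitelist described on the list.
# Assumes POSIX sh with grep, sed, tail and wc; no ClamAV tools are needed.

# ends_with_newline FILE: true if FILE is empty or its last byte is '\n'.
ends_with_newline() {
    [ ! -s "$1" ] || [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# db_is_wellformed FILE: true if FILE exists, has no empty or blank-only line
# (the trailing empty line the posts warn about included) and ends with '\n'.
db_is_wellformed() {
    [ -f "$1" ] || return 1
    if grep -q '^[[:space:]]*$' "$1"; then
        return 1
    fi
    ends_with_newline "$1"
}

# db_append FILE LINE: append LINE once. If an earlier write left the last
# line unterminated, terminate it first so two entries cannot fuse.
db_append() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" && return 0
    ends_with_newline "$file" || printf '\n' >> "$file"
    printf '%s\n' "$line" >> "$file"
}

# add_ign2_entry FILE SIGNAME: whitelist signature SIGNAME in the .ign2 FILE.
add_ign2_entry() {
    db_append "$1" "$2"
}

# regex_escape STR: escape regex metacharacters so a hostname such as
# amazon.com is matched literally (amazon\.com) in the .wdb fields.
regex_escape() {
    printf '%s' "$1" | sed -e 's/[][\\.*+?^${}()|]/\\&/g'
}

# wdb_entry HIT: turn the "real:displayed" pair copied from the debug output
# into an X: line. Assumes the pair contains no further colon.
wdb_entry() {
    real=${1%%:*}
    displayed=${1#*:}
    printf 'X:%s:%s\n' "$(regex_escape "$real")" "$(regex_escape "$displayed")"
}

# add_wdb_entry FILE HIT: append the .wdb line for HIT to FILE.
add_wdb_entry() {
    db_append "$1" "$(wdb_entry "$2")"
}

# Stand-alone demonstration in a constructed temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    add_ign2_entry "$dir/whitelist.ign2" "Pdf.Exploit.CVE_2018_12798-6633682-0"
    add_wdb_entry "$dir/spoofing.wdb" "amazon.com:amazon.de"
    db_is_wellformed "$dir/whitelist.ign2" && db_is_wellformed "$dir/spoofing.wdb" \
        && cat "$dir/whitelist.ign2" "$dir/spoofing.wdb"
    rm -rf "$dir"
}
demo
```

Point both files at the signature directory clamscan or clamd loads (or pass the directory with --database=), and run db_is_wellformed on them after every edit: a blank line is the single most common reason a hand-edited whitelist fails to load.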


Re: [clamav-users] Rogue definition Pdf.Exploit.CVE_2018_12798-6633682-0 causing a LOT of FP's

2018-08-14 Thread lukn
Same here. I agree this rule is causing too many FPs to remain active.
Therefore I ended up whitelisting this rule.


> I now only run in report mode and not delete mode

I don't understand the wish to leave the decision of data destruction
to a third party software. My system should follow my rules... and those
never include arbitrary data deletion as this can only end in tears.
Running any antivirus in delete mode is like playing Russian roulette.


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.4 has been released!

2018-03-02 Thread lukn
On 02.03.2018 15:12, Micah Snyder (micasnyd) wrote:
> The ClamAV version check should be updated now.  My apologies for the 
> inconvenience.

Also confirming that the issue has been resolved. Thanks for handling it
and thanks for the new version of ClamAV!


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.4 has been released!

2018-03-02 Thread lukn
On 02.03.2018 09:21, Al Varnell wrote:
> They just need to update DNS with updated version when they come in. Not a 
> big deal. It only results in display of the warning. Should not impact 
> operations in any way.


this is correct, 0.99.4 is fully operational and getting signature
updates. But the negligence to check whether all steps needed to publish
a release have been completed leaves some smell.


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.4 has been released!

2018-03-02 Thread lukn
same here. #fail :-P

I guess we'll have to live with that until Talos people go back to
office. Reminds me a bit of that broken signature recently... push stuff
Thursday evening, then go home.

Maybe the releases need a better timing. Like in the morning hours of
Talos Office Time, to allow ample buffer for community feedback and
emergency fixes. And while we're at it, maybe not on Fridays, just to
ensure European, African, Asian and Oceanic sysadmins get to enjoy their
weekends.



On 01.03.2018 22:57, Yuri wrote:
>  # freshclam
> ClamAV update process started at Fri Mar  2 03:55:59 2018
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99.4 Recommended version: 0.99.3
> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60,
> builder: sigmgr)
> daily.cld is up to date (version: 24354, sigs: 1863576, f-level: 63,
> builder: neo)
> bytecode.cld is up to date (version: 319, sigs: 75, f-level: 63,
> builder: neo)
> 
> :-D
> 
> Funny message :) Hello from future :-!
> 
> On 02.03.2018 03:39, Joel Esler (jesler) wrote:
>>
>> http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html
>>
>> ClamAV 0.99.4 has been released!
>> Join us as we welcome ClamAV 0.99.4 to the family!
>>
>>
>> 0.99.4 Release Notes
>>
>> 0.99.4 is a security patch release, quick on the heels of the 0.99.3 
>> security patch release.  This is a renewal of our commitment to the ClamAV 
>> community for timely fixes to critical issues.
>>
>> 0.99.4 addresses a few outstanding vulnerability bugs.  It includes fixes 
>> for:
>>
>>
>>   *   
>> CVE-2012-6706
>>   *   
>> CVE-2017-6419
>>   *   
>> CVE-2017-11423
>>   *   
>> CVE-2018-185
>>
>> There are also a few bug fixes that were not assigned CVE’s, but were 
>> important enough to address while we had the chance.  One of these was the 
>> notorious file descriptor exhaustion bug that caused outages late last 
>> January.
>>
>> In addition to the above, 0.99.4 fixes:
>>
>>
>>   *   
>> CVE-2018-0202
>>  *   Two newly reported vulnerabilities in the PDF parsing code.
>>   *   GCC 6, C++11 compatibility issues.
>>
>>
>> A big "thank you" to everyone out there contributing patches, bug reports, 
>> and helping support the ClamAV community via our mailing 
>> lists and IRC channel.
>>
>> Thank you to the following ClamAV community members for your code 
>> submissions and bug reports!
>>
>> Alberto Garcia
>> Bernhard Vogel
>> Francisco Oca
>> Hanno Böck
>> Jeffrey Yasskin
>> Keith Jones
>> mtowalski
>> Suleman Ali
>> yongji.oy
>> xrym
>>
>> Stay tuned for the upcoming 0.100.0 release candidate!
>>
>>
>> --
>> Joel Esler | Talos: Manager | jes...@cisco.com
>>
>>
>>
>>
>>
>>


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread lukn
As ClamAV/Talos is owned by Cisco I assume all ClamAV employees are
located in the Silicon Valley area and therefore still enjoying a good
Californian night's sleep.

On 26.01.2018 13:17, maxal wrote:
> nobody of clamav/cisco reading this list? as the impact is heavy and
> probably worldwide - anyone with personal contacts or any other channel
> to reach someone there? contact info on clamav.net is only referring to
> mailing lists and not very useful 
> 
> On Fri, 2018-01-26 at 12:07 +0100, Marco wrote:
>> On 26/01/2018 10:39, Ralf Hildebrandt wrote:
>>
>>> clamd is leaking filedescriptors for temporary files - ls
>>> /proc/`pidof clamd`/fd shows a
>>> lot of:
>>>
>>> lrwx-- 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-
>>> 736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
>>> lrwx-- 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-
>>> 59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
>>> lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-
>>> 0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
>>> ...
>>
>> I think that Clamav now knows this very big problem... Anyway these
>> are 
>> other logs I see (0.99.2 version on RH EL7):
>>
>> 2018-01-26T03:41:29.246852+01:00  clamd[18086]: LibClamAV Error: 
>> cli_gentempfd: Can't create temporary file 
>> /tmp/clamav-f553aa378e37664837deb720f2ce10f6.tmp/clamav-
>> ef95d457b05dc585eb4bc09d3fc83edc.tmp: 
>> Too many open files
>>
>> 2018-01-26T03:41:29.247296+01:00  clamd[18086]: LibClamAV Warning: 
>> fileblobScan, fullname == NULL
>>
>> 2018-01-26T03:41:29.247458+01:00  clamd[18086]: LibClamAV Error: 
>> fileblobDestroy: mixedtextportion not saved: report to 
>> http://bugs.clamav.net
>>
>>
>> Regards
>> Marco


Re: [clamav-users] reduce memory footprint by removing somevirusdefinitions on a low memory server

2018-01-26 Thread lukn
stop freshclam daemon

On 26.01.2018 11:54, Rajesh M wrote:
> hi all
> 
> even though i removed
> 
> daily.cld
> main.cld
> bytecode.cld
> mirrors.dat 
> 
> all of these has been recreated automatically
> 
> i am not running freshclam via a cron job
> 
> help required in disabling clam updates 
> 
> rajesh
> 
> 
> - Original Message -
> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
> To: clamav-users@lists.clamav.net
> Sent: Fri, 26 Jan 2018 10:12:12 +0100
> Subject: 
> 
> Thanks for the suggestions  h.rei...@thelounge.net 
>  and 24x7ser...@24x7server.net 
>  and alvarn...@mac.com 
> 
> Daily removed for the timebeing anyway.
> 
> 
> 
>> On 26 Jan 2018, at 09:55, Rajesh M <24x7ser...@24x7server.net> wrote:
>>
>> hi 
>>
>> this is what i did on my mail server
>>
>> cd /var/lib/clamav
>>
>> mv daily.cld daily.cld.BAK
>> mv main.cld main.cld.BAK
>> mv bytecode.cld bytecode.cld.BAK
>> mv mirrors.dat mirrors.dat.BAK
>>
>> kept foxhole_all and badmacro.ndb unoffical which handles all kinds of bad 
>> attachments / macros.
>>
>> also have spam-assassin with oledb macro plugin.
>>
>> things seem to work now
>>
>> rajesh
>>
>>
>> - Original Message -
>> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
>> To: clamav-users@lists.clamav.net
>> Sent: Fri, 26 Jan 2018 09:41:38 +0100
>> Subject: 
>>
>> Hi everybody,
>>
>> Would removing some of the virus definitions on a memory sparse server still 
>> leave a semi-usable clamav scanner? 
>>
>> e.g if I just left 
>> main.cvd
>> bytecode.cvd
>>
>> and dropped daily.cvd?
>>
>> Or some other config.
>>
>> e.g just kept the unoffical sigs and the bytecode.
>>
>> I realize this is reducing clamav’s effectiveness, but my other option is to 
>> remove clamav.
>>
>> Kind regards,
>> Sophie
>>
>>
>>
>>
>>
>>


Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-25 Thread lukn
Same on a machine with clamav-milter:

clamav-milter[8241]: Failed to initiate streaming/fdpassing
clamav-milter[8241]: Unknown reply from clamd
clamd[11895]: instream(127.0.0.1@49958): Can't open file or directory ERROR
clamav-milter[8241]: send failed: Broken pipe
clamav-milter[8241]: Streaming failed
clamd[11895]: accept() failed:

I suspect a toxic signature keeps killing clamd



On 26.01.2018 07:47, lukn wrote:
> Good morning list
> 
> same here, since about 4am CET we see permanent crashes of clamd.
> Process indeed disappears, but logging is minimal. All I see is:
> 
> clamd[25989]: instream(127.0.0.1@58142): Can't open file or directory ERROR
> clamd[25989]: accept() failed:
> 
> the second line repeats several dozen times.
> 
> I use clamd to scan mail with fuglu (fuglu.org) which talks to clamd via
> TCP socket.
> 


Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-25 Thread lukn
Good morning list

same here, since about 4am CET we see permanent crashes of clamd.
Process indeed disappears, but logging is minimal. All I see is:

clamd[25989]: instream(127.0.0.1@58142): Can't open file or directory ERROR
clamd[25989]: accept() failed:

the second line repeats several dozen times.

I use clamd to scan mail with fuglu (fuglu.org) which talks to clamd via
TCP socket.


Re: [clamav-users] Mirror issues and what we are doing to fix it

2017-09-13 Thread lukn
Hello List and Joel

I still see freshclam failures for mirror 193.230.240.8

WARNING: getfile: daily-23823.cdiff not found on database.clamav.net
(IP: 193.230.240.8)
WARNING: getpatch: Can't download daily-23823.cdiff from database.clamav.net


freshclam --list-mirrors
[..]
Mirror #2
IP: 193.230.240.8
Successes: 0
Failures: 31
Last access: Wed Sep 13 15:15:03 2017
Ignore: Yes


Apologies, I don't have full freshclam debug output available.


On 28.08.2017 15:33, Joel Esler (jesler) wrote:
> ClamAV Community —
> 
> For too long we’ve had a problem with mirrors and downloads.  There are a 
> bunch of really good excuses for this internally, but I can comfortably say 
> that we are beyond the problems we had in the past, and now it’s time for us 
> to go fix it.
> 
> As of Friday, I assumed control (From a Project Owner point of view, I don’t 
> directly control the mirrors), over the ClamAV Mirror infrastructure and am 
> taking steps to clean this up.
> 
> (Internally we break ClamAV down into a bunch of pieces, a little “inside 
> baseball” for you, but we have the development team, them mirror project, the 
> signature interface (where all signatures are written, tested, and 
> published), the malware team.  All of these responsibilities are spread 
> amongst several groups within Talos (who 
> owns ClamAV inside of Cisco, amongst many other things).)
> 
> I have called a meeting with our ClamAV team, both from my team (the Open 
> Source Team), the mirror team (operations), and the PM for Development on 
> Thursday.  My plan is to outline an immediate “fix” trajectory.   What is 
> working, what isn’t working, immediate fixes, and finally suggestions for 
> moving forward.
> 
> Please continue to bear with us a little while longer.  They always say 
> things get worse before they get better.  Right now, hopefully, we are at the 
> “worst” stage.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 
> 
> 
> 
> 
> 

Re: [clamav-users] CVE-2017-11241 - Synology DIskStation AV Essentials

2017-09-13 Thread lukn
Hello List

Same here, I do see FPs with
BC.Win.Exploit.CVE_2017_11244-6335828-0
hitting legitimate corporate files (so no submission possible from me
either).

md5sum of the affected file is
bf20323e1cea2c2c3fc26d09956dd906
(don't know if this is helpful without the actual file...)


On 13.09.2017 16:27, Leonardo Rodrigues wrote:
> 
> I'm also getting some excel files flagged by the same signature,
> excel files that are supposed to be clean by other commercial antiviruses
> 
> two files from my amavis quarantine folder scanned with actual
> signatures:
> 
> [root@correio shm]# clamdscan -v virus-2017*
> /dev/shm/virus-20170912T100210-14568-04-oYAqsgllorwh:
> BC.Win.Exploit.CVE_2017_11244-6335828-0 FOUND
> /dev/shm/virus-20170913T105721-11777-15-NJFMBYpgy4B5:
> BC.Win.Exploit.CVE_2017_11244-6335828-0 FOUND
> 
> signatures i'm running
> 
> [root@correio shm]# freshclam
> ClamAV update process started at Wed Sep 13 11:27:06 2017
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60,
> builder: sigmgr)
> daily.cvd is up to date (version: 23823, sigs: 1742928, f-level: 63,
> builder: neo)
> bytecode.cld is up to date (version: 311, sigs: 74, f-level: 63,
> builder: neo)
> 
> 
> unfortunelly these are corporate files and i cannot submit them for
> analysis :(
> 
> 
> On 11/09/17 16:06, Judd Grayzel wrote:
>> My Synology Diskstation running the Anti-Virus Essentials (ClamAV
>> based engine) quarantined almost 1000 files for the CVE-2017-11241
>> vulnerability. This CVE references a problem with Adobe Acrobat, but
>> the files that are being quarantined are Microsoft Excel fIles.
>> Do these files really have a virus of some sort, or is this a
>> False/Positive situation?
> 


Re: [clamav-users] Create md5 sig from HTML file

2011-04-30 Thread lukn

Hello Tomasz

On 29.04.2011 16:45, Tomasz Kojm wrote:

> Please open a bug report at bugs.clamav.net and attach the HTML file if
> possible.



Thanks for your quick reply, bug has been filed:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2764

bye
lukn
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[clamav-users] Create md5 sig from HTML file

2011-04-29 Thread lukn

Dear Clamav-List

I'm trying to build an md5-sigs from HTML-files. My procedure is as follows:

mkdir /tmp/clamsig
cd /tmp/clamsig
sigtool --html-normalise=/data/foo.html
mv nocomment.html foo.html
sigtool --md5 foo.html >> /tmp/htmlfiles.hdb

Then I verified the file using
clamscan --database=/tmp/htmlfiles.hdb --leave-temps --debug /data/foo.html
But the signature did not match.

I investigated the leftover tempfiles from clamscan and it seems that 
sigtool and clamscan normalize differently. sigtool apparently converts 
& (ampersand) even in URLs to & where clamscan leaves ampersands 
intact. This can produce different files and therefore different md5 hashes.


I am not absolutely sure, but I think this is new since clamav 0.97. My 
procedure worked in previous versions of clamav.
Can anybody confirm this? Is this intended behaviour? If so, what's the 
recommended way of creating md5 signatures from HTML-files?


My current version of clamav is 0.97 from Debian repositories:
clamscan --version
ClamAV 0.97/13022/Fri Apr 29 08:03:10 2011

thanks and have a good weekend!
lukn
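The signature-building steps from the post above, as an added shell example that is not the post's own commands. hdb_line produces the same hash:filesize:name line that `sigtool --md5` writes, and html_hdb_line runs the post's normalisation step first (sigtool --html-normalise, hashing the nocomment.html it leaves behind), since clamscan hashes the normalised HTML rather than the raw file. It assumes GNU coreutils (md5sum, wc, mktemp) and returns 1 instead of guessing when sigtool is not installed; the file content in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the list post. Builds a ClamAV .hdb line
# (MD5:filesize:SignatureName) and, with sigtool present, hashes the
# normalised HTML the way the post's procedure does.
# Assumes GNU coreutils: md5sum, wc, mktemp.

# hdb_line FILE NAME: print "md5:size:NAME" for FILE, the sigtool --md5 shape.
hdb_line() {
    file=$1
    name=$2
    sum=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$sum" "$size" "$name"
}

# html_hdb_line FILE NAME: normalise FILE with sigtool in a scratch
# directory (it writes nocomment.html into the current directory, hence
# the cd) and hash that output. Returns 1 when sigtool is unavailable so a
# caller can tell "no tool" from a real signature line.
html_hdb_line() {
    file=$1
    name=$2
    command -v sigtool >/dev/null 2>&1 || return 1
    # sigtool is run from another directory, so make the path absolute.
    abs="$(cd "$(dirname "$file")" && pwd)/$(basename "$file")"
    workdir=$(mktemp -d) || return 1
    if ! ( cd "$workdir" && sigtool --html-normalise="$abs" >/dev/null ); then
        rm -rf "$workdir"
        return 1
    fi
    hdb_line "$workdir/nocomment.html" "$name"
    rm -rf "$workdir"
}

# Stand-alone demonstration on a constructed HTML file.
demo() {
    tmp=$(mktemp) || return 1
    printf '<html><!-- note --><body>hello</body></html>\n' > "$tmp"
    echo "raw file:        $(hdb_line "$tmp" Demo.Html.Sig)"
    if line=$(html_hdb_line "$tmp" Demo.Html.Sig); then
        echo "normalised html: $line"
    else
        echo "normalised html: (sigtool not installed, step skipped)"
    fi
    rm -f "$tmp"
}
demo
```

Append the resulting line to a .hdb file and verify it the way the post does, with clamscan --database=/path/to/htmlfiles.hdb; if the raw-file hash matches but the normalised one does not, the two normalisers disagree on that input, which is exactly the mismatch the post reports.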