[Clamav-devel] Question about threads

2017-07-27 Thread crazy thinker
Hi ClamAV Developers, ClamAV Users

What will happen if I configure more than 2 threads (say, for example, I
keep the MaxThreads attribute value 10 in clamd.conf) on dual-core processor
systems?
How exactly will ClamAV (clamd) work in this kind of scenario?

Kindly waiting for knowledgeable info from ClamAV developers and users as
well.


Thanks,
Crazy Thinker Inc
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml


[Clamav-devel] Question about Heuristic Scanning and Signature Based Scanning

2017-05-08 Thread crazy thinker
Hi ClamAV Developers,Users

As per my understanding, virus signatures are classified into two types:

1. Static virus signatures (short/fixed-length virus signatures)
2. Dynamic virus signatures (long signatures with regular expressions)

So I guess ClamAV performs both signature-based scanning and heuristic-based
scanning for the malware detection process.

Please find below the questions that are in my mind:

1. Does the signature-based scanner use only static signatures (not dynamic
signatures)?
2. Does the heuristic scanner use only dynamic signatures for malware
detection?
3. If the heuristic scanner uses a behaviour-based approach, why does the
heuristic scanner need a virus database?
4. To implement an efficient AV scanner, can I go with the heuristic scanning
approach and exclude the signature-based scanning approach?

I would like to get help/suggestions from you guys...


Kindly waiting for your reply


Thanks,
Crazy Thinker, Inc


[Clamav-devel] Question about LibClamAV Library

2017-04-17 Thread crazy thinker
Hi ClamAV Developers,

I have compiled the ClamAV source code on Mac OS X and am investigating the
internal file information of libclamav.dylib and libclamav.7.dylib out of
curiosity. Surprisingly, I got the info below when I ran grep with a certain
pattern:

admin-macbookPro-2:clamav-devel-0.99.2 CrazyThinker$ grep -ir "This file was created by ClamAV for internal use and should not be run" .
Binary file ./libclamav/.libs/libclamav.7.dylib matches
Binary file ./libclamav/.libs/libclamav.dylib matches
Binary file ./libclamav/.libs/libclamav_la-rebuildpe.o matches
Binary file ./libclamav/.libs/libclamav_la-upx.o matches

I still don't understand why the binary files above contain that pattern
even though not a single source file in the ClamAV codebase has that kind of
pattern. Where is this pattern being appended to the .dylib files from?


Thanks,

Satish Yaduvanshi


Re: [Clamav-devel] Question about LibClamAV

2017-04-17 Thread crazy thinker
Hi ClamAV Developers, Users

Sorry, I missed proper info in my previous mail thread; please find the
correct info below.

I have compiled the ClamAV source code on Mac OS X and am investigating the
internal file information of libclamav.dylib and libclamav.7.dylib out of
curiosity. Surprisingly, I got the info below when I ran grep with a certain
pattern:

admin-macbookPro-2:clamav-devel-0.99.2 tringappsinc$ grep -ir "This file was created by ClamAV for internal use and should not be run"
Binary file ./libclamav/.libs/libclamav.7.dylib matches
Binary file ./libclamav/.libs/libclamav.dylib matches
Binary file ./libclamav/.libs/libclamav_la-rebuildpe.o matches
Binary file ./libclamav/.libs/libclamav_la-upx.o matches

I still don't understand why the binary files above contain that pattern
even though not a single source file in the ClamAV codebase has that kind of
pattern. Where is this pattern being appended to the .dylib files from?

I am so curious to understand what is behind it. Is there any logic ClamAV
is using internally?

Could any one of you please help me with this?


On 17 April 2017 at 18:02, crazy thinker wrote:



[Clamav-devel] Question about LibClamAV

2017-04-17 Thread crazy thinker
Hi ClamAV Developers, Users

I have compiled the ClamAV source code on Mac OS X and am investigating the
internal file information of libclamav.dylib and libclamav.7.dylib out of
curiosity. Surprisingly, I got the info below when I ran grep with a certain
pattern:

admin-macbookPro-2:clamav-devel-0.99.2 tringappsinc$ grep -ir "This file was created by ClamAV for internal use and should not be run"
Binary file ./libclamav/.libs/libclamav.7.dylib matches
Binary file ./libclamav/.libs/libclamav.dylib matches
Binary file ./libclamav/.libs/libclamav_la-rebuildpe.o matches
Binary file ./libclamav/.libs/libclamav_la-upx.o matches

I still don't understand why the binary files above contain that pattern
even though not a single source file in the ClamAV codebase has it. Where is
this pattern being appended to the .dylib files from?

I am so curious to understand what is behind it. Is there any logic ClamAV
is using internally?

Could any one of you please help me with this?


Thanks,

Crazy Thinker Inc


Thanks,

Crazy Thinker


[Clamav-devel] Question about .cvd files

2017-04-12 Thread crazy thinker
Hi ClamAV  Developer, users

I have below Questions on ClamAV Virus Database

1. What information does bytecode.cvd contain, and how is it useful in malware
detection?

2. Why does ClamAV not release the virus database in platform-specific form,
like Windows, Linux, Mac OS X, Android, BSD etc.? Is there any logic behind
this?

3. How to separate malware signatures based on target operating system to
optimize database size?

Could any one of you please help me with this?


Re: [Clamav-devel] Question have an about LibClamAV.dll

2017-04-12 Thread Shanmugam, Suresh (Conduent)
Hi Perry,

I am not able to get the FileDescriptor for stream data because it is
always expecting a physical file.

Regards,
Suresh Shanmugam.


-Original Message-
From: clamav-devel [mailto:clamav-devel-boun...@lists.clamav.net] On Behalf Of 
Shanmugam, Suresh (Conduent)
Sent: Tuesday, April 11, 2017 12:31 AM
To: ClamAV Development <clamav-devel@lists.clamav.net>
Subject: Re: [Clamav-devel] Question have an about LibClamAV.dll




Re: [Clamav-devel] Question have an about LibClamAV.dll

2017-04-10 Thread Shanmugam, Suresh (Conduent)
Thanks for your quick response. I believe that, I can start from this point.

Sent using Boxer
On Apr 11, 2017 12:23 AM, Brandon Perry <bperry.volat...@gmail.com> wrote:




Re: [Clamav-devel] Question have an about LibClamAV.dll

2017-04-10 Thread Brandon Perry

> On Apr 10, 2017, at 1:50 PM, Shanmugam, Suresh (Conduent) 
> <suresh.shanmu...@conduent.com> wrote:
> 
> Hi Brandon Perry,
> 
> Okay. If you don't mind. Do you have any samples of implementation using 
> stream?. If you have please share to me.

I do not, but this should be a good start.

http://stackoverflow.com/questions/15669662/get-a-file-descriptor-handle-from-filestream
> 
> Regards,
> Suresh Shanmugam.
> 




Re: [Clamav-devel] Question have an about LibClamAV.dll

2017-04-10 Thread Shanmugam, Suresh (Conduent)
Hi Brandon Perry,

Okay. If you don't mind, do you have any samples of implementation using a
stream? If you have, please share them with me.

Regards,
Suresh Shanmugam.

Sent using Boxer
On Apr 10, 2017 10:51 PM, Brandon Perry <bperry.volat...@gmail.com> wrote:




Re: [Clamav-devel] Question have an about LibClamAV.dll

2017-04-10 Thread Brandon Perry

> On Apr 10, 2017, at 11:58 AM, Shanmugam, Suresh (Conduent) 
> <suresh.shanmu...@conduent.com> wrote:
> 
> Hi Brandon Perry,
> 
> You are correct Perry. I am implementing the LibClamAV Library into C# 
> application.  So I need to get the File descriptor from the Stream and need 
> to assign the value to "cl_scandesc" Native method. Am I right?.

Yes, I believe that’s correct.

> 
> 
> Regards,
> Suresh Shanmugam.




Re: [Clamav-devel] Question have an about LibClamAV.dll

2017-04-10 Thread Shanmugam, Suresh (Conduent)
Hi Brandon Perry,

You are correct, Perry. I am implementing the LibClamAV library in a C#
application. So I need to get the file descriptor from the Stream and
assign the value to the "cl_scandesc" native method. Am I right?


Regards,
Suresh Shanmugam.

-Original Message-
From: clamav-devel [mailto:clamav-devel-boun...@lists.clamav.net] On Behalf Of 
Brandon Perry
Sent: Monday, April 10, 2017 9:12 PM
To: ClamAV Development <clamav-devel@lists.clamav.net>
Subject: Re: [Clamav-devel] Question have an about LibClamAV.dll




Re: [Clamav-devel] Question have an about LibClamAV.dll

2017-04-10 Thread Brandon Perry

> On Apr 10, 2017, at 9:00 AM, Shanmugam, Suresh (Conduent) 
>  wrote:
> 
> Hi Developers,
> 
> I've an query about doing the scan using byte[] help of LibClamAV.dll(win32). 
> If anyone know the methods to pass the byte[] provide the details?.
> 
> Note:
> I able to do the scan a physical path file. But not able to do with byte[]. 
> Please help me.

It sounds like you are interacting with libclamav from C#. ClamAV requires a 
rewindable file stream, so a byte array can’t be scanned on its own.

You could map the byte array to a MemoryMappedFile.

http://stackoverflow.com/questions/10806518/write-string-data-to-memorymappedfile

Then you could potentially pass the file descriptor for this to native library.

> 
> Regards,
> Suresh Shanmugam.
> 



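The approach Brandon Perry describes above, as an added example (not code from the ClamAV project or from either poster): the byte buffer is copied into an anonymous temporary file, rewound to offset 0, and that descriptor is handed to cl_scandesc. Python's ctypes stands in for the C# P/Invoke layer the original poster is writing. The binding assumes the 0.99-era libclamav C API (cl_init, cl_engine_new, cl_retdbdir, cl_load, cl_engine_compile, cl_scandesc, cl_engine_free) and the option values from that version's clamav.h; the helper names buffer_to_rewindable_fd, read_from_start, load_libclamav and scan_bytes are mine, and the sample buffer is constructed.

```python
"""Scan an in-memory buffer with libclamav by way of a rewindable descriptor.

Added example; not code from the ClamAV project or from the thread's posters.
Assumes the 0.99-era libclamav API; constant values are taken from that
version's clamav.h and must be re-checked against the headers you build with.
"""
import ctypes
import ctypes.util
import os
import tempfile

CL_SUCCESS = 0          # return code of cl_init / cl_load / cl_engine_compile
CL_CLEAN = 0            # cl_scandesc: nothing matched
CL_VIRUS = 1            # cl_scandesc: a signature matched, *virname is set
CL_INIT_DEFAULT = 0
CL_DB_STDOPT = 0x200A   # CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE
# Subset of CL_SCAN_STDOPT: archive, mail, OLE2, HTML, PE, algorithmic, ELF, PDF
SCAN_OPTS = 0x1 | 0x2 | 0x4 | 0x10 | 0x20 | 0x200 | 0x2000 | 0x4000


def buffer_to_rewindable_fd(data):
    """Copy *data* into an anonymous temporary file and return (fd, file).

    libclamav will lseek() the descriptor back to the start and read it again,
    which a pipe or socket cannot do but a file can. The file object is
    returned so the caller keeps it open until the scan has finished.
    """
    tmp = tempfile.TemporaryFile(mode="w+b")
    tmp.write(data)
    tmp.flush()
    tmp.seek(0)
    return tmp.fileno(), tmp


def read_from_start(fd, size):
    """Rewind *fd* and read *size* bytes: the property the scanner relies on."""
    os.lseek(fd, 0, os.SEEK_SET)
    return os.read(fd, size)


def load_libclamav(name=None):
    """Bind the entry points we need; return None if the library is absent.

    On Windows pass the DLL name explicitly (e.g. "libclamav.dll"); ctypes'
    find_library would look for "clamav.dll" otherwise.
    """
    path = name or ctypes.util.find_library("clamav")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    c = ctypes
    lib.cl_init.argtypes, lib.cl_init.restype = [c.c_uint], c.c_int
    lib.cl_engine_new.argtypes, lib.cl_engine_new.restype = [], c.c_void_p
    lib.cl_retdbdir.argtypes, lib.cl_retdbdir.restype = [], c.c_char_p
    lib.cl_load.argtypes = [c.c_char_p, c.c_void_p, c.POINTER(c.c_uint), c.c_uint]
    lib.cl_load.restype = c.c_int
    lib.cl_engine_compile.argtypes, lib.cl_engine_compile.restype = [c.c_void_p], c.c_int
    # 0.99 prototype: cl_scandesc(desc, &virname, &scanned, engine, scanoptions)
    lib.cl_scandesc.argtypes = [c.c_int, c.POINTER(c.c_char_p), c.POINTER(c.c_ulong),
                                c.c_void_p, c.c_uint]
    lib.cl_scandesc.restype = c.c_int
    lib.cl_engine_free.argtypes, lib.cl_engine_free.restype = [c.c_void_p], c.c_int
    return lib


def scan_bytes(data, lib=None):
    """Return (CL_CLEAN, None) or (CL_VIRUS, name); None if no engine/database."""
    lib = lib or load_libclamav()
    if lib is None:
        return None
    dbdir = lib.cl_retdbdir()
    if not dbdir or not os.path.isdir(dbdir):
        return None
    if lib.cl_init(CL_INIT_DEFAULT) != CL_SUCCESS:
        raise RuntimeError("cl_init failed")
    engine = lib.cl_engine_new()
    if not engine:
        raise RuntimeError("cl_engine_new failed")
    try:
        signo = ctypes.c_uint(0)
        if lib.cl_load(dbdir, engine, ctypes.byref(signo), CL_DB_STDOPT) != CL_SUCCESS:
            raise RuntimeError("cl_load failed")
        if lib.cl_engine_compile(engine) != CL_SUCCESS:
            raise RuntimeError("cl_engine_compile failed")
        fd, keepalive = buffer_to_rewindable_fd(data)
        try:
            virname = ctypes.c_char_p()
            scanned = ctypes.c_ulong(0)
            rc = lib.cl_scandesc(fd, ctypes.byref(virname), ctypes.byref(scanned),
                                 engine, SCAN_OPTS)
        finally:
            keepalive.close()
        if rc == CL_VIRUS:           # virname points at engine memory: copy before free
            return CL_VIRUS, virname.value.decode("utf-8", "replace")
        if rc == CL_CLEAN:
            return CL_CLEAN, None
        raise RuntimeError("cl_scandesc returned %d" % rc)
    finally:
        lib.cl_engine_free(engine)


if __name__ == "__main__":
    sample = b"constructed sample buffer, not a real file"   # constructed input
    print(scan_bytes(sample))
```

scan_bytes returns None rather than scanning when libclamav or its database directory is not installed, so the descriptor helper can be exercised on its own. Two caveats for the C# port: on Windows an int descriptor belongs to the C runtime that opened it, so it only lines up with what libclamav.dll expects if the library and your process share a C runtime (when they do not, the "always expecting a physical file" failure reported above is what you see, and writing the buffer to a named temporary file and calling cl_scanfile with its path is the portable fallback); and cl_scandesc gained a filename parameter and a struct cl_scan_options argument in 0.101, so the argtypes must follow the library version you ship.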

[Clamav-devel] Question have an about LibClamAV.dll

2017-04-10 Thread Shanmugam, Suresh (Conduent)
Hi Developers,

I have a query about doing a scan using a byte[] with the help of LibClamAV.dll (win32).
If anyone knows the methods to pass the byte[], please provide the details.

Note:
I am able to scan a file by physical path, but not able to do it with a byte[].
Please help me.

Regards,
Suresh Shanmugam.



[Clamav-devel] Question about detection of malware types

2017-04-10 Thread crazy thinker
Hi ClamAV User, Developer


I like the ClamAV tool and have the question below:

Is ClamAV able to detect the malware types below?

1. adware
2. spyware
3. virus
4. trojan
5. worm
6. rootkit
7. backdoors
8. keyloggers
9. rogue security software
10. ransomware
11. browser hijacker


[Clamav-devel] Question about Repairing infected files

2016-12-03 Thread crazy thinker
Hi All,


It is known that ClamAV uses pattern matching to catch infected files. In
this case, can we use a pattern-removal strategy to repair infected files?

Could any one of you help me to get the steps to follow for repairing
infected files?


[Clamav-devel] Question about mpool_malloc() error on 0.97.8

2016-11-28 Thread Tsutomu Oyamada
We have a question about the mpool_malloc() error of version 0.97.8, as follows.

We know this error is caused by the small value of fragsz[] (defined in
libclamav/mpool.c).
Is this understanding correct?

Is there any reason why it does not stop unusually (abnormally) when the error
happened?
(It seems that the treatment for the error was not completed correctly.)

The size was increased from 0.98 to 1.28MB (8MB formerly).
Is that correct?

And,
shall a similar error occur if it becomes not big enough?
We are worried that the same issue will occur again, because
we found that clamd went into an infinite loop and spent 100% of CPU in the
case of reading the CVD, when engine v.0.97.8 was reading CVD v.22408.




[Clamav-devel] Question about ClamAV Engine

2016-11-26 Thread crazy thinker
Hi all,

I am doing research on anti-virus engines. For my research, I downloaded the
ClamAV source code and built it from source. When I debugged the source code,
I came to know that ClamAV internally has 14 engine instances for performing
scanning of files against the virus DB files.
Could any one of you tell me why it logically creates 14 engine instances?

I am planning to port the ClamAV source code to the Android platform. Could
any one of you be interested in this? Please join hands with me :)


[Clamav-devel] Question about Virus DB

2016-11-26 Thread crazy thinker
Hi all,

I have a doubt regarding the virus DB files. Why is the ClamAV team providing
a common database for platforms like Windows, Linux and Mac OS X? Why don't
they provide virus database files that are platform-specific? Is there any
specific reason behind this? I am very curious to know.


Thanks,

Crazy


[Clamav-devel] Question on Bloom fliter

2016-09-05 Thread Satish Gampa
Hi all,

I am browsing the ClamAV source code and I think ClamAV is currently using the
Bloom filter data structure in the pre-filtering step. Could someone help me
to understand the internal logic of signature storage in depth?

What information does the Bloom filter contain about a virus signature? And
is the full length of each virus signature used to build a trie?

Kindly waiting for a reply!!!


Thanks,
Satish Kumar G


Re: [Clamav-devel] Question about matcher-bm.c

2012-08-16 Thread Chatsiri Ratana
On Wed, Aug 15, 2012 at 11:35 PM, David Raynor dray...@sourcefire.com wrote:

 On Wed, Aug 15, 2012 at 6:58 AM, Chatsiri Ratana insider...@gmail.com
 wrote:

  Hello Dave R,
 
 1) How to ClamAV categories virus signature in SHA1, SHA256, MD5  and
  Hexdump  types?
 2) What's estimate signature types of virus load  to A-C and B-M on
  ClamAV? I see flags --ac-only for loading signature file to A-C tires,
 But
  I not sure how to selected virus types load to A-C and B-M algorithms
 when
  scanning virus in common mode.
 
 
 
 
  --
  :

 1) Details on signature formats are in the signatures.pdf included in the
 docs folder of the source.

Hello Dave R,

I did not find a section detailing why the selected virus signature is MD5
or SHA1 when using Sigtool to get a signature from binary files. Signature.pdf
presents only the method for creating a virus signature with MD5.

Best Regards,
Chatsiri Rattana.


 2) This question is a little confusing. If you are asking about numbers of
 signatures, the numbers change daily. If you run clamscan in debug mode, it
 will report the size and contents of the tries with signature counts
 grouped by the filetypes they will scan. There are counts for both BM and
 AC.

 Hope this helps,

 Dave R.







Re: [Clamav-devel] Question about matcher-bm.c

2012-08-16 Thread Vishrut Sharma
Hi Chatsiri,
PE section MD5 signatures are more useful than MD5 signatures of the entire
file (because they allow the other sections of the PE to vary, thus catching
more samples with a single signature). Moreover, updating becomes easy this way.
Hope you got your answer.


-- 
Vishrut Sharma
Security Researcher
Vice Chair, Membership Growth
and Sustainability Committee, IEEE CS India Council
-
Member of ACM, IEEE,
IEEE Computer Society, DSCI
-
URL: *http://member.acm.org/~vishrut1* http://member.acm.org/~vishrut1


Re: [Clamav-devel] Question about matcher-bm.c

2012-08-16 Thread Chatsiri Ratana
On Thu, Aug 16, 2012 at 8:01 PM, Vishrut Sharma v.vish...@gmail.com wrote:

 Hi Chatsiri,
 PE section MD5 signatures are more useful than MD5 signatures of the entire
 file (because it allows the other section of the PE to vary, thus catching
 more
 samples with a single signature. Moreover, updating becomes easy this way.
 Hope you got your answer.


Hello Vishrut Sharma,

If the file is not a PE type, such as JavaScript (malicious code) or other
file types, should we use SHA1, SHA256 or hexdump?

Best Regards,
Chatsiri Rattana.





Re: [Clamav-devel] Question about matcher-bm.c

2012-08-15 Thread Chatsiri Ratana
On Wed, Jul 4, 2012 at 4:25 AM, David Raynor dray...@sourcefire.com wrote:


Hello Dave R,

1) How does ClamAV categorize virus signatures into SHA1, SHA256, MD5 and
hexdump types?
2) Roughly which signature types are loaded into A-C and which into B-M in
ClamAV? I see the --ac-only flag for loading signature files into A-C tries, but
I am not sure how virus types are selected for the A-C and B-M algorithms when
scanning for viruses in common mode.







Re: [Clamav-devel] Question about matcher-bm.c

2012-08-15 Thread David Raynor
On Wed, Aug 15, 2012 at 6:58 AM, Chatsiri Ratana insider...@gmail.com wrote:

 Hello Dave R,

 1) How does ClamAV categorize virus signatures into SHA1, SHA256, MD5 and
 hexdump types?
 2) Roughly which signature types are loaded into A-C and which into B-M in
 ClamAV? I see the --ac-only flag for loading signature files into A-C tries,
 but I am not sure how virus types are selected for the A-C and B-M algorithms
 when scanning for viruses in common mode.






1) Details on signature formats are in the signatures.pdf included in the
docs folder of the source.

2) This question is a little confusing. If you are asking about numbers of
signatures, the numbers change daily. If you run clamscan in debug mode, it
will report the size and contents of the tries with signature counts
grouped by the filetypes they will scan. There are counts for both BM and
AC.

Hope this helps,

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com


Re: [Clamav-devel] Question about matcher-bm.c

2012-07-03 Thread David Raynor
On Mon, Jul 2, 2012 at 5:07 PM, Alexandre Dias lexx...@gmail.com wrote:

 Hello,

 I'm studying multi-pattern matching and I was browsing the source code for
 ClamAV's implementation of a multi-pattern matcher (Wu-Manber based)
 algorithm.

 I've got a question regarding the block and minimum size values.

 At the moment, both the block size and the minimum pattern length are set
 to 3 bytes.

 If I understood the algorithm correctly, this means that the only possible
 shift values are either 0 (at which point a match is possible), or 1
 (minimum pattern size - block size + 1).

 If this is the case, given that the algorithm can only move at most one
 byte at a time, what is the advantage of using this algorithm instead of
 Aho-Corasick (besides space efficiency) ?

 Thank you for your time.

 Best regards,

 -Alexandre Dias


Space efficiency is important. We do need to care about memory usage. But
ruling that out, consider that ClamAV has different places and different
ways it uses pattern matching. For the sake of consistency with how it is
named in the code, I'll refer to the two modified styles of matching as B-M
(for Boyer-Moore/Wu-Manber style) and A-C (for Aho-Corasick).

ClamAV has over 113,000 signatures right now and they are split between the
A-C and B-M categories. ClamAV is not using pure pattern matching of either
style and has pre-filtering steps. Some signatures are scanning direct file
content. Other signatures are matching hashes [or in some cases, hashes of
file segments]. Files can have wildly varying lengths, while the hashes
have predetermined lengths. There are logical signatures that require
certain combinations of matches. ClamAV even uses pattern matching when
checking signatures at load time to filter out those that have been added
to the ignore lists. Any optimization would be impacted daily with each new
signature that is added. To sum up, there are quite a variety of needles
and haystacks involved in the searching.

Back to your question. You are correct that the shift values will be 0 or
1. While I cannot give you an analytical defense to the choice of minimum
pattern size & block size, there is a natural tension between the two. From
what I read, Wu & Manber used a block size of 3 in their May 1994 paper.
And any efficiency gained from longer shifts (which would be based on
values which never appear in any signature) could be targeted by malware
writers to eliminate it by forcing creation of signatures that fill that
gap. I also don't know the difference in effective cost of frequent partial
matches between A-C and B-M. These are things that could be measurable but
I do not have statistics at hand.

There is more history on the topic of algorithms and their use in ClamAV to
be found in the back history of the mailing list. Discussions of everything
from extended Boyer-Moore to bloom filters.

Hope this helps,

Dave R.
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com


[Clamav-devel] Question about matcher-bm.c

2012-07-02 Thread Alexandre Dias
Hello,

I'm studying multi-pattern matching and I was browsing the source code for
ClamAV's implementation of a multi-pattern matcher (Wu-Manber based)
algorithm.

I've got a question regarding the block and minimum size values.

At the moment, both the block size and the minimum pattern length are set
to 3 bytes.

If I understood the algorithm correctly, this means that the only possible
shift values are either 0 (at which point a match is possible), or 1
(minimum pattern size - block size + 1).

If this is the case, given that the algorithm can only move at most one
byte at a time, what is the advantage of using this algorithm instead of
Aho-Corasick (besides space efficiency) ?

Thank you for your time.

Best regards,

-Alexandre Dias
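
To put numbers on the shift arithmetic in the question and in Dave Raynor's reply above, here is an added Python sketch of the Wu-Manber SHIFT table; it is my illustration, not ClamAV's matcher-bm.c (which additionally has prefiltering and wildcards). With block size B and minimum pattern length m the default shift is m - B + 1, so with m = B = 3 every table entry is 0 and the default is 1, whereas a pattern set with minimum length 8 lets the same search skip up to 6 bytes at a time. The search returns how many text positions it looked at so the difference is visible; the text and both pattern sets are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed text and pattern sets for the example.
TEXT = "the quick brown fox jumps over the lazy dog"
SHORT_PATTERNS = ["fox", "dog", "jumps"]      # minimum length 3 == block size 3
LONG_PATTERNS = ["brown fox", "lazy dog"]     # minimum length 8, so shifts reach 6


def build_shift(patterns: List[str], B: int = 3) -> Tuple[Dict[str, int], int, int]:
    """Wu-Manber SHIFT table over the first m characters of every pattern.

    Returns (shift table, default shift, m). A block that ends at position q of
    some m-prefix gets shift m - q; a block found in no prefix gets the default
    m - B + 1. With m == B the only q is m itself, so the table holds nothing
    but zeros and the default is 1: the matcher can never skip more than a byte.
    """
    m = min(len(p) for p in patterns)
    if m < B:
        raise ValueError("every pattern must be at least B characters long")
    default = m - B + 1
    shift: Dict[str, int] = {}
    for p in patterns:
        prefix = p[:m]
        for q in range(B, m + 1):
            block = prefix[q - B:q]
            shift[block] = min(shift.get(block, default), m - q)
    return shift, default, m


def wm_search(text: str, patterns: List[str], B: int = 3) -> Tuple[List[Tuple[int, str]], int]:
    """Multi-pattern search; returns (matches as (offset, pattern), positions examined)."""
    shift, default, m = build_shift(patterns, B)
    # Candidates are keyed by the last block of their m-prefix (Wu-Manber's HASH table).
    by_block: Dict[str, List[str]] = {}
    for p in patterns:
        by_block.setdefault(p[m - B:m], []).append(p)

    hits: List[Tuple[int, str]] = []
    examined = 0
    i = m - 1                                  # index of the last byte of the current window
    while i < len(text):
        examined += 1
        block = text[i - B + 1:i + 1]
        s = shift.get(block, default)
        if s == 0:                             # block ends some pattern's m-prefix: verify
            start = i - m + 1
            for p in by_block.get(block, []):
                if text.startswith(p, start):
                    hits.append((start, p))
            s = 1                              # a zero shift still has to advance
        i += s
    return hits, examined


if __name__ == "__main__":
    for pats in (SHORT_PATTERNS, LONG_PATTERNS):
        found, examined = wm_search(TEXT, pats)
        print(f"{pats}: {found}, examined {examined} of {len(TEXT)} positions")
```

With SHORT_PATTERNS the search inspects every one of the 41 windows in the 43-byte text; with LONG_PATTERNS it inspects 8, which is the space-for-speed trade the thread is weighing.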


Re: [Clamav-devel] Question about wildcards ?? and {n} in signatures

2012-03-06 Thread Tomasz Kojm
On Wed Mar 07 2012 01:21:25 GMT+0100 (CET)
Alexandre Dias lexx...@gmail.com wrote:
 Hello,
 
 I am doing my Msc thesis work in pattern matching, and I am using
 ClamAV's signature database.
 
 I've got a question about two specific wildcards that are stated in
 the signatures.pdf file (titled Creating Signatures for ClamAV).
 
 According to the document, the wildcard {n} states that n bytes can
 be matched. Also, the wildcard ?? states that any one byte can be
 matched. I have found some {1} wildcards in the database. I assume
 that by saying match n bytes, the meaning is that we can match any n
 bytes. If that is the case, what is the difference between ?? and
 {1} ?

There's no difference, ClamAV translates {1} into ??.

-TK


Re: [Clamav-devel] question about the database in clamav

2010-08-29 Thread Török Edwin
On Thu, 26 Aug 2010 19:33:44 -0700 (PDT)
outstandingcandy outstandingca...@gmail.com wrote:

 Hi all!
 Does anybody know what the following signature means
 (especially the last two sections)?
 VBS.Redlof-1:3:*:666f73b2079706f735b695d3d79:0:26

See signatures.pdf, the last two are the minimum and maximum required
functionality levels for the signature to be loaded.
This signature won't be loaded at all because its max level is 26 (we
are at 54 now).

Best regards,
--Edwin


[Clamav-devel] question about the database in clamav

2010-08-26 Thread outstandingcandy
Hi all!
Does anybody know what the following signature means (especially the last
two sections)?
VBS.Redlof-1:3:*:666f73b2079706f735b695d3d79:0:26


2010-08-27
outstandingcandy
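
The .ndb line in the question has the layout Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]] that signatures.pdf describes, and Tomasz Kojm's answer in the wildcard thread above says {1} is the same as ??. The Python below is an added example that exercises both points; it is not ClamAV code. The functionality level 54 is the number Edwin quotes above, the target-type names and the wildcard forms are my reading of signatures.pdf (check them against your copy), only `*` and absolute offsets are supported, and the database entries and scanned bytes are constructed. Run against the posted VBS.Redlof-1 line it reports the signature as not loadable at level 54, and the hex body as it appears on this page has an odd number of digits, which the tokenizer rejects.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed current functionality level, taken from Edwin's reply ("we are at 54 now").
CURRENT_FLEVEL = 54

# Target types as listed in signatures.pdf (from memory; verify against your copy).
TARGET_TYPES = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail",
                5: "Graphics", 6: "ELF", 7: "ASCII normalized"}


@dataclass
class NdbSignature:
    name: str
    target: int
    offset: str          # "*" or an absolute byte offset; EP+n / EOF-n forms are not handled
    hexsig: str
    min_flevel: int = 0
    max_flevel: Optional[int] = None


def parse_ndb_line(line: str) -> NdbSignature:
    """Split Name:Target:Offset:HexSig[:MinFL[:MaxFL]] into its fields."""
    fields = line.strip().split(":")
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"expected 4 to 6 fields, got {len(fields)}: {line!r}")
    sig = NdbSignature(fields[0], int(fields[1]), fields[2], fields[3].lower())
    if len(fields) >= 5:
        sig.min_flevel = int(fields[4])
    if len(fields) == 6:
        sig.max_flevel = int(fields[5])
    return sig


def loadable(sig: NdbSignature, flevel: int = CURRENT_FLEVEL) -> bool:
    """An engine at functionality level `flevel` loads the signature only inside [min, max]."""
    if flevel < sig.min_flevel:
        return False
    return sig.max_flevel is None or flevel <= sig.max_flevel


# One token of the hex body: "*", "{n}", "{n-m}"/"{n-}"/"{-m}", "(aa|bb)", or a byte
# written as two nibbles, each a hex digit or "?".
_TOKEN = re.compile(r"\*|\{\d*-\d*\}|\{\d+\}|\([0-9a-f|]+\)|[0-9a-f?]{2}")


def _byte_class(lo: int, hi: int) -> bytes:
    return b"[" + re.escape(bytes([lo])) + b"-" + re.escape(bytes([hi])) + b"]"


def hexsig_to_regex(hexsig: str) -> bytes:
    """Translate the hex signature language into an equivalent bytes regex."""
    hexsig = hexsig.lower()
    out, pos = [], 0
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if not m:   # odd digit count, stray character, unbalanced braces ...
            raise ValueError(f"malformed hex signature at {pos}: {hexsig[pos:]!r}")
        tok, pos = m.group(0), m.end()
        if tok == "*":
            out.append(b".*?")
        elif tok.startswith("{"):
            body = tok[1:-1]
            if "-" in body:                                   # {n-m}, {n-}, {-m}
                lo, hi = body.split("-", 1)
                out.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
            else:                                             # {n}; {1} is just ??
                n = int(body)
                out.append(b"." if n == 1 else b".{%d}" % n)
        elif tok.startswith("("):                             # (aa|bb) alternation
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
        elif tok == "??":
            out.append(b".")
        elif "?" not in tok:
            out.append(re.escape(bytes.fromhex(tok)))
        elif tok[1] == "?":                                   # "a?": 0xa0 .. 0xaf
            base = int(tok[0], 16) << 4
            out.append(_byte_class(base, base | 0x0f))
        else:                                                 # "?a": 0x0a, 0x1a, ... 0xfa
            low = int(tok[1], 16)
            out.append(b"[" + b"".join(re.escape(bytes([(h << 4) | low])) for h in range(16)) + b"]")
    return b"".join(out)


def match_signature(sig: NdbSignature, data: bytes) -> bool:
    pattern = re.compile(hexsig_to_regex(sig.hexsig), re.DOTALL)
    if sig.offset == "*":
        return pattern.search(data) is not None
    return pattern.match(data, int(sig.offset)) is not None


def scan(db_lines: List[str], data: bytes, flevel: int = CURRENT_FLEVEL) -> List[str]:
    """Names of loadable signatures that match `data`; mirrors the load-time FL check."""
    hits = []
    for line in db_lines:
        if not line.strip() or line.startswith("#"):
            continue
        sig = parse_ndb_line(line)
        if loadable(sig, flevel) and match_signature(sig, data):
            hits.append(sig.name)
    return hits


# Constructed database and data for the example (not from any ClamAV release).
SAMPLE_DB = [
    "Test.Fixed-1:0:*:48656c6c6f",                  # "Hello" anywhere
    "Test.Wild-1:0:*:48656c6c6f{1-3}576f726c64",    # "Hello", 1 to 3 bytes, "World"
    "Test.Nibble-1:0:0:4?{2}??6f",                  # at offset 0: 0x40-0x4f, 2 bytes, 1 byte, "o"
    "Test.Old-1:0:*:48656c6c6f:0:26",               # same FL window as the VBS.Redlof line
]
SAMPLE_DATA = b"Hello, World"

if __name__ == "__main__":
    print(scan(SAMPLE_DB, SAMPLE_DATA))             # Test.Old-1 is skipped at FL 54
    print(scan(SAMPLE_DB, SAMPLE_DATA, flevel=20))  # all four load and match
```
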

Re: [Clamav-devel] [QUESTION] How does clamAV updates the signature database on-the-fly?

2010-08-14 Thread Ladar Levison

 On 7/28/2010 6:18 PM, thyago wrote:

I'm researching ways of updating a signature database on the fly, so the way
ClamAV does it can really help me out...
I mean, what structures are there? How is it implemented?
Is there a data structure used to store the signatures in memory? If so, how
exactly is it updated?
What type of data structure, dynamic or static?
I need to know if you use a pointer to the structure and then just set
it to point to the new updated structure,
and if, for example, there's a condition that limits when this pointer can
be changed... like a thread needing to finish first.

I tried to look for the implementation in the code itself... but it's so
big... I don't know in which file to look =/



Thank you very much, for the help

Thyago



Attached is my implementation. As you can see I use a RW lock to 
minimize contention.
/**
 * @file /magma/providers/external/clamav.c
 *
 * @brief Interface for the ClamAV library.
 *
 * $Author: Ladar Levison $
 * $Date: 2010/08/13 10:32:38 $
 * $Revision: ecaee526d4ba88a141c5b889dd023b13c05c2654 $
 *
 */

#include "magma.h"

/**
 * The virus engine spool directory.
 */
char *virus_spool = NULL;

/**
 * The mask used to generate temporary file names.
 */
char *virus_spool_mask = NULL;

/**
 * The status of the signatures directory.
 */
struct cl_stat virus_stat;

/**
 * The number of signatures loaded by the virus engine.
 */
unsigned int virus_sigs = 0;

/**
 * The virus engine context pointer.
 */
struct cl_engine *virus_engine = NULL;

/**
 * The virus engine read/write lock.
 */
pthread_rwlock_t virus_lock = PTHREAD_RWLOCK_INITIALIZER;

/**
 * Obtains a virus engine read lock and records the number of virus signatures
 * loaded by the active ClamAV engine context.
 *
 * @return Returns the number of virus signatures loaded by the active ClamAV
 * engine context.
 */
uint64_t virus_sigs_loaded(void) {

    uint64_t loaded = 0;

    pthread_rwlock_rdlock(&virus_lock);
    loaded = virus_sigs;
    pthread_rwlock_unlock(&virus_lock);

    return loaded;
}

/**
 * Counts the number of official signatures available inside the ClamAV
 * database folder.
 *
 * @return Returns the number of official signatures available inside the
 * ClamAV database folder.
 */
uint64_t virus_sigs_total(void) {

    int state;
    unsigned int total = 0;

    if ((state = cl_countsigs_d(magma.iface.virus.signatures, CL_COUNTSIGS_OFFICIAL, &total)) != CL_SUCCESS) {
        log_error("ClamAV was unable to count the number of available signatures. {cl_countsigs = %i = %s}", state, cl_strerror_d(state));
        return 0;
    }

    return total;
}

/**
 * Frees a ClamAV engine context and sets the pointer to NULL.
 *
 * @param target A doubly referenced pointer to a ClamAV engine context.
 */
void virus_engine_destroy(struct cl_engine **target) {
    log_check(!target || !*target);
    cl_engine_free_d(*target);
    *target = NULL;
    return;
}


/**
 * Generates a new ClamAV engine context.
 *
 * @param signatures An optional pointer which will be used to record the
 * number of signatures loaded.
 * @return Returns a pointer to the newly created context or NULL if an error
 * occurs.
 */
struct cl_engine * virus_engine_create(uint64_t *signatures) {

    int state;
    unsigned int loaded = 0;
    struct cl_engine *target = NULL;

    // Reset the signatures counter if a pointer was passed in (the pointer is
    // optional, so test the pointer itself, not what it points at).
    if (signatures) {
        *signatures = 0;
    }

    // Allocate ClamAV engine context.
    if ((target = cl_engine_new_d()) == NULL) {
        log_error("ClamAV returned an error while allocating the engine context. {cl_engine = NULL}");
        return NULL;
    }

    // Load the current signature database.
    if ((state = cl_load_d(magma.iface.virus.signatures, target, &loaded, CL_DB_STDOPT)) != CL_SUCCESS) {
        log_error("ClamAV returned an error while loading the database. {cl_load = %i = %s}", state, cl_strerror_d(state));
        cl_engine_free_d(target);
        return NULL;
    }

    // Compile the internal lookup structures.
    if ((state = cl_engine_compile_d(target)) != CL_SUCCESS) {
        log_error("ClamAV database compilation error. {cl_engine_compile = %i = %s}", state, cl_strerror_d(state));
        cl_engine_free_d(target);
        return NULL;
    }

    // Max scan size. 2048 MB.
    // Sets the maximum amount of data to be scanned for each input file.
    if ((state = cl_engine_set_num_d(target, CL_ENGINE_MAX_SCANSIZE, 2048ll * 1048576ll)) != CL_SUCCESS) {
        log_error("ClamAV configuration error. {cl_engine_set_num = %i = %s}", state, cl_strerror_d(state));
        cl_engine_free_d(target);
        return NULL;
    }

    // Max file size. 512 MB.
    // Files larger than this limit won't be scanned.
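
thyago's question above is essentially whether the new structure is built first and a pointer then swapped, and what has to finish before the swap; the RW lock in the attached file is the answer. As an added illustration (my code, not Lavabit's or ClamAV's), the Python below models that protocol with a toy engine: the replacement engine is compiled with no lock held (the cl_engine_new / cl_load / cl_engine_compile stage), the pointer is swapped under the write lock, which cannot be granted while any scan holds the read lock, and the old engine is released only after that. The signature lines are constructed and a plain version number stands in for the cl_stat directory check.

```python
import threading
from dataclasses import dataclass
from typing import List, Set, Tuple


class RWLock:
    """Writer-preferring read/write lock, the Python analogue of pthread_rwlock_t."""

    def __init__(self) -> None:
        self._cond = threading.Condition()
        self._readers = 0
        self._writer = False
        self._writers_waiting = 0

    def acquire_read(self) -> None:
        with self._cond:
            while self._writer or self._writers_waiting:
                self._cond.wait()
            self._readers += 1

    def release_read(self) -> None:
        with self._cond:
            self._readers -= 1
            if self._readers == 0:
                self._cond.notify_all()

    def acquire_write(self) -> None:
        with self._cond:
            self._writers_waiting += 1
            while self._writer or self._readers:
                self._cond.wait()
            self._writers_waiting -= 1
            self._writer = True

    def release_write(self) -> None:
        with self._cond:
            self._writer = False
            self._cond.notify_all()


@dataclass(frozen=True)
class Engine:
    """Stand-in for struct cl_engine: an immutable set of compiled byte patterns."""
    version: int
    patterns: Tuple[bytes, ...]


def compile_engine(db_lines: List[str], version: int) -> Engine:
    """Stand-in for cl_engine_new + cl_load + cl_engine_compile; runs with no lock held."""
    return Engine(version, tuple(bytes.fromhex(l.split(":")[3]) for l in db_lines if l.strip()))


class Scanner:
    def __init__(self, db_lines: List[str], db_version: int = 1) -> None:
        self._lock = RWLock()
        self._engine = compile_engine(db_lines, db_version)
        self._db_version = db_version      # stands in for the cl_stat snapshot

    def scan(self, data: bytes) -> Tuple[str, int]:
        """Scan under the read lock; returns (verdict, version of the engine used)."""
        self._lock.acquire_read()
        try:
            engine = self._engine          # re-read the pointer on every scan
            verdict = "FOUND" if any(p in data for p in engine.patterns) else "OK"
            return verdict, engine.version
        finally:
            self._lock.release_read()

    def reload(self, db_lines: List[str], db_version: int) -> bool:
        """Rebuild only when the database changed (the cl_statchkdir check), then swap."""
        if db_version == self._db_version:
            return False
        new_engine = compile_engine(db_lines, db_version)   # slow; scans keep running
        self._lock.acquire_write()                          # blocks until in-flight scans finish
        try:
            old_engine, self._engine, self._db_version = self._engine, new_engine, db_version
        finally:
            self._lock.release_write()
        del old_engine    # the cl_engine_free() point: no scan can still be using it
        return True


# Constructed Name:Target:Offset:Hex lines for the example.
DB_V1 = ["Test.Evil-1:0:*:4556494c"]                             # "EVIL"
DB_V2 = ["Test.Evil-1:0:*:4556494c", "Test.Bad-1:0:*:424144"]    # adds "BAD"


def stress(scanner: Scanner, rounds: int = 200) -> Set[int]:
    """Scan from four threads while DB_V2 is loaded; returns the engine versions observed."""
    seen: Set[int] = set()
    guard = threading.Lock()

    def reader() -> None:
        for _ in range(rounds):
            _, version = scanner.scan(b"nothing BAD here")
            with guard:
                seen.add(version)

    threads = [threading.Thread(target=reader) for _ in range(4)]
    for t in threads:
        t.start()
    scanner.reload(DB_V2, 2)
    for t in threads:
        t.join()
    return seen
```

Every scan sees either the old or the new engine in full, never a half-built one, because compile_engine does its work before the write lock is taken; the cost is that reload has to wait for scans already in progress, which is the contention the RW lock keeps to a minimum.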

Re: [Clamav-devel] [QUESTION] How does clamAV updates the signature database on-the-fly?

2010-08-14 Thread Török Edwin
 /**
  * @file /magma/providers/external/clamav.c
  *
  * @brief Interface for the ClamAV library.
  *
  * $Author: Ladar Levison $
  * $Date: 2010/08/13 10:32:38 $
  * $Revision: ecaee526d4ba88a141c5b889dd023b13c05c2654 $
   // Scan the message. The OLE code has a bug in it that causes segfaults.

What bug ??

   // We ignore email that ClamAV thinks is a phishing based on scanner's internal heuristic checks.
   else if (starts_ci_bl_bl("Phishing", 8, virname, ns_get_length(virname)) ||
       starts_ci_bl_bl("Joke", 4, virname, ns_get_length(virname))) {
       pthread_rwlock_unlock(&virus_lock);
       stats_increment_by_name("provider.virus.scan.total");
       stats_increment_by_name("provider.virus.scan.clean");
       close(fd);
       return 0;
   }

This is incorrect, if you want to match the heuristic Phishing
detection use Heuristics.Phishing.
There are signatures which contain *Phishing*, and *Joke*. ClamAV stops
on first match.

So if you get a zip that contains something ClamAV detects as
Phishing/Joke as the first element in the zip, followed by real malware, then it
will only report the first match (Phishing/Joke). Your code will mark
it as clean, when in fact it could be infected.
(Note that this is not the case for Heuristics.Phishing where ClamAV
keeps on scanning and only reports the heuristics if it didn't find
anything else).

The proper way to deal with this is to not load the Phishing signatures
at all, there is an option you can pass to cl_load() for that.
For *Joke* there is no flag that you can pass though.

Best regards,
--Edwin


Re: [Clamav-devel] [QUESTION] How does clamAV updates the signature database on-the-fly?

2010-08-14 Thread Ladar Levison

 On 8/14/2010 3:19 AM, Török Edwin wrote:


// Scan the message. The OLE code has a bug in it that causes segfaults.


What bug ??


That comment was related to a bug I found in Feb/2008 and v0.92.1, but 
has long since been patched. See this email thread for details:


http://marc.info/?l=clamav-develm=120442553919615

I had an internal patch floating around for a while that fixed the issue 
inside ole2_walk_property_tree() by incrementing rec_level. Somewhere 
along the line the issue was fixed, but I never removed the comment. The 
relevant lines in v0.96.2 increment rec_level just like my patch did. I 
never submitted the patch because back in 2008 you indicated that it 
wasn't the best solution.



// We ignore email that ClamAV thinks is a phishing based on scanner's internal heuristic checks.
else if (starts_ci_bl_bl("Phishing", 8, virname, ns_get_length(virname)) ||
    starts_ci_bl_bl("Joke", 4, virname, ns_get_length(virname))) {
    pthread_rwlock_unlock(&virus_lock);
    stats_increment_by_name("provider.virus.scan.total");
    stats_increment_by_name("provider.virus.scan.clean");
    close(fd);
    return 0;
}


This is incorrect, if you want to match the heuristic Phishing
detection use Heuristics.Phishing.
There are signatures which contain *Phishing*, and *Joke*. ClamAV stops
on first match.

So if you get a zip that contains something ClamAV detects as
Phishing/Joke as the first element in the zip, followed by real malware, then it
will only report the first match (Phishing/Joke). Your code will mark
it as clean, when in fact it could be infected.
(Note that this is not the case for Heuristics.Phishing where ClamAV
keeps on scanning and only reports the heuristics if it didn't find
anything else).

The proper way to deal with this is to not load the Phishing signatures
at all, there is an option you can pass to cl_load() for that.
For *Joke* there is no flag that you can pass though.


Is it possible to determine when ClamAV detects more than one virus and 
iterate through the resulting names? I revisited the ex1.c file, and the 
clamscan/manager.c file and they seem to suffer from the same issue. In 
the case of clamscan, it only outputs the first virus name, which like 
you pointed out could be innocuous compared to what else lies farther 
along in the file.


If we are limited to only a single result, wouldn't it make more sense 
to have a precedence order in place? Presumably malware would rate 
ahead of phishing or jokes.


--
Ladar Levison
Lavabit LLC
http://lavabit.com







Re: [Clamav-devel] [QUESTION] How does clamAV updates the signature database on-the-fly?

2010-08-14 Thread Ladar Levison

 On 8/14/2010 5:30 AM, Török Edwin wrote:

Heuristics.Phishing.* will not stop the scan, and report only if
nothing else is found.
Other engine detections could be changed to behave the same way.
Signature based detections however always stop on first match, and that
is not configurable.
If you want to ignore certain signature categories, it is best to not
load them in the first place. To do that you can unpack the DBs, and
remove the sigs you don't want.



What I'm trying to do is let the user decide whether to enable a 
specific category, so removing the signatures from the database isn't an 
option for me. For awhile now, our users have been able to use the 
preferences portal on our website to enable/disable malware checks 
and/or phishing checks. The malware category is usually a reliable 
reason to send a message to the bit bucket. While the latter 
Phishing/Heuristic/Joke categories are more likely to generate a false 
positive. Perhaps it's just me, but I would consider the ability to 
reliably determine what ClamAV found important.


--
Ladar Levison
Lavabit LLC
http://lavabit.com






[Clamav-devel] [QUESTION] How does clamAV updates the signature database on-the-fly?

2010-07-28 Thread thyago
I'm researching ways of updating a signature database on the fly, so the way
ClamAV does it can really help me out...
I mean, what structures are there? How is it implemented?
Is there a data structure used to store the signatures in memory? If so, how
exactly is it updated?
What type of data structure, dynamic or static?
I need to know if you use a pointer to the structure and then just set
it to point to the new updated structure,
and if, for example, there's a condition that limits when this pointer can
be changed... like a thread needing to finish first.

I tried to look for the implementation in the code itself... but it's so
big... I don't know in which file to look =/



Thank you very much, for the help

Thyago


Re: [Clamav-devel] Question

2010-05-18 Thread Mohammed Al-Saleh
Hi Edwin,

On Apr 27, 2010, at 7:19 AM, Török Edwin wrote:

 On 04/26/2010 10:20 PM, Mohammed Al-Saleh wrote:
 Hi Edwin,
 
 Thanks for your reply.
 I need to know the cases where ClamAV has performance bottlenecks or issues.
 
 The best way to do that is by measuring it.
 Read the last part of this reply:
 http://lurker.clamav.net/message/20081204.212941.c9fa45c2.en.html
 
 What kind of texts could make ClamAV take more time than usual?
 
 That question is hard to answer, since the signatures change each day,
 thus the AC trie changes, the prefiltering patterns change ...
 
 Aho-Corasick and Boyer-Moore might have some situations that cause 
 performance issues.
 
 There is also a prefiltering step now.
 You can search bugzilla on why it was introduced.
 
 I might consider doing improvements or study performance impact.
 
 Don't expect it to be easy to make improvements.
 
 I spent quite a lot of time on the prefiltering step, and the problem is
 that some signatures falsely match a lot of times (like 'PE' from the PE
 signature), but the entire signature usually doesn't.
 So ClamAV has to stop the trie lookup, test the match, continue the trie
 lookup lots of times.

My understanding (please correct me if I am wrong) is that the first step in 
matching (let's ignore the filetype recognition and such) is the prefiltering 
step.
If the filter matches then further matching (using either AC or BM) is needed 
to make sure that it is not a false positive because the filter could contain 
more patterns than it should (and the filter matches at most 8 characters of 
the original signature so the other parts might not match).
I am not sure if I understand your point here and I really want to understand 
it:
So ClamAV has to stop the trie lookup, test the match, continue the trie 
lookup lots of times.
Can you please explain this to me more?
If the filter matches but AC or BM does not, would we return back to the filter 
to continue from the point it matches?


 Although the actual test is fast enough, if it happens a million times
 it does slow things down.
 
 Also the AC and BM are not textbook versions, they contain extensions
 (like wildcards).
 It is important that you study the performance with the actual
 signatures from main/daily.cvd, and on real files (both clean and infected).
 
 Do you think that this could be a realistic problem to study?
 
 That depends if you have some specific ideas on how to improve AC/BM, or
 you just want to try improving it, and give up if its not possible.
 
 Best regards,
 --Edwin

Thanks much,

~Moe

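
Mohammed's summary above (a fragment of at most 8 characters of each signature is looked up first, a fragment hit only means "run the real A-C or B-M match here", and a fragment such as "PE" fires far more often than its full signature) and Satish Gampa's question earlier on this page about what the filter stores can both be seen in a few lines. The Python below is an added example of that two-stage structure and not ClamAV's filtering code: its filter is a plain dictionary of fragments (a Bloom filter or bitmap in its place would only add more false "maybe" answers, never miss a true one), the signature and the scanned buffer are constructed, and the scan reports how many full verifications were forced against how many actually matched.

```python
from typing import Dict, List, Tuple

MAX_FRAGMENT = 8   # the filter sees at most this many bytes of a signature (Edwin's reply above)


class TwoStageMatcher:
    """Stage 1, the prefilter: look up a fixed-length fragment of every signature.
    Stage 2, verification: run the full signature only where the fragment fired."""

    def __init__(self, signatures: Dict[str, bytes], frag_len: int = MAX_FRAGMENT) -> None:
        if not 1 <= frag_len <= MAX_FRAGMENT:
            raise ValueError("fragment length must be between 1 and MAX_FRAGMENT")
        if any(len(sig) < frag_len for sig in signatures.values()):
            raise ValueError("every signature must be at least frag_len bytes long")
        self.signatures = signatures
        self.frag_len = frag_len
        # The filter stores only the fragment, never the whole signature, so it can
        # answer "maybe" for data the full signature will reject.
        self.filter: Dict[bytes, List[str]] = {}
        for name, sig in signatures.items():
            self.filter.setdefault(sig[:frag_len], []).append(name)

    def scan(self, data: bytes) -> Tuple[List[Tuple[int, str]], int]:
        """Returns (matches as (offset, name), number of full verifications performed)."""
        hits: List[Tuple[int, str]] = []
        verifications = 0
        for pos in range(len(data) - self.frag_len + 1):
            candidates = self.filter.get(data[pos:pos + self.frag_len])
            if not candidates:
                continue                      # the common case: the filter says no
            for name in candidates:           # filter said maybe: stop and test the real thing
                verifications += 1
                if data.startswith(self.signatures[name], pos):
                    hits.append((pos, name))
        return hits, verifications


# Constructed signature: a PE header fragment (Machine 0x014c, 3 sections) plus a tail.
SIGNATURES = {"Test.PEHeader-1": b"PE\x00\x00\x4c\x01\x03\x00\xde\xad\xbe\xef"}

# Constructed buffer: lots of innocent "PE" text, one near miss (5 sections), one real hit.
SAMPLE = (b"OPEN TYPE PEN EXPECT PERL " * 3
          + b"PE\x00\x00\x4c\x01\x05\x00\xde\xad\xbe\xef"
          + b" filler "
          + SIGNATURES["Test.PEHeader-1"]
          + b" tail PEP")


def verification_counts(data: bytes = SAMPLE) -> Dict[int, Tuple[int, int]]:
    """Map fragment length -> (matches found, verifications needed) on the same data."""
    result = {}
    for frag_len in (2, 4, 8):
        hits, verifications = TwoStageMatcher(SIGNATURES, frag_len).scan(data)
        result[frag_len] = (len(hits), verifications)
    return result


if __name__ == "__main__":
    for frag_len, (found, checked) in verification_counts().items():
        print(f"fragment {frag_len} bytes: {found} match(es), {checked} verification(s)")
```

On the sample buffer a 2-byte fragment forces 18 full checks for a single real match, a 4-byte fragment 2, and an 8-byte fragment 1; the filter never drops the true hit, it only decides how often the trie lookup has to stop and verify.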


Re: [Clamav-devel] Question

2010-05-18 Thread Török Edwin
On 05/18/2010 09:09 PM, Mohammed Al-Saleh wrote:
 Hi Edwin,
 
 On Apr 27, 2010, at 7:19 AM, Török Edwin wrote:
 
 On 04/26/2010 10:20 PM, Mohammed Al-Saleh wrote:
 Hi Edwin,

 Thanks for your reply.
 I need to know the cases where ClamAV has performance bottlenecks or issues.

 The best way to do that is by measuring it.
 Read the last part of this reply:
 http://lurker.clamav.net/message/20081204.212941.c9fa45c2.en.html

 What kinds of text could make ClamAV take more time than usual?

 That question is hard to answer, since the signatures change each day,
 thus the AC trie changes, the prefiltering patterns change ...

 Aho-Corasick and Boyer-Moore might have some situations that cause
 performance issues.

 There is also a prefiltering step now.
 You can search bugzilla on why it was introduced.

 I might consider doing improvements or study performance impact.

 Don't expect it to be easy to make improvements.

 I spent quite a lot of time on the prefiltering step, and the problem is
 that some signatures falsely match a lot of times (like 'PE' from the PE
 signature), but the entire signature usually doesn't.
 So ClamAV has to stop the trie lookup, test the match, continue the trie
 lookup lots of times.
 
 My understanding (please correct me if I am wrong) is that the first step in 
 matching (let's ignore the filetype recognition and such) is the prefiltering 
 step.
 If the filter matches then further matching (using either AC or BM) is needed 
 to make sure that it is not a false positive because the filter could contain 
 more patterns than it should (and the filter matches at most 8 characters of 
 the original signature so the other parts might not match).

Yes.

 I am not sure if I understand your point here and I really want to understand 
 it:
 So ClamAV has to stop the trie lookup, test the match, continue the trie 
 lookup lots of times.
 Can you please explain this to me more?
 If the filter matches but AC or BM does not, would we return back to the 
 filter to continue from the point it matches?

No, I was referring to how AC works.

After the AC trie detects a match it needs to check it, the AC trie
contains only a tiny part of the entire signature (up to ac_max_depth),
and the trie itself doesn't contain wildcards etc.

Best regards,
--Edwin
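Edwin's point above (the trie holds only a short literal prefix of each signature, up to ac_max_depth, and has no wildcards, so every trie hit is a candidate that must be checked against the full signature) modelled as an added example in Python; this is not ClamAV's code. The depth limit `AC_MAX_DEPTH`, the simplified hex format with `??` and `*`, the regex-based verification, and the signatures and sample buffer are all constructed for this demo.

```python
"""Added example (not ClamAV code): a depth-limited Aho-Corasick trie where every
hit must be verified against the full signature. Everything here is constructed:
the hex format with '??' and '*' only mimics ClamAV's, and regex verification is
a simplification of its matcher."""
import re
from collections import deque

AC_MAX_DEPTH = 2   # deliberately tiny so a prefix such as 'PE' (50 45) collides often


def compile_sig(hexsig):
    """Return (trie prefix, full regex). '??' = one byte, '*' = any run of bytes;
    the prefix stops at the first wildcard because the trie holds no wildcards."""
    prefix, regex, i, leading = bytearray(), b"", 0, True
    while i < len(hexsig):
        if hexsig.startswith("??", i):
            regex += b"."; i += 2; leading = False
        elif hexsig[i] == "*":
            regex += b".*?"; i += 1; leading = False
        else:
            byte = int(hexsig[i:i + 2], 16); i += 2
            regex += re.escape(bytes([byte]))
            if leading and len(prefix) < AC_MAX_DEPTH:
                prefix.append(byte)
    return bytes(prefix), re.compile(regex, re.DOTALL)


class Matcher:
    def __init__(self, sigs):
        self.goto, self.fail, self.out, self.full = [{}], [0], [[]], {}
        for name, hexsig in sigs.items():
            prefix, self.full[name] = compile_sig(hexsig)
            node = 0
            for byte in prefix:                     # only the prefix enters the trie
                if byte not in self.goto[node]:
                    self.goto[node][byte] = len(self.goto)
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                node = self.goto[node][byte]
            self.out[node].append((name, len(prefix)))
        queue = deque(self.goto[0].values())        # standard failure links (BFS)
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, buf):
        """Return (confirmed matches, number of trie hits that had to be verified)."""
        node, candidates, found = 0, 0, []
        for pos, byte in enumerate(buf):
            while node and byte not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(byte, 0)
            for name, plen in self.out[node]:       # trie hit: stop, verify, resume
                candidates += 1
                start = pos + 1 - plen
                if self.full[name].match(buf, start):
                    found.append((name, start))
        return found, candidates


# Constructed signatures and sample buffer (not from main/daily.cvd).
SIGS = {"Constructed.PE.A": "5045??00*4c01", "Constructed.MZ.B": "4d5a90"}
SAMPLE = b"MZ\x00" + b"PE-" * 5 + b"PEx\x00abcL\x01" + b"MZ\x90"
```

On `SAMPLE`, `Matcher(SIGS).scan(SAMPLE)` reports 8 trie hits that needed verifying but only 2 confirmed matches: the six 'PE' prefixes that do not continue into the full signature are exactly the repeated stop-verify-resume cost described above.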


Re: [Clamav-devel] Question

2010-04-26 Thread Török Edwin
On 04/24/2010 11:39 PM, Mohammed Al-Saleh wrote:
 Does ClamAV use Aho-Corasick algorithm to match files against static 
 signatures and Boyer-Moore against signatures that have *'s and ??'s  ?

No, it is not as simple as that, and it is usually the other way around.

Read the cli_parse_add() function; it has all the logic of choosing
between AC and BM.

Why do you ask?

Best regards,
--Edwin


[Clamav-devel] Question

2010-04-24 Thread Mohammed Al-Saleh
Does ClamAV use Aho-Corasick algorithm to match files against static signatures 
and Boyer-Moore against signatures that have *'s and ??'s  ?

Thanks much,

~Moe



Re: [Clamav-devel] Question about STREAM scanning

2005-03-15 Thread John Giammarche

--- Calin A. Culianu [EMAIL PROTECTED] wrote:
 
 On Mon, 14 Mar 2005, John Giammarche wrote:
 
  Hello everyone and thanks for reading my message.
 
  I want to use clamd to scan files that are uploaded to a Java Servlet. So far,
  I've connected to clamd and clamd answered the PORT that I should connect to
  send the file. So far so good.
 
  When I connect to that port and send the data (raw, as a byte array), clamd
  never answers. The questions here are:
 
  1- In which port does clamd answer? I assume it's the same one through which
  I sent the file. I want to read the answer to know if the file is infected or
  not.
 
 No, clamd actually answers once you close the connection on the data socket.
 It answers on the original port you connected to. It says "stream: OK" if it's
 ok or "stream: virus-name FOUND" if there's a virus...


Well, then I have another problem.

I have a file that is known to be infected with a
virus. It's the ps executable from a server, inside
a .tar.bz2.

Scanned in the console, the result is as follows:

/root/ps.tar.bz2: Linux.RST.B FOUND
--- SCAN SUMMARY ---
Known viruses: 31605
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.06 MB
I/O buffer size: 131072 bytes
Time: 1.423 sec (0 m 1 s)

Scanned from the Java program:

stream: OK

In the logfile:

Tue Mar 15 10:58:34 2005 - Accepted connection on
port 1190, fd 7
Tue Mar 15 10:58:34 2005 - stream: OK


Something is not working well.




 
 
  2- I configured the logging so that it logs clean files also. Look at the log
  so far:
 
 Close the connection on the temporary data socket and read a line from the
 control socket (the original one you connected to) and you should get
 "stream: OK/FOUND" messages. I think your problem was you were expecting it to
 return an answer on the data connection right away, but of course it couldn't,
 as it never knows when the stream is done. It kept waiting for more data. But
 your java program wanted to get a reply. Both sides were waiting for something
 and no one was talking. The only way to tell clamd you are done sending it data
 is to actually close the connection on the data socket. Then you get an answer
 right away on the control socket.
 
 -Calin


Re: [Clamav-devel] Question about STREAM scanning

2005-03-15 Thread John Giammarche

--- John Giammarche [EMAIL PROTECTED] wrote:
 
 --- Calin A. Culianu [EMAIL PROTECTED] wrote:
  
  On Mon, 14 Mar 2005, John Giammarche wrote:
  
   Hello everyone and thanks for reading my message.
  
   I want to use clamd to scan files that are uploaded to a Java Servlet. So
   far, I've connected to clamd and clamd answered the PORT that I should
   connect to send the file. So far so good.
  
   When I connect to that port and send the data (raw, as a byte array), clamd
   never answers. The questions here are:
  
   1- In which port does clamd answer? I assume it's the same one through
   which I sent the file. I want to read the answer to know if the file is
   infected or not.
  
  No, clamd actually answers once you close the connection on the data socket.
  It answers on the original port you connected to. It says "stream: OK" if
  it's ok or "stream: virus-name FOUND" if there's a virus...
 
 
 Well, then I have another problem.
 
 I have a file that is known to be infected with a virus. It's the ps
 executable from a server, inside a .tar.bz2.
 
 Scanned in the console, the result is as follows:
 
 /root/ps.tar.bz2: Linux.RST.B FOUND
 --- SCAN SUMMARY ---
 Known viruses: 31605
 Scanned directories: 0
 Scanned files: 1
 Infected files: 1
 Data scanned: 0.06 MB
 I/O buffer size: 131072 bytes
 Time: 1.423 sec (0 m 1 s)
 
 Scanned from the Java program:
 
 stream: OK
 
 In the logfile:
 
 Tue Mar 15 10:58:34 2005 - Accepted connection on port 1190, fd 7
 Tue Mar 15 10:58:34 2005 - stream: OK
 
 
 Something is not working well.

Well, I solved it, it was an error in the way I was
streaming the file from the Java servlet.

Thanks everyone!

J


 
 
 
 
  
  
   2- I configured the logging so that it logs clean files also. Look at the
   log so far:
  
  Close the connection on the temporary data socket and read a line from the
  control socket (the original one you connected to) and you should get
  "stream: OK/FOUND" messages. I think your problem was you were expecting it
  to return an answer on the data connection right away, but of course it
  couldn't, as it never knows when the stream is done. It kept waiting for
  more data. But your java program wanted to get a reply. Both sides were
  waiting for something and no one was talking. The only way to tell clamd
  you are done sending it data is to actually close the connection on the
  data socket. Then you get an answer right away on the control socket.
  
  -Calin


Re: [Clamav-devel] Question about STREAM scanning

2005-03-15 Thread John Giammarche

--- Calin A. Culianu [EMAIL PROTECTED] wrote:
 
 On Tue, 15 Mar 2005, John Giammarche wrote:
 
  Well, then I have another problem.
 
  I have a file that is known to be infected with a virus. It's the ps
  executable from a server, inside a .tar.bz2.
 
  Scanned in the console, the result is as follows:
 
  /root/ps.tar.bz2: Linux.RST.B FOUND
  --- SCAN SUMMARY ---
  Known viruses: 31605
  Scanned directories: 0
  Scanned files: 1
  Infected files: 1
  Data scanned: 0.06 MB
  I/O buffer size: 131072 bytes
  Time: 1.423 sec (0 m 1 s)
 
  Scanned from the Java program:
 
  stream: OK
 
  In the logfile:
 
  Tue Mar 15 10:58:34 2005 - Accepted connection on port 1190, fd 7
  Tue Mar 15 10:58:34 2005 - stream: OK
 
  Something is not working well.
 
 Hmm. Do you have different config files that you use for clamscan versus
 clamd? Looks like archive scanning might be disabled in the clamd case.. but
 normally it isn't. Weird...


Thanks, but it's working now. Check the previous
posts.

 
 
 


RE: [Clamav-devel] Question about STREAM scanning

2005-03-14 Thread John Giammarche

--- [EMAIL PROTECTED] wrote:
 My personal notes to test clamav; I think you're missing the STREAM command
 or forgot to mention you're using it
 
 open two shells 
 
 telnet localhost 3310
 STREAM
 
 will return IP x.x.x.x PORT x (Your system will only return port, IP is for
 loadbalanced environment)
 
 Other shell
 telnet localhost x
 STREAM  -- Are you sending the word STREAM First?
 
 


Yes, of course I am!!! That's what the subject said :P


 
 ^]
 
 
 Zachary Buckholz - Linux Administrator - GoDaddy.com
 14455 North Hayden Road, Suite 226, Scottsdale, AZ 85260
 480-505-8871 x4322 - 480-215-5218 (Cell)
 
 
   Original Message 
  Subject: [Clamav-devel] Question about STREAM scanning
  From: John Giammarche [EMAIL PROTECTED]
  Date: Mon, March 14, 2005 2:15 pm
  To: ClamAV Development clamav-devel@lists.clamav.net
  
  Hello everyone and thanks for reading my message.
  
  I want to use clamd to scan files that are uploaded to a Java Servlet. So far,
  I've connected to clamd and clamd answered the PORT that I should connect to
  send the file. So far so good.
  
  When I connect to that port and send the data (raw, as a byte array), clamd
  never answers. The questions here are:
  
  1- In which port does clamd answer? I assume it's the same one through which
  I sent the file. I want to read the answer to know if the file is infected or
  not.
  
  2- I configured the logging so that it logs clean files also. Look at the log
  so far:
  
  Mon Mar 14 18:21:07 2005 - Accepted connection on port 1550, fd 7
  Mon Mar 14 18:22:05 2005 - Accepted connection on port 1057, fd 11
  Mon Mar 14 18:23:07 2005 - ERROR: ScanStream: read timeout.
  Mon Mar 14 18:23:07 2005 - ERROR: ScanStream: read poll failed.
  Mon Mar 14 18:23:07 2005 - stream: OK
  Mon Mar 14 18:24:06 2005 - ERROR: ScanStream: read timeout.
  Mon Mar 14 18:24:06 2005 - ERROR: ScanStream: read poll failed.
  Mon Mar 14 18:24:06 2005 - stream: OK
  Mon Mar 14 18:25:26 2005 - Accepted connection on port 1025, fd 7
  Mon Mar 14 18:25:59 2005 - stream: OK
  
  
  (I've tried a couple of times).
  
  Well, that's all for now. Thanks for answering.
  
  John


Re: [Clamav-devel] Question about STREAM scanning

2005-03-14 Thread Calin A. Culianu
On Mon, 14 Mar 2005, John Giammarche wrote:
 Hello everyone and thanks for reading my message.
 I want to use clamd to scan files that are uploaded to a Java Servlet. So far,
 I've connected to clamd and clamd answered the PORT that I should connect to
 send the file. So far so good.
 When I connect to that port and send the data (raw, as a byte array), clamd
 never answers. The questions here are:
 1- In which port does clamd answer? I assume it's the same one through which I
 sent the file. I want to read the answer to know if the file is infected or not.

No, clamd actually answers once you close the connection on the data socket. It
answers on the original port you connected to. It says "stream: OK" if it's ok
or "stream: virus-name FOUND" if there's a virus...

 2- I configured the logging so that it logs clean files also. Look at the log
 so far:

Close the connection on the temporary data socket and read a line from the
control socket (the original one you connected to) and you should get
"stream: OK/FOUND" messages. I think your problem was you were expecting it to
return an answer on the data connection right away, but of course it couldn't,
as it never knows when the stream is done. It kept waiting for more data. But
your java program wanted to get a reply. Both sides were waiting for something
and no one was talking. The only way to tell clamd you are done sending it data
is to actually close the connection on the data socket. Then you get an answer
right away on the control socket.

-Calin
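The exchange Calin describes (and the one in Zachary's telnet notes earlier in this archive: STREAM on the control port, a PORT reply, the bytes on a second connection, the verdict on the first connection only after the second is closed) as an added example in Python that is not part of the original thread. The mock daemon, its exact reply strings, the loopback addresses and the constructed marker standing in for a signature are all assumptions made so the client can be exercised offline.

```python
"""Added example (not ClamAV code): the clamd STREAM exchange from this thread,
with a mock daemon so the client can be exercised without a real clamd.

Assumptions: the mock answers exactly "PORT <n>" and "stream: OK" /
"stream: <name> FOUND" as the thread describes; MARKER is a constructed
stand-in for a signature, not a real one."""
import socket
import threading

MARKER = b"CONSTRUCTED-TEST-MARKER"          # constructed, not a ClamAV signature
MARKER_NAME = b"Constructed.Test.Marker"


def _handle_control(conn):
    """Mock clamd: serve one STREAM command on an accepted control connection."""
    with conn:
        if conn.makefile("rb").readline().strip() != b"STREAM":
            conn.sendall(b"UNKNOWN COMMAND\n")
            return
        data_srv = socket.socket()
        data_srv.bind(("127.0.0.1", 0))           # temporary data port
        data_srv.listen(1)
        conn.sendall(b"PORT %d\n" % data_srv.getsockname()[1])
        data_conn, _ = data_srv.accept()
        data_srv.close()
        chunks = []
        with data_conn:                           # read until the client closes
            while True:
                chunk = data_conn.recv(65536)
                if not chunk:                     # EOF is the only end-of-stream signal
                    break
                chunks.append(chunk)
        infected = MARKER in b"".join(chunks)
        conn.sendall(b"stream: %s FOUND\n" % MARKER_NAME if infected else b"stream: OK\n")


def start_mock_clamd():
    """Start the mock daemon on 127.0.0.1 with an ephemeral port; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle_control, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def stream_scan(data, host, port, timeout=5.0):
    """Client: STREAM on the control socket, push bytes to the data port, close it,
    then read the verdict line from the control socket."""
    with socket.create_connection((host, port), timeout=timeout) as ctl:
        reader = ctl.makefile("rb")
        ctl.sendall(b"STREAM\n")
        reply = reader.readline().decode().split()   # "PORT n" (or "IP x PORT n")
        data_port = int(reply[reply.index("PORT") + 1])
        with socket.create_connection((host, data_port), timeout=timeout) as dat:
            dat.sendall(data)
        # Leaving the inner block closed the data socket; only now does the
        # daemon stop waiting for more bytes and answer on the control socket.
        return reader.readline().decode().strip()
```

Call `start_mock_clamd()` once and then `stream_scan(b"...", host, port)`; reading the verdict from the data socket instead, or never closing it, reproduces the "both sides waiting" deadlock and the ScanStream read timeouts in John's log. Current clamd versions replaced STREAM with INSTREAM (length-prefixed chunks on the one connection), so this models the 2005 protocol only.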


[Clamav-devel] Question about clam.exe sample signature

2004-11-10 Thread Bogusław Brandys
Hi,
Is the clam.exe test signature an MD5 one? How many MD5 signatures are in the
database? Would this kind of signature become useless if memory scanning
were implemented? Just wondering

Boguslaw Brandys

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel


[Clamav-devel] Question about GMP support in clamav

2004-11-04 Thread Bogusław Brandys
Hi,
Could somebody (probably from the developers team) tell me if the GMP library is
used in clamav only for CVD file verification, or is that a wrong assumption?
Is it used in scanning or MD5 signature support also?
I found only that it is used in the cli_versig function, but I'd like to be
sure. Working on porting libclamav to MSVC++ I found that porting GMP is
rather difficult (and want to push it onto the future wish-list)

Thank You.
Regards
Bogusław Brandys


Re: [Clamav-devel] Question about GMP support in clamav

2004-11-04 Thread Tomasz Kojm
On Thu, 04 Nov 2004 12:12:19 +0100
Bogusław Brandys [EMAIL PROTECTED] wrote:

 Hi,
 
 Could somebody (probably from the developers team) tell me if the GMP library
 is used in clamav only for CVD file verification, or is that a wrong

Yes, it is.

 assumption? Is it used in scanning or MD5 signature support also?
 I found only that it is used in the cli_versig function, but I'd like to be
 sure. Working on porting libclamav to MSVC++ I found that porting GMP
 
 is rather difficult (and want to push it onto the future wish-list)

A lack of GMP support would be a BIG BUG.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Nov  4 12:34:49 CET 2004




Re: [Clamav-devel] Question about GMP support in clamav

2004-11-04 Thread Bogusław Brandys
Tomasz Kojm wrote:
 On Thu, 04 Nov 2004 12:12:19 +0100
 Bogusław Brandys [EMAIL PROTECTED] wrote:
 
  Hi,
  Could somebody (probably from the developers team) tell me if the GMP library
  is used in clamav only for CVD file verification, or is that a wrong
 
 Yes, it is.
 
  assumption? Is it used in scanning or MD5 signature support also?
  I found only that it is used in the cli_versig function, but I'd like to be
  sure. Working on porting libclamav to MSVC++ I found that porting GMP
 
  is rather difficult (and want to push it onto the future wish-list)
 
 A lack of GMP support would be a BIG BUG.

Not so big, because I can use a DLL file generated under mingw+Msys using the
freshclam sources :-) Anyway libclamav should be ported to MSVC, because there
is no other choice for file system driver development to implement an on-access
scanner for Windows NT/XP.

Best Regards
Boguslaw Brandys


Re: [Clamav-devel] Question about GMP support in clamav

2004-11-04 Thread Reini Urban
Bogusław Brandys wrote:
 Not so big, because I can use a DLL file generated under mingw+Msys using the
 freshclam sources :-) Anyway libclamav should be ported to MSVC, because there
 is no other choice for file system driver development to implement an
 on-access scanner for Windows NT/XP.
Why? The DDK libs and headers compile fine with MingW also.
--
Reini Urban
http://xarch.tu-graz.ac.at/home/rurban/


Re: [Clamav-devel] Question about GMP support in clamav

2004-11-04 Thread Tomasz Kojm
On Thu, 04 Nov 2004 14:28:05 +0100
Bogusław Brandys [EMAIL PROTECTED] wrote:

  A lack of GMP support would be a BIG BUG.
  
 
 Not so big, because I can use a DLL file generated under mingw+Msys using the

I must re-state it: a lack of digital signature verification would be a
terrible shortcoming.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Nov  4 19:07:11 CET 2004

