Re: [Clamav-users] How many False Positives with the "broken EXE" option?

2005-06-04 Thread jef moskot
On Fri, 3 Jun 2005, Jason Haar wrote:
> I've always been too afraid to turn it on as I was concerned about any
> assumptions made by the code might lead it to block otherwise valid
> executables

I wonder about that too, since it's not the default behavior.  For what
it's worth, I turned it on earlier this week and so far it's only blocked
2 files, both of them broken Netsky .pif files that ClamAV would not have
otherwise picked up.

Our server is pretty low volume, though.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] ClamAV HW acceleration

2005-06-04 Thread Joanna Roman
I am just wondering how feasible it is to do AV hw
acceleration in general. Besides using faster CPU and
faster memory, ASIC can't really help. Can anybody
shed some light ? I just want to have some
intellectual discussion. 



Re: [Clamav-users] How fast are main.cvd and daily.cvd growing monthly ?

2005-06-04 Thread Damian Menscher

On Sat, 4 Jun 2005, Joanna Roman wrote:

> In terms of percentage and absolute size, how fast are
> both databases growing monthly ? Anybody have any idea ?

According to my logs, as of May 1, main.cvd contained 33079 signatures, 
and daily.cvd contained 968.  One month later, on June 1, main.cvd 
contained 33079 signatures and daily.cvd contained 1949.  So... looks 
like an increase of about 1000/month, or 3%.

For the purpose of comparison to other vendors' products, it should be 
noted that, at present, there are 291 "Phishing" signatures in main.cvd 
and 96 "Phishing" signatures in daily.cvd.  Those numbers should be 
removed (or not) depending on whether the other vendor filters that type 
of mail.

I'm in agreement with Tomasz -- you ask some of the strangest questions. 
Mind telling us all what you're up to?


Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] How fast are main.cvd and daily.cvd growing monthly ?

2005-06-04 Thread Tomasz Kojm
On Sat, 4 Jun 2005 15:34:35 -0700 (PDT)
Joanna Roman <[EMAIL PROTECTED]> wrote:

> In terms of percentage and absolute size, how fast are
> both databases growing monthly ? Anybody have any idea ?

I was following your questions for the last three months and I still
have no idea what you're creating, John...

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Sun Jun  5 00:40:37 CEST 2005




[Clamav-users] How fast are main.cvd and daily.cvd growing monthly ?

2005-06-04 Thread Joanna Roman
In terms of percentage and absolute size, how fast are
both databases growing monthly ? Anybody have any idea ?



[Clamav-users] clamav-milter "whitelist" not working?

2005-06-04 Thread Dan O'Brien
Primary mail server is a relay that has clamav-milter running (along with 
SpamAssassin) and filters mail for several domains.  No problem.  Mail 
found to be carrying a virus is quarantined to [EMAIL PROTECTED] and a 
notice is sent to the intended recipient to that effect.
Clamav-milter is called with -dH -m 10 --from -p [EMAIL PROTECTED] 
[EMAIL PROTECTED] -t /etc/clamav/virus-warning 
/var/local/clamav/clamav-milter.sock

I've put clamav-milter on a backup mail server to try and eliminate some 
of the crap mail from the mass-mailing pestilence that's spreading itself 
around.  Backup mail server is running clamav-milter only.  When a 
virus-laden e-mail is found, it is quarantined to the same address 
([EMAIL PROTECTED]) and no notice is sent to the intended recipient.
For this configuration clamav-milter is called with -dH -m 10 --from -P 
[EMAIL PROTECTED] /var/local/clamav/clamav-milter.sock

Problem is that the primary mail server is catching the virus-infected 
e-mail again and generating the notification.  According to the man page, 
the quarantine address is supposed to be whitelisted by the milter.  I've 
also tried using the --whitelist-file option, but it doesn't seem to be 
working.

Anyone else using the whitelist feature successfully?

Dan O'Brien


Axon Solutions, Inc.   Telephone: 703-845-8400
P.O. Box 16725         Facsimile: 703-845-5568
Alexandria, VA 22302   www.axonsolutions.com

From the Technology You Have to the Solutions You Need



Re: [Clamav-users] Kudos to the ClamAV team

2005-06-04 Thread JamesDR

Thomas Cameron wrote:

> On Fri, 2005-06-03 at 10:51 -0400, JamesDR wrote:
>
> > So much for "You get what you pay for" ;-D
>
> Oh, no, not at all!  They pay a *lot* for qualified sysadmins who set up
> the right tools for the job!
>
> At least that's the argument I use when going in for a raise!  :-)
>
> Thomas

Well, I meant package cost, not our time cost ;-D
Given the time I've spent on ClamAV versus other singular things, it's 
still really close to free :-D


--
Thanks,
James


Re: [Clamav-users] Libclamav unable to detect virus compressed many time

2005-06-04 Thread Securiteinfo.com
On Saturday 4 June 2005 13:11, jcastanet wrote:
> To summarize :
>
> I made all my tests from eicar web site :
>
> http://www.eicar.org/anti_virus_test_file.htm
>
> Virus is not detected when I try to download this file (via mod_clamav):
>
> - eicarcom2.zip ( 308 bytes)
>
> This virus is not detected by mod_clamav because the file "eicarcom2.zip
> contain a zipped file called "eicar_com.zip"

It works for me. It means it is neither a clamav nor a mod_clamav bug.
The problem is on your side. So please, check your conf, check the binaries, 
read the docs. If it still doesn't work, remove all clamav files 
(binaries+conf) and do a fresh install from sources.

Regards,

-- 
Kind regards,

Arnaud Jacques
Security Consultant

Telephone / Fax : +33-(0)3.44.39.76.46
Mobile : +33-(0)6.24.40.95.03
E-mail : [EMAIL PROTECTED]

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois


Re: [Clamav-users] Libclamav unable to detect virus compressed many time

2005-06-04 Thread Tomasz Kojm
On Sat, 4 Jun 2005 13:11:21 +0200
"jcastanet" <[EMAIL PROTECTED]> wrote:

> This virus is not detected by mod_clamav because the file
> "eicarcom2.zip
> contain a zipped file called "eicar_com.zip"
> 
> When I download the file eicarcom2.zip and I scan it with clamscan or
> clamdscan the virus is detected.

Wrong ML, then.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Sat Jun  4 13:18:15 CEST 2005




RE: [Clamav-users] Libclamav unable to detect virus compressed many time

2005-06-04 Thread jcastanet
To summarize :

I made all my tests from the eicar web site : 

http://www.eicar.org/anti_virus_test_file.htm


The virus is detected when I try to download these files (via mod_clamav):

- eicar.com ( 68 bytes)
- eicar.com.txt (68 bytes)
- eicar_com.zip (184 bytes)

The virus is not detected when I try to download this file (via mod_clamav):

- eicarcom2.zip ( 308 bytes)

This virus is not detected by mod_clamav because the file "eicarcom2.zip"
contains a zipped file called "eicar_com.zip".

When I download the file eicarcom2.zip and I scan it with clamscan or
clamdscan the virus is detected.

This is the content of my clamd.conf file (lines beginning with # are
removed from the output):

[EMAIL PROTECTED] etc]# grep -v "#" clamd.conf| grep -v ^$

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 0
LogTime
LogSyslog
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
FixStaleSocket
TCPSocket 3310
MaxConnectionQueueLength 30
MaxThreads 50
ReadTimeout 300
User clamav
AllowSupplementaryGroups
DetectBrokenExecutables
ScanMail
ScanArchive
ArchiveMaxRecursion 9
ArchiveMaxFiles 1500
ArchiveMaxCompressionRatio 300
[EMAIL PROTECTED] etc]#


Other options of the config file are set to their default values.

Could someone post a sample working config file to use with mod_clamav?

Thanks in advance for your help.

-----Original Message-----
From : Odhiambo Washington [mailto:[EMAIL PROTECTED] 
Sent : Saturday 4 June 2005 10:19
To : ClamAV users ML
Cc : jcastanet
Subject : Re: [Clamav-users] Libclamav unable to detect virus compressed many
time

* jcastanet <[EMAIL PROTECTED]> [20050604 10:52]: wrote:
> this is the answer of andreas mueller, the person who created
> mod_clamav 
> 
> as you can see, he said that this problem is a matter of Clamav !!
> 
> That's why I have created a thread on this forum
> 
> You said that this problem is not the matter of Clamav.
> 
> Andreas Muller said this problem is not the matter of Mod_clamav
> 
> We are playing a PING-PONG game 
>  
> 
> ## andreas Mueller wrote to me ###"
> 
> On 13.05.2005 at 15:49, Jean Philippe (EXT) wrote:
> 
> *   is it possible to configure mod_clamav or clamav (0.85) to detect
> viruses that are compressed many times.
> 
> This is entirely a problem of clamav, as mod_clamav hands the file
> over without modification to clamav for checking. Clamav is supposed to do any
> extractions, maybe you need to modify the level to which recursion is done
> (this is, if I remember correctly, a configuration parameter of clamav).
> 
> On Fri, 3 Jun 2005 11:17:18 +0200
> "jcastanet" <[EMAIL PROTECTED]> wrote:
> 
> > hi,
> > 
> > I'm using mod_clamav to scan HTTP downloads, everything works very well.
> > 
> > However ... When a virus is zipped two times or more, the virus is not
> > detected in the zipped file.
> > 
> > The virus is detected only if it has been compressed one time.
> > 
> > Mod_clamav uses libclamav to detect viruses.
> 
> Report this problem to mod_clamav folks and not here.
> 
> > When I scan the same file ( compressed many times) directly with the
> > command clamscan or clamdscan the virus is detected.

Let's take another look at it. You say that if you scan the file many
times with clamscan or clamdscan then the virus is detected. Do you mean
that you decompress the file, scan that, decompress again what you got,
scan again, etc, etc, or what exactly do you mean by many times?

Can you put that file somewhere on a publicly accessible website and let
us download it.

When Dr. Andreas Muller responded to you, he mentioned that



...Clamav  is supposed to do any
extractions, maybe you need to modify the level to which recursion is
done (this is, if I remember  correctly, a configuration parameter of
clamav)



So let's think about it again. In clamd.conf, we have the following
config parameters in the section dealing with the scanning of archives
(compressed files, yes?), and I paste here verbatim:

PS: I am running CVS here, and it has the new config parser, so don't
be surprised with the yes and no you see here!



## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
ArchiveMaxFileSize 10M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a
RAR
# file, all files within it will also be scanned. This options specifies how
# deep the process should be continued.
# Value of 0 disables the limit.
# D

Re: [Clamav-users] Libclamav unable to detect virus compressed many time

2005-06-04 Thread Securiteinfo.com
Hello,

On Saturday 4 June 2005 09:51, jcastanet wrote:
> this is the answer of andreas mueller, the person who created
> mod_clamav
> as you can see, he said that this problem is a matter of Clamav !!
> That's why I have created a thread on this forum
> You said that this problem is not the matter of Clamav.
> Andreas Muller said this problem is not the matter of Mod_clamav
>
> We are playing a PING-PONG game 

I scanned an EICAR signature, rared and zipped 3 times, via mod_clamav.
It works for me.

Please check :
- your configuration files (ArchiveMaxFileSize, ArchiveMaxRecursion, 
ArchiveMaxCompressionRatio, ArchiveBlockEncrypted, ArchiveBlockMax)
- ls -l /usr/local/lib/libclamav.*
You should have only one version of libclamav with good symbolic links 
pointing to it.


Best regards,

Arnaud Jacques
Security Consultant

Telephone / Fax : +33-(0)3.44.39.76.46
Mobile : +33-(0)6.24.40.95.03
E-mail : [EMAIL PROTECTED]

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois

>
> ## andreas Mueller wrote to me ###"
>
> On 13.05.2005 at 15:49, Jean Philippe (EXT) wrote:
>
> *   is it possible to configure mod_clamav or clamav (0.85) to detect
> viruses that are compressed many times.
>
> This is entirely a problem of clamav, as mod_clamav hands the file over
> without modification to clamav for checking. Clamav is supposed to do any
> extractions, maybe you need to modify the level to which recursion is done
> (this is, if I remember correctly, a configuration parameter of clamav).
>
> With kind regards
>
>  Andreas Müller
>
> --
>
> Dr. Andreas Müller, Consulting and Development
>
> CH-8852 Altendorf, Bubental 53,  Switzerland
>
> Tel: +41 55 4621483  Fax: +41 55 4621485
>
> Email: [EMAIL PROTECTED]
>
> ... END ...
>
> On Fri, 3 Jun 2005 11:17:18 +0200
>
> "jcastanet" <[EMAIL PROTECTED]> wrote:
> > hi,
> >
> > I'm using mod_clamav to scan HTTP downloads, everything works very well.
> >
> > However ... When a virus is zipped two times or more, the virus is not
> > detected in the zipped file.
> >
> > The virus is detected only if it has been compressed one time.
> >
> > Mod_clamav uses libclamav to detect viruses.
>
> Report this problem to mod_clamav folks and not here.
>
> > When I scan the same file ( compressed many times) directly with the
> > command
> > clamscan or clamdscan the virus is detected.


Re: [Clamav-users] Libclamav unable to detect virus compressed many time

2005-06-04 Thread Odhiambo Washington
* jcastanet <[EMAIL PROTECTED]> [20050604 10:52]: wrote:
> this is the answer of andreas mueller, the person who created
> mod_clamav 
> 
> as you can see, he said that this problem is a matter of Clamav !!
> 
> That's why I have created a thread on this forum
> 
> You said that this problem is not the matter of Clamav.
> 
> Andreas Muller said this problem is not the matter of Mod_clamav
> 
> We are playing a PING-PONG game 
>  
> 
> ## andreas Mueller wrote to me ###"
> 
> On 13.05.2005 at 15:49, Jean Philippe (EXT) wrote:
> 
> *   is it possible to configure mod_clamav or clamav (0.85) to detect
> viruses that are compressed many times.
> 
> This is entirely a problem of clamav, as mod_clamav hands the file over
> without modification to clamav for checking. Clamav is supposed to do any
> extractions, maybe you need to modify the level to which recursion is done
> (this is, if I remember correctly, a configuration parameter of clamav).
> 
> On Fri, 3 Jun 2005 11:17:18 +0200
> "jcastanet" <[EMAIL PROTECTED]> wrote:
> 
> > hi,
> > 
> > I'm using mod_clamav to scan HTTP downloads, everything works very well.
> > 
> > However ... When a virus is zipped two times or more, the virus is not
> > detected in the zipped file.
> > 
> > The virus is detected only if it has been compressed one time.
> > 
> > Mod_clamav uses libclamav to detect viruses.
> 
> Report this problem to mod_clamav folks and not here.
> 
> > When I scan the same file ( compressed many times) directly with the
> > command clamscan or clamdscan the virus is detected.

Let's take another look at it. You say that if you scan the file many
times with clamscan or clamdscan then the virus is detected. Do you mean
that you decompress the file, scan that, decompress again what you got,
scan again, etc, etc, or what exactly do you mean by many times?

Can you put that file somewhere on a publicly accessible website and let
us download it.

When Dr. Andreas Muller responded to you, he mentioned that



...Clamav  is supposed to do any
extractions, maybe you need to modify the level to which recursion is
done (this is, if I remember  correctly, a configuration parameter of
clamav)



So let's think about it again. In clamd.conf, we have the following
config parameters in the section dealing with the scanning of archives
(compressed files, yes?), and I paste here verbatim:

PS: I am running CVS here, and it has the new config parser, so don't
be surprised with the yes and no you see here!



## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: yes
ScanArchive yes

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
ArchiveMaxFileSize 10M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deep the process should be continued.
# Value of 0 disables the limit.
# Default: 8
ArchiveMaxRecursion 8

# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
ArchiveMaxFiles 1000

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
ArchiveMaxCompressionRatio 250

# Use slower but memory efficient decompression algorithm.
# only affects the bzip2 decompressor.
# Default: no
#ArchiveLimitMemoryUsage yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is
# reached.
# Default: no
#ArchiveBlockMax no




So, my question now is: Have you given those parameters a good thought
when handling that archive you are having trouble with?

Under ideal conditions, why would someone want to compress an archive so
many times, as to have an archive within an archive within another
archive ad nauseam (spelling?), while specifying a compression ratio
(yes, it can be specified for some archivers) should actually do a good
enough job?

For you, you should try a good value for ArchiveMaxRecursion.
For me, I'd simply use what we have by default - ArchiveMaxRecursion and
ArchiveBlockMax, and go for beer ;-)

Again, that is my humble opinion and you should not imagine crucifying
me for my opinion.

Wash now leaves for the beer dens


-Wash

http://www.netmeiste
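
The archive limits in the clamd.conf jcastanet posted (ArchiveMaxRecursion 9, ArchiveMaxFiles 1500, ArchiveMaxCompressionRatio 300) and the section Wash pasted above are easier to reason about against a concrete nested archive. The following is an added example and not ClamAV or mod_clamav code: it builds in-memory ZIPs nested the way eicarcom2.zip wraps eicar_com.zip (using a harmless constructed payload, not the EICAR string) and reports which limit a simplified model of those settings would hit first; the limit semantics are assumptions taken from the comments in the pasted config, not libclamav's real implementation.

```python
"""Model clamd.conf archive limits against a nested ZIP held in memory.
Added example, not ClamAV code: the limit semantics are assumptions taken
from the comments in the clamd.conf section quoted in the thread."""
import io
import zipfile
from dataclasses import dataclass, field

# Values from the clamd.conf jcastanet posted; ArchiveMaxFileSize was not
# set there, so the pasted default of 10M is assumed.
JCASTANET_LIMITS = {
    "ArchiveMaxFileSize": 10 * 1024 * 1024,
    "ArchiveMaxRecursion": 9,
    "ArchiveMaxFiles": 1500,
    "ArchiveMaxCompressionRatio": 300,
}

@dataclass
class ScanReport:
    max_depth: int = 0          # deepest archive level reached (outer ZIP = 1)
    files_seen: int = 0         # members counted across all levels
    hits: list = field(default_factory=list)  # limits exceeded, in order hit

def _walk(data: bytes, depth: int, limits: dict, rep: ScanReport) -> None:
    # "Value of 0 disables the limit" for every option, hence the `0 <` checks.
    if 0 < limits["ArchiveMaxRecursion"] < depth:
        rep.hits.append("ArchiveMaxRecursion")
        return
    rep.max_depth = max(rep.max_depth, depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rep.files_seen += 1
            if 0 < limits["ArchiveMaxFiles"] < rep.files_seen:
                rep.hits.append("ArchiveMaxFiles")
                return
            if 0 < limits["ArchiveMaxFileSize"] < info.file_size:
                rep.hits.append("ArchiveMaxFileSize")   # member not scanned
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if 0 < limits["ArchiveMaxCompressionRatio"] < ratio:
                rep.hits.append("ArchiveMaxCompressionRatio")  # Oversized.Zip
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):  # nested archive: recurse
                _walk(member, depth + 1, limits, rep)

def check(data: bytes, limits: dict = JCASTANET_LIMITS) -> ScanReport:
    rep = ScanReport()
    _walk(data, 1, limits, rep)
    return rep

def make_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def nest(payload: bytes, levels: int) -> bytes:
    """Wrap payload in `levels` ZIPs; levels=2 mirrors eicarcom2.zip."""
    data = make_zip("inner.txt", payload)
    for i in range(1, levels):
        data = make_zip(f"level{i}.zip", data)
    return data
```

With jcastanet's limits a two-level archive like eicarcom2.zip stays well inside ArchiveMaxRecursion 9, so the recursion limit is not what stops mod_clamav from seeing it; the model also shows an archive bomb of a million zero bytes being rejected on ArchiveMaxCompressionRatio alone.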

Re: [Clamav-users] Libclamav unable to detect virus compressed many time

2005-06-04 Thread jcastanet
this is the answer of andreas mueller, the person who created
mod_clamav 

as you can see, he said that this problem is a matter of Clamav !!

That's why I have created a thread on this forum

You said that this problem is not the matter of Clamav.

Andreas Muller said this problem is not the matter of Mod_clamav

We are playing a PING-PONG game 

## andreas Mueller wrote to me ###"

On 13.05.2005 at 15:49, Jean Philippe (EXT) wrote:

*   is it possible to configure mod_clamav or clamav (0.85) to detect
viruses that are compressed many times.

This is entirely a problem of clamav, as mod_clamav hands the file over
without modification to clamav for checking. Clamav is supposed to do any
extractions, maybe you need to modify the level to which recursion is done
(this is, if I remember correctly, a configuration parameter of clamav).

With kind regards

 Andreas Müller

--

Dr. Andreas Müller, Consulting and Development

CH-8852 Altendorf, Bubental 53,  Switzerland

Tel: +41 55 4621483  Fax: +41 55 4621485

Email: [EMAIL PROTECTED]

... END ...

On Fri, 3 Jun 2005 11:17:18 +0200
"jcastanet" <[EMAIL PROTECTED]> wrote:

> hi,
> 
> I'm using mod_clamav to scan HTTP downloads, everything works very well.
> 
> However ... When a virus is zipped two times or more, the virus is not
> detected in the zipped file.
> 
> The virus is detected only if it has been compressed one time.
> 
> Mod_clamav uses libclamav to detect viruses.

Report this problem to mod_clamav folks and not here.

> When I scan the same file ( compressed many times) directly with the
> command
> clamscan or clamdscan the virus is detected.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Jun  3 13:15:33 CEST 2005