Re: [Clamav-users] Virus Caught that is a false positive

2008-06-23 Thread Paul Bijnens
On 2008-06-22 20:34, Philippe Faure wrote:
> 
> ClamAV 0.92.1.
  [...]
> While clamscan reports the following:
> 
> "camrela_backup/Movies_on_CD_DVD_40_e-version.zip: Oversized.Zip FOUND

The handling of Oversized zip is removed in 0.93 (and replaced by
much more efficient protection against DoS attacks).
And, moreover, the current version is even 0.93.1.
Time to upgrade anyway.

-- 
Paul Bijnens, xplanation Technology ServicesTel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax  +32 16 397.512
http://www.xplanation.com/  email:  [EMAIL PROTECTED]
***
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out  *
***
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] Creating custom Phish DB signatures (pdb format)

2008-06-23 Thread Srinivasan Krishnan
Hi all,

I've been frantically grazing through the ClamAV mail archives and been
Googling to find out how to make regex work with pdb (phishing database)
files. I'm using ClamAV version 0.93 on a Linux platform.

I was reading the phishsigs_howto.pdf included in the ClamAV tarball.

My custom domainlist test.pdb contains:
---
R:.+\.paypal\.com:.+\.yahoo\.com
---

The email file which I need to scan is:
---
Subject: test mail
Content-Type: text/html


Click here
yahoo.com

---

But somehow ClamAV doesn't detect the mail as a virus. In contrast, if I use
"H:yahoo.com" in test.pdb, the mail is detected as a virus under
Phishing.SpoofedDomain.

As a sidenote, I've also tried "R .+ .+\.paypal\.com" as an entry in the
test.pdb (as the phishsigs_howto.pdf document says). But it is of no use.

Can someone please enlighten me why this wouldn't work?

Thanks,
Srini


[Clamav-users] Problem with internal logger > (UpdateLogFile = > /opt/zimbra/log/freshclam.log)

2008-06-23 Thread Hermann T. Ribeiro
> Message: 3
> Date: Wed, 18 Jun 2008 15:23:43 +0300
> From: Török Edwin <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Problem with internal logger
>(UpdateLogFile = > /opt/zimbra/log/freshclam.log).
> To: ClamAV users ML 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hermann T. Ribeiro wrote:
>
>> Edwin, the permissions are: 640, owner zimbra, is it right ?
>>
>
> Is zimbra the user freshclam is running as? Check `clamconf|grep User`
> If not, then either configure a different directory (in freshclam.conf)
> that is owned by the user running freshclam, or
> change permissions on that directory to allow freshclam to create its
> log file.
>
> Best regards,
> --Edwin
>
> Sorry Edwin, but I've felt a little bit confused :-(
> What do you mean with clamconf|grep User ? Do you mean: verify if the
> owner for clamd.conf is zimbra (?).

No. I meant run this command in a terminal:
clamconf | grep User

Or just look in clamd.conf, and tell me what User is configured there.
If the database directory, and log directory are owned by zimbra, then
you should change User in clamd.conf to zimbra.

> If this is what you wanna mean, I say: yes.
> But I've realized that the permissions for freshclam.conf (version 0.92.1)
> are: 644 and for freshclam.conf (version 0.93) are: 600, so I'm gonna
> change the permissions and see what happens, ok?

It doesn't matter what permissions the configuration file has. It
matters what user you have configured.

Best regards,
--Edwin

-

Hello folks, Edwin,

I've made a mistake: in a previous email I said that when I changed the
permissions of ./clamav-0.93/etc/clamd.conf from 600 to 644, the error
message "Problem with internal logger > (UpdateLogFile = >
/opt/zimbra/log/freshclam.log)" disappeared, but I was wrong.
In accordance with the previous email (see above), Edwin said that the
User directive for this file should be zimbra, the same as the owner of the
db and log directories.
The owner of the directory is zimbra.
But at the ./conf/clamd.conf file I have the following line:
# Run as a selected user (clamd must be started by root).
# Default: disabled
User zimbra

At the ./clamav-0.93/etc/clamd.conf:
# Run as a selected user (clamd must be started by root).
# Default: disabled
User zimbra

And finally, in a previous version of clamAV
(./clamav-0.91.2/etc/clamd.conf)
# Run as another user (clamd must be started by root for this option to
work)
# Default: don't drop privileges
#User clamav

So I'm a little bit confused (again); what should I do???

Thanks,

H.
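What Edwin is asking Hermann to verify can be written down as a small check. The Python script below is an added illustration for this thread, not ClamAV code and not something either poster ran: it reads the active `User` directive out of a clamd.conf-style text (a commented-out `#User clamav` line, as in the 0.91.2 excerpt, counts as "not set", i.e. the daemon keeps the privileges it was started with) and then compares the configured user with the owner of the directory that will hold the log file. The two config snippets are constructed from the excerpts quoted in the message, the log path is the one from the subject line, and the `directive` parameter is there because freshclam.conf spells its equivalent directive `DatabaseOwner`.

```python
import os
import re

# Constructed clamd.conf excerpts, modelled on the ones quoted in the thread.
# In 0.93 the directive is active; in 0.91.2 it is commented out, which means
# "don't drop privileges" rather than "run as clamav".
CONF_093 = """\
# Run as a selected user (clamd must be started by root).
# Default: disabled
User zimbra
"""
CONF_0912 = """\
# Run as another user (clamd must be started by root for this option to
# work)
# Default: don't drop privileges
#User clamav
"""

# "<directive> <value>" at the start of a line; comment lines are skipped first.
_DIRECTIVE = re.compile(r"^\s*(\w+)\s+(\S+)")


def configured_user(conf_text, directive="User"):
    """Value of the active directive, or None when it is absent or only present
    as a commented-out line. The thread discusses clamd.conf's 'User';
    freshclam.conf names the equivalent directive 'DatabaseOwner'."""
    value = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue            # '#User clamav' sets nothing
        m = _DIRECTIVE.match(line)
        if m and m.group(1) == directive:
            value = m.group(2)  # the last active occurrence wins
    return value


def owner_of(path):
    """Login name of the owner of `path` (POSIX only)."""
    import pwd
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def log_dir_problems(conf_text, log_path, directive="User"):
    """Findings that explain a 'Problem with internal logger' style failure:
    the configured user must own (and be able to write) the directory that
    will hold `log_path`. An empty list means nothing obvious is wrong."""
    user = configured_user(conf_text, directive)
    if user is None:
        return [f"no active '{directive}' directive: daemon keeps the "
                "privileges it was started with"]
    directory = os.path.dirname(log_path) or "."
    if not os.path.isdir(directory):
        return [f"log directory {directory} does not exist"]
    findings = []
    owner = owner_of(directory)
    if owner != user:
        findings.append(f"{directory} is owned by {owner} but the daemon runs "
                        f"as {user}: chown the directory or change {directive}")
    if not os.stat(directory).st_mode & 0o200:
        findings.append(f"{directory} is not writable by its owner")
    return findings


if __name__ == "__main__":
    # Log path taken from the subject line of the thread.
    for finding in log_dir_problems(CONF_093, "/opt/zimbra/log/freshclam.log"):
        print(finding)
```

Run as root on the affected box, the script reports either that no user is configured (so file permissions are irrelevant, as Edwin says), that the log directory is owned by someone other than the configured user, or that the directory is not writable; the permission bits of the configuration file itself are never consulted, because they do not influence which user the daemon switches to.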


Re: [Clamav-users] Creating custom Phish DB signatures (pdb format)

2008-06-23 Thread Török Edwin
Srinivasan Krishnan wrote:
> Hi all,
>
> I've been frantically grazing through the ClamAV mail archives and been
> Googling to find out how to make regex work with pdb (phishing database)
> files. I'm using ClamAV version 0.93 on Linux platform.
>
> I was reading the phishsigs_howto.pdf included in the ClamAV tarball.
>
> My custom domainlist test.pdb contains:
> ---
> R:.+\.paypal\.com:.+\.yahoo\.com
> ---
>
> The email file which I need to scan is:
> ---
> Subject: test mail
> Content-Type: text/html
>
> 
> Click here
> yahoo.com
> 
> ---
>
> But somehow ClamAV doesn't detect the mail as virus. In contrast, if I use
> "H:yahoo.com" in test.pdb, the mail is detected as virus under
> Phishing.SpoofedDomain.
>
> As a sidenote, I've also tried "R .+ .+\.paypal\.com" as an entry in the
> test.pdb (as the phishsigs_howto.pdf) document says. But it is of no use.
>
> Can someone please enlighten me why this wouldn't work?

We use regular expressions only for the whitelist.
What you are trying to do will work if you apply the patch below and
use this:
R:.*yahoo\.com.*

However, using regular expressions for the domainlist is not useful,
since it is a lot easier to just list a domain/subdomain,
and unlike with the whitelist only one of the URLs is matched (the
displayed URL, in your case yahoo.com).

Why do you need regular expressions for the domainlist?

--- /home/edwin/clam/svn3/trunk/libclamav/regex_list.c  (revision 3891)
+++ /home/edwin/clam/svn3/trunk/libclamav/regex_list.c  (working copy)
@@ -605,7 +605,7 @@
}

if((buffer[0] == 'R' && !is_whitelist) || ((buffer[0] ==
'X' || buffer[0] == 'Y') && is_whitelist)) {/*regex*/
-   if(( rc = add_pattern(matcher,(const unsigned
char*)pattern,flags, buffer[0] == 'Y') ))
+   if(( rc = add_pattern(matcher,(const unsigned
char*)pattern,flags, buffer[0] == 'Y' || buffer[0]=='R') ))
return rc==CL_EMEM ? CL_EMEM : CL_EMALFDB;
}
else if( ( buffer[0] == 'H' && !is_whitelist) ||
(buffer[0] == 'M' && is_whitelist)) {/*matches displayed host*/
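Review bot: in the `+` line the fourth argument to `add_pattern` becomes `buffer[0] == 'Y' || buffer[0]=='R'`, so domainlist `R` entries now get the same flag as whitelist `Y` entries while `X` entries still get false, but nothing in the hunk says what that flag means, so a reader cannot check that `R` really belongs with `Y` rather than with `X`; give the argument a name or a one-line comment at the call site, and record in the signature-format documentation that `R:` lines in .pdb files are now compiled differently. Two smaller points: `buffer[0]=='R'` is spaced differently from `buffer[0] == 'Y'` right beside it, and the `R:.*yahoo\.com.*` line from the message would make a good regression test for the new path.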



Re: [Clamav-users] Creating custom Phish DB signatures (pdb format)

2008-06-23 Thread Srinivasan Krishnan
Thanks for the response!

I just wanted the cases where paypal.com is the real URL and
yahoo.com is the displayable URL to be identified as a virus. It seems like
clamscan doesn't identify cases where (real_URL != displayable_URL) as a virus
automatically (or am I missing something?).

>> Why do you need regular expressions for the domainlist?
My idea of using regular expressions is to match cases where you might have
numbers or some special characters (like hyphens) before a subdomain.

Thanks,
Srini


Re: [Clamav-users] [Fwd: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for Applications?]

2008-06-23 Thread Marcus Neukert
No answer means there is no chance to change it?

Marcus Neukert wrote:
> Please take a look at the following scenario:
> I receive a zip archive containing more files than configured in
> MaxFiles. The files at the end of the archive (after the limit) are
> viruses. The scanner will abort the scan when reaching the
> max-files limit and will return CL_CLEAN. I have no information from the
> scanner that the scan was aborted and not all files have been scanned.
>
> But in my use case I need this information. I think the scanner should
> return the corresponding error codes (CL_EMAX*), so that the application
> has the possibility to handle it. Applications which are not interested
> or annoyed by these errors can ignore them.
> 
> Marcus Neukert
> 
> aCaB wrote:
>> Marcus Neukert wrote:
>>> Forwarding to clamav-users-list, hoping for an answer ...
>> Please take a look at
>> http://lurker.clamav.net/message/20080129.163022.5183157e.en.html
>>
>> -aCaB
>> ___
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://lurker.clamav.net/list/clamav-users.html
> 
> 


-- 
Marcus Neukert
Software developer - Development Services
Tel. +49-721-91374-3943 · Fax +49-721-91374-2740
[EMAIL PROTECTED] · http://www.web.de/

1&1 Internet AG
Brauerstraße 48
76135 Karlsruhe

Amtsgericht Montabaur HRB 6484

Executive board: Henning Ahlert, Ralph Dommermuth, Matthias Ehrlich, Thomas
Gottschlich, Matthias Greve, Robert Hoffmann, Markus Huhn, Oliver Mauss,
Achim Weiss
Chairman of the supervisory board: Michael Scheeren


Re: [Clamav-users] Creating custom Phish DB signatures (pdb format)

2008-06-23 Thread Török Edwin
Srinivasan Krishnan wrote:
> Thanks for the response!
>
> I just wanted to identify the cases where paypal.com is the real URL and
> yahoo.com is the displayable URL, to be identified as virus. Seems like
> clamscan doesn't identify cases where (real_URL != displayable_URL) as virus
> automatically (or am I missing something).
>   

That is correct; it would cause too many false positives to flag all
cases where real_URL != displayable_URL as phishing.
However, you only need to list the domain you wish to protect in
daily.pdb, and not each (real_URL, displayable_URL) pair that could
cause problems.

>>> Why do you need regular expressions for the domainlist?
> My idea of using regular expressions is to match cases where you might have
> numbers or some special characters (like hyphens) before a subdomain.

When you list a domain, all possible subdomains are included too, so
yahoo.com would include mail.yahoo.com, www.yahoo.com, and anything else
that ends in .yahoo.com.
So listing H:yahoo.com would be equivalent to something like this as a
regular expression:
^(.+\.|[^.]+)yahoo\.com([/?].+)?$

I think this is more generic; if you just want to blacklist a certain
URL combination you can use type 3 signatures (see the Phishing.RB.*
signatures).

Best regards,
--Edwin
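Edwin's two points above (a listed domain covers every subdomain, so hyphens and digits in front of it need no regular expression, and a mismatch is only worth flagging when the displayed host claims a protected domain while the real link leads outside it) are easy to misread, so here is an added, stand-alone Python illustration of that rule run over a constructed message like Srini's. It is not ClamAV's code and not its .pdb parser: `parse_domainlist` understands only plain `H:` lines, `in_domain` implements the "domain or any subdomain" rule as a label-boundary suffix test instead of the regular expression quoted in the message, and the HTML, the domain list and the hostnames in it are made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the test mail in the thread:
# link 1 displays yahoo.com but really points at paypal.com (spoofed),
# link 2 stays inside yahoo.com (fine), link 3 shows a numbered, hyphenated
# yahoo.com subdomain but leads elsewhere (spoofed), link 4 is a different
# domain that merely ends in "yahoo.com" (must not match), link 5 makes no
# domain claim at all.
SAMPLE_HTML = """\
<html><body>
<a href="http://www.paypal.com/login">yahoo.com</a>
<a href="http://news-123.yahoo.com/">mail.yahoo.com</a>
<a href="http://evil.example/">http://123-news.yahoo.com/inbox</a>
<a href="http://notyahoo.com/">notyahoo.com</a>
<a href="http://www.paypal.com/">Click here</a>
</body></html>
"""

# Constructed domain list in the simplified H:<host> form from the thread.
SAMPLE_PDB = """\
# hypothetical test.pdb
H:yahoo.com
"""

# What a plausible hostname looks like; rejects link text such as "Click here".
_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_domainlist(text):
    """Collect the hosts of 'H:<host>' lines. Assumption: this simplified
    reader understands only plain H: entries; every other line is skipped."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("H:"):
            hosts.append(line[2:].strip().lower())
    return hosts


def host_of(text):
    """Lower-cased hostname of a URL or of bare link text such as 'yahoo.com';
    '' when the text is not hostname-like (e.g. 'Click here')."""
    text = (text or "").strip()
    if "://" not in text:
        text = "http://" + text
    try:
        host = (urlparse(text).hostname or "").lower()
    except ValueError:
        return ""
    return host if _HOST_RE.match(host) else ""


def in_domain(host, listed):
    """The rule from the thread: the listed domain and every subdomain of it
    match, tested on label boundaries so 'notyahoo.com' is not 'yahoo.com'."""
    return host == listed or host.endswith("." + listed)


class _LinkCollector(HTMLParser):
    """Pull (href, displayed text) pairs out of <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def spoofed_links(html, protected):
    """Return (displayed_host, real_host) for every link whose visible text
    claims a protected domain while the href leads outside that domain."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href, shown in collector.links:
        real, displayed = host_of(href), host_of(shown)
        if not displayed:
            continue  # plain text such as "Click here" claims no domain
        for listed in protected:
            if in_domain(displayed, listed) and not in_domain(real, listed):
                hits.append((displayed, real))
    return hits


if __name__ == "__main__":
    for displayed, real in spoofed_links(SAMPLE_HTML, parse_domainlist(SAMPLE_PDB)):
        print(f"displayed {displayed} but really links to {real}")
```

Run with python3, the script reports the two spoofed links only: `123-news.yahoo.com` is caught without any regular expression because the suffix test already covers every subdomain, `notyahoo.com` is left alone because the test works on label boundaries, and a link that stays inside the protected domain is not a mismatch at all, which is why listing the protected domain is enough and listing (real_URL, displayable_URL) pairs is not needed.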


Re: [Clamav-users] [Fwd: [Clamav-devel] 0.93.1 / libclamav: no CL_EMAX*-Error-Codes for Applications?]

2008-06-23 Thread James Kosin

Marcus Neukert wrote:
> No answer means there is no chance to change it?

There may have been a chance to change it when the developers proposed 
the change in functionality originally on this list.  The change was 
to get rid of the "ZipTooLarge" virus definition, which caused more 
confusion than it solved.
Also, unfortunately, many milters consider any non-zero value as a 
VIRUS regardless of the return code.  So even if we had the granularity 
we would still end up with a lot of complaints about the issue.


The solution you are posing would require all the milters be updated to 
have a three stage error message:

 1) Successful, NO VIRUS.
 2) Unsuccessful, due to space or limits set.
 3) VIRUS detected.

In case 1 the message would be delivered; in case 2 the message may 
be delivered with a "warning" about the reason for the failure; in case 3 the 
message would be rejected for a VIRUS.


James




Re: [Clamav-users] Creating custom Phish DB signatures (pdb format)

2008-06-23 Thread Srinivasan Krishnan
>> However you only need to list the domain you wish to protect in daily.pdb
I guess you actually meant daily.wdb!! :-)

I also checked out Phishing.RB.* signatures. Now I get a feel of the
phishing mechanism of ClamAV.

Thanks for the information, Edwin! That was really useful.

Thanks,
Srini