[Clamav-users] encrypted zip embedded in other files not detected
Hi,

0.95.2, clamav has closed a bug #1554 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1554 where an archive embedded in say a bitmap file was not detected and searched for viruses, but the archive would be detected by popular unarchivers.

However, when I test, an encrypted zip embedded in another file is not reported as Encrypted.Zip when ArchiveBlockEncrypted is on in clamd.conf, so it would still be possible to send a virus within an encrypted zip by simply appending a few bytes to the start of the archive.

--
David Shrimpton
Systems Programmer
ITS
University of Queensland

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] encrypted zip embedded in other files not detected
On Tue, 14 Jul 2009 17:27:04 +1000 (EST) David Shrimpton d.shrimp...@its.uq.edu.au wrote:

> Hi,
>
> 0.95.2, clamav has closed a bug #1554 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1554 where an archive embedded in say a bitmap file was not detected and searched for viruses, but the archive would be detected by popular unarchivers.
>
> However, when I test, an encrypted zip embedded in another file is not reported as Encrypted.Zip when ArchiveBlockEncrypted is on in clamd.conf, so it would still be possible to send a virus within an encrypted zip by simply appending a few bytes to the start of the archive.

Hi David,

indeed, something's wrong with the detection of encrypted zips embedded into other files. Please open a bug report at bugs.clamav.net and we'll investigate it.

The problem can be worked around with this basic signature:

$ echo Encrypted.Zip:1:*:*:*:*:*:*:* > /usr/local/share/clamav/encrypted.zmd

(you may need to replace /usr/local/share/clamav with your local db directory)

Thanks,

--
Tomasz Kojm tk...@clamav.net
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Jul 14 09:58:35 CEST 2009
Re: [Clamav-users] cannot get clamsmtp to work properly
On 13.07.09 20:17, ceilingcat wrote:

> Here is the thing. clamav clamsmtp work perfectly in my virtual linux machine, but not when I install them in my desktop box. The error from /var/log/mail.log which I cannot resolve is
>
> dark_matter clamsmtpd: 11: CLAMAV: couldn't connect to: /var/run/clamav/clamd.ctl: Permission denied

clamsmtp doesn't have permission to open the socket. do

ls -ld /var/run/clamav/
ls -l /var/run/clamav/clamd.ctl

and see what user/group is clamsmtp running under.

> I have read that the socket can take some time to establish. Could that be a problem?

no, the message clearly says it's permission problem.

Btw, why clamsmtp? which MTA do you use?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: [Clamav-users] encrypted zip embedded in other files not detected
Tomasz Kojm wrote:

> On Tue, 14 Jul 2009 17:27:04 +1000 (EST) David Shrimpton d.shrimp...@its.uq.edu.au wrote:
>
>> Hi,
>>
>> 0.95.2, clamav has closed a bug #1554 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1554 where an archive embedded in say a bitmap file was not detected and searched for viruses, but the archive would be detected by popular unarchivers.
>>
>> However, when I test, an encrypted zip embedded in another file is not reported as Encrypted.Zip when ArchiveBlockEncrypted is on in clamd.conf, so it would still be possible to send a virus within an encrypted zip by simply appending a few bytes to the start of the archive.

I was attempting to test this when I ran into another issue. On the Bugzilla page, it says,

  Be careful, to be read by ZIP/RAR software, the beginning of the archive file must be in the first 50k.

ClamAV seems to enforce this: if the archive is embedded in a file larger than 50k, the signature won't trigger. However, many archive utilities *do* look past the first 50k of the file. In particular, the Linux command line 'unzip' and '7z' utilities (which are what I had on-hand) happily decompressed my EICAR.zip which was located at the end of a 1.4MB image.

I started up a Windows VM and did some quick tests. The following programs all searched to the end of the file:

1. 7-zip (GUI) http://7-zip.org/
2. PeaZip http://peazip.sourceforge.net/
3. PowerArchiver http://www.powerarchiver.com/
4. WinACE http://www.winace.com/
5. IZArc http://www.izarc.org/
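To make the 50k window discussed above concrete, here is an added example (not ClamAV's code and not from anyone in the thread) that walks a file for ZIP local file headers and reports which entries carry the encryption flag, optionally limiting where a header may start to a leading window; the bitmap-like prefix and the header bytes are constructed sample data, and the `build_sample` helper is hypothetical.

```python
import struct
from typing import List, Optional, Tuple

# ZIP local file header: 4-byte signature, then version(2) flags(2) method(2)
# time(2) date(2) crc(4) csize(4) usize(4) name_len(2) extra_len(2), then name.
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30
FLAG_ENCRYPTED = 0x0001  # bit 0 of the general-purpose flags


def find_zip_entries(data: bytes, scan_limit: Optional[int] = None) -> List[Tuple[int, str, bool]]:
    """Return (offset, filename, encrypted) for every local file header found.

    scan_limit restricts where a header may *start*, mimicking a scanner that
    only looks for embedded archives within the first N bytes of a file (the
    thread reports a 50k window). None searches the whole file.
    """
    limit = len(data) if scan_limit is None else min(scan_limit, len(data))
    end = limit + len(LOCAL_HEADER_SIG) - 1  # a header may begin on byte limit-1
    entries = []
    pos = data.find(LOCAL_HEADER_SIG, 0, end)
    while pos != -1:
        if pos + LOCAL_HEADER_LEN <= len(data):
            flags = struct.unpack_from("<H", data, pos + 6)[0]
            name_len = struct.unpack_from("<H", data, pos + 26)[0]
            name = data[pos + 30:pos + 30 + name_len].decode("latin-1", "replace")
            entries.append((pos, name, bool(flags & FLAG_ENCRYPTED)))
        pos = data.find(LOCAL_HEADER_SIG, pos + 1, end)
    return entries


def encrypted_entries(data: bytes, scan_limit: Optional[int] = None) -> List[Tuple[int, str]]:
    """Offsets and names a scanner honouring ArchiveBlockEncrypted should flag."""
    return [(off, name) for off, name, enc in find_zip_entries(data, scan_limit) if enc]


def build_sample() -> bytes:
    """Constructed sample: a bitmap-like prefix over 50 KiB, then one encrypted ZIP entry."""
    prefix = b"BM" + b"\x00" * (60 * 1024)  # constructed junk standing in for an image
    name = b"eicar.com"
    payload = b"\x11" * 16  # constructed placeholder for the encrypted, compressed bytes
    header = LOCAL_HEADER_SIG + struct.pack(
        "<HHHHHIIIHH", 20, FLAG_ENCRYPTED, 0, 0, 0, 0,
        len(payload), len(payload), len(name), 0)
    return prefix + header + name + payload


if __name__ == "__main__":
    sample = build_sample()
    print("whole file:", encrypted_entries(sample))            # [(61442, 'eicar.com')]
    print("first 50k: ", encrypted_entries(sample, 50 * 1024))  # []
```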
Re: [Clamav-users] cannot get clamsmtp to work properly
> clamsmtp doesn't have permission to open the socket. do
>
> ls -ld /var/run/clamav/
> ls -l /var/run/clamav/clamd.ctl
>
> and see what user/group is clamsmtp running under.
>
>> I have read that the socket can take some time to establish. Could that be a problem?
>
> no, the message clearly says it's permission problem.
>
> Btw, why clamsmtp? which MTA do you use?

ls -ld /var/run/clamav/
drwxr-xr-x 2 clamav clamav 60 2009-07-14 12:01 /var/run/clamav/

ls -l /var/run/clamav/clamd.ctl
-rw-r--r-- 1 clamav clamav 0 2009-07-14 11:52 /var/run/clamav/clamd.ctl

I am using Postfix as the MTA. As for using clamsmtp, why not, if it intercepts viruses for me?

btw .. i successfully installed clamsmtp on a virtual linux machine and I thought it would be just as easy to install on my desktop box!

--
View this message in context: http://www.nabble.com/cannot-get-clamsmtp-to-work-properly-tp24473002p24490927.html
Sent from the clamav-users mailing list archive at Nabble.com.
Re: [Clamav-users] cannot get clamsmtp to work properly
ceilingcat wrote:

>> clamsmtp doesn't have permission to open the socket. do
>>
>> ls -ld /var/run/clamav/
>> ls -l /var/run/clamav/clamd.ctl
>>
>> and see what user/group is clamsmtp running under.
>>
>>> I have read that the socket can take some time to establish. Could that be a problem?
>>
>> no, the message clearly says it's permission problem.
>>
>> Btw, why clamsmtp? which MTA do you use?
>
> ls -ld /var/run/clamav/
> drwxr-xr-x 2 clamav clamav 60 2009-07-14 12:01 /var/run/clamav/
>
> ls -l /var/run/clamav/clamd.ctl
> -rw-r--r-- 1 clamav clamav 0 2009-07-14 11:52 /var/run/clamav/clamd.ctl

Only the clamav user is allowed to read and write to the clamd.ctl file. This means that if the clamsmtp daemon doesn't run as the clamav user, it won't be able to communicate with clamd. I believe you have two options:

Run clamsmtpd as the clamav user. You should be able to do this by editing /etc/clamsmtpd.conf to have the following two lines and starting the clamsmtpd service as root.

# User to switch to
User: clamav

You may also be able to make the clamd.ctl socket have more permissive permissions. I'm not sure exactly how to do this or what the AllowSupplementaryGroups option for /etc/clamd.conf does :-).

> I am using Postfix as the MTA. As for using clamsmtp, why not, if it intercepts viruses for me?

People are implicitly suggesting that you use a milter which is becoming the standard replacement for filtering proxies. I think that you have a better chance of not losing an email if you use a clamav's milter, which postfix can communicate with.

> btw .. i successfully installed clamsmtp on a virtual linux machine and I thought it would be just as easy to install on my desktop box!

--
binki
Re: [Clamav-users] cannot get clamsmtp to work properly
# User to switch to
User: root

I changed User to root and now get

dark_matter postfix/smtp[4392]: 91C3E32210: to=bla...@blaaah.com, relay=none, delay=0.06, delays=0.04/0.02/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)

--
View this message in context: http://www.nabble.com/cannot-get-clamsmtp-to-work-properly-tp24473002p24491888.html
Sent from the clamav-users mailing list archive at Nabble.com.