Re: [clamav-users] false positives for CVE_2012_0773-2?
Arthur,

This is a FP that we are aware of and should be fixed momentarily.

Thanks,
- Alain

On Wed, Apr 18, 2012 at 5:27 PM, Arthur Douwes wrote:
> Hi,
>
> After freshclam updated the virus database last night (17th April) on our
> server the virus scanner reported the CVE_2012_0773-2 virus in several flash
> files. The problem is that some of those files are from 2007 and have never
> been changed. Other virus scanners don't give any warnings on the same flash
> files.
>
> Is the fingerprint for this virus correct?
>
> --
> TyrannoDouwes, Rex

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[clamav-users] false positives for CVE_2012_0773-2?
Hi,

After freshclam updated the virus database last night (17th April) on our
server the virus scanner reported the CVE_2012_0773-2 virus in several flash
files. The problem is that some of those files are from 2007 and have never
been changed. Other virus scanners don't give any warnings on the same flash
files.

Is the fingerprint for this virus correct?

--
TyrannoDouwes, Rex
Re: [clamav-users] Google Chrome infected?
On 18-04-2012 10:42, Alain Zidouemba wrote:
> What is the file being detected as? What is the MD5 for the file being
> detected?
>
> - Alain
>
> On Wed, Apr 18, 2012 at 1:38 PM, Frank Chan wrote:
>> On 12-04-2012 20:09, Frank Chan wrote:
>>> On 11-04-2012 17:33, Frank Chan wrote:
>>>> On 11-04-2012 16:08, Alain Zidouemba wrote:
>>>>> Frank,
>>>>>
>>>>> This is a FP that has already been taken care of. Please update your
>>>>> signatures and let us know if you run into any problems.
>>>>>
>>>>> Thanks,
>>>>> -Alain
>>>>>
>>>>> On Apr 11, 2012, at 7:06 PM, Frank Chan wrote:
>>>>>> I was doing a scan of my hard drive of my MS Windows XP system and
>>>>>> noticed in the scan results that some components of Google Chrome were
>>>>>> infected by W32.Virut.Gen.D-148. Here is the excerpt of the scan results.
>>>>>>
>>>>>> C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
>>>>>> C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.151\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
>>>>>>
>>>>>> I also found the same results for several other systems I have at work &
>>>>>> home, so is Google Chrome truly infected or is this a false positive? I
>>>>>> have scanned the Google Chrome for Apple Mac but it doesn't appear to be
>>>>>> infected (when I scan with clamav).
>>>>>> Anyone else seen this?
>>>>>>
>>>>>> Frank
>>>>
>>>> Thank you Alain for clearing this up.
>>>
>>> Hi Alain,
>>> I checked it again today and it showed no infection in Google Chrome.
>>>
>>> Thank you,
>>> Frank
>>
>> Hi Alain,
>> I checked it again this morning and I still get a possible false positive
>> with Google Chrome with the same file again.
>>
>> Thank you,
>> Frank

Hi Alain,

Here are the MD5 sums of the files you requested.

9652e7d2d40f72c4f4acec0e2dea28a1  chrome.7z
5974bc2d26dc0f1e9755ccc2806cfda2  chrome.dll

Again this possible false positive is in the same folder location as before
and here is the excerpt from the log:

C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\chrome.dll: W32.Virut.Gen.D-148 FOUND
C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND

Other MS Windows systems that I did clamscan on show the same thing.

Thank you,
Frank
[clamav-users] False positive phishing
Hello.

I am not receiving a legitimate email from hsbc.com.br that has an
attachment .html. This message is classified as
Heuristics.Phishing.Email.SpoofedDomain. Can you help me?

--
Daniel Gomes
Re: [clamav-users] trouble compiling clamav 0.97.4 -> Just a general comment on programming and error messages.
On Apr 18, 2012, at 10:25 AM, Jim Preston wrote:
> Too many times error messages are meaningless to almost anyone who is not
> part of the build team.

That may well be true in general, but ClamAV is open source: you've got the
source code and build infrastructure available to inspect and determine the
reason for an error message. In other words, if you're running ./configure,
welcome to the build team.

> In this particular instance, that is not the case, due to the big catch-all
> content of the message in combination with the configure options. I agree
> with Jasowicz that it would be more meaningful if it specifically pointed out
> that the warning message was generated by the --disable-zlib-vcheck option
> and even better if it included the results of the option check (if failing
> due to incorrect/bad version). ./configure does this if the build actually
> fails (e.g. missing a dependency).

Wouldn't one expect a flag named "--disable-zlib-vcheck" to disable version
checking of zlib? Alternatively, don't use that flag and ClamAV's configure
tests will do what you ask for. See the following section:

# Check whether --enable-zlib-vcheck was given.
if test "${enable_zlib_vcheck+set}" = set; then :
  enableval=$enable_zlib_vcheck; zlib_check=$enableval
else
  zlib_check="yes"
fi

if test ! -f "$ZLIB_HOME/include/zlib.h"
then
    as_fn_error $? "Please install zlib and zlib-devel packages" "$LINENO" 5
else
    vuln=`grep "ZLIB_VERSION \"1.2.0" $ZLIB_HOME/include/zlib.h`
    if test -z "$vuln"; then
        vuln=`grep "ZLIB_VERSION \"1.2.1" $ZLIB_HOME/include/zlib.h`
    fi
    if test -n "$vuln"; then
        if test "$zlib_check" = "yes"; then
            as_fn_error $? "The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You\
can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stability issues then!" "$LINENO" 5
        else
            { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ** This ClamAV installation may be linked against" >&5
$as_echo "$as_me: WARNING: ** This ClamAV installation may be linked against" >&2;}
            { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ** a broken zlib version. Please DO NOT report any" >&5
$as_echo "$as_me: WARNING: ** a broken zlib version. Please DO NOT report any" >&2;}
            { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ** stability problems to the ClamAV developers!" >&5
$as_echo "$as_me: WARNING: ** stability problems to the ClamAV developers!" >&2;}
        fi
    fi
fi

> I am a part-time C++, C#, VB, command line script programmer and fully
> realize that the cost of programming will go up incrementally with the
> programmatic handling of errors to give precise granular messages. But in
> response to that argument I generally respond with "If you are bothering to
> capture an error, might as well make the error message mean something. If
> not, just let it crash without any message rather than displaying meaningless
> messages".

Heh. CMU used the freshman programming class to weed out prospective comp sci
students. One of the ways they did so was to fail any student program which
crashed. You weren't required to provide a Shakespearean sonnet of an error
message, but you were expected to catch all possible exceptions and log
something rather than crashing.

> If a log is being generated, putting the details in the log, stating the log
> contains the details AND giving the name and location of the log is a good
> SOP starting point. For example one of my pet peeves is the following error
> message "An error has occurred". I have to work in the MS Windows world and
> sadly this is a typical error message in the Wonderful World of Windows (and
> I used to think WWW stood for something else.). The programmer should not
> have bothered displaying a message if that is all they are going to say about
> it. It does not tell the user anything useful to try and solve the problem.

I happen to be of the opinion that ClamAV's configure goes well out of its
way to clearly identify potentially buggy libraries and provide clear
references to CVE #s, GCC PRs, and so forth. If you have a different opinion,
well, you're welcome to update the messages being displayed by ./configure
and provide a diff for the ClamAV developers to consider adopting, if they
feel your changes offer more clarity.

Regards,
--
-Chuck
Re: [clamav-users] clamd network mode
On Wed, 2012-04-18 at 12:13 -0500, Tom Goerger wrote:
> Hi,
>
> We're running clamav on our mta servers right now, each in local mode.
> We're experiencing some high loads causing mail delays on these servers,

I can imagine if you're using clamscan.

> and are trying to offload some of their resources. It seems from some of
> the language in the clamd conf file that there's a way to use clamd in a
> network fashion. Is this just a matter of changing the socket being used
> to point to the external box? Or are there other variables that need to be
> set to accomplish this?

You have to configure clamd using clamd.conf and then start clamd. Clamd can
use a socket or an IP:port connection, that's up to you. Personally, I find
clamd.conf descriptive enough to be able to find out how to configure it.
After starting clamd, you can use clamdscan instead of clamscan for scanning
(the file(s) in) your email.

--
Rob
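Rob's answer above leaves the wire details to clamd.conf. As an added example (not ClamAV's code, nor anything posted on the list), this is the exchange a network client performs against a clamd that was started with TCPSocket/TCPAddr in its clamd.conf: clamd's INSTREAM command, which ships the message bytes to the scanner host so no shared filesystem is needed. The host, port, chunk size and sample bytes are assumptions.

```python
import socket
import struct

# Added example. Assumes a remote clamd configured with e.g.
#   TCPSocket 3310
#   TCPAddr   <scanner-ip>      (placeholder)
# in clamd.conf. The MTA-side client speaks clamd's INSTREAM protocol.


def build_instream(data, chunk_size=8192):
    """Frame data as clamd expects for zINSTREAM: a NUL-terminated command,
    then length-prefixed chunks (4-byte big-endian), then a zero-length
    chunk that terminates the stream."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def parse_reply(raw):
    """Map a NUL-terminated zINSTREAM reply to (status, detail).
    'stream: OK' -> ('OK', None); 'stream: Name FOUND' -> ('FOUND', 'Name');
    anything else (e.g. clamd's StreamMaxLength being exceeded) is an error."""
    text = raw.rstrip(b"\0").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("OK", None)
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("FOUND", text[len("stream: "):-len(" FOUND")])
    return ("ERROR", text)


def scan_bytes(data, host, port=3310, timeout=30):
    """Send data to a remote clamd and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands end replies with NUL
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Constructed message body; "scanner.example" is a placeholder host.
    print(scan_bytes(b"Subject: hello\r\n\r\nplain text body\r\n", "scanner.example"))
```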
Re: [clamav-users] Google Chrome infected?
What is the file being detected as? What is the MD5 for the file being
detected?

- Alain

On Wed, Apr 18, 2012 at 1:38 PM, Frank Chan wrote:
> On 12-04-2012 20:09, Frank Chan wrote:
>> On 11-04-2012 17:33, Frank Chan wrote:
>>> On 11-04-2012 16:08, Alain Zidouemba wrote:
>>>> Frank,
>>>>
>>>> This is a FP that has already been taken care of. Please update your
>>>> signatures and let us know if you run into any problems.
>>>>
>>>> Thanks,
>>>> -Alain
>>>>
>>>> On Apr 11, 2012, at 7:06 PM, Frank Chan wrote:
>>>>> I was doing a scan of my hard drive of my MS Windows XP system and
>>>>> noticed in the scan results that some components of Google Chrome were
>>>>> infected by W32.Virut.Gen.D-148. Here is the excerpt of the scan results.
>>>>>
>>>>> C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
>>>>> C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.151\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
>>>>>
>>>>> I also found the same results for several other systems I have at work &
>>>>> home, so is Google Chrome truly infected or is this a false positive? I
>>>>> have scanned the Google Chrome for Apple Mac but it doesn't appear to be
>>>>> infected (when I scan with clamav).
>>>>> Anyone else seen this?
>>>>>
>>>>> Frank
>>>
>>> Thank you Alain for clearing this up.
>>
>> Hi Alain,
>> I checked it again today and it showed no infection in Google Chrome.
>>
>> Thank you,
>> Frank
>
> Hi Alain,
> I checked it again this morning and I still get a possible false positive
> with Google Chrome with the same file again.
>
> Thank you,
> Frank
Re: [clamav-users] Google Chrome infected?
On 12-04-2012 20:09, Frank Chan wrote:
> On 11-04-2012 17:33, Frank Chan wrote:
>> On 11-04-2012 16:08, Alain Zidouemba wrote:
>>> Frank,
>>>
>>> This is a FP that has already been taken care of. Please update your
>>> signatures and let us know if you run into any problems.
>>>
>>> Thanks,
>>> -Alain
>>>
>>> On Apr 11, 2012, at 7:06 PM, Frank Chan wrote:
>>>> I was doing a scan of my hard drive of my MS Windows XP system and
>>>> noticed in the scan results that some components of Google Chrome were
>>>> infected by W32.Virut.Gen.D-148. Here is the excerpt of the scan results.
>>>>
>>>> C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.151\chrome.dll: W32.Virut.Gen.D-148 FOUND
>>>> C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.151\Installer\chrome.7z: W32.Virut.Gen.D-148 FOUND
>>>>
>>>> I also found the same results for several other systems I have at work &
>>>> home, so is Google Chrome truly infected or is this a false positive? I
>>>> have scanned the Google Chrome for Apple Mac but it doesn't appear to be
>>>> infected (when I scan with clamav).
>>>> Anyone else seen this?
>>>>
>>>> Frank
>>
>> Thank you Alain for clearing this up.
>
> Hi Alain,
> I checked it again today and it showed no infection in Google Chrome.
>
> Thank you,
> Frank

Hi Alain,

I checked it again this morning and I still get a possible false positive
with Google Chrome with the same file again.

Thank you,
Frank
[clamav-users] clamd network mode
Hi,

We're running clamav on our mta servers right now, each in local mode.
We're experiencing some high loads causing mail delays on these servers,
and are trying to offload some of their resources. It seems from some of
the language in the clamd conf file that there's a way to use clamd in a
network fashion. Is this just a matter of changing the socket being used
to point to the external box? Or are there other variables that need to be
set to accomplish this?

Thanks,
Tom

--
Tom Goerger
University of Minnesota - Internet Services
Re: [clamav-users] trouble compiling clamav 0.97.4 -> Just a general comment on programming and error messages.
On 04/17/2012 09:15 AM, Jasowicz, Artur wrote:
>> Jasowicz,
>>
>> You forced configure to skip a check which is there in order to avoid us
>> being flooded with "clamd crashed" bug reports where bzip2 really fails.
>> Configure obeys but it tells you that you are on your own. If your clamd
>> crashes, good luck. Of course if you go through the trouble of tracing the
>> crash and are sure that it's not related to bzip2 (or other configure
>> things you might have messed around with) then you are still welcome to
>> submit a bug report :)
>>
>> Cheers,
>> --
>> aCaB
>
> Fair enough, makes sense. Tho it would be nice if configure output said
> specifically why it threw the warning. In my specific case it could have
> said "You're on your own because you used disable-zlib-vcheck option". To
> someone experienced in building clamav this may be obvious. To me - not so
> much.
>
> Thanks aCaB!

Just a general comment on programming and error messages.

Too many times error messages are meaningless to almost anyone who is not
part of the build team.

In this particular instance, that is not the case, due to the big catch-all
content of the message in combination with the configure options. I agree
with Jasowicz that it would be more meaningful if it specifically pointed out
that the warning message was generated by the --disable-zlib-vcheck option
and even better if it included the results of the option check (if failing
due to incorrect/bad version). ./configure does this if the build actually
fails (e.g. missing a dependency).

I am a part-time C++, C#, VB, command line script programmer and fully
realize that the cost of programming will go up incrementally with the
programmatic handling of errors to give precise granular messages. But in
response to that argument I generally respond with "If you are bothering to
capture an error, might as well make the error message mean something. If
not, just let it crash without any message rather than displaying meaningless
messages".

If a log is being generated, putting the details in the log, stating the log
contains the details AND giving the name and location of the log is a good
SOP starting point. For example one of my pet peeves is the following error
message "An error has occurred". I have to work in the MS Windows world and
sadly this is a typical error message in the Wonderful World of Windows (and
I used to think WWW stood for something else.). The programmer should not
have bothered displaying a message if that is all they are going to say about
it. It does not tell the user anything useful to try and solve the problem.

Just my 2¢

--
Jim Preston
Re: [clamav-users] ClamAV detecting SSN in mail
On 04/18/2012 06:38 PM, Stephen Guglielmo wrote:
> Hello,
>
> I have a mail system with virus filtering via ClamAV. It has been
> working well, I've tested it with the EICAR check successfully.
> However, ClamAV has been detecting false positives in certain emails
> with the detection "Heuristics.Structured.SSN."
>
> This is the most recent email it flagged as
> "Heuristics.Structured.SSN", but is a false positive.
> http://lists.freebsd.org/pipermail/freebsd-announce/2012-April/001417.html
>
> It is an announcement on a FreeBSD mailing list. It has no viruses or
> social security numbers.
>
> Is there a way to decrease the sensitivity of this?

Set StructuredSSNFormatStripped to No in clamd.conf (which is the default).
Parts of the MD5/SHA256 from that email are identified as valid SSNs
otherwise.

Best regards,
--Edwin
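Edwin's answer above points at the stripped SSN format. As an added example (not ClamAV's dlp.c, nor anything posted on the list), this models the two formats the DLP module can look for, the default hyphenated NNN-NN-NNNN and the bare nine-digit "stripped" form, with a simplified validity filter, and shows why digest lines in an announcement mail trip the stripped mode while the default mode ignores them. The sample mail, the digest values, the validity rule and the min-count default of 3 are constructed or assumed.

```python
import re

# Added example: a simplified model of ClamAV's SSN formats, not its own code.
# Normal format (StructuredSSNFormatNormal): NNN-NN-NNNN, not glued to other digits.
HYPHEN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# Stripped format (StructuredSSNFormatStripped): nine bare digits anywhere,
# which is exactly what hex digests containing long digit runs look like.
DIGIT_RUN_RE = re.compile(r"\d{9,}")

# Constructed sample mail: three digest lines and no SSN at all.
SAMPLE_MAIL = """\
Subject: [FreeBSD-Announce] example advisory (constructed, not the real post)

MD5    (advisory.txt) = c9ea284715092fb7a1d0e6c5f2a3b4d8
MD5    (patch.diff)   = e1fa601558073ab3c8d2e7f4a9b5c6d1
SHA256 (patch.diff)   = 4a7f527331846bd02e9c6f0a1e88d910640378fa3b7c5d41e5b0c9a6f7e2d3cb
"""


def is_plausible_ssn(area, group, serial):
    """Cheap validity filter (assumed, not ClamAV's table): area 000, 666 and
    900+ are never issued; group and serial are never all zeros."""
    a, g, s = int(area), int(group), int(serial)
    return 0 < a < 900 and a != 666 and g != 0 and s != 0


def find_ssns(text, stripped):
    """Return candidate SSNs; stripped=True also accepts bare nine-digit runs."""
    hits = [m.group(0) for m in HYPHEN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]
    if stripped:
        for run in DIGIT_RUN_RE.finditer(text):
            digits = run.group(0)
            # Every nine-digit window inside a longer digit run is a candidate.
            for i in range(len(digits) - 8):
                w = digits[i:i + 9]
                if is_plausible_ssn(w[:3], w[3:5], w[5:]):
                    hits.append(w)
    return hits


def verdict(text, stripped, min_count=3):
    """min_count models StructuredMinSSNCount (assumed clamd.conf default 3)."""
    n = len(find_ssns(text, stripped))
    return "Heuristics.Structured.SSN" if n >= min_count else "OK"


def expected_digit_windows(hex_len=64, run=9):
    """Expected number of all-digit nine-character windows in a random hex
    digest of hex_len characters: (hex_len - run + 1) * (10/16) ** run.
    For SHA256 that is about 0.8, so digest lines trip the stripped mode often."""
    return (hex_len - run + 1) * (10 / 16) ** run


if __name__ == "__main__":
    print(find_ssns(SAMPLE_MAIL, stripped=True))   # 3 digit runs pass the filter
    print(verdict(SAMPLE_MAIL, stripped=True))     # Heuristics.Structured.SSN
    print(verdict(SAMPLE_MAIL, stripped=False))    # OK
    print(round(expected_digit_windows(), 2))      # 0.81
```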
[clamav-users] ClamAV detecting SSN in mail
Hello,

I have a mail system with virus filtering via ClamAV. It has been
working well, I've tested it with the EICAR check successfully.
However, ClamAV has been detecting false positives in certain emails
with the detection "Heuristics.Structured.SSN."

This is the most recent email it flagged as
"Heuristics.Structured.SSN", but is a false positive.
http://lists.freebsd.org/pipermail/freebsd-announce/2012-April/001417.html

It is an announcement on a FreeBSD mailing list. It has no viruses or
social security numbers.

Is there a way to decrease the sensitivity of this?

Thank you.