Re: [clamav-users] Spam No Longer ID'd as Virus
> Unless something has changed again that I missed, the INetMsg signatures are no longer maintained.

That's still correct... just in case anyone else missed the updates, here are the last two announcements, as there were a few new databases too:

http://www.freelists.org/post/sanesecurity/database-changes
http://www.freelists.org/post/sanesecurity/New-database-winnow-bad-cwhdb

Cheers,
Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[clamav-users] Anomaly Detected by OSSEC
Hi,

For me, OSSEC is continuously triggering the following alert message when it is doing its daily rootkit checks:

OSSEC HIDS Notification.
2012 Aug 19 04:33:47

Received From: (web-agent) 192.168.0.115->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Anomaly detected in file '/tmp/clamav-e6d074726ae187561c8cdee65748cc53'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

--END OF NOTIFICATION

The name of the tmp file changes in each alert. Is it a false positive? Hoping that it is, any idea what's causing this file to be hidden from stats?

Thanks in advance,
Teres
Re: [clamav-users] Anomaly Detected by OSSEC
On Tue, Aug 21, 2012 at 6:25 AM, teres vir teres@gmail.com wrote:
> Hi,
>
> For me, OSSEC is continuously triggering the following alert message when it is doing its daily rootkit checks:
>
> OSSEC HIDS Notification.
> 2012 Aug 19 04:33:47
>
> Received From: (web-agent) 192.168.0.115->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Anomaly detected in file '/tmp/clamav-e6d074726ae187561c8cdee65748cc53'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>
> --END OF NOTIFICATION
>
> The name of the tmp file changes in each alert. Is it a false positive? Hoping that it is, any idea what's causing this file to be hidden from stats?
>
> Thanks in advance,
> Teres

You should be able to confirm this with the ossec-list, but this is a fairly common false positive for ossec. It is triggered by files which show up in a call to readdir but not to a follow-up stat call. Any file that gets deleted between the two calls can cause this warning. Temp files that vanish quickly are the culprit here.

What you are seeing are short-lived temp files that ClamAV is using while unpacking certain file formats. They vanish because clamd will remove them when they are no longer needed. The default location is /tmp, but you can add or change the TemporaryDirectory setting in your clamd.conf file to point to a different directory if you like. Then these files will appear in a controlled location instead of the /tmp directory, which may make it clearer that they are truly of no concern.

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
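The readdir-then-stat logic Dave describes, reproduced as an added example (this is not OSSEC's or ClamAV's code). `scan_naive` is the rootcheck-style check; `scan_confirmed` is an assumed refinement that re-lists the directory and only keeps names that are still present, which separates a temp file clamd unlinked mid-scan from a file that is genuinely on disk but hidden from stat. The `lying_stat` hook in `demo` is a user-space simulation of the second case; the file name is the one from the alert above, the file content is constructed.

```python
"""Reproduce the readdir-vs-stat observation behind OSSEC rootcheck rule 510.

Added example, not OSSEC's or ClamAV's own code. A rootcheck-style scan lists
a directory (readdir) and then stats every name it saw; a name that is listed
but cannot be stat'ed is reported as hidden. A temp file that clamd deletes
between the two calls produces exactly that observation. The confirmed scan
below is an assumed refinement that tells the two cases apart.
"""
import os
import tempfile
from typing import Callable, Dict, List, Optional

StatFn = Callable[[str], object]


def scan_naive(directory: str,
               between_calls: Optional[Callable[[], None]] = None,
               stat_fn: StatFn = os.lstat) -> List[str]:
    """Names seen by readdir that fail a later stat (the rootcheck logic).

    between_calls runs after the listing and before the stats, standing in
    for the time a real scan spends walking a big directory. stat_fn is
    pluggable so a stat that lies can be simulated without a rootkit.
    """
    names = os.listdir(directory)            # readdir pass
    if between_calls is not None:
        between_calls()
    hidden = []
    for name in names:                        # stat pass
        try:
            stat_fn(os.path.join(directory, name))
        except FileNotFoundError:
            hidden.append(name)
    return hidden


def scan_confirmed(directory: str,
                   between_calls: Optional[Callable[[], None]] = None,
                   stat_fn: StatFn = os.lstat) -> List[str]:
    """Same check, but a suspect is kept only if a second readdir still lists it.

    A file that was simply unlinked in the meantime (clamd's temp file) is
    gone from the second listing; a file whose stat is being intercepted
    is still there.
    """
    suspects = scan_naive(directory, between_calls, stat_fn)
    still_listed = set(os.listdir(directory))
    return [name for name in suspects if name in still_listed]


def demo() -> Dict[str, List[str]]:
    """Run both scanners against both scenarios in a scratch directory."""
    # Name taken from the alert in the thread; file content is constructed.
    name = "clamav-e6d074726ae187561c8cdee65748cc53"
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, name)

        def create() -> None:
            with open(path, "w") as fh:
                fh.write("unpacked attachment (constructed)\n")

        def clamd_cleans_up() -> None:
            os.unlink(path)                   # clamd removing its temp file

        def lying_stat(p: str):
            # Simulated hook: stat claims the file is absent although
            # readdir still lists it and it is still on disk.
            if os.path.basename(p) == name:
                raise FileNotFoundError(p)
            return os.lstat(p)

        results: Dict[str, List[str]] = {}
        create()
        results["race_naive"] = scan_naive(scratch, clamd_cleans_up)
        create()
        results["race_confirmed"] = scan_confirmed(scratch, clamd_cleans_up)
        create()
        results["hidden_naive"] = scan_naive(scratch, stat_fn=lying_stat)
        results["hidden_confirmed"] = scan_confirmed(scratch, stat_fn=lying_stat)
    return results


if __name__ == "__main__":
    for scenario, names in demo().items():
        print(f"{scenario:17s} -> {names}")
```

Running it shows the naive scan flagging the temp file in both scenarios, while the confirmed scan flags only the one that is still listed after the failed stat. Pointing clamd's TemporaryDirectory at a dedicated path, as the reply suggests, has the same effect operationally: the noise is confined to a directory you can exclude from rootcheck.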
[clamav-users] local mirror update fail
Hello people, this is my first mail because I'm new to ClamAV . . .

I read some info on updating my local machines from a local web server. From www.clamav.net I downloaded the 4 archives main.cvd, daily.cvd, bytecode.cvd and safebrowsing.cvd and put them on my local web server under the following link:

http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/

Now on the local machine I installed clamav and configured the freshclam.conf file:

===
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
AllowSupplementaryGroups false
PidFile /var/run/clamav/freshclam.pid
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases no
ScriptedUpdates no
CompressLocalDatabase no
Bytecode true
# Check for new database 24 times a day
Checks 24
DatabaseMirror http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/
#DatabaseMirror database.clamav.ne
===

Now I restart the freshclam daemon and I get the following in freshclam.log:

===
Tue Aug 21 10:40:00 2012 -> --
Tue Aug 21 10:40:00 2012 -> freshclam daemon 0.96.5 (OS: linux-gnu, ARCH: i386, CPU: i486)
Tue Aug 21 10:40:00 2012 -> ClamAV update process started at Tue Aug 21 10:40:00 2012
Tue Aug 21 10:40:00 2012 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Aug 21 10:40:00 2012 -> WARNING: Local version: 0.96.5 Recommended version: 0.97.5
Tue Aug 21 10:40:00 2012 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Tue Aug 21 10:40:00 2012 -> WARNING: Can't get information about http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/: Name or service not known
Tue Aug 21 10:40:00 2012 -> WARNING: Can't download main.cvd from http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/
Tue Aug 21 10:40:00 2012 -> Trying again in 5 secs...
Tue Aug 21 10:40:05 2012 -> ClamAV update process started at Tue Aug 21 10:40:05 2012
Tue Aug 21 10:40:06 2012 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Aug 21 10:40:06 2012 -> WARNING: Local version: 0.96.5 Recommended version: 0.97.5
Tue Aug 21 10:40:06 2012 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Tue Aug 21 10:40:06 2012 -> WARNING: Can't get information about http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/: Name or service not known
Tue Aug 21 10:40:06 2012 -> WARNING: Can't download main.cvd from http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/
Tue Aug 21 10:40:06 2012 -> Trying again in 5 secs...
Tue Aug 21 10:40:11 2012 -> ClamAV update process started at Tue Aug 21 10:40:11 2012
Tue Aug 21 10:40:11 2012 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Aug 21 10:40:11 2012 -> WARNING: Local version: 0.96.5 Recommended version: 0.97.5
Tue Aug 21 10:40:11 2012 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Tue Aug 21 10:40:11 2012 -> WARNING: Can't get information about http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/: Name or service not known
Tue Aug 21 10:40:11 2012 -> WARNING: Can't download main.cvd from http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/
Tue Aug 21 10:40:11 2012 -> Trying again in 5 secs...
Tue Aug 21 10:40:16 2012 -> ClamAV update process started at Tue Aug 21 10:40:16 2012
Tue Aug 21 10:40:16 2012 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Aug 21 10:40:16 2012 -> WARNING: Local version: 0.96.5 Recommended version: 0.97.5
Tue Aug 21 10:40:16 2012 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Tue Aug 21 10:40:16 2012 -> WARNING: Can't get information about http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/: Name or service not known
Tue Aug 21 10:40:16 2012 -> WARNING: Can't download main.cvd from http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/
Tue Aug 21 10:40:16 2012 -> Trying again in 5 secs...
Tue Aug 21 10:40:21 2012 -> ClamAV update process started at Tue Aug 21 10:40:21 2012
Tue Aug 21 10:40:21 2012 -> WARNING: Your ClamAV installation is OUTDATED!
Tue Aug 21 10:40:21 2012 -> WARNING: Local version: 0.96.5 Recommended version: 0.97.5
Tue Aug 21 10:40:21 2012 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Tue Aug 21 10:40:21 2012 -> ERROR: Can't get information about http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/: Name or service not known
Tue Aug 21 10:40:21 2012 -> ERROR: Can't download main.cvd from http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/
Tue Aug 21 10:40:21 2012 -> Giving up on http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/...
Tue Aug 21 10:40:21 2012 -> Update failed. Your network may be down or none of the mirrors
Re: [clamav-users] local mirror update fail
On 2012-08-21 16:45, infelectromed@infomed.sld.cu wrote:
> DatabaseMirror http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/

This is an HTTP URL, but DatabaseMirror is a DNS name that resolves to multiple IPs.

> Tue Aug 21 10:40:00 2012 -> WARNING: Local version: 0.96.5

Time to upgrade.
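A small checker for the misconfiguration in this thread, as an added example (not freshclam's own code). It takes the reply at face value: DatabaseMirror holds a host name that freshclam resolves via DNS, not a URL, so a value containing a scheme or a path is flagged and the host part is suggested instead. The "Name or service not known" line in the log is explained the same way, since the resolver was handed the whole URL string. `WEAK_CONF` is trimmed from the configuration posted above; `FIXED_CONF` and the assumption that the .cvd files would then be served from the web root of `ftp.sld.cu` are mine, not something the thread confirms.

```python
"""Check DatabaseMirror entries in freshclam.conf and explain the log error.

Added example, not freshclam's own code. It assumes what the reply states:
DatabaseMirror takes a host name (resolved via DNS), not a URL with a
scheme and path. The corrected configuration further assumes the database
files are served from the web root of that host.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Trimmed from the configuration posted in the thread.
WEAK_CONF = """\
DatabaseOwner clamav
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
Checks 24
DatabaseMirror http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/
#DatabaseMirror database.clamav.net
"""

# Assumed fix: host name only; the .cvd files must then sit at that host's web root.
FIXED_CONF = WEAK_CONF.replace(
    "DatabaseMirror http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/",
    "DatabaseMirror ftp.sld.cu")

# RFC 1123-style host name: dot-separated labels of letters, digits, hyphens.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                     r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Matches the resolver failure freshclam logged in the thread.
LOG_RE = re.compile(r"Can't get information about (.+?): Name or service not known")


def parse_conf(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, value) for each non-comment, non-blank line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((lineno, key, value.strip()))
    return entries


def suggest_host(value: str) -> str:
    """Host name a URL- or path-shaped DatabaseMirror value was probably meant to be."""
    if "://" in value:
        return urlsplit(value).hostname or value
    return value.split("/", 1)[0]


def check_mirrors(text: str) -> List[str]:
    """Human-readable findings about the DatabaseMirror lines in a config."""
    findings = []
    mirrors = [(n, v) for n, k, v in parse_conf(text) if k == "DatabaseMirror"]
    if not mirrors:
        findings.append("no DatabaseMirror configured")
    for lineno, value in mirrors:
        if "://" in value or "/" in value:
            findings.append(
                f"line {lineno}: DatabaseMirror '{value}' is a URL/path; "
                f"use the host name '{suggest_host(value)}'")
        elif not HOST_RE.match(value):
            findings.append(f"line {lineno}: '{value}' is not a valid host name")
    return findings


def explain_log_line(line: str) -> str:
    """Explain a freshclam resolver failure; empty string for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return ""
    target = m.group(1)
    return (f"freshclam handed '{target}' to the resolver as a host name; "
            f"set DatabaseMirror to '{suggest_host(target)}' instead")


if __name__ == "__main__":
    print("weak :", check_mirrors(WEAK_CONF))
    print("fixed:", check_mirrors(FIXED_CONF))
    print(explain_log_line(
        "Tue Aug 21 10:40:00 2012 -> WARNING: Can't get information about "
        "http://ftp.sld.cu/pub/antivirus/clamav/actualizaciones/: Name or service not known"))
```

The mirror check is deliberately strict about any "/" in the value: if the files cannot be placed at the web root of the local server, the fix is on the server side (a virtual host or alias serving the directory as its root), not a path in freshclam.conf.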
Re: [clamav-users] Detection of Win32 Trojan / Dorifel
On 08/20/2012 02:43 PM, Joel Esler wrote:
> On Aug 20, 2012, at 7:46 AM, Birgelen, Jeroen van jeroen.van.birge...@ordina.nl wrote:
>> LS,
>>
>> I would kindly like to request some information on whether ClamAV is detecting the Dorifel Trojan/virus which is currently spreading (at least in The Netherlands), since two weeks or so.
>>
>> At the moment, according to an overview on the website of virustotal.com, most major anti-virus tools can detect the virus, unfortunately ClamAV cannot (yet). If I'm correct, the specific virus has been submitted to your Anti Virus database.
>>
>> Any information would be much appreciated.
>>
>> Kind regards,
>> Jeroen
>
> I'll take a look this morning, thanks for emailing.

I'd like to know if there's any news on this. TIA..

--
Rob
Re: [clamav-users] Detection of Win32 Trojan / Dorifel
I'll provide an answer shortly on this.

Thanks,
- Alain