Re: [clamav-users] No more updates since march 1st
Normally I see multiple updates per day, and I agree in the weekend normally 1 or 2 per day. But I understand that there is no policy on how often an update is released, it is more of a random thing?

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Al Varnell
Sent: Monday 3 March 2014 8:26
To: ClamAV users ML
Subject: Re: [clamav-users] No more updates since march 1st

On Mar 2, 2014, at 11:19 PM, Mischa Coenen mc1...@live.nl wrote:
> I have noticed that the last update of the ClamAV database was at 01 Mar 2014 16-54 -0500, after that I didn't see any new updates. Are there issues with releasing new updates?

Weekends are always slow, so I wouldn't get too excited unless you still haven't seen something by mid-day tomorrow.

-Al-
--
Al Varnell
Mountain View, CA

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] No more updates since march 1st
Yes, that's been my experience over the years. Once a signature writer has finished with a batch they put them through QA testing and then send them out. So it depends mostly on the work schedule of the writers, which used to be much more random when they were all volunteers.

My impression of the last longer break was that it had to do with the holidays, but you are correct that it didn't start flowing until somebody asked and we didn't get an explanation.

-Al-

On 3/3/14 1:26 AM, Mischa Coenen wrote:
> Normally I see multiple updates per day, and I agree in the weekend normally 1 or 2 per day. But I understand that there is no policy on how often an update is released, it is more of a random thing?
>
> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Al Varnell
> Sent: Monday 3 March 2014 8:26
> To: ClamAV users ML
> Subject: Re: [clamav-users] No more updates since march 1st
>
> On Mar 2, 2014, at 11:19 PM, Mischa Coenen mc1...@live.nl wrote:
>> I have noticed that the last update of the ClamAV database was at 01 Mar 2014 16-54 -0500, after that I didn't see any new updates. Are there issues with releasing new updates?
>
> Weekends are always slow, so I wouldn't get too excited unless you still haven't seen something by mid-day tomorrow.
Re: [clamav-users] Low detection rate
On 3/3/14, 4:28 AM, Steve Hill wrote:
> I'm using clamd together with exim under Scientific Linux 6.3 and I'm having problems with Clam not detecting many viruses - in fact, looking back through the logs it basically only seems to be finding a few phishing emails.

Did you just send a link to a known infected file to this list?

dp
Re: [clamav-users] Low detection rate
On 03.03.14 12:38, Dennis Peterson wrote:
> Did you just send a link to a known infected file to this list?

Yes, I sent a link to something I felt people answering my question would need to be able to see, with some text next to it *specifically saying it was infected*. I sent a link rather than just attaching the file to the email so that people would actually read the text before opening it. I'm unclear on how else I should reference example data?

(Are people on a mailing list for virus scanning software in the habit of clicking random links in messages without reading the message text directly next to the link?!)

--
 - Steve Hill
   Technical Director
   Opendium Limited http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:st...@opendium.com
   Email: st...@opendium.com
   Phone: sip:st...@opendium.com

Sales / enquiries contacts:
   Email: sa...@opendium.com
   Phone: +44-844-9791439 / sip:sa...@opendium.com

Support contacts:
   Email: supp...@opendium.com
   Phone: +44-844-4844916 / sip:supp...@opendium.com
Re: [clamav-users] Low detection rate
> On 03.03.14 12:38, Dennis Peterson wrote:
>> Did you just send a link to a known infected file to this list?
>
> Yes, I sent a link to something I felt people answering my question would need to be able to see, with some text next to it *specifically saying it was infected*.

I think a h t t p non-clickable link might have been wise though, just in case someone hasn't had their coffee yet and clicks it...yes, I know... but it does happen ;)

Cheers,

Steve
Sanesecurity.com
Re: [clamav-users] Low detection rate
On 03.03.14 13:49, Shawn Webb wrote:
> You can submit files you suspect are legitimate malware here: http://www.clamav.net/lang/en/sendvirus/

As mentioned, I've already done that, but my concern is trying to figure out why Clam only seems to be blocking phishing emails rather than actual malware - have I got something wrong in my configuration, or is Clam's detection engine and signature database *really* unable to detect all this malware?

--
 - Steve Hill
   Technical Director
   Opendium Limited http://www.opendium.com
Re: [clamav-users] Low detection rate
On 03.03.14 13:49, Steve Basford wrote:
> I think a h t t p non-clickable link might have been wise though, just in case someone hasn't had their coffee yet and clicks it...yes, I know... but it does happen ;)

My apologies - I will keep this in mind in future.

--
 - Steve Hill
   Technical Director
   Opendium Limited http://www.opendium.com
Re: [clamav-users] Low detection rate
Many use hxxp for http or [.] or dot for the period in the domain name.

Tom

On Mar 3, 2014, at 9:00 AM, Steve Hill wrote:
> On 03.03.14 13:49, Steve Basford wrote:
>> I think a h t t p non-clickable link might have been wise though, just in case someone hasn't had their coffee yet and clicks it...yes, I know... but it does happen ;)
>
> My apologies - I will keep this in mind in future.
Re: [clamav-users] Low detection rate
On Mar 3, 2014, at 7:49 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:
>> On 03.03.14 12:38, Dennis Peterson wrote:
>>> Did you just send a link to a known infected file to this list?
>>
>> Yes, I sent a link to something I felt people answering my question would need to be able to see, with some text next to it *specifically saying it was infected*.
>
> I think a h t t p non-clickable link might have been wise though, just in case someone hasn't had their coffee yet and clicks it...yes, I know... but it does happen ;)

No matter what you do, some MUAs take anything that looks like it might be a link and turn it into a link. :-( You need to turn @ into at and . into dot and other obfuscations to be fairly sure some MUA won’t make it clickable.

--
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/
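The defanging conventions mentioned in the messages above (hxxp, [.], and replacing @), as an added Python example that is not part of the thread. The regular expressions are an assumed, conservative stand-in for a mail client's auto-linker, and the sample text is constructed.

```python
import re

# Assumption: these patterns approximate what an MUA auto-linker picks up;
# real clients differ, so treat them as a conservative sketch.
URL_RE = re.compile(r"\b(https?|ftp)://([^\s/<>\"']+)([^\s<>\"']*)", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BARE_HOST_RE = re.compile(r"\bwww\.(?:[\w-]+\.)+[a-z]{2,}\b", re.I)


def _defang_url(match):
    scheme, host, rest = match.groups()
    scheme = scheme.replace("t", "x").replace("T", "X")  # http -> hxxp
    host = host.replace(".", "[.]").replace("@", "[at]")  # host, userinfo, port
    return f"{scheme}://{host}{rest}"


def _brackets(match):
    return match.group(0).replace(".", "[.]").replace("@", "[at]")


def defang(text):
    """Rewrite URLs, e-mail addresses and bare www hosts so they are not linkified."""
    text = URL_RE.sub(_defang_url, text)
    text = EMAIL_RE.sub(_brackets, text)
    return BARE_HOST_RE.sub(_brackets, text)


def still_linkable(text):
    """Check to run before posting: True if anything link-shaped remains."""
    return any(p.search(text) for p in (URL_RE, EMAIL_RE, BARE_HOST_RE))


# Constructed sample, not taken from the thread.
SAMPLE = ("Sample at http://malware.example.com/a/b.exe, "
          "mirror www.example.net; report to abuse@example.org")

if __name__ == "__main__":
    safe = defang(SAMPLE)
    print(safe)
    print("still linkable:", still_linkable(safe))
```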
Re: [clamav-users] Low detection rate
btw that one should have been detected by winnow (distributed in Steve's rsync feed)

On Mar 3, 2014, at 9:03 AM, Larry Stone wrote:
> On Mar 3, 2014, at 7:49 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:
>>> On 03.03.14 12:38, Dennis Peterson wrote:
>>>> Did you just send a link to a known infected file to this list?
>>>
>>> Yes, I sent a link to something I felt people answering my question would need to be able to see, with some text next to it *specifically saying it was infected*.
>>
>> I think a h t t p non-clickable link might have been wise though, just in case someone hasn't had their coffee yet and clicks it...yes, I know... but it does happen ;)
>
> No matter what you do, some MUAs take anything that looks like it might be a link and turn it into a link. :-( You need to turn @ into at and . into dot and other obfuscations to be fairly sure some MUA won’t make it clickable.
>
> --
> Larry Stone
> lston...@stonejongleux.com
> http://www.stonejongleux.com/
[clamav-users] as unsubscribe from list ?
thanks
Re: [clamav-users] as unsubscribe from list ?
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Bottom of the page.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Mar 3, 2014, at 9:06 AM, Erwin Castillo erwincastil...@gmail.com wrote:
> thanks
Re: [clamav-users] Keeping the ClamAV process open?
On Sun, Mar 2, 2014 at 10:55 PM, Scott Snow s_sn...@u.pacific.edu wrote:
> I'm working on a MapReduce project using Amazon's EC2. The only bottleneck I have is that it takes ~35-40 seconds to scan each file, which seems very high. I'm using a C program as a wrapper for ClamAV, which takes a single file and the mode. Does anyone know approximately how long it takes to initialize ClamAV and load the virus db? Would it be possible to just keep the ClamAV process loaded/running? I've been searching quite a bit, but haven't found anything so far. If anyone has any other suggestions for optimization, that would be appreciated as well. I'm not very familiar with ClamAV.

This all depends on how many signatures you have loaded, it can take anywhere from 30 seconds to a minute to load the full signature set on a reasonably spec'd machine. As Dennis mentioned you should definitely use clamd for this work to significantly reduce your overhead.

Tom

> Thanks.

--
Senior Research Engineer
SourceFire Vulnerability Research Team
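The reply above recommends clamd so that the signature database is loaded once instead of on every scan. An added Python example (not from the thread or the ClamAV project) of a client that hands file contents to a running clamd through its INSTREAM command; the socket path and the function names are assumptions.

```python
import socket
import struct
import sys

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: LocalSocket from clamd.conf
CHUNK = 8192  # bytes per chunk; total is capped by clamd's StreamMaxLength


def parse_reply(reply):
    """Map clamd's reply line to (verdict, detail)."""
    if reply.endswith(" FOUND"):
        return "FOUND", reply[len("stream: "):-len(" FOUND")]
    if reply.endswith("OK"):
        return "OK", None
    return "ERROR", reply  # e.g. "INSTREAM size limit exceeded. ERROR"


def scan_stream(sock, data):
    """Run one INSTREAM scan of `data` over a connected clamd socket."""
    sock.sendall(b"zINSTREAM\0")  # 'z' prefix: NUL-terminated command and reply
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        # Each chunk: 4-byte big-endian length, then the bytes.
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)
    sock.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:  # daemon closed the connection early
            break
        reply += part
    return parse_reply(reply.rstrip(b"\0").decode("utf-8", "replace"))


def scan_file(path, socket_path=CLAMD_SOCKET):
    """Scan one file; the daemon already holds the signature database."""
    with open(path, "rb") as fh, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        return scan_stream(s, fh.read())


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, *scan_file(name))
```

Each call opens a short-lived connection, so the per-file cost is the scan itself rather than the database load described in the reply.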
Re: [clamav-users] No more updates since march 1st
We are aware of and investigating the issue. We'll let you know when it's fixed.

Thanks,
- Alain

On Mon, Mar 3, 2014 at 2:19 AM, Mischa Coenen mc1...@live.nl wrote:
> I have noticed that the last update of the ClamAV database was at 01 Mar 2014 16-54 -0500, after that I didn't see any new updates. Are there issues with releasing new updates?
>
> A couple of months ago I have seen the same issue that no new updates were released, and after a post on the mailing list it resumed again. Updating the database seems to me very important for a virus scanner, but isn't it internally checked for issues?
>
> Thanks.
Re: [clamav-users] Low detection rate
On Mon, 03 Mar 2014 14:00:16 + Steve Hill wrote:
> On 03.03.14 13:49, Shawn Webb wrote:
>> You can submit files you suspect are legitimate malware here: http://www.clamav.net/lang/en/sendvirus/
>
> As mentioned, I've already done that, but my concern is trying to figure out why Clam only seems to be blocking phishing emails rather than actual malware - have I got something wrong in my configuration, or is Clam's detection engine and signature database *really* unable to detect all this malware?

Steve, is your Exim installation set up to reject mail on spamminess, using SpamAssassin or similar? I find that SA detects a lot of mail using SA rules that probably contain attachments or inline images that are virus laden, but it's cheaper on system resources to reject at SMTP time than running ClamAV on every mail received.

--
Brian Morrison
Re: [clamav-users] Low detection rate
On 3/3/14, 8:50 AM, Brian Morrison wrote:
> Steve, is your Exim installation set up to reject mail on spamminess, using SpamAssassin or similar? I find that SA detects a lot of mail using SA rules that probably contain attachments or inline images that are virus laden, but it's cheaper on system resources to reject at SMTP time than running ClamAV on every mail received.

Given that he received an attachment that is suspicious it indicates it got past all his SMTP defenses. Next is to find out if that attachment is actually malware or other evil thing and if so create and distribute a signature.

In my environments the unofficial signatures from Sane Security stop 10 times the volume of official signatures. This has been true for several years and several very large businesses. However - there's never been a problem that has come in via email - they've always come in on laptops and VPN-connected remote systems.

dp
Re: [clamav-users] Low detection rate
Hi there,

On Mon, 3 Mar 2014, Dennis Peterson wrote:
> In my environments the unofficial signatures from Sane Security stop 10 times the volume of official signatures. This has been true for several years and several very large businesses.

Ditto. In fact I only really use ClamAV because of the third party stuff, since I don't use Microsoft products.

> However - there's never been a problem that has come in via email - they've always come in on laptops and VPN-connected remote systems.

And deliberate, if stupid, browser downloads, and the odd USB stick. :(

--
73,
Ged.