Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files
It's been two Mondays now and no news... a new beta is posted but nothing about the issue is mentioned?

On Thu, Jun 26, 2014 at 12:52:47PM -0400, Shawn Webb wrote:

Hey Paul,

The reason for that is likely due to my usage of ctors and dtors with 0.98.3. In that version, I had added a ctors entry in libclamav to call cl_initialize_crypto and a dtors entry to call cl_cleanup_crypto. It turns out that operating systems like AIX, HPUX, and Solaris 10 don't support ctors/dtors. In order to provide support for those OSs, I opted to remove the ctors/dtors entries and call cl_initialize_crypto directly in the applications that we distribute that consume libclamav (clamscan, clamd, clamdscan, freshclam, etc.)

That means that we're no longer calling cl_initialize_crypto in the background and third-party applications will need to call cl_initialize_crypto themselves. But that may or may not change with the discussion on Monday.

Thanks,
Shawn

On Thu, Jun 26, 2014 at 12:37 PM, Paul Kosinski cla...@iment.com wrote:

Shawn,

Yes indeed, HAVP calls into libclamav directly. But then why does this only fail in 0.98.4 but *not* in 0.98.3? Wasn't OpenSSL already being used in 0.98.3?

An additional problem is that the HAVP developer seems to have stopped working on it, according to the HAVP forum (http://havp.hege.li/forum/). Of course, since HAVP is Open Source, I could change it for my use (but I don't want to take it over).

Thanks for the quick response,
Paul

Hey Paul,

It looks like HAVP is calling into libclamav directly. That means that HAVP will need to either initialize OpenSSL prior to calling the cl_init() function in libclamav, or it will need to call cl_initialize_crypto() prior to calling cl_init(). We have an open bug on our end to track this issue (bugzilla bug 11037). Additionally, a bug report should be opened with HAVP to document the issue on their end. I will be discussing with the team soon potential solutions going forward.

Thanks,
Shawn

___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files
So you’ve tried the beta and it didn’t fix the issue?

One of the reasons for announcing the beta was so folks like you can play in the bug fixing process. There are dozens of changes to each version and only a few of the major items are ever mentioned in the announcements. There are far too many bug fixes for developers to respond to all issues such as yours. It’s likely to be several weeks or even months before 0.98.5 is released.

-Al-

On Tue, Jul 08, 2014 at 11:32 PM, Henrik K wrote

It's been two Mondays now and no news... a new beta is posted but nothing about the issue is mentioned?

On Thu, Jun 26, 2014 at 12:52:47PM -0400, Shawn Webb wrote:

Hey Paul,

The reason for that is likely due to my usage of ctors and dtors with 0.98.3. In that version, I had added a ctors entry in libclamav to call cl_initialize_crypto and a dtors entry to call cl_cleanup_crypto. It turns out that operating systems like AIX, HPUX, and Solaris 10 don't support ctors/dtors. In order to provide support for those OSs, I opted to remove the ctors/dtors entries and call cl_initialize_crypto directly in the applications that we distribute that consume libclamav (clamscan, clamd, clamdscan, freshclam, etc.)

That means that we're no longer calling cl_initialize_crypto in the background and third-party applications will need to call cl_initialize_crypto themselves. But that may or may not change with the discussion on Monday.

Thanks,
Shawn

On Thu, Jun 26, 2014 at 12:37 PM, Paul Kosinski cla...@iment.com wrote:

Shawn,

Yes indeed, HAVP calls into libclamav directly. But then why does this only fail in 0.98.4 but *not* in 0.98.3? Wasn't OpenSSL already being used in 0.98.3?

An additional problem is that the HAVP developer seems to have stopped working on it, according to the HAVP forum (http://havp.hege.li/forum/). Of course, since HAVP is Open Source, I could change it for my use (but I don't want to take it over).

Thanks for the quick response,
Paul

Hey Paul,

It looks like HAVP is calling into libclamav directly. That means that HAVP will need to either initialize OpenSSL prior to calling the cl_init() function in libclamav, or it will need to call cl_initialize_crypto() prior to calling cl_init(). We have an open bug on our end to track this issue (bugzilla bug 11037). Additionally, a bug report should be opened with HAVP to document the issue on their end. I will be discussing with the team soon potential solutions going forward.

Thanks,
Shawn
Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files
Apparently it's fixed... I'm sure someone will try it out. I'm just getting lots of questions and patches about it and was wondering why nothing was announced. So yes it looks like 0.98.4 will be an oddball version and third party software doesn't need to be modified.

Thu, 03 Jul 22:14:40 EDT 2014 (swebb)
* Call cl_initialize_crypto() in cl_init()

On Tue, Jul 08, 2014 at 11:42:54PM -0700, Al Varnell wrote:

So you’ve tried the beta and it didn’t fix the issue?

One of the reasons for announcing the beta was so folks like you can play in the bug fixing process. There are dozens of changes to each version and only a few of the major items are ever mentioned in the announcements. There are far too many bug fixes for developers to respond to all issues such as yours. It’s likely to be several weeks or even months before 0.98.5 is released.

-Al-

On Tue, Jul 08, 2014 at 11:32 PM, Henrik K wrote

It's been two Mondays now and no news... a new beta is posted but nothing about the issue is mentioned?

On Thu, Jun 26, 2014 at 12:52:47PM -0400, Shawn Webb wrote:

Hey Paul,

The reason for that is likely due to my usage of ctors and dtors with 0.98.3. In that version, I had added a ctors entry in libclamav to call cl_initialize_crypto and a dtors entry to call cl_cleanup_crypto. It turns out that operating systems like AIX, HPUX, and Solaris 10 don't support ctors/dtors. In order to provide support for those OSs, I opted to remove the ctors/dtors entries and call cl_initialize_crypto directly in the applications that we distribute that consume libclamav (clamscan, clamd, clamdscan, freshclam, etc.)

That means that we're no longer calling cl_initialize_crypto in the background and third-party applications will need to call cl_initialize_crypto themselves. But that may or may not change with the discussion on Monday.

Thanks,
Shawn

On Thu, Jun 26, 2014 at 12:37 PM, Paul Kosinski cla...@iment.com wrote:

Shawn,

Yes indeed, HAVP calls into libclamav directly. But then why does this only fail in 0.98.4 but *not* in 0.98.3? Wasn't OpenSSL already being used in 0.98.3?

An additional problem is that the HAVP developer seems to have stopped working on it, according to the HAVP forum (http://havp.hege.li/forum/). Of course, since HAVP is Open Source, I could change it for my use (but I don't want to take it over).

Thanks for the quick response,
Paul

Hey Paul,

It looks like HAVP is calling into libclamav directly. That means that HAVP will need to either initialize OpenSSL prior to calling the cl_init() function in libclamav, or it will need to call cl_initialize_crypto() prior to calling cl_init(). We have an open bug on our end to track this issue (bugzilla bug 11037). Additionally, a bug report should be opened with HAVP to document the issue on their end. I will be discussing with the team soon potential solutions going forward.

Thanks,
Shawn
Re: [clamav-users] Win.Trojan.Zwangi-432 / Osx.Exploit.CVE_2006_0848 / PHP.Shell-29
oki, thank you! I will do this in the next few minutes.

- Birgit

On 08. 07. 14 13:28 , Joel Esler (jesler) wrote:

On Jul 8, 2014, at 5:11, DUCARROZ Birgit birgit.ducar...@unifr.ch wrote:

Platform: You mean the platform where clamav is installed, not the platform the virus is for, just?

Yes. The platform where ClamAV is.

What do you mean I must attach with raw message? The output of the virus-scan? Or the file containing the virus (or false positive)?

If it's an email, please attach the whole thing. If it's a malware, attach the malware.
Re: [clamav-users] Win.Trojan.Zwangi-432 / Osx.Exploit.CVE_2006_0848 / PHP.Shell-29
Tried to join the malware (an .exe file), tried to join the email (as an .eml file). For both the form does reject, saying:

The sample is empty. This file is not detected by ClamAV. Please update your CVD database before reporting false-positives. If you are using third-party databases/unofficial signatures, please contact the author of the signature. We can only process false-positives generated by ClamAV Official signatures. Please correct the above errors and retry.

In your form is also an URL (What is PUA?) - When clicking on the link, the page says Search Results: Sorry, but you are looking for something that isn't here. ??

Thank you for help again..

- Birgit

On 09. 07. 14 10:26 , DUCARROZ Birgit wrote:

oki, thank you! I will do this in the next few minutes.

- Birgit

On 08. 07. 14 13:28 , Joel Esler (jesler) wrote:

On Jul 8, 2014, at 5:11, DUCARROZ Birgit birgit.ducar...@unifr.ch wrote:

Platform: You mean the platform where clamav is installed, not the platform the virus is for, just?

Yes. The platform where ClamAV is.

What do you mean I must attach with raw message? The output of the virus-scan? Or the file containing the virus (or false positive)?

If it's an email, please attach the whole thing. If it's a malware, attach the malware.

--
Birgit Ducarroz Unix Systems Administration Department of Informatics University of Fribourg Switzerland mailto:birgit.ducar...@unifr.ch Phone: +41 (26) 300 8342 https://diuf.unifr.ch/people/ducarroz/
Re: [clamav-users] ClamAV®: ClamAV 0.98.5 beta has been posted!
On Tue, 8 Jul 2014 23:15:12 + Joel Esler (jesler) wrote:

ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

Fedora 17, compiled ok, but

  # service clamav restart Stopping ClamAV[ OK ] Starting ERROR: This tool requires libclamav with functionality level 78 or higher (current f-level: 77) [FAILED] #

Regards,
Frank Elsner
Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files
On Wednesday, July 09, 2014 10:13:28 Henrik K wrote:

Apparently it's fixed... I'm sure someone will try it out. I'm just getting lots of questions and patches about it and was wondering why nothing was announced. So yes it looks like 0.98.4 will be an oddball version and third party software doesn't need to be modified.

Thu, 03 Jul 22:14:40 EDT 2014 (swebb)
* Call cl_initialize_crypto() in cl_init()

That's correct. For Debian/Ubuntu we've backported that patch to our 0.98.4 packages. Other distributors should do the same.

Scott K
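The three arrangements discussed in this thread (a library constructor, initialisation left to the caller, and initialisation inside the init call), modelled as an added example. This is not libclamav or HAVP code: every demo_* name is hypothetical, and treating database loading as the step that needs the hash backend is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum { DEMO_OK = 0, DEMO_ECRYPTO = 1 };

static int crypto_ready;   /* 1 once the hashing backend is usable */
static int crypto_setups;  /* times the setup work actually ran */

/* Idempotent, so the library and an application may both call it. */
int demo_initialize_crypto(void)
{
    if (!crypto_ready) {
        crypto_setups++;   /* stands in for the backend's real setup */
        crypto_ready = 1;
    }
    return DEMO_OK;
}

void demo_cleanup_crypto(void) { crypto_ready = 0; }

/* Design 1 (constructor/destructor): the loader runs these around main().
 * Off by default; GCC/Clang syntax, which not every toolchain supports. */
#if defined(DEMO_USE_CTORS) && defined(__GNUC__)
__attribute__((constructor)) static void demo_ctor(void) { demo_initialize_crypto(); }
__attribute__((destructor)) static void demo_dtor(void) { demo_cleanup_crypto(); }
#endif

/* Design 2: init leaves crypto setup to the caller. */
int demo_init_caller_prepares(void) { return DEMO_OK; }

/* Design 3: init performs crypto setup itself. */
int demo_init_self_contained(void) { return demo_initialize_crypto(); }

/* Assumption: database loading needs a digest, so it fails when crypto is
 * not ready. FNV-1a is a placeholder for the real hash. */
int demo_load_database(const unsigned char *db, size_t len, unsigned *digest)
{
    unsigned h = 2166136261u;
    if (!crypto_ready)
        return DEMO_ECRYPTO;
    for (size_t i = 0; i < len; i++) {
        h ^= db[i];
        h *= 16777619u;
    }
    *digest = h;
    return DEMO_OK;
}

/* A consumer that only knows "init, then load", written before the change. */
int legacy_consumer_start(int (*lib_init)(void))
{
    static const unsigned char db[] = "constructed sample database";
    unsigned digest;
    if (lib_init() != DEMO_OK)
        return DEMO_ECRYPTO;
    return demo_load_database(db, sizeof db - 1, &digest);
}

int main(void)
{
    printf("caller prepares: %d\n", legacy_consumer_start(demo_init_caller_prepares));
    printf("self contained:  %d\n", legacy_consumer_start(demo_init_self_contained));
    return 0;
}
```

Because the crypto setup is idempotent, an application that already calls it explicitly keeps working when the library starts calling it too.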
Re: [clamav-users] ClamAV®: ClamAV 0.98.5 beta has been posted!
On Tue, 8 Jul 2014 23:15:12 + Joel Esler (jesler) wrote:

ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

On 09.07.14 13:07, Frank Elsner wrote:

Fedora 17, compiled ok, but

  # service clamav restart Stopping ClamAV[ OK ] Starting ERROR: This tool requires libclamav with functionality level 78 or higher (current f-level: 77) [FAILED]

do you have older clamav (library) installation somewhere by any chance?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.
Re: [clamav-users] ClamAV®: ClamAV 0.98.5 beta has been posted!
On Wed, 9 Jul 2014 14:48:31 +0200 Matus UHLAR - fantomas wrote:

On Tue, 8 Jul 2014 23:15:12 + Joel Esler (jesler) wrote:

ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

On 09.07.14 13:07, Frank Elsner wrote:

Fedora 17, compiled ok, but

  # service clamav restart Stopping ClamAV[ OK ] Starting ERROR: This tool requires libclamav with functionality level 78 or higher (current f-level: 77) [FAILED]

do you have older clamav (library) installation somewhere by any chance?

No. Same call to configure as for clamav-0.98.4.

--Frank Elsner
Re: [clamav-users] ClamAV(R): ClamAV 0.98.5 beta has been posted!
On Wed, Jul 9, 2014 at 9:01 AM, Frank Elsner fr...@moltke28.b.shuttle.de wrote:

On Wed, 9 Jul 2014 14:48:31 +0200 Matus UHLAR - fantomas wrote:

On Tue, 8 Jul 2014 23:15:12 + Joel Esler (jesler) wrote:

ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

On 09.07.14 13:07, Frank Elsner wrote:

Fedora 17, compiled ok, but

  # service clamav restart Stopping ClamAV[ OK ] Starting ERROR: This tool requires libclamav with functionality level 78 or higher (current f-level: 77) [FAILED]

do you have older clamav (library) installation somewhere by any chance?

No. Same call to configure as for clamav-0.98.4.

--Frank Elsner

Hey Frank,

Where is ClamAV installed to? Can you show me the output of:

  ls [installbase]/lib/libclamav*

Thanks,
Shawn
Re: [clamav-users] ClamAV®: ClamAV 0.98.5 beta has been posted!
On Wed, 2014-07-09 at 15:01 +0200, Frank Elsner wrote:

On Wed, 9 Jul 2014 14:48:31 +0200 Matus UHLAR - fantomas wrote:

On Tue, 8 Jul 2014 23:15:12 + Joel Esler (jesler) wrote:

ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

On 09.07.14 13:07, Frank Elsner wrote:

Fedora 17, compiled ok, but

  # service clamav restart Stopping ClamAV[ OK ] Starting ERROR: This tool requires libclamav with functionality level 78 or higher (current f-level: 77) [FAILED]

do you have older clamav (library) installation somewhere by any chance?

No. Same call to configure as for clamav-0.98.4.

I would do some spelunking and check, assuming the answer is no, because you compiled it the same way, doesn't mean the old file was updated or removed and replaced. The Initialization scripts might have changed and look in a place earlier than it used to.

Do something like updatedb and then locate libclamav and then look at the date and age of the references returned. I'm betting you'll find an old one in there somewhere...

--
greg folkert - systems administration and support web:donor.com email: g...@donor.com phone: 877-751-3300 x416 direct: 616-328-6449 (direct dial and fax)
He has achieved success who has worked well, laughed often, and loved much. -- Elbert Hubbard
Re: [clamav-users] ClamAV®: ClamAV 0.98.5 beta has been posted!
On Wed, 09 Jul 2014 09:38:11 -0400 Greg Folkert wrote:

On Wed, 2014-07-09 at 15:01 +0200, Frank Elsner wrote:

On Wed, 9 Jul 2014 14:48:31 +0200 Matus UHLAR - fantomas wrote:

On Tue, 8 Jul 2014 23:15:12 + Joel Esler (jesler) wrote:

ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

On 09.07.14 13:07, Frank Elsner wrote:

Fedora 17, compiled ok, but

  # service clamav restart Stopping ClamAV[ OK ] Starting ERROR: This tool requires libclamav with functionality level 78 or higher (current f-level: 77) [FAILED]

do you have older clamav (library) installation somewhere by any chance?

No. Same call to configure as for clamav-0.98.4.

I would do some spelunking and check, assuming the answer is no, because you compiled it the same way, doesn't mean the old file was updated or removed and replaced. The Initialization scripts might have changed and look in a place earlier than it used to.

Removed all libs in /usr/local/clamav/lib, installed clamav-0.98.5-beta1. It works.

BTW, I'm amused

  Jul 9 17:24:18 seymour freshclam[10817]: Your ClamAV installation is OUTDATED!
  Jul 9 17:24:18 seymour freshclam[10817]: Local version: 0.98.5-beta1 Recommended version: 0.98.4

--FRank
Re: [clamav-users] ClamAV(R): ClamAV 0.98.5 beta has been posted!
On Wed, Jul 9, 2014 at 11:32 AM, Frank Elsner fr...@moltke28.b.shuttle.de wrote:

On Wed, 09 Jul 2014 09:38:11 -0400 Greg Folkert wrote:

On Wed, 2014-07-09 at 15:01 +0200, Frank Elsner wrote:

On Wed, 9 Jul 2014 14:48:31 +0200 Matus UHLAR - fantomas wrote:

On Tue, 8 Jul 2014 23:15:12 + Joel Esler (jesler) wrote:

ClamAV 0.98.5 beta has been posted! The ClamAV team is proud to announce the availability of ClamAV 0.98.5 beta ready for testing!

On 09.07.14 13:07, Frank Elsner wrote:

Fedora 17, compiled ok, but

  # service clamav restart Stopping ClamAV[ OK ] Starting ERROR: This tool requires libclamav with functionality level 78 or higher (current f-level: 77) [FAILED]

do you have older clamav (library) installation somewhere by any chance?

No. Same call to configure as for clamav-0.98.4.

I would do some spelunking and check, assuming the answer is no, because you compiled it the same way, doesn't mean the old file was updated or removed and replaced. The Initialization scripts might have changed and look in a place earlier than it used to.

Removed all libs in /usr/local/clamav/lib, installed clamav-0.98.5-beta1. It works.

BTW, I'm amused

  Jul 9 17:24:18 seymour freshclam[10817]: Your ClamAV installation is OUTDATED!
  Jul 9 17:24:18 seymour freshclam[10817]: Local version: 0.98.5-beta1 Recommended version: 0.98.4

--FRank

I'm glad to see your issue resolved. The reason why freshclam is stating your ClamAV installation is outdated is because it just does a very basic string compare against the version numbers. If they don't match at all, then freshclam will tell you that your installation is outdated. This will be addressed in a future release of ClamAV.

Thanks,
Shawn
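The difference between the string comparison described in the message above and an ordered comparison, as an added example. It is not freshclam's code and not the change the project later made; the function names and the rule that a "-suffix" marks a pre-release are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PARTS 4

struct version {
    long part[MAX_PARTS];  /* numeric components; missing ones stay 0 */
    int prerelease;        /* 1 when a "-suffix" such as "-beta1" follows */
};
enum verdict { UP_TO_DATE, OUTDATED, UNPARSEABLE };

/* Parse "0.98.5-beta1" into numbers plus a pre-release flag. Assumed rule:
 * any "-suffix" marks a pre-release. Returns -1 for any other shape. */
static int parse_version(const char *s, struct version *v)
{
    memset(v, 0, sizeof(*v));
    for (int i = 0; i < MAX_PARTS; i++) {
        char *end;
        if (!isdigit((unsigned char)*s))
            return -1;
        v->part[i] = strtol(s, &end, 10);
        s = end;
        if (*s != '.')
            break;
        s++;
    }
    if (*s == '-')
        v->prerelease = 1;
    else if (*s != '\0')
        return -1;
    return 0;
}

/* <0: a older, 0: same, >0: a newer; beta1 and beta2 compare equal here. */
static int compare_versions(const struct version *a, const struct version *b)
{
    for (int i = 0; i < MAX_PARTS; i++)
        if (a->part[i] != b->part[i])
            return a->part[i] < b->part[i] ? -1 : 1;
    return b->prerelease - a->prerelease;  /* pre-release precedes final */
}

/* The check as described in the thread: any mismatch counts as outdated. */
int naive_outdated(const char *local, const char *recommended)
{
    return strcmp(local, recommended) != 0;
}

/* Ordered check: outdated only when local sorts before recommended. */
enum verdict check_outdated(const char *local, const char *recommended)
{
    struct version l, r;
    if (parse_version(local, &l) != 0 || parse_version(recommended, &r) != 0)
        return UNPARSEABLE;
    return compare_versions(&l, &r) < 0 ? OUTDATED : UP_TO_DATE;
}

int main(void)
{   /* the version pair from the freshclam log lines in the thread */
    printf("naive=%d ordered=%d\n", naive_outdated("0.98.5-beta1", "0.98.4"),
           check_outdated("0.98.5-beta1", "0.98.4"));
    return 0;
}
```

A version string that does not parse is reported separately instead of being called outdated, so a development build does not produce a misleading warning.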
Re: [clamav-users] Problem with ClamAV 0.98.4 - HAVP won't load CVD files
A few days ago, I looked at the ClamAV stuff on GitHub and found the patch that moved the declarations of cl_initialize_crypto() etc. from crypto.h to clamav.h. I then added a call to cl_initialize_crypto() to clamlibscanner.cpp (see diff below), recompiled and now HAVP starts up properly, and has been running OK for about 3 days.

I didn't add any call to cl_cleanup_crypto() because I didn't see any obvious place to put it. I hope that whatever it cleans up (like memory allocation) will happen automatically when HAVP exits and the processes terminate.

-- diff -c havp-0.92b/havp/scanners/clamlibscanner.cpp havp-0.92b/havp/scanners/clamlibscanner.cpp.orig *** havp-0.92b/havp/scanners/clamlibscanner.cpp 2014-07-06 20:50:59.118992203 -0400 --- havp-0.92b/havp/scanners/clamlibscanner.cpp.orig2009-03-13 06:35:00.0 -0400 *** *** 27,40 if (LL2) cl_debug(); #ifdef CL_INIT_DEFAULT - - /* PRK 6 Jul 2014 - added to work around ClamAV change */ - if ( (ret = cl_initialize_crypto()) != 0 ) - { - printf(ClamAV: cl_initialize_crypto() error: %s\n, cl_strerror(ret)); - return false; - } - if ( (ret = cl_init(CL_INIT_DEFAULT)) != CL_SUCCESS ) { printf(ClamAV: cl_init() error: %s\n, cl_strerror(ret)); --- 27,32 Diff finished. Wed Jul 9 12:13:10 2014
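Review bot: the operands to diff -c are reversed (the patched clamlibscanner.cpp is given first and clamlibscanner.cpp.orig second), so the new cl_initialize_crypto() block appears as "-" lines and applying the patch as posted would remove the call instead of adding it; regenerate it with the .orig file as the first operand. Within that block the return value is tested with != 0, while the cl_init() check directly below it uses != CL_SUCCESS; using CL_SUCCESS in both keeps the two error paths consistent. The block has no matching cl_cleanup_crypto() call, as the message says, so a short comment next to the new call stating that cleanup is left to process exit would record that this is deliberate.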
[clamav-users] ClamAV®: Compiling OpenSSL For Windows
Compiling OpenSSL For Windows

In order to support more advanced features planned in future releases, ClamAV has switched to using OpenSSL for hashing. The ClamAV Visual Studio project included with ClamAV's source code requires the OpenSSL distributables to be placed in a specific directory. This article will teach you how to compile OpenSSL on a Microsoft Windows system and how to link ClamAV against OpenSSL.

Read More here: http://blog.clamav.net/2014/07/compiling-openssl-for-windows.html

--
Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team