Re: [clamav-users] PLEASE REMOVE
On 03/09/2014 01:38, YSPSC IT wrote:
> There's no unsubscribe there... Please just do it, Al.

Al isn't a list administrator, just someone who understands how things work, so he can't remove you from the list, but he's told you what to do - it takes about 10 seconds (if that).

Go to http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Put your email address into the box just to the left of the "Unsubscribe or edit options" button, and press that button - hey presto, magicko

You can also send a message to clamav-users-requ...@lists.clamav.net with the subject: unsubscribe

In case you're interested (or other people are), the message headers of mailing list messages should show you what to do, e.g. messages from this list will have the header:

List-Unsubscribe: http://lists.clamav.net/cgi-bin/mailman/options/clamav-users, mailto:clamav-users-requ...@lists.clamav.net?subject=unsubscribe

which lists the two links you can use for unsubscribing. Thus, you never need to embarrass yourself by sending an unsubscribe message to the list members ever again.

- Paul Smith Computer Services
Tel: 01484 855800 Vat No: GB 685 6987 53
Sign up for news updates at http://www.pscs.co.uk/go/subscribe

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] False positive for sure
Greetings;

This report from last night's clamscan is absolutely a false positive:

/home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND

Cheers, Gene Heskett
--
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Genes Web page http://geneslinuxbox.net:6309/gene
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
Re: [clamav-users] False positive for sure
That's a PUA alert. That's not on by default.

--
Joel Esler
Sent from my iPhone

On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote:
> Greetings;
>
> This report from last night's clamscan is absolutely a false positive:
>
> /home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND
>
> Cheers, Gene Heskett
Re: [clamav-users] False positive for sure
On Wednesday 03 September 2014 06:51:45 Joel Esler (jesler) did opine
And Gene did reply:
> That's a PUA alert. That's not on by default.

Ok, I'll byte, what's a PUA?

> --
> Joel Esler
> Sent from my iPhone
>
> On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote:
>> This report from last night's clamscan is absolutely a false positive:
>> /home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND

Cheers, Gene Heskett
Re: [clamav-users] False positive for sure
On 03.09.14 10:51, Joel Esler (jesler) wrote:
> That's a PUA alert. That's not on by default.

well, if it's THE .tar.gz that caused the PUA alert, it apparently should be ignored.

> On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote:
>> This report from last night's clamscan is absolutely a false positive:
>> /home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND

aren't there any files with double extension inside?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
Re: [clamav-users] False positive for sure
On Wed, September 3, 2014 11:56 am, Gene Heskett wrote:
> Ok, I'll byte, what's a PUA?

Here's a good description...

Q. What is a Potentially Unwanted Application (PUA)?

A. The Sophos definition of a PUA is (quote) a term used to describe an application that is not inherently malicious, but is generally considered unsuitable for the majority of business networks. Potentially unwanted applications include adware, diallers, remote administration tools and hacking tools. PUAs shouldn't be confused with viruses, which are always malicious and never wanted. They are merely things which are installed alongside other applications (typically freeware and shareware applications) which you most likely do not want installing as well.

Cheers,
Steve
Sanesecurity
Re: [clamav-users] False positive for sure
On Wednesday 03 September 2014 06:57:59 Matus UHLAR - fantomas did opine
And Gene did reply:
> On 03.09.14 10:51, Joel Esler (jesler) wrote:
>> That's a PUA alert. That's not on by default.
>
> well, if it's THE .tar.gz that caused the PUA alert, it apparently should be ignored.
>
>> On Sep 3, 2014, at 6:40, Gene Heskett ghesk...@wdtv.com wrote:
>>> This report from last night's clamscan is absolutely a false positive:
>>> /home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND
>
> aren't there any files with double extension inside?

This is linux, probably in excess of 1000 tar.gz's here on this machine. That particular one had a java .jar file inside it, but because of development in the DriveWire protocol, there are probably more than 20 such files here. I ran that jar for several months. It's clean.

Cheers, Gene Heskett
Re: [clamav-users] False positive for sure
On Wednesday 03 September 2014 07:01:00 Steve Basford did opine
And Gene did reply:
> On Wed, September 3, 2014 11:56 am, Gene Heskett wrote:
>> Ok, I'll byte, what's a PUA?
>
> Here's a good description...
>
> Q. What is a Potentially Unwanted Application (PUA)?
>
> A. The Sophos definition of a PUA is (quote) a term used to describe an application that is not inherently malicious, but is generally considered unsuitable for the majority of business networks. Potentially unwanted applications include adware, diallers, remote administration tools and hacking tools. PUAs shouldn't be confused with viruses, which are always malicious and never wanted. They are merely things which are installed alongside other applications (typically freeware and shareware applications) which you most likely do not want installing as well.
>
> Cheers,
> Steve
> Sanesecurity

Well in this case it wasn't unwanted. The jar file within it sets up a unique comm protocol over a serial port, usable only with a TRS-80 Color Computer, which, if matching drivers are installed in its boot file, allows the use of the linux box as a server for up to 16 virtual devices, disk drivers, terminal screens, access to modern printers etc, from this old (as in 30 yo) computer. These virtual devices are, because of the serial port speed used, actually slightly (10% maybe) slower than a real floppy drive would be. Back in its day, the CoCo, running os9, taught me how a unix-like, multitasking and multiuser system worked, and is the major reason this user went from it to the amiga, then to linux in 1998. Because of that experience, any machine I bought that came with windows on it was soon (same day) formatted and had linux installed. That was an HP Laptop. But usually I build from scratch. This one was. And the next one will be too if I don't fall over first, since my next birthday will make 80 of them.

So as it's been yonks since I set up the daily machine scan, where do I turn off this particular PUA feature?

Cheers, Gene Heskett
Re: [clamav-users] False positive for sure
On Wed, September 3, 2014 12:38 pm, Gene Heskett wrote:
> So as it's been yonks since I set up the daily machine scan, where do I turn off this particular PUA feature?

"--detect-pua" switch for clamscan or disable it in the clamd.conf file.

Cheers,
Steve
Sanesecurity
Re: [clamav-users] False positive for sure
On Wednesday 03 September 2014 07:41:36 Steve Basford did opine
And Gene did reply:
> On Wed, September 3, 2014 12:38 pm, Gene Heskett wrote:
>> So as it's been yonks since I set up the daily machine scan, where do I turn off this particular PUA feature?
>
> "--detect-pua" switch for clamscan or disable it in the clamd.conf file.

Which one? I have 3 of them. This is an old ubuntu 10.04 LTS install. Also it's reported as version 98.1.

> Cheers,
> Steve
> Sanesecurity

Cheers, Gene Heskett
Re: [clamav-users] False positive for sure
On Wed, September 3, 2014 12:54 pm, Gene Heskett wrote:
>> "--detect-pua" switch for clamscan or disable it in the clamd.conf file.
>
> Which one? I have 3 of them. This is an old ubuntu 10.04 LTS install. Also it's reported as version 98.1.

If you are using clamscan then I guess you've got a script somewhere, calling clamscan, you need to add:

--detect-pua=no

If it's clamdscan you are using then edit the clamd.conf file... and restart clamd...

# Detect Possibly Unwanted Applications.
# Default: no
DetectPUA No

Cheers,
Steve
Sanesecurity.com
Re: [clamav-users] False positive for sure
We're working on some signatures for our users who run ClamAV on their mail servers. We'll be tweaking them over the next few weeks to minimize false positives, but with loose signatures like this, it is difficult to eliminate them completely. If you're not concerned about double extension files in zips, or suspicious file names (e.g. INVOICE_01.exe) then it would be best that you whitelist any signatures that cause you problems. In the meantime, we appreciate the feedback as these signatures will need some modification.

Thank you,
Douglas

On Wed, Sep 3, 2014 at 8:02 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:
> On Wed, September 3, 2014 12:54 pm, Gene Heskett wrote:
>>> "--detect-pua" switch for clamscan or disable it in the clamd.conf file.
>>
>> Which one? I have 3 of them. This is an old ubuntu 10.04 LTS install. Also it's reported as version 98.1.
>
> If you are using clamscan then I guess you've got a script somewhere, calling clamscan, you need to add:
>
> --detect-pua=no
>
> If it's clamdscan you are using then edit the clamd.conf file... and restart clamd...
>
> # Detect Possibly Unwanted Applications.
> # Default: no
> DetectPUA No
>
> Cheers,
> Steve
> Sanesecurity.com
Re: [clamav-users] ClamAV®: The new ClamAV.net is here!
Ed,

Thanks, we'll have a look.

On Sep 2, 2014, at 2:18 PM, Ed Christiansen MS edwa...@ll.mit.edu wrote:
> You might want to fix the website. When I click on the red text "source code" on the download page and then the big red "download source" button I still get the clamav-0.98.4-win32.msi which isn't very useful for any of my unix flavors.
>
> On 8/31/2014 6:35 AM, Alessandro Vesely wrote:
>> On Tue 26/Aug/2014 20:56:27 +0200 Joel Esler (jesler) wrote:
>>> http://blog.clamav.net/2014/08/the-new-clamavnet-is-here.html
>>
>> Thanks for that web site refurbishing. But let me note a couple of points about the mailing list:
>>
>> *No DKIM signature*. In some cases there is an author DKIM signature, which is broken by the mailing list massaging, as usual. Adding DKIM signatures might help deliverability, but watch out for senders with strong DMARC policies.
>>
>> *Broken SPF record*. The relevant records are
>>
>> lists.clamav.net. IN TXT v=spf1 mx a -all
>>                   IN A 198.148.79.53
>>
>> There is no MX record, which causes SPF verifications to fail; given how the mx mechanism works, I'd suggest to just remove it from the SPF record. The A suffices if the list sends out from that address only. To tolerate relaying from different 198.148.79.53/32 addresses as well as some 3rd party forwarders, you may want to consider something like:
>>
>> lists.clamav.net. IN TXT v=spf1 a ~exists:%{ir}.list.dnswl.org -all
>>
>> Last and least, I understand your stance toward top-posting, Joel, but would appreciate if you can manage to configure your own mailer to apply Internet style quoting ('>') so as to improve your replies' readability.
>>
>> Thank you for your commitment and dedication
>> Ale
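To make Alessandro's point about the mx mechanism concrete, here is an added example (not code from the list or the ClamAV project): a deliberately minimal SPF evaluator over a constructed stub DNS table in which lists.clamav.net has an A record but no MX, run against both the current record and the suggested one. It supports only the a, mx, ip4, exists and all mechanisms and the %{ir} macro; 203.0.113.7 (RFC 5737 documentation space) stands in for a third-party forwarder, and its dnswl listing is constructed.

```python
"""Minimal SPF walk: why 'mx' matches nothing without an MX record, and what
the suggested 'a ~exists:%{ir}.list.dnswl.org -all' record changes.
Added example, not ClamAV or list code. STUB_DNS is constructed; only
198.148.79.53 and lists.clamav.net come from the thread."""
import ipaddress

# Constructed stand-in for DNS: an A record for the list host, no MX record,
# and a (fictitious) dnswl listing for the forwarder 203.0.113.7.
STUB_DNS = {
    ("lists.clamav.net", "A"): ["198.148.79.53"],
    ("7.113.0.203.list.dnswl.org", "A"): ["127.0.0.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return STUB_DNS.get((name, rtype), [])


def expand_macros(spec, ip):
    """Only %{ir} (the sender IP with its octets reversed) is supported."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return spec.replace("%{ir}", reversed_ip)


def mechanism_matches(mech, ip, domain):
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in lookup(arg or domain, "A")
    if name == "mx":
        # The A records of every MX host count; with no MX record at all
        # the mechanism can never match, so it adds nothing to the policy.
        return any(ip in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
    if name == "exists":
        return bool(lookup(expand_macros(arg, ip), "A"))
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain, record):
    """Return the SPF result for sender ip against a v=spf1 record string:
    the first matching mechanism's qualifier decides, left to right."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mechanism_matches(mech, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when nothing matched


if __name__ == "__main__":
    current = "v=spf1 mx a -all"
    suggested = "v=spf1 a ~exists:%{ir}.list.dnswl.org -all"
    for ip in ("198.148.79.53", "203.0.113.7"):
        print(ip, check_host(ip, "lists.clamav.net", current),
              check_host(ip, "lists.clamav.net", suggested))
```

With the current record the list's own address passes on the a mechanism and the forwarder fails; with the suggested record the forwarder gets softfail because the exists term matches its dnswl entry.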
[clamav-users] clamd crashed
Dear ClamAv Users,

In my environment I have 2 external mail gateways in the DMZ, forwarding all e-mails to an internal mail server. All of them are running Solaris 11 with sendmail and mimedefang as milter. I have been running this constellation for about more than a year very successfully without any downtime till 2 weeks ago.

Around 2 weeks ago all 3 servers stopped working for mail forwarding because the process clamd core dumped. At that time I had in use a beta version of 0.98.4; it was clamav-0.98.4-rc1. I traced the problem back to the fact that I didn't use the latest version. So I upgraded to clamav-0.98.4 and in the same step also mimedefang to the latest version 2.75.

This is how mimedefang involves clamd in /usr/local/bin/mimedefang.pl:

$Features{'Virus:CLAMD'} = ('/usr/local/sbin/clamd' ne '/bin/false' ? '/usr/local/sbin/clamd' : 0);

The system worked stable for 2 weeks. Yesterday evening I noticed the same problem. A restart didn't help. After a short time clamd crashed again. As a short-term solution I disabled the virus scanning overnight. Today I have a stable situation without changing anything. Of course pattern updates are running. I assume an ugly attachment did crash the virus scanning process. Now this mail is passed and it's running fine.

I am worried about the fact that the ClamAV solution becomes more and more unstable. How can I support the ClamAV team with additional information to reach a stable system again? What I have is a 305 MB core dump from clamd for the Sparc platform. But I think this will not help. In the meantime I started clamd with the option --debug. Till now I didn't find any entries in the syslog.

Kind regards
Hans
Re: [clamav-users] False positive for sure
On Wednesday 03 September 2014 10:44:21 Douglas Goddard did opine
And Gene did reply:
> We're working on some signatures for our users who run ClamAV on their mail servers. We'll be tweaking them over the next few weeks to minimize false positives, but with loose signatures like this, it is difficult to eliminate them completely. If you're not concerned about double extension files in zips, or suspicious file names (e.g. INVOICE_01.exe) then it would be best that you whitelist any signatures that cause you problems. In the meantime, we appreciate the feedback as these signatures will need some modification.
>
> Thank you,
> Douglas

I found the crontab entry, and changed the PUA containing line in the clamd.conf it referenced, from 'false' to 'No'. No clue what the diff might be, but the log of a restart says it's not now loading the PUA signatures.

So far, every false detection it has reported has been PUA related. The file was both old, and unused, so I have been nuking them as they arise.

I also run incoming mail past clamd. But it doesn't send me an email when it sends something to /var/spool/virii. And freshclam has sent root about 1.2 megs of mail it should only send on error, plus nsd is sending mail to itself because an alias that would fwd hostmaster to me doesn't exist. I'll see if those are fixable.

> On Wed, Sep 3, 2014 at 8:02 AM, Steve Basford steveb_cla...@sanesecurity.com wrote:
>> On Wed, September 3, 2014 12:54 pm, Gene Heskett wrote:
>>>> "--detect-pua" switch for clamscan or disable it in the clamd.conf file.
>>>
>>> Which one? I have 3 of them. This is an old ubuntu 10.04 LTS install. Also it's reported as version 98.1.
>>
>> If you are using clamscan then I guess you've got a script somewhere, calling clamscan, you need to add:
>>
>> --detect-pua=no
>>
>> If it's clamdscan you are using then edit the clamd.conf file... and restart clamd...
>>
>> # Detect Possibly Unwanted Applications.
>> # Default: no
>> DetectPUA No
>>
>> Cheers,
>> Steve
>> Sanesecurity.com

Cheers, Gene Heskett
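Steve's two fixes (the --detect-pua switch and DetectPUA in clamd.conf), Douglas's advice to whitelist individual signatures, and Gene's 'false' versus 'No' edit all come together in this added example, which is not code from the thread or the ClamAV project. It parses a clamscan report to separate PUA.* alerts from other detections, reads the DetectPUA setting out of a clamd.conf fragment, and renders a .ign2 whitelist that silences only the reviewed signature names rather than all PUA detection. The report and config text are constructed samples; only the DriveWire path and its signature name come from the thread, and the EICAR test signature name is the standard ClamAV one.

```python
"""Triage a clamscan report and check a clamd.conf for DetectPUA (added example)."""
import re

# clamscan prints one "path: SIGNATURE FOUND" line per detection and
# "path: OK" for clean files. Greedy .+ keeps paths containing ": " intact.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Constructed sample report: the PUA hit from the thread, one hit on the
# standard EICAR test signature, and one clean file.
SAMPLE_REPORT = """\
/home/gene/Downloads/Download/DriveWire4_linux_i386.tar.gz: PUA.Misc.DoubleExtension-zippwd-3 FOUND
/home/gene/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/gene/notes.txt: OK
"""

# Constructed clamd.conf fragment in the shape quoted in the thread.
SAMPLE_CLAMD_CONF = """\
# Detect Possibly Unwanted Applications.
# Default: no
DetectPUA false
"""

def parse_report(text):
    """Return [(path, signature), ...] for every FOUND line of a clamscan report."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits

def split_pua(hits):
    """Separate PUA.* alerts (advisory, off by default) from other detections."""
    pua = [h for h in hits if h[1].startswith("PUA.")]
    other = [h for h in hits if not h[1].startswith("PUA.")]
    return pua, other

def detect_pua_setting(conf_text):
    """Effective DetectPUA value in a clamd.conf: True, False, or None when unset
    (ClamAV's documented default is no). Like clamd's boolean options this accepts
    yes/no, true/false and 1/0, so 'false' and 'No' mean the same. Last one wins."""
    truthy, falsy = {"yes", "true", "1"}, {"no", "false", "0"}
    setting = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "detectpua":
            value = parts[1].strip().lower()
            if value in truthy:
                setting = True
            elif value in falsy:
                setting = False
            else:
                raise ValueError(f"unrecognised DetectPUA value: {parts[1]!r}")
    return setting

def build_ign2(signatures):
    """Render a ClamAV .ign2 whitelist (one signature name per line, placed in the
    database directory): it silences only the named signatures, nothing else."""
    return "".join(f"{sig}\n" for sig in sorted(set(signatures)))

if __name__ == "__main__":
    pua, other = split_pua(parse_report(SAMPLE_REPORT))
    print("DetectPUA enabled:", detect_pua_setting(SAMPLE_CLAMD_CONF))
    print("PUA alerts:", pua, "\nOther detections:", other)
    print("local.ign2 for reviewed signatures:\n" + build_ign2(s for _, s in pua))
```

Whitelisting by name keeps PUA detection on for everything else, which is the narrower option when only one or two signatures are noisy.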
Re: [clamav-users] clamd crashed
Hello Hans,

Please send your clamd.conf to me at smor...@sourcefire.com. If you can identify a file or email that causes the failure, that will help as well. In the meantime, I'll find a place where you can send your core file.

Thanks,
Steve

On Wed, Sep 3, 2014 at 11:46 AM, MAYER Hans ma...@iiasa.ac.at wrote:
> Dear ClamAv Users,
>
> In my environment I have 2 external mail gateways in the DMZ, forwarding all e-mails to an internal mail server. All of them are running Solaris 11 with sendmail and mimedefang as milter.
>
> [...]
>
> What I have is a 305 MB core dump from clamd for the Sparc platform. But I think this will not help. In the meantime I started clamd with the option --debug. Till now I didn't find any entries in the syslog.
>
> Kind regards
> Hans
Re: [clamav-users] ClamAV®: The new ClamAV.net is here!
On 26.08.2014 20:56, Joel Esler (jesler) wrote:
> * Simple Navigation

Thanks for the next site only usable with mainstream browsers and JavaScript enabled :-/

> * Elimination of dead links and pages

I was told the old website contained the current pattern version somewhere. That function has also gone away. It's handy to point a user to the official website to prove that he's running an outdated virus scanner.

Andreas