Re: [clamav-users] Daily.cvd file

2014-09-17 Thread Al Varnell
On Sep 17, 2014, at 9:59 PM, Paul Kosinski wrote:
> I'm running ClamAV 0.98.4, yet when I built it the main.cvd file was
> from 17 Sep 2013 (now a year old!), and the daily.cvd files have been
> about 28 MB each. Even though I have been running a local mirror on our
> LAN for years now, it's really annoying that the daily.cvd files are so
> big.
> 
> When ClamAV was independent, every new release had an updated
> main.cvd, and the daily.cvd files were of modest size. Now the whole
> 0.98.x series has the same main.cvd, and the daily.cvds keep getting
> bigger. The immediately previous main.cvd, in the 0.97.x series, was
> shipped with 0.97.3 and was dated Oct 2011.

You are not remembering correctly. That may have been true a decade ago, but 
for the last half dozen years or so the main stayed the same for every new 
release and was only updated when it was more efficient to update it than to 
continue downloading large dailies. I seem to recall that the last update was 
late and that there was approximately a year between updates in earlier days, 
but even that varied. 

You may be correct in that it’s time for another update, but since it mostly 
impacts the load on network servers and not you and other clients, that’s 
something the team will need to analyze and decide. 


-Al-
— 
Al Varnell
Mountain View
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Daily.cvd file

2014-09-17 Thread Paul Kosinski
Hi,

I'm running ClamAV 0.98.4, yet when I built it the main.cvd file was
from 17 Sep 2013 (now a year old!), and the daily.cvd files have been
about 28 MB each. Even though I have been running a local mirror on our
LAN for years now, it's really annoying that the daily.cvd files are so
big.

When ClamAV was independent, every new release had an updated
main.cvd, and the daily.cvd files were of modest size. Now the whole
0.98.x series has the same main.cvd, and the daily.cvds keep getting
bigger. The immediately previous main.cvd, in the 0.97.x series, was
shipped with 0.97.3 and was dated Oct 2011.

So now we've had the same main.cvd for a year, and before that, almost
2 years!

May I suggest that it would save everybody a lot of bandwidth if
main.cvd was updated at least with each release, and probably whenever
the daily.cvd gets so big that updating it several times a day exceeds
the bandwidth for one update of main.cvd. 

For example, on 17 Sep 2014 (yesterday), we updated daily.cvd 5 times
(checking once per hour at HH:07), for a total of about 140 MB!
Furthermore, according to Wireshark, a download was indeed about 28 MB
(no RSYNC-style compression apparently).

So, as you improve the Website and the servers, consider reducing the
total bandwidth used in some way. It will help everybody.

Paul Kosinski



Re: [clamav-users] Joomla Templates - False Positive

2014-09-17 Thread Douglas Goddard
Thank you for the submissions, James.

It looks like it is alerting on this:

libraries/gantry/js/belated-png.js

I removed the 'top level' extension .html from this signature, and
considered removing .js but didn't. I'll revise these later today to not
have .js, as that is not a huge threat in terms of executables and is
causing enough FPs.

- Douglas

On Wed, Sep 17, 2014 at 9:14 AM, Steve Basford <steveb_cla...@sanesecurity.com> wrote:

>
> On Wed, September 17, 2014 1:53 pm, James Meason wrote:
>
> > Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)
>
> Hi James,
>
> ClamAV team have created a signature which helps block double attachments,
> in much the same way that the Sanesecurity foxhole sigs have been
> doing for a while now.
>
> However, I think they'd gone slightly overboard...
>
> here's the sig...
>
> daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*
>
> foxhole_filename.cdb will do a similar job, but has been made as flexible
> as possible for the end user to whitelist for extension type and only
> contains double extensions that have been actually seen carrying malware.
>
> To whitelist...
>
> printf Zip.Suspect.MiscDoubleExtension-zippwd-4 > localign.ign2
> restart clamd
>
> Cheers,
>
> Steve
> Sanesecurity.com
>


Re: [clamav-users] daily.cvd file.

2014-09-17 Thread Joel Esler (jesler)
The CVD is updated roughly every four hours.  Chances are, you are getting a 
new one ;)

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 16, 2014, at 3:10 PM, Volcy, Georges <georges.vo...@pseg.com> wrote:

Thank you so much for your help!
Very much appreciated!
Thanks!

Georges Volcy
SCADA Engineer - EMS
PSEG Long Island
CNI - EMS Provisioning & Support
(516) 545-4481 (Desk)
(516) 492-9773 (Cell)
(516) 545-4064 (Office)
Note: As of January 1, 2014, my email address is now 
georges.vo...@pseg.com


-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Ed Christiansen LX
Sent: Tuesday, September 16, 2014 1:28
To: ClamAV users ML
Subject: Re: [clamav-users] daily.cvd file.




Here you go. These extract the info from the files. You will have to unwrap 
them however.

head -1 main.cvd | cut -c1-100 | awk -F: '{split($2,d," ");printf "ClamAV main.cvd %s %s %s, version %s, total %s\n", d[1], d[2], d[3], $3, $4}'

head -1 daily.cvd | cut -c1-100 | awk -F: '{split($2,d," ");printf "ClamAV daily.cvd %s %s %s, version %s, total %s\n", d[1], d[2], d[3], $3, $4}'

The output looks like this:

ClamAV main.cvd 17 Sep 2013, version 55, total 2424225
ClamAV daily.cvd 15 Sep 2014, version 19367, total 1099036


On 9/16/2014 1:07 PM, Volcy, Georges wrote:
I did notice the daily.cvd, however it no longer says what day it was released.
I'm also installing the daily.cvd file to a server that is on an isolated 
system with no access to the internet.
Also, I'm uploading the daily.cvd, bytecode.cvd, and main.cvd to a server 
with hardened firmware and can only obtain new clamav engine versions through 
that company's firmware update.
I guess my main question is how can I tell if I'm downloading a new .cvd 
file.
Thanks,


-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
Behalf Of Joel Esler (jesler)
Sent: Monday, September 15, 2014 4:10
To: ClamAV users ML
Subject: Re: [clamav-users] daily.cvd file.




Correct.  We plan on removing these after teaching people how to set up their 
own private mirror.


On Sep 15, 2014, at 2:07 PM, Ed Christiansen MS wrote:

They hide them really really well - like they don't want you to know they are 
there.

http://www.clamav.net/index.html -> Download

Under the text that loudly proclaims "Set Up Freshclam" there is, in very light 
unassuming grey text: "main.cvd | daily.cvd | bytecode.cvd"



On 9/15/2014 2:03 PM, Volcy, Georges wrote:
I've been unable to find and download daily.cvd files on the clamav.net site.
I wanted to know if clamav is no longer providing the daily.cvd files.
I'm still running clamav version 0.97.
Thanks,
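The awk one-liners quoted in the thread above read the text header at the start of a CVD file. As an added example (not from the thread or from the ClamAV project), here is the same header parsed in Python, with the version comparison an air-gapped host needs to tell whether a copied daily.cvd is actually newer, and a functionality-level check for an engine that only changes with a firmware update. The sample headers are constructed: their dates, versions and signature counts follow the output quoted above, while the build times, functionality levels and MD5/signature fields are placeholders.

```python
from collections import namedtuple

CvdHeader = namedtuple("CvdHeader", "built version sigs flevel")

def parse_cvd_header(data: bytes) -> CvdHeader:
    """Parse the colon-separated 512-byte text header at the start of a .cvd/.cld file:
    ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:<md5>:<dsig>:<builder>:<secs>
    The awk one-liners in the thread read fields 2, 3 and 4 of exactly this line."""
    fields = data[:512].decode("ascii", errors="replace").split(":")
    if len(fields) < 5 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV CVD header")
    return CvdHeader(built=fields[1].strip(), version=int(fields[2]),
                     sigs=int(fields[3]), flevel=int(fields[4]))

def describe(name: str, data: bytes) -> str:
    """Same line the awk one-liners print: day month year, version, signature count."""
    h = parse_cvd_header(data)
    day = " ".join(h.built.split()[:3])
    return f"ClamAV {name} {day}, version {h.version}, total {h.sigs}"

def is_newer(candidate: bytes, installed: bytes) -> bool:
    """Compare the version counter, not the build date: several dailies can share one date."""
    return parse_cvd_header(candidate).version > parse_cvd_header(installed).version

def needs_newer_engine(data: bytes, engine_flevel: int) -> bool:
    """True when the database requires a functionality level the installed engine lacks,
    the case to watch for on a box whose engine only changes with a firmware update."""
    return parse_cvd_header(data).flevel > engine_flevel

def _hdr(built: str, version: int, sigs: int, flevel: int) -> bytes:
    # Constructed sample header, padded to 512 bytes like a real one. Dates, versions and
    # counts follow the output quoted in the thread; times, functionality levels and the
    # MD5/signature/builder fields are placeholders, not real values.
    line = f"ClamAV-VDB:{built}:{version}:{sigs}:{flevel}:MD5-PLACEHOLDER:DSIG-PLACEHOLDER:builder:0"
    return line.ljust(512).encode("ascii")

MAIN_CVD = _hdr("17 Sep 2013 12-08 -0400", 55, 2424225, 60)
DAILY_OLD = _hdr("15 Sep 2014 10-35 -0400", 19367, 1099036, 63)
DAILY_NEW = _hdr("15 Sep 2014 18-02 -0400", 19368, 1099100, 63)

if __name__ == "__main__":
    print(describe("main.cvd", MAIN_CVD))
    print(describe("daily.cvd", DAILY_OLD))
    print("DAILY_NEW replaces DAILY_OLD:", is_newer(DAILY_NEW, DAILY_OLD))
    print("DAILY_OLD needs engine flevel > 60:", needs_newer_engine(DAILY_OLD, 60))
```

On a real file, pass the first 512 bytes of main.cvd or daily.cvd (for example `open(path, "rb").read(512)`) to the same functions.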



Re: [clamav-users] Joomla Templates - False Positive

2014-09-17 Thread Steve Basford

On Wed, September 17, 2014 1:53 pm, James Meason wrote:

> Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)

Hi James,

ClamAV team have created a signature which helps block double attachments,
in much the same way that the Sanesecurity foxhole sigs have been
doing for a while now.

However, I think they'd gone slightly overboard...

here's the sig...

daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*

foxhole_filename.cdb will do a similar job, but has been made as flexible
as possible for the end user to whitelist for extension type and only
contains double extensions that have been actually seen carrying malware.

To whitelist...

printf Zip.Suspect.MiscDoubleExtension-zippwd-4 > localign.ign2
restart clamd

Cheers,

Steve
Sanesecurity.com

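To see why the signature Steve quotes flags a clean template (Douglas traced the hit to libraries/gantry/js/belated-png.js), here is an added example, not from the thread or from ClamAV, that applies the reconstructed filename regex to a constructed list of archive member names, honours an .ign2 whitelist of the kind Steve shows, and drops js from the executable-extension group as Douglas proposed. Python's re stands in for ClamAV's own regex engine, which is an assumption; the member list apart from the gantry path is constructed.

```python
import re

# The daily.zmd line quoted in the thread, joined back onto one line (the quote was wrapped).
ZMD_LINE = (
    r"daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx"
    r"|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav"
    r"|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx"
    r"|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*"
)

def parse_zmd_sig(line):
    """Return (signature name, compiled filename regex) from a .zmd line as quoted above.
    Only the name and the filename field are used; the other fields here are wildcards.
    Python's re is assumed to behave like ClamAV's regex engine for this pattern."""
    if line.startswith("daily.zmd:"):
        line = line[len("daily.zmd:"):]
    fields = line.split(":")
    return fields[0], re.compile(fields[2])

def flagged_members(members, sig_line=ZMD_LINE, ign2_text=""):
    """Archive member names the signature would flag, honouring a local .ign2 whitelist
    (one signature name per line, as written by Steve's printf command)."""
    name, rx = parse_zmd_sig(sig_line)
    ignored = {l.strip() for l in ign2_text.splitlines() if l.strip()}
    if name in ignored:
        return []
    return [m for m in members if rx.search(m)]

def drop_extension(sig_line, ext):
    """Remove one alternative such as 'js' from the trailing executable-extension group,
    the revision Douglas describes. Assumes the alternative is neither first nor last."""
    return re.sub(r"\|" + re.escape(ext) + r"(?=\|)", "", sig_line, count=1)

# Constructed member list for a template zip; the first path is the one named in the thread.
MEMBERS = [
    "libraries/gantry/js/belated-png.js",
    "templates/rt_osmosis/index.php",
    "images/logo.png",
    "tmp/invoice.pdf .sh",
]

if __name__ == "__main__":
    print("as shipped: ", flagged_members(MEMBERS))
    print("with .ign2: ", flagged_members(MEMBERS, ign2_text="Zip.Suspect.MiscDoubleExtension-zippwd-4\n"))
    print("without js: ", flagged_members(MEMBERS, sig_line=drop_extension(ZMD_LINE, "js")))
```

The hit on belated-png.js comes from "-png" satisfying the first group and ".js" the second, which is why dropping js from the executable list clears it while a genuine "invoice.pdf .sh" member is still caught.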


[clamav-users] Joomla Templates - False Positive

2014-09-17 Thread James Meason
Hi guys,
I have seen a similar thread about tweaks you are making to CLAMAV signatures.


Hi, we run a cPanel webhosting server. We have never had trouble 
uploading RocketTheme Joomla template zips before but now suddenly they 
are being blocked from upload with 

Upload Status
osmosis-1.1-rocketlauncher_j32.zip
 (osmosis-1.1-rocketlauncher_j32.zip): Virus Detected; File not 
Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)

This is not a virus infected file however, and it affects all of the rocket theme 
launcher packs 


We definitely need to be able to upload these Joomla installers

 Any help to get this fixed would be appreciated...

 Thanks

James Meason


  