Re: [clamav-users] Joomla Templates - False Positive
Hi Steve,

Thanks for your quick reply. This appears to affect any tar.gz Joomla component being installed to Joomla also, just for the record... I will get our Linux guy to make that whitelist update.

Will this stop all such double zip uploads from failing, for example the .tar.gz?

Thanks again for your help.

On 2014-09-17 13:14, Steve Basford wrote:
> On Wed, September 17, 2014 1:53 pm, James Meason wrote:
>> Uploaded! (Zip.Suspect.MiscDoubleExtension-zippwd-4 FOUND)
>
> Hi James,
>
> ClamAV team have created a signature which helps block double attachments, in much the same way that the Sanesecurity foxhole sigs have been doing for a while now. However, I think they'd gone slightly overboard... here's the sig...
>
> daily.zmd:Zip.Suspect.MiscDoubleExtension-zippwd-4:*:(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf):*:*:*:*:*:*
>
> foxhole_filename.cdb will do a similar job, but has been made as flexible as possible for the end user to whitelist for extension type and only contains double extensions that have been actually seen carrying malware.
>
> To whitelist...
>
> printf Zip.Suspect.MiscDoubleExtension-zippwd-4 localign.ign2
> restart clamd
>
> Cheers,
> Steve
> Sanesecurity.com
> http://www.clamav.net/contact.html#ml

Thank you for your time.
God Bless
NodnoL aka James/JamEZ

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Joomla Templates - False Positive
Do you have some examples of files that are still causing problems? I removed the .js extension - I'm happy to revise things further if it is still causing problems.

On Wed, Sep 17, 2014 at 9:22 AM, James Meason nod...@hotmail.com wrote:
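To see what the quoted .zmd signature actually matches, here is an added example (not code from the thread, ClamAV or Sanesecurity) that applies the signature's filename regex to the member names of a constructed Joomla-style zip and honours a local .ign2 whitelist of the kind Steve describes; the package member names are hypothetical, and the .ign2 parser is a simplified stand-in for ClamAV's own.

```python
import io
import re
import zipfile

# Filename regex of the Zip.Suspect.MiscDoubleExtension-zippwd-4 .zmd signature
# as quoted in the thread (mail line-wrap spaces removed). (?i) makes it
# case-insensitive; this approximates ClamAV matching it against each member name.
DOUBLE_EXT_RE = re.compile(
    r"(?i)((\.doc)|([ _.-](7z|avi|bmp|csv|docx|gif|gz|jpeg|jpg|mov|mp3|mp4|mpg"
    r"|pdf|png|pps|ppt|pptx|psd|rar|tar|tar\.gz|tif|tiff|txt|wav|xls|xlsx|zip)))"
    r"[ _.-]*\.(action|air|apk|app|as|awk|bin|command|csh|deb|dmg|ipa|jar|js"
    r"|jsx|ksh|nexe|osx|out|pkg|plx|prg|rpm|run|script|sh|swf)"
)
SIG_NAME = "Zip.Suspect.MiscDoubleExtension-zippwd-4"


def load_ign2(text):
    """Simplified .ign2 parser: one signature name per line, '#' starts a comment."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def scan_zip(data, ignored=frozenset()):
    """Return member names the signature would flag; empty if it is whitelisted."""
    if SIG_NAME in ignored:
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if DOUBLE_EXT_RE.search(name)]


def build_zip(names):
    """Constructed sample archive: only the member names matter, content is empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed Joomla-style package; the member names are hypothetical.
SAMPLE_PACKAGE = build_zip([
    "mod_example/mod_example.xml",
    "mod_example/tmpl/default.php",
    "mod_example/media/logo.png",
    "mod_example/js/jquery-png.js",   # benign, but "-png" + ".js" satisfies the regex
    "readme.txt.sh",                  # the double extension the signature targets
])

if __name__ == "__main__":
    print("flagged:", scan_zip(SAMPLE_PACKAGE))
    whitelist = load_ign2("# local exceptions\n" + SIG_NAME + "\n")
    print("flagged with local .ign2:", scan_zip(SAMPLE_PACKAGE, whitelist))
```

Note that a plain "component.tar.gz" name does not satisfy the regex on its own; the second extension has to come from the script/installer list, so the hit on a Joomla package comes from a member inside it.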
Re: [clamav-users] daily.cvd vs main.cvd
We use rsync to move the cvd's out to the mirrors. Using freshclam to get it from the mirrors is the preferred method. Unless you want to donate the time and resources (and bandwidth) to become a mirror.

On Sep 18, 2014, at 6:28 PM, Al Varnell alvarn...@mac.com wrote:

OK, so I'm a bit confused by this. I realize that many of us have different approaches to updating the database, due to different circumstances in network access, etc., but why are you downloading daily.cvd five times a day instead of using freshclam to incrementally update as recommended to all users, if bandwidth is such an important resource to you? It certainly has a negative impact to the mirror network if many users are doing this routinely.

When the main.cvd is updated it will be an incremental update resulting in a significantly larger main.cld in the database for most users. In a separate thread we were told this week that at some point the daily.cvd would not be routinely available to end users. How is the freshclam approach any different from using rsync to you?

-Al-

On Thu, Sep 18, 2014 at 02:53 PM, Paul Kosinski wrote:

On Thu, 18 Sep 2014 12:00:00 -0400 Joel Esler wrote:

You are not remembering correctly. That may have been true a decade ago, but for the last half dozen years or so the main stayed the same for every new release and was only updated when it was more efficient to update it than to continue downloading large daily's. I seem to recall that the last update was late and that there was approximately a year between updates in earlier days, but even that varied.

According to our backup records (see below), in the 2 year period from April 2008 to April 2010, there were *7* different main.cvd files (at least), or more often than one every two releases (see below).

You may be correct in that it's time for another update, but since it mostly impacts the load on network servers and not you and other clients, that's something the team will need to analyze and decide.

All is correct here. I'll check with the team of when the 'rollover' will take place, as this has a substantial impact on the mirror infrastructure, we have to let the mirrors know before we do it. As you can imagine, the 7M+ users of ClamAV all downloading a main.cvd from a mirror is quite heavy on bandwidth if you aren't expecting it.

I don't know exactly how big a new main.cvd file would be, but even if it were as big as the current main.cvd (62 MB) *plus* the current daily.cvd (28 MB) taken together, it would still be only 90 MB, which is significantly less than the 140 MB for the 5 updates to the daily.cvd file downloaded in one 24 hour period this week.

Paul Kosinski

P.S. Maybe it's time for an 'rsync' or 'drpm' approach for daily.cvd?

++ From our records of CLAMAV files backed up

0.93    -rw-r--r-- 1 clamav clamav 13050207 Apr 15 2008 main.cvd
0.93.1  -rw-r--r-- 1 clamav clamav 13050207 Jun 10 2008 main.cvd.080610-2315
0.93.2  -rw-r--r-- 1 clamav clamav 15200793 Jul 12 2008 main.cvd.080712-1625
0.94    -rw-r--r-- 1 clamav clamav 15200793 Sep  6 2008 main.cvd.orig
        -rw-r--r-- 1 clamav clamav 17457430 Sep  4 2008 main.cvd.080904-1709
0.94.1  -rw-r--r-- 1 clamav clamav 18462921 Nov  7 2008 main.cvd
0.94.2  -rw-r--r-- 1 clamav clamav 18462921 Nov 28 2008 main.cvd.081128-2131
0.95    -rw-r--r-- 1 clamav clamav 20091559 Mar 26 2009 main.cvd
0.95.1  -rw-r--r-- 1 clamav clamav 20091559 Apr 10 2009 main.cvd.090410-2321
0.95.2  -rw-r--r-- 1 clamav clamav 21253696 May 14 2009 main.cvd
0.95.3  -rw-r--r-- 1 clamav clamav 21253696 May 14 2009 main.cvd.090514-1231
0.96    -rw-r--r-- 1 clamav clamav 22906487 Apr  3 2010 main.cvd
0.96.1  -rw-r--r-- 1 clamav clamav 22906487 Apr  3 2010 main.cvd
Re: [clamav-users] daily.cvd vs main.cvd
On Fri, 19 Sep 2014 12:00:00 -0400 Al Varnell alvarn...@mac.com wrote:
> OK, so I'm a bit confused by this. I realize that many of us have different approaches to updating the database, due to different circumstances in network access, etc., but why are you downloading daily.cvd five times a day instead of using freshclam to incrementally update as recommended to all users, if bandwidth is such an important resource to you? It certainly has a negative impact to the mirror network if many users are doing this routinely.
[SNIP]

We *are* using freshclam to acquire daily.cvd. I used the term 'download' to denote the concept of acquiring data from a remote computer; it doesn't mean that we go to the mysterious URL which is being discontinued to retrieve daily.cvd.

In particular, every hour at 7 minutes past the hour (see crontab entry below) a wrapper script is executed via cron which in turn invokes freshclam. The wrapper script logs various information every time it runs, whether or not anything is actually pulled from the ClamAV mirror. (See below for log excerpts.)

The statement in my earlier posting about 'downloading' 5 times in one day was merely a reference to the fact that on that particular day freshclam decided to retrieve a new daily.cvd 5 times, out of 24 hourly checks. And, in spite of the use of freshclam, the daily.cvd that got retrieved was quite large (28 MB, according to Wireshark's Follow TCP Stream function).

Using cron ensures that our master freshclam runs on a schedule so that the other NTP-synced machines on our LAN can run their cron-driven freshclams a few minutes later to pull the latest daily.cvd from our local mirror.

Hope this clarifies what we are doing.

Paul Kosinski

P.S. I could provide our getfreshclam script if anyone is interested. Besides logging etc., it keeps backups of daily.cvd (and main.cvd) just in case.
++ CRONTAB entry

OCBG='/opt/clamav/bin/getfreshclam'
7 * * * * root test -x $OCBG && /usr/bin/sudo -u clamav $OCBG && /usr/bin/killall -HUP havp80 havp86 && /usr/bin/killall -USR2 clamd

++ Log excerpts (3 successive hours, only 1 'download')

-- Wednesday 17 September 2014 at 22:07:01 --
Current working dir is /opt/clamav.d/clamav.0.98.4a/share/clamav
Max retries == 2
ClamAV update process started at Wed Sep 17 22:07:01 2014
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1383
Software version from DNS: 0.98.4
main.cvd version from DNS: 55
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd version from DNS: 19386
daily.cvd is up to date (version: 19386, sigs: 1141411, f-level: 63, builder: neo)
bytecode.cvd version from DNS: 242
bytecode.cvd is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)
-- Wednesday 17 September 2014 at 22:07:04 --

-- Wednesday 17 September 2014 at 23:07:01 --
Current working dir is /opt/clamav.d/clamav.0.98.4a/share/clamav
Max retries == 2
ClamAV update process started at Wed Sep 17 23:07:01 2014
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 229
Software version from DNS: 0.98.4
main.cvd version from DNS: 55
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60, builder: neo)
daily.cvd version from DNS: 19387
Retrieving http://db.us.clamav.net/daily.cvd
Ignoring mirror 104.131.196.175 (due to previous errors)
Ignoring mirror 128.199.133.36 (due to previous errors)
Ignoring mirror 66.18.18.59 (due to previous errors)
Ignoring mirror 209.198.147.20 (due to previous errors)
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host db.us.clamav.net (IP: 65.19.179.67)
nonblock_connect: connect timing out (30 secs)
Can't connect to port 80 of host db.us.clamav.net (IP: 78.46.84.244)
Trying host db.us.clamav.net (155.98.64.87)...
Trying to download http://db.us.clamav.net/daily.cvd (IP: 155.98.64.87)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1141431 signatures from new daily.cvd
daily.cvd updated (version: 19387, sigs: 1141408, f-level: 63, builder: neo)
Querying daily.19387.77.1.0.9B624057.ping.clamav.net
bytecode.cvd version from DNS: 242
bytecode.cvd is up to date (version: 242, sigs: 46, f-level: 63, builder: dgoddard)
Database updated (3565679 signatures) from db.us.clamav.net (IP: 155.98.64.87)
OnUpdateExecute: EXIT_1
-- Wednesday 17 September 2014 at 23:10:38 --

-- Thursday 18 September 2014 at 00:07:01 --
Current working dir is /opt/clamav.d/clamav.0.98.4a/share/clamav
Max retries == 2
ClamAV update process started at Thu Sep 18 00:07:01 2014
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1429
Software version from DNS: 0.98.4
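The "5 times out of 24 hourly checks" figure above comes from reading wrapper logs of this shape by hand; as an added example (not Paul's getfreshclam script, which is not posted), the parser below splits such a log into freshclam runs and reports, per run, whether a whole daily.cvd was retrieved rather than an incremental update, which database versions were installed, and which mirrors failed. The sample log is constructed from a subset of the lines quoted above.

```python
import re

# Constructed sample modelled on the getfreshclam log excerpts in the thread:
# a "-- <date> --" banner from the wrapper, then freshclam's own output.
LOG = """\
-- Wednesday 17 September 2014 at 22:07:01 --
ClamAV update process started at Wed Sep 17 22:07:01 2014
daily.cvd is up to date (version: 19386, sigs: 1141411, f-level: 63, builder: neo)
-- Wednesday 17 September 2014 at 23:07:01 --
ClamAV update process started at Wed Sep 17 23:07:01 2014
daily.cvd version from DNS: 19387
Retrieving http://db.us.clamav.net/daily.cvd
Ignoring mirror 104.131.196.175 (due to previous errors)
Can't connect to port 80 of host db.us.clamav.net (IP: 65.19.179.67)
Downloading daily.cvd [100%]
daily.cvd updated (version: 19387, sigs: 1141408, f-level: 63, builder: neo)
-- Thursday 18 September 2014 at 00:07:01 --
ClamAV update process started at Thu Sep 18 00:07:01 2014
daily.cvd is up to date (version: 19387, sigs: 1141408, f-level: 63, builder: neo)
"""

START_RE = re.compile(r"^ClamAV update process started at (.+)$")
FULL_RE = re.compile(r"^Retrieving \S+/(\w+\.cvd)$")      # whole-file fetch, not a cdiff
UPDATED_RE = re.compile(r"^(\w+\.cvd) updated \(version: (\d+)")
MIRROR_RE = re.compile(r"^(?:Ignoring mirror (\S+)|Can't connect to port \d+ of host \S+ \(IP: ([^)]+)\))")


def parse_runs(log):
    """Split the log into freshclam runs and record what each one did."""
    runs = []
    for line in log.splitlines():
        m = START_RE.match(line)
        if m:
            runs.append({"started": m.group(1), "full_fetch": [], "updated": {}, "mirror_errors": []})
            continue
        if not runs:          # wrapper banner lines before the first run
            continue
        run = runs[-1]
        if m := FULL_RE.match(line):
            run["full_fetch"].append(m.group(1))
        elif m := UPDATED_RE.match(line):
            run["updated"][m.group(1)] = int(m.group(2))
        elif m := MIRROR_RE.match(line):
            run["mirror_errors"].append(m.group(1) or m.group(2))
    return runs


def full_daily_ratio(runs):
    """(runs that pulled the whole daily.cvd, total runs): the '5 out of 24' figure."""
    return sum("daily.cvd" in r["full_fetch"] for r in runs), len(runs)
```

Run over a full day of wrapper output, `full_daily_ratio` gives the count to compare against what Al reports seeing on his own installations.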
Re: [clamav-users] daily.cvd vs main.cvd
On Fri, Sep 19, 2014 at 11:30 AM, Paul Kosinski wrote:
> On Fri, 19 Sep 2014 12:00:00 -0400 Al Varnell alvarn...@mac.com wrote:
>> OK, so I'm a bit confused by this. I realize that many of us have different approaches to updating the database, due to different circumstances in network access, etc., but why are you downloading daily.cvd five times a day instead of using freshclam to incrementally update as recommended to all users, if bandwidth is such an important resource to you? It certainly has a negative impact to the mirror network if many users are doing this routinely.
> [SNIP]
>
> We *are* using freshclam to acquire daily.cvd. I used the term 'download' to denote the concept of acquiring data from a remote computer; it doesn't mean that we go to the mysterious URL which is being discontinued to retrieve daily.cvd.
>
> In particular, every hour at 7 minutes past the hour (see crontab entry below) a wrapper script is executed via cron which in turn invokes freshclam. The wrapper script logs various information every time it runs, whether or not anything is actually pulled from the ClamAV mirror. (See below for log excerpts.)

That sounds like a reasonable approach to keeping things "fresh" and could be increased to up to four times an hour without having to change your Country Code, but based on what I have seen so far today (twelve incremental updates so far) that would just cause even more download issues.

> The statement in my earlier posting about 'downloading' 5 times in one day was merely a reference to the fact that on that particular day freshclam decided to retrieve a new daily.cvd 5 times, out of 24 hourly checks. And, in spite of the use of freshclam, the daily.cvd that got retrieved was quite large (28 MB, according to Wireshark's Follow TCP Stream function).

I don't know overall statistics, but for freshclam to download the complete daily.cvd five times in a twenty-four hour period would be very unusual for most users. I just checked two of my installations and have only had to do that twice since June. Have you disabled "scripted updates" for some reason?

> Using cron ensures that our master freshclam runs on a schedule so that the other NTP-synced machines on our LAN can run their cron-driven freshclams a few minutes later to pull the latest daily.cvd from our local mirror.
>
> Hope this clarifies what we are doing.

For the most part. Is there some reason those other NTP-synced machines on your LAN can't use a daily.cld instead?

-Al-

--
Al Varnell
Mountain View, CA