Re: [clamav-users] Scan of RAR problem
On 04/29/2015 06:20 PM, René Bellora wrote:
> On 29/04/15 at 13:04, jose-marcio martins da cruz wrote:
>> Hello,
>>
>> I'm getting different results when scanning an infected email message.
>>
>> On a Sparc Solaris 10 (32 bits compiled), clamdscan tells me that the message is infected:
>>
>> Heuristics.Encrypted.RAR FOUND
>>
>> Testing it on two 64 bits linux boxes (fedora and ubuntu), both tell me that the message is clean.
>
> linux 32bits also reports the message clean (with ArchiveBlockEncrypted yes in clamd.conf)

Hmmm... On the Solaris boxes, there are libclamunrar* libraries, while there aren't on the Linux boxes...

Clamav on Solaris boxes was compiled and installed from sources, while on Linux boxes it comes from distros...

If I remember, there is a kind of licence problem with rar libraries...

Cheers,

José-Marcio

--
Sent from my typewriter.
---
Spam : Classement statistique de messages électroniques - Une approche pragmatique
At Amazon.fr: http://amzn.to/LEscRu or http://bit.ly/SpamJM
---
Jose Marcio MARTINS DA CRUZ    http://www.j-chkmail.org
Ecole des Mines de Paris       http://bit.ly/SpamJM
60, bd Saint Michel
75272 - PARIS CEDEX 06
___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Scan of RAR problem
On 29/04/15 at 13:04, jose-marcio martins da cruz wrote:
> Hello,
>
> I'm getting different results when scanning an infected email message.
>
> On a Sparc Solaris 10 (32 bits compiled), clamdscan tells me that the message is infected:
>
> Heuristics.Encrypted.RAR FOUND
>
> Testing it on two 64 bits linux boxes (fedora and ubuntu), both tell me that the message is clean.

linux 32bits also reports the message clean (with ArchiveBlockEncrypted yes in clamd.conf)
[clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite
Clamd throws a Segmentation Fault: 11 error when attempting to run it when built on Mac OS X 10.10 Yosemite. This happens with both 0.98.6 and 0.98.7 when built on Yosemite (my version of 0.98.6 built on 10.9 ran fine on 10.10). But I just upgraded my server from 10.9 to 10.10 and with today's release of 0.98.7, this was my first time attempting to build ClamAV under Yosemite.

Various articles I've found are pointing to an issue with libtool where 10.10 gets treated as if it's 10.1. This article (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63610) seems to describe the issue but a lot of it is beyond me. I've attempted defining MACOSX_DEPLOYMENT_TARGET=10.9 as described in that article but that didn't make a difference (nor am I seeing anything else defining it to 10.10 so I didn't expect it to make a difference).

./configure is happy and make generates a lot of warnings but no errors. The error only happens when trying to run it.

Note this is ClamAV, not ClamXav.

--
Larry Stone
lston...@stonejongleux.com
Re: [clamav-users] using clamdscan and clamd to do complete file system scan
Hi there,

On Wed, 29 Apr 2015, John McGowan wrote:
> ... I suspect that most people use clamdscan to do one off scanning, (mail servers, etc)

My suspicion is that most people don't do it at all on Linux boxes. There is absolutely no point in scanning the entire filesystem on a typical Linux box for millions of Windows viruses, since they won't be there. It would be a complete waste of effort and resources, and I certainly never do it on the dozens of Linux boxes that I run. There might be a case for scanning parts of a Linux filesystem if it's used for example as a file server for Windows clients.

Amongst other scanners I use clamd via a Sendmail milter to scan both incoming and outgoing mail on my mail servers, but mainly because the third-party signatures catch lots of unwanted mail. And even now there are a few people Out There who are still using Windows boxes; it would be bad if any person in my employ unwittingly passed a virus-ridden message from one Windows user to another, even if the machines which my people use are completely immune to infection by practically all of the malware for which the mail systems are scanning. The mail is scanned on the fly and it never gets as far as being written to the filesystem if any of the scanners detects something which one might consider unpleasant.

> ... I'm looking for more of a traditional daily scan the entire file system solution.

I'm not sure that there's anything 'traditional' about scanning Linux boxes for viruses. I've never found one in that way, but I've found literally many thousands by scanning Windows boxes in the same way.

Incidentally if you do scan a Linux filesystem, don't scan things like /proc and /dev because you might not like the results.

--
73,
Ged.
Re: [clamav-users] Scan of RAR problem
On Wed, 29 Apr 2015, jose-marcio martins da cruz wrote:
> On 04/29/2015 06:20 PM, René Bellora wrote:
>> On 29/04/15 at 13:04, jose-marcio martins da cruz wrote:
>>> Hello,
>>>
>>> I'm getting different results when scanning an infected email message.
>>>
>>> On a Sparc Solaris 10 (32 bits compiled), clamdscan tells me that the message is infected:
>>>
>>> Heuristics.Encrypted.RAR FOUND
>>>
>>> Testing it on two 64 bits linux boxes (fedora and ubuntu), both tell me that the message is clean.
>>
>> linux 32bits also reports the message clean (with ArchiveBlockEncrypted yes in clamd.conf)
>
> Hmmm... On the Solaris boxes, there are libclamunrar* libraries, while there aren't on the Linux boxes...
>
> Clamav on Solaris boxes was compiled and installed from sources, while on Linux boxes it comes from distros...
>
> If I remember, there is a kind of licence problem with rar libraries...

Debian has put the rar support in the libclamunrar6 package in the non-free section of the repository. The clamav package doesn't even mention libclamunrar6 as a dependency or a recommended package. I guess that a formal dependency on the non-free libclamunrar6 package would have made clamav non-free too.

I didn't check ubuntu but most likely ubuntu has a libclamunrar6 package too as ubuntu is derived from debian. And I don't know anything about clamav in fedora.

Regards,

Kees Theunissen.

--
Kees Theunissen, System and network manager, Tel: +31 (0)30 6096724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: c.j.theunis...@differ.nl
postal address: PO Box 1207, 3430 BE Nieuwegein, NL
visitors address: Edisonbaan 14, 3439 MN Nieuwegein, NL
Re: [clamav-users] Scan of RAR problem
On 04/29/2015 06:41 PM, jose-marcio martins da cruz wrote:
> On 04/29/2015 06:20 PM, René Bellora wrote:
>> ...
>> linux 32bits also reports the message clean (with ArchiveBlockEncrypted yes in clamd.conf)
>
> Hmmm... On the Solaris boxes, there are libclamunrar* libraries, while there aren't on the Linux boxes...
>
> Clamav on Solaris boxes was compiled and installed from sources, while on Linux boxes it comes from distros...

OK! That's the problem. To have it working you shall compile it from source, probably in most Linux distributions, and enable the unrar option:

--enable-unrar

To see if you need this, just look for libclamunrar.so*.

Sometimes one should not rely only on packages from distributions.

Well, for fedora, and probably CentOS, I'll solve it by compiling from source. For Ubuntu, I'll try Kees' hint or, probably, compile from source, the same for all...

Cheers

José-Marcio

--
Sent from my typewriter.
---
Spam : Classement statistique de messages électroniques - Une approche pragmatique
At Amazon.fr: http://amzn.to/LEscRu or http://bit.ly/SpamJM
---
Jose Marcio MARTINS DA CRUZ    http://www.j-chkmail.org
Ecole des Mines de Paris       http://bit.ly/SpamJM
60, bd Saint Michel
75272 - PARIS CEDEX 06
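The check suggested in the message above (look for libclamunrar.so*), combined with the ArchiveBlockEncrypted setting quoted in the thread, written out as an added example that is not part of any list message. The function names and fixture paths are constructed for illustration, and the library directories searched are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread: flag hosts where clamd.conf asks for
# encrypted archives to be blocked but no libclamunrar library is installed.

# conf_enabled FILE OPTION: succeeds if the last uncommented OPTION line
# carries a true value (clamd.conf booleans: yes/true/1). Taking the last
# occurrence is an assumption of this sketch.
conf_enabled() {
    awk -v opt="$2" '
        $1 ~ /^#/ { next }
        $1 == opt { val = tolower($2) }
        END { if (val == "yes" || val == "true" || val == "1") exit 0; exit 1 }
    ' "$1"
}

# find_unrar DIR...: print the first libclamunrar*.so* found, fail if none.
find_unrar() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        hit=$(find "$dir" -maxdepth 2 -name 'libclamunrar*.so*' 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            echo "$hit"
            return 0
        fi
    done
    return 1
}

# audit_rar_support CONF DIR...
#   returns 0 = consistent, 2 = option set but RAR library missing
audit_rar_support() {
    conf=$1
    shift
    if ! conf_enabled "$conf" ArchiveBlockEncrypted; then
        echo "NOT_REQUESTED: ArchiveBlockEncrypted is off in $conf"
        return 0
    fi
    if lib=$(find_unrar "$@"); then
        echo "OK: RAR support present ($lib)"
        return 0
    fi
    echo "GAP: ArchiveBlockEncrypted yes, but no libclamunrar*.so* under: $*"
    return 2
}

# Constructed fixtures: one config, a "source build" lib dir and a "distro" one.
make_fixtures() {
    fx=$(mktemp -d)
    mkdir -p "$fx/srcbuild/lib" "$fx/distro/lib"
    printf '%s\n' '# constructed sample' 'ScanArchive yes' \
        'ArchiveBlockEncrypted yes' > "$fx/clamd.conf"
    : > "$fx/srcbuild/lib/libclamunrar.so.6"
    : > "$fx/srcbuild/lib/libclamunrar_iface.so.6"
    : > "$fx/distro/lib/libclamav.so.6"
    echo "$fx"
}

if [ "$#" -ge 2 ]; then
    audit_rar_support "$@"          # real host: CONF followed by library dirs
else
    fx=$(make_fixtures)
    audit_rar_support "$fx/clamd.conf" "$fx/srcbuild/lib" || true
    audit_rar_support "$fx/clamd.conf" "$fx/distro/lib"   || true
    rm -rf "$fx"
fi
```

Run across the mail servers being migrated, exit status 2 marks a host that would report an encrypted RAR as clean despite the configuration asking for it to be blocked.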
Re: [clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite
I received a report from a ClamXav user today who attempted to install engine 0.98.7 and is having the same issues with clamd segmentation fault 11 and Yosemite 10.10.

Although there were scattered reports of this same error early on with ClamXav Sentry use with the 0.98.6 engine, the developer was able to work through that one. The build info on that is as follows:

Build information
-----------------
Clang: 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56) (4.2.1)
GNU C++: 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56) (4.2.1)
CPPFLAGS:
CFLAGS: -O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64 -w -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS:
LDFLAGS:
Configure: '--disable-dependency-tracking' '--enable-llvm' '--enable-clamdtop' '--with-user=_clamav' '--with-group=_clamav' '--enable-all-jit-targets' '--prefix=/usr/local/clamXav' 'CFLAGS=-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64 -w' --enable-ltdl-convenience
sizeof(void*) = 8
Engine flevel: 79, dconf: 79

-Al-

On Wed, Apr 29, 2015 at 01:03PM, Larry Stone wrote:
> Clamd throws a Segmentation Fault: 11 error when attempting to run it when built on Mac OS X 10.10 Yosemite. This happens with both 0.98.6 and 0.98.7 when built on Yosemite (my version of 0.98.6 built on 10.9 ran fine on 10.10). But I just upgraded my server from 10.9 to 10.10 and with today's release of 0.98.7, this was my first time attempting to build ClamAV under Yosemite.
>
> Various articles I've found are pointing to an issue with libtool where 10.10 gets treated as if it's 10.1. This article (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63610) seems to describe the issue but a lot of it is beyond me. I've attempted defining MACOSX_DEPLOYMENT_TARGET=10.9 as described in that article but that didn't make a difference (nor am I seeing anything else defining it to 10.10 so I didn't expect it to make a difference).
>
> ./configure is happy and make generates a lot of warnings but no errors. The error only happens when trying to run it.
>
> Note this is ClamAV, not ClamXav.
>
> --
> Larry Stone
> lston...@stonejongleux.com
Re: [clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite
So how can I use the information you provided? I am more of a system administrator type rather than a developer. I mostly expect configure and make to work as documented. Debugging them is beyond my current skill set.

--
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/

On Apr 29, 2015, at 4:03 PM, Al Varnell alvarn...@mac.com wrote:
> I received a report from a ClamXav user today who attempted to install engine 0.98.7 and is having the same issues with clamd segmentation fault 11 and Yosemite 10.10.
>
> Although there were scattered reports of this same error early on with ClamXav Sentry use with the 0.98.6 engine, the developer was able to work through that one. The build info on that is as follows:
>
> Build information
> -----------------
> Clang: 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56) (4.2.1)
> GNU C++: 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56) (4.2.1)
> CPPFLAGS:
> CFLAGS: -O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64 -w -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
> CXXFLAGS:
> LDFLAGS:
> Configure: '--disable-dependency-tracking' '--enable-llvm' '--enable-clamdtop' '--with-user=_clamav' '--with-group=_clamav' '--enable-all-jit-targets' '--prefix=/usr/local/clamXav' 'CFLAGS=-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64 -w' --enable-ltdl-convenience
> sizeof(void*) = 8
> Engine flevel: 79, dconf: 79
>
> -Al-
>
> On Wed, Apr 29, 2015 at 01:03PM, Larry Stone wrote:
>> Clamd throws a Segmentation Fault: 11 error when attempting to run it when built on Mac OS X 10.10 Yosemite. This happens with both 0.98.6 and 0.98.7 when built on Yosemite (my version of 0.98.6 built on 10.9 ran fine on 10.10). But I just upgraded my server from 10.9 to 10.10 and with today's release of 0.98.7, this was my first time attempting to build ClamAV under Yosemite.
>>
>> Various articles I've found are pointing to an issue with libtool where 10.10 gets treated as if it's 10.1. This article (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63610) seems to describe the issue but a lot of it is beyond me. I've attempted defining MACOSX_DEPLOYMENT_TARGET=10.9 as described in that article but that didn't make a difference (nor am I seeing anything else defining it to 10.10 so I didn't expect it to make a difference).
>>
>> ./configure is happy and make generates a lot of warnings but no errors. The error only happens when trying to run it.
>>
>> Note this is ClamAV, not ClamXav.
>>
>> --
>> Larry Stone
>> lston...@stonejongleux.com
Re: [clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite
I wouldn’t spend a lot of time on it until we get some confirmation from ClamAV®, but the instructions on the ClamXav site for Bring Your Own Engine http://www.clamxav.com/docs_byo.html might help.

-Al-

On Wed, Apr 29, 2015 at 05:00PM, Larry Stone wrote:
> So how can I use the information you provided? I am more of a system administrator type rather than a developer. I mostly expect configure and make to work as documented. Debugging them is beyond my current skill set.
>
> Larry Stone
> lston...@stonejongleux.com
> http://www.stonejongleux.com/
>
> On Apr 29, 2015, at 4:03 PM, Al Varnell alvarn...@mac.com wrote:
>> I received a report from a ClamXav user today who attempted to install engine 0.98.7 and is having the same issues with clamd segmentation fault 11 and Yosemite 10.10.
>>
>> Although there were scattered reports of this same error early on with ClamXav Sentry use with the 0.98.6 engine, the developer was able to work through that one. The build info on that is as follows:
>>
>> Build information
>> -----------------
>> Clang: 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56) (4.2.1)
>> GNU C++: 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56) (4.2.1)
>> CPPFLAGS:
>> CFLAGS: -O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64 -w -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
>> CXXFLAGS:
>> LDFLAGS:
>> Configure: '--disable-dependency-tracking' '--enable-llvm' '--enable-clamdtop' '--with-user=_clamav' '--with-group=_clamav' '--enable-all-jit-targets' '--prefix=/usr/local/clamXav' 'CFLAGS=-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64 -w' --enable-ltdl-convenience
>> sizeof(void*) = 8
>> Engine flevel: 79, dconf: 79
>>
>> -Al-
>>
>> On Wed, Apr 29, 2015 at 01:03PM, Larry Stone wrote:
>>> Clamd throws a Segmentation Fault: 11 error when attempting to run it when built on Mac OS X 10.10 Yosemite. This happens with both 0.98.6 and 0.98.7 when built on Yosemite (my version of 0.98.6 built on 10.9 ran fine on 10.10). But I just upgraded my server from 10.9 to 10.10 and with today's release of 0.98.7, this was my first time attempting to build ClamAV under Yosemite.
>>>
>>> Various articles I've found are pointing to an issue with libtool where 10.10 gets treated as if it's 10.1. This article (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63610) seems to describe the issue but a lot of it is beyond me. I've attempted defining MACOSX_DEPLOYMENT_TARGET=10.9 as described in that article but that didn't make a difference (nor am I seeing anything else defining it to 10.10 so I didn't expect it to make a difference).
>>>
>>> ./configure is happy and make generates a lot of warnings but no errors. The error only happens when trying to run it.
>>>
>>> Note this is ClamAV, not ClamXav.
>>>
>>> --
>>> Larry Stone
>>> lston...@stonejongleux.com
[clamav-users] ClamAV® blog: ClamAV 0.98.7 has been released!
http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html

ClamAV 0.98.7 is here! This release contains new scanning features and bug fixes.

- Improvements to PDF processing: decryption, escape sequence handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-.
- Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong.
- Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted xz archive file. This was reported by Dimitri Kirchner and Goulven Guiheux. CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305.
- Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by Kai Risku.
- Improve detections within xar/pkg files.

As always, we appreciate contributions of bug reports, code fixes, and sample submissions from the ClamAV community members:

Sebastian Andrzej Siewior
Minzhaun Gong
Dimitri Kirchner
Goulven Guiheux
John E. Krokes
Kai Risku

ClamAV 0.98.7 is always available from ClamAV.net on the downloads page.

--
The ClamAV Team
[clamav-users] Scan of RAR problem
Hello,

I'm getting different results when scanning an infected email message.

On a Sparc Solaris 10 (32 bits compiled), clamdscan tells me that the message is infected:

Heuristics.Encrypted.RAR FOUND

Testing it on two 64 bits linux boxes (fedora and ubuntu), both tell me that the message is clean.

All boxes are running the same ClamAV version (0.98.6), with the same set of malware databases, and the same relevant configuration options both in clamd.conf and freshclam.conf (sorted for easier comparison):

    AlgorithmicDetection      yes
    AllowSupplementaryGroups  yes
    ArchiveBlockEncrypted     yes
    DetectBrokenExecutables   yes
    DetectPUA                 yes
    ExtendedDetectionInfo     yes
    FixStaleSocket            yes
    HeuristicScanPrecedence   yes
    IdleTimeout               60
    LogClean                  yes
    LogFile                   /export/spool/log/clamd.log
    LogFileMaxSize            2M
    LogTime                   yes
    MaxFiles                  15000
    MaxFileSize               30M
    MaxRecursion              16
    PhishingScanURLs          yes
    PhishingSignatures        yes
    ScanArchive               yes
    ScanELF                   yes
    ScanHTML                  yes
    ScanMail                  yes
    ScanOLE2                  yes
    ScanPDF                   yes
    ScanPE                    yes
    ScanPE                    yes
    SelfCheck                 600
    TCPAddr                   127.0.0.1
    TCPSocket                 3310
    User                      clamscan

Clamav on Virustotal says that it's OK:

https://www.virustotal.com/en/file/d143c2b9f8e6c26e471fd02c02ebb5c9f9528fcd55658b666e1595b3c3255e3f/analysis/1430322076/

You can find two samples of this at:

http://www.j-chkmail.org/users/oitc/5523C74B.000..xfile
http://www.j-chkmail.org/users/oitc/5523C833.000..xfile

This comes at a moment we're migrating our mail servers to linux... :-(

All hints are welcome.

Regards

José-Marcio
Re: [clamav-users] Clamd Segmentation Fault when built on Mac OS X Yosemite
I tried building with the options from the ClamXav article you referenced below but it was no help. Still “Segmentation Fault: 11”.

I have 0.98.6 restored from backup so OK for now. Probably no time to work further on this until the weekend.

--
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/

On Apr 29, 2015, at 7:22 PM, Al Varnell alvarn...@mac.com wrote:
> I wouldn’t spend a lot of time on it until we get some confirmation from ClamAV®, but the instructions on the ClamXav site for Bring Your Own Engine http://www.clamxav.com/docs_byo.html might help.
>
> -Al-
>
> … ...
>
> On Wed, Apr 29, 2015 at 01:03PM, Larry Stone wrote:
>> Clamd throws a Segmentation Fault: 11 error when attempting to run it when built on Mac OS X 10.10 Yosemite. This happens with both 0.98.6 and 0.98.7 when built on Yosemite (my version of 0.98.6 built on 10.9 ran fine on 10.10). But I just upgraded my server from 10.9 to 10.10 and with today's release of 0.98.7, this was my first time attempting to build ClamAV under Yosemite.
>>
>> Various articles I've found are pointing to an issue with libtool where 10.10 gets treated as if it's 10.1. This article (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63610) seems to describe the issue but a lot of it is beyond me. I've attempted defining MACOSX_DEPLOYMENT_TARGET=10.9 as described in that article but that didn't make a difference (nor am I seeing anything else defining it to 10.10 so I didn't expect it to make a difference).
>>
>> ./configure is happy and make generates a lot of warnings but no errors. The error only happens when trying to run it.
>>
>> Note this is ClamAV, not ClamXav.
>>
>> --
>> Larry Stone
>> lston...@stonejongleux.com