Re: [clamav-users] Writing EICAR Text to CLAMAV Socket/JAVA
I am writing my files to be scanned to the Java socket based on the hostname/port on which CLAMD is running. It was working fine till yesterday evening, but suddenly this morning the stream response is OK for EICAR files; yesterday I was getting VIRUS FOUND.

Is there any configuration we have that would have the virus check skipped at the clamav-daemon end? I am thinking of options like skipping scans during a specific window period based on some config, or skipping at the time of the automated virus database update.

Has anyone faced such issues? Please shed some light on this.

Regards,
kk

On Tue, Nov 24, 2015 at 11:58 AM, Krishnakumar Nair wrote:
> Hi Guys,
>
> Regards,
> kk

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
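A small clamd client that shows what the poster's Java code has to send over the socket, added here as an example; it is not code from the thread, from the poster, or from the ClamAV project. It builds the INSTREAM command exactly as clamd(8) documents it (a "zINSTREAM\0" header, chunks each prefixed by a 4-byte big-endian length, and a zero-length chunk to finish), and also shows the FILDES command that clamdscan --fdpass uses, where the open descriptor travels as SCM_RIGHTS ancillary data so clamd needs no permission on the path. The host, port and socket path are placeholders; the parser treats any reply other than OK as a finding or an error, never as clean. Because clamd can only judge the bytes it actually receives, the stand-alone run prints how many bytes were streamed, which is the first thing to compare against the 68-byte eicar.com file when a stream unexpectedly comes back OK.

```python
"""Minimal clamd client for the INSTREAM and FILDES commands (added example;
not code from the thread or from the ClamAV project).

Assumptions: clamd is reachable at HOST:PORT (clamd.conf TCPSocket) for
streaming and at SOCKET_PATH (clamd.conf LocalSocket) for fd passing; all
three values are placeholders. Wire format per clamd(8): "zINSTREAM\0" then
chunks, each prefixed by a 4-byte big-endian length, ended by a zero-length
chunk; "zFILDES\0" sent in the same sendmsg() as the descriptor. clamd answers
with one NUL-terminated line such as "stream: OK" or "stream: <Name> FOUND".
"""
import array
import re
import socket
import struct
from dataclasses import dataclass

HOST, PORT = "127.0.0.1", 3310                   # placeholder TCPSocket endpoint
SOCKET_PATH = "/var/run/clamd.scan/clamd.sock"   # placeholder LocalSocket path
CHUNK_SIZE = 4096                                # total must stay under StreamMaxLength


def frame_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Build the complete byte sequence for one INSTREAM scan of `data`."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray(b"zINSTREAM\0")
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk   # network byte order length
    out += struct.pack("!I", 0)                         # zero-length chunk ends the stream
    return bytes(out)


@dataclass(frozen=True)
class ScanResult:
    status: str   # "OK", "FOUND" or "ERROR"
    detail: str   # signature name for FOUND, message for ERROR, "" for OK

    @property
    def clean(self) -> bool:
        # Only an explicit OK counts as clean; errors must never pass as clean.
        return self.status == "OK"


_PREFIX = re.compile(r"^(?:stream|fd\[\d+\]): ")


def parse_response(raw: bytes) -> ScanResult:
    """Parse clamd's NUL-terminated reply to a z-prefixed command."""
    text = raw.split(b"\0", 1)[0].decode("utf-8", "replace").strip()
    text = _PREFIX.sub("", text, count=1)   # drop "stream: " or "fd[N]: "
    if text == "OK":
        return ScanResult("OK", "")
    if text.endswith(" FOUND"):
        return ScanResult("FOUND", text[:-len(" FOUND")])
    if text.endswith(" ERROR"):
        return ScanResult("ERROR", text[:-len(" ERROR")])
    # Empty, truncated or unknown replies are reported as errors, not as OK.
    return ScanResult("ERROR", "unexpected reply: " + repr(text))


def _read_reply(sock: socket.socket) -> bytes:
    """Read until the NUL that terminates the reply (or until clamd closes)."""
    reply = bytearray()
    while b"\0" not in reply:
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return bytes(reply)


def scan_bytes(data: bytes, host: str = HOST, port: int = PORT,
               timeout: float = 30.0) -> ScanResult:
    """Stream `data` to clamd over TCP (same mechanism as clamdscan --stream)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame_instream(data))
        return parse_response(_read_reply(sock))


def scan_fd(fd: int, socket_path: str = SOCKET_PATH,
            timeout: float = 30.0) -> ScanResult:
    """Hand an already-open descriptor to clamd (what clamdscan --fdpass does)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        sock.sendmsg([b"zFILDES\0"],
                     [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])
        return parse_response(_read_reply(sock))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "eicar.com"
    with open(path, "rb") as f:
        payload = f.read()
    print(f"streaming {len(payload)} bytes from {path}")
    print(scan_bytes(payload))
```

If the stream verdict and clamdscan disagree on the same file, compare the byte count printed above with `ls -l` on the file, and check clamd's log for the database reload around the time the behaviour changed: a stream of zero bytes is clean by definition, and a reply the client fails to read fully should surface here as ERROR rather than OK.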
[clamav-users] Writing EICAR Text to CLAMAV Socket/JAVA
Hi Guys,

Regards,
kk
Re: [clamav-users] Fw: RE: Re: clamdscan t...
On Mon, November 23, 2015 4:18 pm, Matus UHLAR - fantomas wrote:
> seems that someone with ***idiotic antispam rules** has subscribed to this
> list...

aka how to let a user down gently... :)

Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Re: [clamav-users] how to narrow down the signature database?
Bond,

You can use 'sigtool --unpack-current [daily|main|bytecode]' to unpack the virus database. Then remove/edit out the files/sigs that are not of interest. Then use the clamd.conf DatabaseDir parameter to point to the result. docs/signatures.pdf may help.

Also, look at ./configure --help to remove any other software you don't think you'll need for your clamd. The largest memory saving will be from './configure --enable-llvm=no'.

Steve

On Fri, Nov 20, 2015 at 9:00 PM, Bond Masuda wrote:
> my question is in the subject line, but my goal is to reduce the memory
> footprint of clamd. it currently takes over 350MB and that's a bit too much.
>
> so, i'm wondering how I can narrow down the signature database to reduce
> this memory footprint. specifically, i only care about malware that is
> relevant to Linux platform, and not other OSes like Windows. is there a
> way for me to reduce the signature database just to signatures relevant
> to my OS platform? I'm currently using clamav/clamd on CentOS 6 and my
> signatures are updated via the cron freshclam.
>
> are there other ways to reduce the memory footprint of clamd?
>
> thanks,
> Bond
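One way to do the "remove/edit out the sigs that are not of interest" step from Steve's reply, added here as an example; it is not code from the thread, from Steve, or from the ClamAV project. It walks a directory produced by `sigtool --unpack-current`, keeps .ndb and .ldb signatures whose TargetType (field layouts and type codes as given in signatures.pdf) matches a Linux-oriented policy, filters hash signatures in .hdb by name prefix, and copies everything else through unchanged so the directory still loads. The source and destination paths, the keep-set and the Windows name prefixes are assumptions for the example. The clamd.conf option that points at the result is spelled DatabaseDirectory; note that freshclam keeps updating its own .cvd/.cld files, not this trimmed copy, so the filter has to be re-run after each update for the trimmed set to stay current.

```python
"""Trim an unpacked ClamAV signature set to chosen target types (added example;
not code from the thread or from the ClamAV project).

Assumptions: SRC is a directory produced by `sigtool --unpack-current daily`
(and/or main) and DST is the directory clamd.conf's DatabaseDirectory will point
at; both are placeholders. Three plain-text formats are parsed using the field
layouts from ClamAV's signatures.pdf:
  .ndb  MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
  .hdb  MD5:FileSize:MalwareName
  .ldb  SignatureName;TargetDescriptionBlock;LogicalExpression;Subsig0;...
Every other file is copied unchanged so the directory still loads as a whole.
"""
import re
import shutil
import sys
from pathlib import Path
from typing import Dict, Tuple

# TargetType codes from signatures.pdf ("Extended signature format").
TARGET_ANY, TARGET_PE, TARGET_OLE2, TARGET_HTML, TARGET_MAIL = 0, 1, 2, 3, 4
TARGET_GRAPHICS, TARGET_ELF, TARGET_ASCII, TARGET_MACHO, TARGET_PDF = 5, 6, 7, 9, 10

# Policy for a Linux-only host (constructed for this example; adjust to your own
# threat model): keep generic signatures and the file types the box handles,
# drop PE and OLE2 (Windows) and Mach-O.
KEEP_TARGETS = {TARGET_ANY, TARGET_HTML, TARGET_MAIL, TARGET_GRAPHICS,
                TARGET_ELF, TARGET_ASCII, TARGET_PDF}
# Hash signatures carry no target type, so they are filtered by name prefix
# (assumed list of Windows-family prefixes, not exhaustive).
DROP_NAME_PREFIXES = ("Win.", "Win32.", "W32.")
SIGNATURE_EXTENSIONS = {".ndb", ".hdb", ".ldb"}
_LDB_TARGET = re.compile(r"(?:^|,)Target:(\d+)")


def keep_signature(ext: str, line: str) -> bool:
    """Decide whether one signature line from a file with extension `ext` stays.
    Lines that do not parse are kept untouched: this tool must not rewrite what it
    does not understand, and clamd will refuse to load anything truly broken."""
    line = line.rstrip("\r\n")
    if not line:
        return True
    if ext == ".ndb":
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            return True
        return int(fields[1]) in KEEP_TARGETS
    if ext == ".hdb":
        fields = line.split(":")
        if len(fields) < 3:
            return True
        return not fields[2].startswith(DROP_NAME_PREFIXES)
    if ext == ".ldb":
        fields = line.split(";")
        if len(fields) < 3:
            return True
        match = _LDB_TARGET.search(fields[1])   # TargetDescriptionBlock
        return match is None or int(match.group(1)) in KEEP_TARGETS
    return True


def filter_signature_text(ext: str, text: str) -> Tuple[str, int, int]:
    """Filter one file's content; returns (new_text, kept_lines, dropped_lines).
    Non-signature files pass through untouched with zero counts."""
    if ext not in SIGNATURE_EXTENSIONS:
        return text, 0, 0
    kept, dropped = [], 0
    for line in text.splitlines(keepends=True):
        if keep_signature(ext, line):
            kept.append(line)
        else:
            dropped += 1
    return "".join(kept), len(kept), dropped


def filter_database_dir(src: Path, dst: Path) -> Dict[str, int]:
    """Write a trimmed copy of `src` into `dst` and return line/file counts."""
    dst.mkdir(parents=True, exist_ok=True)
    stats = {"kept": 0, "dropped": 0, "copied": 0}
    for path in sorted(src.iterdir()):
        if not path.is_file():
            continue
        if path.suffix in SIGNATURE_EXTENSIONS:
            # latin-1 round-trips any byte unchanged; signature files are ASCII anyway.
            text = path.read_text(encoding="latin-1")
            new_text, kept, dropped = filter_signature_text(path.suffix, text)
            (dst / path.name).write_text(new_text, encoding="latin-1")
            stats["kept"] += kept
            stats["dropped"] += dropped
        else:
            shutil.copy2(path, dst / path.name)
            stats["copied"] += 1
    return stats


if __name__ == "__main__":
    # Placeholder paths; point clamd.conf DatabaseDirectory at the destination.
    src_dir = Path(sys.argv[1] if len(sys.argv) > 1 else "/tmp/unpacked-daily")
    dst_dir = Path(sys.argv[2] if len(sys.argv) > 2 else "/var/lib/clamav-trimmed")
    print(filter_database_dir(src_dir, dst_dir))
```

Before switching clamd over, load the trimmed directory once with `clamscan -d <dst> <some file>` to confirm every file still parses, and measure clamd's resident size afterwards; the saving depends on how many of the dropped types the daily set was carrying at the time.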
[clamav-users] Fw: RE: Re: clamdscan t...
seems that someone with idiotic antispam rules has subscribed to this list...

- Forwarded message from Jean philippe Catteau -

Received: from behost5.spamenmoins.net (behost5.spamenmoins.net [80.67.189.171])
	by fantomas.fantomas.sk (8.14.4/8.14.4/Debian-4) with ESMTP id tANGFqQ3001436
	for ; Mon, 23 Nov 2015 17:15:57 +0100
To: uh...@fantomas.sk
Subject: RE: Re: [clamav-users] clamdscan t...
From: Jean philippe Catteau
Date: Mon, 23 Nov 2015 17:15:51 +0100 (CET)

[deleted]

Hello,

Jean philippe Catteau here,

To cope with high amounts of spam mail, I have subscribed to the filter service Spamenmoins.com. This service blocks all emails with the exception of trusted correspondents. So I have not yet received your last email, "Re: [clamav-users] clamdscan t..."

In order to prove you are a genuine sender and not a spam-sending machine, please click on the link below and follow the instructions on the page which opens.

http://www.SpamEnMoins.com/Autoriser.php?E=dWhsYXJAZmFudG9tYXMuc2t8cHVwdXNzZWNhdHNAd2FuYWRvby5mcnxwdXB1c3NlY2F0c0B3YW5hZG9vLmZyfA==

You will then be immediately and permanently added to my list of trusted correspondents. Your last email "Re: [clamav-users] clamdscan t..." will also be delivered without delay.

thank you
Jean philippe Catteau

- End forwarded message -

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.
Re: [clamav-users] clamdscan troubleshooting
On 21.11.15 20:29, Daniel L. Srebnick wrote:
> To follow up, I found that clamdscan works with either --fdpass or --stream.
> If one of those parameters is not included on the command line then I get
> the permissions error.

yes, clamd needs permission to open a file you want it to scan. you can open the file and either pass the opened file with your permissions by --fdpass or send the file content to it via --stream.

otherwise, you must give clamd proper permissions...

> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Bond Masuda
> Sent: Saturday, November 21, 2015 13:02
> To: ClamAV users ML
> Subject: Re: [clamav-users] clamdscan troubleshooting
>
> Daniel,
>
> You might want to look at these two SELinux booleans:
>
> antivirus_can_scan_system
> antivirus_use_jit
>
> You can use 'getsebool':
>
> $ getsebool antivirus_can_scan_system
> antivirus_can_scan_system --> on
>
> And you can use 'setsebool' to toggle the boolean setting.
>
> Additionally, see the man page for clamdscan and look at the "--fdpass" option. Note that the clamd daemon is usually running as a different user.
>
> Hope that points you in a useful direction.
>
> Bond
>
> On 11/21/2015 08:17 AM, Daniel L. Srebnick wrote:
>> I'm having some issues verifying a clamav install under FC 22. I am doing some testing using clamdscan and have been running into some kind of permission error as far as I can tell. For now, I have set selinux to permissive to eliminate that as an issue.
>>
>> I have an eicar.com file that I have scanned with clamscan and it verifies that one file has been scanned and that one virus has been found.
>>
>> Next, I want to submit a scan of eicar.com using clamdscan.
>>
>> [root@zzz tmp]# ls -l eicar.com
>> -rw-rw-r--. 1 clamscan clamscan 68 Sep 4 2006 eicar.com
>> [root@zzz tmp]#
>> [root@ears tmp]# clamdscan -c /etc/clamd.d/scan.conf /tmp/eicar.com
>> /tmp/eicar.com: lstat() failed: No such file or directory. ERROR
>>
>> --- SCAN SUMMARY ---
>> Infected files: 0
>> Total errors: 1
>> Time: 0.001 sec (0 m 0 s)
>>
>> [root@ears tmp]# ls -l eicar.com
>> -rw-rw-r--. 1 clamscan clamscan 68 Sep 4 2006 eicar.com
>> [root@ears tmp]# clamdscan -c /etc/clamd.d/scan.conf /tmp/eicar.com
>> /tmp/eicar.com: lstat() failed: No such file or directory. ERROR
>>
>> --- SCAN SUMMARY ---
>> Infected files: 0
>> Total errors: 1
>> Time: 0.001 sec (0 m 0 s)
>>
>> Note that the file is not found. If I scan the directory instead:
>>
>> [root@ears tmp]# clamdscan -c /etc/clamd.d/scan.conf /tmp
>> /tmp: OK
>>
>> --- SCAN SUMMARY ---
>> Infected files: 0
>> Time: 0.000 sec (0 m 0 s)
>> You have new mail in /var/spool/mail/dan
>> [root@ears tmp]#
>>
>> No infected file is found and no errors. clamd is running as clamscan.
>>
>> Ready for any suggestions about what is happening here. I've been working on this for a few days.
>>
>> Thank you.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
On the other hand, you have different fingers.