Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM
Allmatch will not work with clamd fd passing either. Please open a bugzilla request for allmatch when using fd passing or instream: bugzilla.clamav.net.

Thanks,
Steve

On Wed, Feb 3, 2016 at 12:09 PM, Torge Husfeldt wrote:
> Hi,
>
> what about passing an (already open) filehandle through the clamd socket?
> Currently we're facing the tradeoff between giving the clamd process
> more permissions or running multiple instances of the scanning engine
> (clamd + clamscan) and parsing the output of clamscan with "tainted"
> filenames.
>
> Thanks
>
> On 01.02.2016 at 21:54, Steven Morgan wrote:
> > Bernhard,
> >
> > Clamd does not currently support ALLMATCH mode with the INSTREAM protocol.
> > The only other suggestion I can offer is to preserve those files found to
> > contain viruses and research them separately using ALLMATCH.
> >
> > Steve
> >
> > On Mon, Feb 1, 2016 at 5:27 AM, Bernhard Vogel wrote:
> >
> >> Hi,
> >>
> >> is there an option in clamd to combine INSTREAM and ALLMATCHSCAN?
> >>
> >> We scan files which have already been locked (permission: 200 or similar)
> >> by another process/shellscript. Clamd runs with user "clamav" privileges.
> >> At the moment we stream the content of the locked files to CLAMD with the
> >> INSTREAM option.
> >>
> >> Since I also require to do an allmatchscan to review our malware
> >> signatures, I need to combine INSTREAM and ALLMATCHSCAN.
> >>
> >> How can I ALLMATCHSCAN files only accessible by root, without doing
> >> something like "sudo clamscan -z "
> >>
> >> Regards,
> >> Bernhard
> >>
> >> ___
> >> Help us build a comprehensive ClamAV guide:
> >> https://github.com/vrtadmin/clamav-faq
> >>
> >> http://www.clamav.net/contact.html#ml
>
> --
> Torge Husfeldt
>
> Senior Anti-Abuse Engineer
> Hosting Security
>
> 1&1 Internet Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany
> Phone: +49 721 91374-4795
> E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de
>
> Hauptsitz Montabaur, Amtsgericht Montabaur, HRB 20141
> Geschäftsführer: Christian Bigatà Joseph, Hans-Henning Kettler, Uwe Lamnek
>
> Member of United Internet
>
> This e-mail may contain confidential and/or privileged information. If
> you are not the intended recipient of this e-mail, you are hereby
> notified that saving, distribution or use of the content of this e-mail
> in any way is prohibited. If you have received this e-mail in error,
> please notify the sender and delete the e-mail.
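The INSTREAM path Bernhard describes is what lets a root-side helper read a locked file while clamd itself keeps running as the unprivileged "clamav" user. As an added example (not code from the thread or from ClamAV itself), this is the exact framing the INSTREAM command sends over the clamd socket and a parser for the z-mode reply; the socket path and the 64 KiB chunk size are assumptions. Note that, as Steve states, this path returns only the first match per stream, not ALLMATCH results.

```python
import socket
import struct
from typing import Iterator, Optional, Tuple

# Assumed chunk size; clamd's own cap is StreamMaxLength on the total stream.
CHUNK_SIZE = 64 * 1024


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the bytes INSTREAM puts on the wire: the z-prefixed command,
    then <4-byte big-endian length><data> chunks, then a zero-length chunk."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # terminator: tells clamd the stream is complete


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Parse a NUL-terminated z-mode reply such as 'stream: OK' or
    'stream: Eicar-Test-Signature FOUND'. Returns (status, detail)."""
    text = reply.split(b"\0", 1)[0].decode("utf-8", "replace").strip()
    _prefix, _, rest = text.partition(": ")  # prefix is always 'stream'
    if rest.endswith(" FOUND"):
        return "FOUND", rest[: -len(" FOUND")]
    if rest == "OK":
        return "OK", None
    return "ERROR", rest  # e.g. size-limit errors end in 'ERROR'


def scan_bytes(data: bytes,
               socket_path: str = "/var/run/clamav/clamd.ctl") -> Tuple[str, Optional[str]]:
    """Stream already-read file content to clamd over its UNIX socket (path assumed).
    The caller may run as root to read a 0200 file; clamd needs no extra privilege."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # z-mode replies are NUL-terminated
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```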
Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM
Hi,

what about passing an (already open) filehandle through the clamd socket? Currently we're facing the tradeoff between giving the clamd process more permissions or running multiple instances of the scanning engine (clamd + clamscan) and parsing the output of clamscan with "tainted" filenames.

Thanks

On 01.02.2016 at 21:54, Steven Morgan wrote:
> Bernhard,
>
> Clamd does not currently support ALLMATCH mode with the INSTREAM protocol.
> The only other suggestion I can offer is to preserve those files found to
> contain viruses and research them separately using ALLMATCH.
>
> Steve
>
> On Mon, Feb 1, 2016 at 5:27 AM, Bernhard Vogel wrote:
>
>> Hi,
>>
>> is there an option in clamd to combine INSTREAM and ALLMATCHSCAN?
>>
>> We scan files which have already been locked (permission: 200 or similar)
>> by another process/shellscript. Clamd runs with user "clamav" privileges.
>> At the moment we stream the content of the locked files to CLAMD with the
>> INSTREAM option.
>>
>> Since I also require to do an allmatchscan to review our malware
>> signatures, I need to combine INSTREAM and ALLMATCHSCAN.
>>
>> How can I ALLMATCHSCAN files only accessible by root, without doing
>> something like "sudo clamscan -z "
>>
>> Regards,
>> Bernhard

--
Torge Husfeldt

Senior Anti-Abuse Engineer
Hosting Security

1&1 Internet Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany
Phone: +49 721 91374-4795
E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de

Hauptsitz Montabaur, Amtsgericht Montabaur, HRB 20141
Geschäftsführer: Christian Bigatà Joseph, Hans-Henning Kettler, Uwe Lamnek

Member of United Internet
Re: [clamav-users] undefined signature ? Win.Trojan.Win64-166
@Al True, I didn't receive those mails, and I didn't find them in the mailing list archive.

@Joel Sad news. It explains everything. I was worried someone "injected" ghost signatures.

Is there a place where we could track update changelogs? Some signatures sound like false positives to me; I want to track who sent them and why they were created. I actually use the mailing list as a changelog.

Bests,
Gaëtan

On 02/02/2016 07:32 PM, Joel Esler (jesler) wrote:
> Unfortunately, the system that presently publishes the ruleset (which we are building a replacement for (more details to come)), and sends the email, does not perform this function as a single step. Someone may have published without clicking the "send email" button.
>
> --
> Joel Esler
> Manager, Talos Group
>
> On Feb 2, 2016, at 11:26 AM, Al Varnell <alvarn...@mac.com> wrote:
>
>> I've noticed that not all updates seem to be sent to the list. For example, did you get Updates (daily:21307) or (daily:21304)?
>>
>> -Al-
>>
>> On Tue, Feb 02, 2016 at 05:02 AM, Gaetan Trivino wrote:
>>
>>> Hello everyone,
>>>
>>> I'm using clamav since a year now, and we are really happy with the service.
>>>
>>> I've done a full search on my mail and archives; I never saw the signature coming in the clamav-virusdb mailing list. My definitions are up to date and the signature seems to be a false positive.
>>>
>>> How is it possible to have a signature available in my daily.cvd but not announced in clamav-virusdb? I have this case 10 times a year with signatures defined in my daily.cvd but not announced in clamav-virusdb.
>>>
>>> Best regards,
>>> Gaëtan Trivino

Cordialement,
--
Gaëtan Trivino
OVH