Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
The new database was just made available, so I recommend you hold off until you 
have the new mail.cvd v57 and daily.cvd v21466 before getting too excited about 
this.

-Al-

On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> 
> As of the latest daily update, running ClamAV against the EICAR test string
> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> 
> -J


___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] freshclam error

2016-03-19 Thread Steven Morgan
This is a wild guess, but try to configure ClamAV with --enable-llvm=no.

Otherwise, open a bug at bugzilla.clamav.net.

Steve


[clamav-users] URL Links

2016-03-19 Thread Jerry
I just did a fresh install of ClamAV on a FreeBSD machine. While
configuring the program, I found that the following URLs were broken:

http://www.clamav.net/download/cvd/3rdparty
http://www.stats.clamav.net

-- 
Jerry


Re: [clamav-users] [SPAM] javascript ZIP virus not caught?

2016-03-19 Thread Jan Hejl

Hello,

try to use these signatures http://sanesecurity.com/foxhole-databases/

Jan

On 15.3.2016 at 04:03 Scott Galambos wrote:
I've upgraded to the latest Clamav 0.99.1 on Linux/Sendmail and it 
still is not catching all these ZIP files with .js files inside them.  
Is clamav supposed to stop these?


I constantly get these messages with .ZIP attachments that I would 
think clamav should stop.  Am I expecting too much?  Missing something?








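Jan's pointer above is to third-party container rules. The following is an added example, not code from this thread, from ClamAV or from Sanesecurity, showing what a ClamAV `.cdb` container rule of the Foxhole kind actually does: it matches on the name (and optionally the size, encryption flag and position) of a member inside an archive, which is why it can stop a ZIP carrying a `.js` dropper even when the script inside has no signature of its own. The rule name, its regex and the in-memory ZIPs are constructed for the example; the field layout is ClamAV's `.cdb` layout (VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2), but the evaluator is a simplified one written for this example (Python `re` for the regex, ZIP only), not libclamav's.

```python
import io
import re
import zipfile

# Constructed rule in ClamAV's .cdb container-signature layout. The name is made up
# for this example and is not a Sanesecurity/Foxhole signature:
# VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2
EXAMPLE_CDB_RULE = "Example.Container.JS_in_Zip:CL_TYPE_ZIP:*:(?i)\\.(js|jse|wsf)$:*:*:*:*:*:*"


def parse_cdb(line):
    """Split a .cdb line into its ten colon-separated fields ('*' means 'any')."""
    fields = line.split(":")
    if len(fields) < 10:
        raise ValueError("cdb rule needs at least 10 fields: %r" % line)
    keys = ("name", "ctype", "csize", "fname_re", "fsize_in", "fsize_real",
            "encrypted", "pos", "res1", "res2")
    return dict(zip(keys, fields[:10]))


def _in_range(spec, value):
    """'*' matches anything; 'n' an exact value; 'n-m' an inclusive range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= value <= hi
    return int(spec) == value


def scan_zip(data, rule):
    """Return the rule name if any member of the ZIP in `data` satisfies the rule, else None.
    Only CL_TYPE_ZIP is handled here; libclamav applies the same idea to other containers."""
    sig = parse_cdb(rule)
    if sig["ctype"] != "CL_TYPE_ZIP" or not _in_range(sig["csize"], len(data)):
        return None
    pattern = re.compile(sig["fname_re"])
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # FilePos is treated as a 1-based member index in this example.
        for index, info in enumerate(zf.infolist(), start=1):
            encrypted = bool(info.flag_bits & 0x1)  # ZIP general-purpose flag bit 0
            if not pattern.search(info.filename):
                continue
            if not _in_range(sig["fsize_in"], info.compress_size):
                continue
            if not _in_range(sig["fsize_real"], info.file_size):
                continue
            if sig["encrypted"] != "*" and int(sig["encrypted"]) != int(encrypted):
                continue
            if not _in_range(sig["pos"], index):
                continue
            return sig["name"]
    return None


def build_zip(members):
    """Build a ZIP in memory from {name: bytes}; constructed test input, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    dropper = build_zip({"invoice_2016-03.js": b"// constructed placeholder, no real payload\n"})
    benign = build_zip({"invoice_2016-03.pdf": b"%PDF-1.4 constructed placeholder\n"})
    print(scan_zip(dropper, EXAMPLE_CDB_RULE))  # Example.Container.JS_in_Zip
    print(scan_zip(benign, EXAMPLE_CDB_RULE))   # None
```

The rule fires on the member name alone, so it will also block a legitimate ZIP that happens to carry a script; that is the trade-off such policy signatures make, and why ClamAV ships them as optional third-party databases rather than in daily.cvd.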
Re: [clamav-users] no new signatures

2016-03-19 Thread Frank Elsner
On Fri, 18 Mar 2016 14:45:49 +0100 polloxx wrote:
> Dear,
> 
> Since the migration we have no new signatures:
> freshclam.log shows:
> 
> Fri Mar 18 14:34:15 2016 -> --
> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar 18
> 14:34:15 2016
> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
> Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended
> version: 0.99.1
> Fri Mar 18 14:34:15 2016 -> DON'T PANIC! Read
> http://www.clamav.net/support/faq
> Fri Mar 18 14:34:15 2016 -> main.cvd is up to date (version: 57, sigs:
> 4218790, f-level: 60, builder: amishhammer)
> Fri Mar 18 14:34:15 2016 -> daily.cvd is up to date (version: 21466, sigs:
> 83889, f-level: 63, builder: amishhammer)
> Fri Mar 18 14:34:15 2016 -> bytecode.cvd is up to date (version: 275, sigs:
> 45, f-level: 63, builder: amishhammer)
> 
> What's wrong with our config?

Nothing. Same here after last update:

Mar 17 12:08:48 main.cvd is up to date (version: 57, sigs: 4218790, f-level: 
60, builder: amishhammer)
Mar 17 12:20:52 daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, 
builder: amishhammer)
Mar 17 12:21:34 bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, 
builder: amishhammer)

Last run today:

Mar 18 14:15:05 seymour freshclam[2666]: main.cvd is up to date (version: 57, 
sigs: 4218790, f-level: 60, builder: amishhammer)
Mar 18 14:15:05 seymour freshclam[2666]: daily.cvd is up to date (version: 
21466, sigs: 83889, f-level: 63, builder: amishhammer)
Mar 18 14:15:05 seymour freshclam[2666]: bytecode.cvd is up to date (version: 
275, sigs: 45, f-level: 63, builder: amishhammer)


Have a nice weekend, Frank


Re: [clamav-users] freshclam error

2016-03-19 Thread Steven Morgan
I'm thinking this is the same problem as
https://bugzilla.clamav.net/show_bug.cgi?id=11309 . You'll find a few other
./configure options there.

Steve


Re: [clamav-users] Problem with mirrors overnight?

2016-03-19 Thread Matthias Hank
Hi,

On Thu, Mar 17, 2016 at 12:49:11PM +, Joel Esler (jesler) wrote:
> It's possible they are overloaded.  We released a new main.cvd and daily late 
> last night.

But why are always the same 3 of 13 German mirrors probed by freshclam?
All of them are failing since last night on all of our servers.

Probed are:
178.63.73.246
84.39.110.99
88.198.17.100

DNS seems to be ok:

database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.de.clamav.net.
db.de.clamav.net has address 178.63.73.246
db.de.clamav.net has address 193.27.49.165
db.de.clamav.net has address 195.30.97.3
db.de.clamav.net has address 212.227.138.145
db.de.clamav.net has address 213.174.32.130
db.de.clamav.net has address 62.27.56.14
db.de.clamav.net has address 62.201.161.84
db.de.clamav.net has address 62.245.181.53
db.de.clamav.net has address 84.39.110.99
db.de.clamav.net has address 88.198.17.100
db.de.clamav.net has address 130.133.110.67
db.de.clamav.net has address 144.76.28.11
db.de.clamav.net has address 176.9.115.53

Regards,

Matze


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Does anyone that's chimed in work on the signatures team?

-J

On Thu, Mar 17, 2016 at 10:31 AM, Al Varnell wrote:

> There have not been any additional updates released yet, so nothing could
> have changed.
>
> -Al-
>
> On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote:
> >
> > Is anyone still seeing this or have they fixed it?
> >
> > -J
> >
> > Sent via iPhone
> >
> >> On Mar 17, 2016, at 02:44, Mark Allan wrote:
> >>
> >> Just to confirm, I'm also seeing everything being flagged as
> Win.Trojan.Trojan-476 with the new main/daily.cvd files.
> >>
> >> Mark
> >>
> >>> On 17 Mar 2016, at 6:49 am, Al Varnell wrote:
> >>>
> >>> I just ran a scan against the ClamAV test files contained in the
> >>> 0.99.1 source file and I’m getting all Win.Trojan.Trojan-476:
> >>>
> >>> File Name  Infection Name  Status
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z  Win.Trojan.Trojan-476
> >>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz

[clamav-users] virus submission email acknowledgement

2016-03-19 Thread C.D. Cochrane
Hi,
I used to receive an email acknowledging my submission of a virus file to 
clamav.net.  For the past 3 days I have submitted new virus files, but not 
received any email confirmation.  Is this new policy, or a symptom of a system 
that is overwhelmed?


Re: [clamav-users] ClamAV(R) blog: ClamAV Signature Interface maintenance is now complete! New Main.cvd!

2016-03-19 Thread polloxx
Still no updates?

On Thu, Mar 17, 2016 at 4:24 AM, Joel Esler (jesler) 
wrote:

>
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
>
> ClamAV Signature Interface maintenance is now complete! New Main.cvd!
> Our ClamAV Signature Interface maintenance is now complete.  While we
> apologize for the delay, the rollout of the new Signature Interface
> inside of ClamAV will result in several new features for the community, and
> I wanted to tell you about some of them:
>
> First, the first new “main.cvd” in about two years.  This main.cvd has
> been completely re-written from scratch, and while the function of the
> “main” is largely the same, it’s been rewritten to not only enforce order
> to the signatures, but naming convention as well.  For example:
>
> W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
> Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
> Adware.Smshoax has moved to Win.Adware.Smshoax
>
> Re-naming of the signatures may affect a local user’s whitelist.  If you
> have excluded certain signatures in the past that are now firing, we ask
> that you both submit the file to us for false positive remediation (if you
> believe it to be a false positive), and rename the signature whitelist on
> your side.
>
> This new main is 109Mb in size, and contains 4 million signatures for
> ClamAV.  Now that the main.cvd has been rewritten, it is now easier for us
> to create diffs, which means upgrading the main more often, and making the
> “daily.cvd” smaller more often.
>
> Second,  we now have the ability to offer different types of CVDs.  For
> instance, we now have the ability to distribute 3rd party signatures that
> are officially signed by ClamAV, but updated through the ClamAV global
> mirror network.  If we wanted to separate out “policy” type signatures from
> the daily.cvd into their own cvd, we can now do that.
>
> Third, while we have not removed some of the older signature formats, we
> did convert those older signatures to the newer formats to empty those
> older “cvd”s out.
>
> For example:
> “db" signatures were consolidated into “ndb" signatures
> “zmd" and “rmd" archive signatures were moved to the “cdb" container
> signature format
>
> These formats are not new, they simply have never been published before.
> This includes other formats such as “hsb", “msb", “sfp", and “crb".  The
> older formats are supported for now, we are simply no longer publishing
> them.
>
> Fourth, newer features, like the ability to write signatures based on the
> SHA256 of a file have been added to the system, and we can now publish that
> type of detection.
>
> We’d like to thank you for your patience.
>
> ClamAV team

Re: [clamav-users] URL Links

2016-03-19 Thread Jerry
On Thu, 17 Mar 2016 11:10:32 +, Joel Esler (jesler) stated:

> Where are those?  We need to remove them.

In the "freshclam.conf" file.

-- 
Jerry


Re: [clamav-users] [Community-sigs] ClamAV® blog: ClamAV Signature Interface maintenance is now complete! New Main.cvd!

2016-03-19 Thread Joel Esler (jesler)
Thank you, and you're right.  This project has been close to two years in the 
making.

As far as the name of the cvd's, I don't believe the names are changing.

--
Joel Esler
iPhone

On Mar 16, 2016, at 11:58 PM, Rafael Ferreira wrote:

Joel,

First congrats to you and the team, from the sounds of it, this took a lot of 
late nights and caffeine. Quick question, are any of the official sigs 
{main/daily/bytecode} changing names (or extensions)? That does not seem to be 
the case but I figure it would be good to confirm in order to avoid any 
surprises.

Cheers,

- Rafael

Rafael Ferreira
Uva Software, LLC | scanii.com
623.252.0441




Re: [clamav-users] no new signatures

2016-03-19 Thread polloxx
Thanks for the answers folks.
One last question: will the new databases still work on version 0.98.1?

On Fri, Mar 18, 2016 at 4:01 PM, Steve Basford wrote:

>
> On Fri, March 18, 2016 2:05 pm, Helmut Hullen wrote:
> > Hello, polloxx,
> >
> >
> > You wrote on 18.03.16:
> >
> >
> >> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar
> >> 18 14:34:15 2016
> >> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is
> >> OUTDATED!
> >>
> >
> >
> > So what - updated or not updated?
>
> > Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is
> OUTDATED!
> > Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended
> > version: 0.99.1
>
> The above just means that 0.98.1 is currently being used, but should
> be upgraded to 0.99.1 which is the latest version of the engine.
>
> The signatures haven't been updated since Friday.
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
> Twitter: @sanesecurity
>

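polloxx's last question, and the "is up to date" lines in both copies of the freshclam log above, turn on the `f-level` column: every CVD header carries the functionality level an engine must have to load that database, and freshclam prints it next to the version and signature count. The following is an added example, not code from this thread or from ClamAV, that builds a CVD-shaped file in memory, parses the 512-byte header in the field order `sigtool --info` reports, verifies the payload MD5, and answers the "will it still load" question from the header's f-level rather than from the engine's version string. The signature-file contents, the placeholder digital-signature field and the engine levels passed to the check are constructed for the example (the example does not claim what 0.98.1's or 0.99.1's own levels are); a real CVD also carries an RSA signature over the payload that this example cannot reproduce and so does not check.

```python
import hashlib
import io
import tarfile
import time

HEADER_LEN = 512  # fixed-size text header that precedes the gzip'd tar payload of a .cvd


def build_cvd(version, flevel, builder, sig_files, build_time="16 Mar 2016 23-00 -0400"):
    """Assemble a CVD-shaped blob: header + tar.gz of signature files (constructed input).
    Field order follows what `sigtool --info` reports:
    ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:<payload MD5>:<digital signature>:<builder>:<build timestamp>
    The digital-signature field is a placeholder; a real CVD carries an RSA signature
    that only the ClamAV team's key can produce."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in sig_files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = buf.getvalue()
    nsigs = sum(content.count(b"\n") for content in sig_files.values())  # one signature per line
    header = "ClamAV-VDB:%s:%d:%d:%d:%s:%s:%s:%d" % (
        build_time, version, nsigs, flevel, hashlib.md5(payload).hexdigest(),
        "PLACEHOLDER-DSIG", builder, int(time.time()))
    return header.encode("ascii").ljust(HEADER_LEN, b" ") + payload


def parse_cvd_header(blob):
    """Parse the header into a dict; raises ValueError if the magic or field count is wrong."""
    fields = blob[:HEADER_LEN].rstrip(b" \x00").decode("ascii").split(":")
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    return {
        "build_time": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "dsig": fields[6],
        "builder": fields[7],
        "stime": int(fields[8]),
    }


def payload_md5_ok(blob):
    """The MD5 half of the integrity check libclamav makes on a CVD (the RSA half is not modelled)."""
    return hashlib.md5(blob[HEADER_LEN:]).hexdigest() == parse_cvd_header(blob)["md5"]


def loadable_by(header, engine_flevel):
    """An engine can only load a database whose required f-level it meets."""
    return header["flevel"] <= engine_flevel


def needs_update(header, local_version):
    """What freshclam decides from the version field: newer on the mirror than on disk?"""
    return header["version"] > local_version


if __name__ == "__main__":
    # Version and f-level taken from the freshclam lines in this thread (main.cvd 57 at f-level 60);
    # the single signature inside is the EICAR hdb line, so the count is 1, not 4218790.
    main = build_cvd(57, 60, "amishhammer",
                     {"main.hdb": b"44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1\n"})
    h = parse_cvd_header(main)
    print(h["version"], h["sigs"], h["flevel"], payload_md5_ok(main))
    for engine_flevel in (59, 63):  # constructed engine levels for illustration only
        print(engine_flevel, loadable_by(h, engine_flevel))
```

Because `loadable_by` compares the database's required level against the engine's level, an engine older than the recommended release still loads a database whose f-level it meets; the "OUTDATED" warning in the log is about the engine version, not about whether these particular CVDs will load.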

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
No. I'm sure they are trying to recover from this week's activities and rarely 
have time to follow this list anyway. It would likely be Alain Zidouemba the 
sig team lead. 

To get feedback on FP's you would need to subscribe to the clamav-virusdb list 
and it often takes weeks under normal circumstances. 

The main contributor here is Joel Esler, Manager, Talos Group.

Sent from Janet's iPad

-Al-

On Mar 17, 2016, at 1:09 PM, "Jason J. W. Williams" wrote:
> Does anyone that's chimed in work on the signatures team?
> 
> -J
> 
> On Thu, Mar 17, 2016 at 10:31 AM, Al Varnell wrote:
> 
>> There have not been any additional updates released yet, so nothing could
>> have changed.
>> 
>> -Al-
>> 
>> On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote:
>>> 
>>> Is anyone still seeing this or have they fixed it?
>>> 
>>> -J
>>> 
>>> Sent via iPhone
>>> 
>>>> On Mar 17, 2016, at 02:44, Mark Allan wrote:
>>>> 
>>>> Just to confirm, I'm also seeing everything being flagged as
>>>> Win.Trojan.Trojan-476 with the new main/daily.cvd files.
>>>> 
>>>> Mark
>>>> 
>>>>> On 17 Mar 2016, at 6:49 am, Al Varnell wrote:
>>>>> 
>>>>> I just ran a scan against the ClamAV test files contained in the
>>>>> 0.99.1 source file and I’m getting all Win.Trojan.Trojan-476:

Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Yuri Voinov

Well, so?

ClamAV Community Threat Tracking System is down?

The answer is yes or no?

On 20.03.16 2:24, Dennis Peterson wrote:
> My proxy had stale cache data as shown in the last post and that is why I was
> seeing what appeared to be an active site. I should have explained better in
> that post rather than assume everyone knows what squid logs show us. The stats
> site web server is down but clamav.net DNS is providing the IP to what is now a
> ghost server somewhere in Germany that responds to a ping. That's a bad idea
> because that IP could be repurposed in alarming ways. The clamav.net NS records
> need to be updated to reflect the current configuration - that is to say
> stats.clamav.net along with the www cname should be dropped or repointed to a
> Sourcefire web server page that explains the situation. That's why I say the DNS
> is wonky.
>
> dp
>
> On 3/19/16 1:08 PM, Yuri Voinov wrote:
> root @ cthulhu / # dig www.stats.clamav.net
>
> ; <<>> DiG 9.6-ESV-R11-P4 <<>> www.stats.clamav.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37863
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.stats.clamav.net.  IN  A
>
> ;; ANSWER SECTION:
> www.stats.clamav.net.   86400   IN  CNAME   vm01.stats.clamav.net.
> vm01.stats.clamav.net.  86400   IN  A   188.40.140.240
>
> ;; Query time: 547 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Mar 20 02:03:03 ALMT 2016
> ;; MSG SIZE  rcvd: 73
>
> root @ cthulhu / # ping 188.40.140.240
> 188.40.140.240 is alive
> root @ cthulhu / # telnet 188.40.140.240 80
> Trying 188.40.140.240...
> telnet: Unable to connect to remote host: Connection refused
> root @ cthulhu / # telnet 188.40.140.240 443
> Trying 188.40.140.240...
> telnet: Unable to connect to remote host: Connection refused
>
> I remember it uses OpenID as authentication.
>
> But this host is not listening on port 80 or 443 as shown above.
>
> On 19.03.16 21:51, Dennis Peterson wrote:
>> The DNS configuration for www.stats.clamav.net is suspect



Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Dennis Peterson
It no longer exists by design but the IP is still on an active system just to 
confuse things.


dp

On 3/19/16 1:27 PM, Yuri Voinov wrote:

Well, so?


ClamAV Community Threat Tracking System is down?

The answer is yes or no?



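Dennis's "ghost server" is the classic dangling-record problem: the name still resolves, the address still answers ping, but nothing at that address is the service the name promises, and whoever is next assigned the address inherits the hostname and every client that trusts it. The following is an added example, not code from this thread, that turns the check Yuri ran by hand (follow the CNAME chain, then see whether anything listens on 80/443) into a small classifier. The lookup and probe functions are injected so that it runs offline against records and probe results copied from the dig and telnet transcript above; `live_lookup` and `tcp_open` are the network-backed versions and are the example's own helpers.

```python
import socket

# Records copied from the dig output in this thread, held as a constructed in-memory zone.
# Each name maps to a single (type, target) record to keep the example small.
CONSTRUCTED_ZONE = {
    "www.stats.clamav.net": ("CNAME", "vm01.stats.clamav.net"),
    "vm01.stats.clamav.net": ("A", "188.40.140.240"),
}
# Outcome of the two telnet probes in the thread: connection refused on 80 and 443.
CONSTRUCTED_PROBES = {("188.40.140.240", 80): False, ("188.40.140.240", 443): False}


def follow_cnames(name, lookup, max_hops=8):
    """Return (chain, ip): every name visited, and the final address or None if the chain dead-ends.
    Loops and over-long chains raise instead of spinning."""
    chain = [name]
    for _ in range(max_hops):
        record = lookup(chain[-1])
        if record is None:
            return chain, None
        rtype, target = record
        if rtype == "A":
            return chain, target
        if target in chain:
            raise RuntimeError("CNAME loop through %s" % target)
        chain.append(target)
    raise RuntimeError("CNAME chain longer than %d hops" % max_hops)


def classify(name, lookup, probe, ports=(80, 443)):
    """
    'unresolvable' - no address: nothing for DNS to mislead a client to
    'serving'      - the address answers on at least one expected port
    'dangling'     - the address resolves but nothing listens: delete or repoint
                     the record before the address is handed to someone else
    """
    chain, ip = follow_cnames(name, lookup)
    if ip is None:
        return "unresolvable", chain, None
    if any(probe(ip, port) for port in ports):
        return "serving", chain, ip
    return "dangling", chain, ip


def live_lookup(name):
    """System-resolver lookup for real use. gethostbyname follows CNAMEs itself,
    so the chain detail is lost and only the final A record (or None) is returned."""
    try:
        return ("A", socket.gethostbyname(name))
    except socket.gaierror:
        return None


def tcp_open(ip, port, timeout=3.0):
    """Live TCP connect probe for real use; refused or timed-out counts as closed."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    verdict, chain, ip = classify("www.stats.clamav.net", CONSTRUCTED_ZONE.get,
                                  lambda ip, port: CONSTRUCTED_PROBES.get((ip, port), False))
    print(verdict, " -> ".join(chain), ip)
```

Run with `live_lookup` and `tcp_open` in place of the constructed versions, the same classifier can sweep a list of hostnames an organisation has retired; every "dangling" verdict is a record to remove, not a server to ping.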
Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Dennis Peterson


sigtool --unpack=main.cvd
rm -f main.cvd

grep EICAR main.*
main.hdb:44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1
main.hsb:275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f:68:Win.Test.EICAR_HSB-1
main.mdb:45056:3ea7d00dedd30bcdf46191358c36ffa4:Win.Test.EICAR_MDB-1
main.msb:45056:f9b304ced34fcce3ab75c6dc58ad59e4d62177ffed35494f79f09bc4e8986c16:Win.Test.EICAR_MSB-1
main.ndb:Win.Test.EICAR_NDB-1:0:0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a


On 3/16/16 11:49 PM, Al Varnell wrote:

I just ran a scan against the ClamAV test files contained in the 0.99.1 source 
file and I’m getting all Win.Trojan.Trojan-476:




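The records above show the same test file expressed in three of ClamAV's simple signature formats (md5 in .hdb, sha256 in .hsb, a hex byte pattern in .ndb). As an added example, not part of the post, the script below parses those three records and matches data against them the way the engine does for these formats; it generalizes the .ndb matcher to the `??` and `*` wildcards, which goes beyond the single plain-hex record shown and is an assumption about the common syntax only.

```python
"""Added example (not from the mailing-list post): parse the EICAR records that
`sigtool --unpack=main.cvd` exposes in main.hdb / main.hsb / main.ndb and check
a file's bytes against them. The sample records are copied from the post; the
hex in the ndb record decodes to the EICAR test string, so no external file is
needed (main.mdb / main.msb are PE-section hashes and are not handled here)."""
import hashlib
import re

HDB_RECORD = "44d88612fea8a8f36de82e1278abb02f:68:Win.Test.EICAR_HDB-1"
HSB_RECORD = ("275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
              ":68:Win.Test.EICAR_HSB-1")
NDB_RECORD = ("Win.Test.EICAR_NDB-1:0:0:"
              "58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d"
              "5354414e444152442d414e544956495255532d544553542d46494c452124482b482a")


def parse_hash_record(line):
    """hdb/hsb format: <hash>:<file size>:<signature name>."""
    digest, size, name = line.strip().split(":", 2)
    return {"hash": digest.lower(), "size": int(size), "name": name}


def parse_ndb_record(line):
    """ndb format: <name>:<target type>:<offset>:<hex signature>."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}


def hexsig_to_regex(hexsig):
    """Compile a ClamAV-style hex signature into a bytes regex.
    Supports plain hex bytes plus the '??' and '*' wildcards (an assumption
    covering the common cases; ClamAV's full wildcard syntax is richer)."""
    tokens = re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", hexsig)
    if "".join(tokens) != hexsig:
        raise ValueError("unsupported hex signature syntax: %r" % hexsig)
    pattern = b""
    for tok in tokens:
        if tok == "??":
            pattern += b"."
        elif tok == "*":
            pattern += b".*"
        else:
            pattern += re.escape(bytes.fromhex(tok))
    return re.compile(pattern, re.DOTALL)


def match_hash_record(data, record, algo):
    """True when size and digest both match (hdb uses md5, hsb uses sha256)."""
    if len(data) != record["size"]:
        return False
    return hashlib.new(algo, data).hexdigest() == record["hash"]


def match_ndb_record(data, record):
    """Anchored at the numeric offset, or searched anywhere when offset is '*'."""
    rx = hexsig_to_regex(record["hexsig"])
    if record["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(record["offset"])) is not None


def scan(data):
    """Return the names of the EICAR records that fire on `data`, in db order."""
    hdb = parse_hash_record(HDB_RECORD)
    hsb = parse_hash_record(HSB_RECORD)
    ndb = parse_ndb_record(NDB_RECORD)
    hits = []
    if match_hash_record(data, hdb, "md5"):
        hits.append(hdb["name"])
    if match_hash_record(data, hsb, "sha256"):
        hits.append(hsb["name"])
    if match_ndb_record(data, ndb):
        hits.append(ndb["name"])
    return hits


def eicar_bytes():
    """Reconstruct the 68 test-file bytes from the ndb record's hex."""
    return bytes.fromhex(parse_ndb_record(NDB_RECORD)["hexsig"])


if __name__ == "__main__":
    sample = eicar_bytes()
    print(sample.decode("ascii"))
    print(scan(sample))            # all three records fire
    print(scan(sample + b"\n"))    # hash records need the exact size; ndb still fires
```

The trailing-newline case is the practical difference between the formats: a byte appended to the file defeats the hash records but not the pattern record.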


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Dennis Peterson
My proxy had stale cache data as shown in the last post and that is why I was 
seeing what appeared to be an active site. I should have explained better in 
that post rather than assume everyone knows what squid logs show us. The stats 
site web server is down but clamav.net DNS is providing the IP to what is now a 
ghost server somewhere in Germany that responds to a ping. That's a bad idea 
because that IP could be repurposed in alarming ways. The clamav.net NS records 
need to be updated to reflect the current configuration - that is to say 
stats.clamav.net along with the www cname should be dropped or repointed to a 
Sourcefire web server page that explains the situation. That's why I say the DNS 
is wonky.


dp

On 3/19/16 1:08 PM, Yuri Voinov wrote:

Are you really sure this host works?


root @ cthulhu / # dig www.stats.clamav.net

; <<>> DiG 9.6-ESV-R11-P4 <<>> www.stats.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37863
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.stats.clamav.net.  IN  A

;; ANSWER SECTION:
www.stats.clamav.net.   86400   IN  CNAME   vm01.stats.clamav.net.
vm01.stats.clamav.net.  86400   IN  A   188.40.140.240

;; Query time: 547 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 20 02:03:03 ALMT 2016
;; MSG SIZE  rcvd: 73

root @ cthulhu / # ping 188.40.140.240
188.40.140.240 is alive
root @ cthulhu / # telnet 188.40.140.240 80
Trying 188.40.140.240...
telnet: Unable to connect to remote host: Connection refused
root @ cthulhu / # telnet 188.40.140.240 443
Trying 188.40.140.240...
telnet: Unable to connect to remote host: Connection refused

I remember it uses OpenID as authentication.

But this host is not listening on port 80 or 443 as shown above.

19.03.16 21:51, Dennis Peterson wrote:

The DNS configuration for www.stats.clamav.net is suspect




Re: [clamav-users] clamav on virus total

2016-03-19 Thread Joel Esler (jesler)
Those are unique.

--
Joel Esler
iPhone

On Mar 17, 2016, at 4:41 PM, C.D. Cochrane <c...@post.com> wrote:

Thank you all for the replies.  Just wanted to make sure my approach was 
logical, and VT is a reliable reference point for clamav comparison scanning.

"millions of samples" received daily, wow!  But how many are unique?  Or, 
putting on my "pretend bad guy" hat - if I was a virus writer I would submit a 
few thousand red herrings to clamav every day.  Must be challenging to keep up 
and I can never complain about a free tool.
thanks again,
Chris



Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Yuri Voinov

Are you really sure this host works?

root @ cthulhu / # dig www.stats.clamav.net

; <<>> DiG 9.6-ESV-R11-P4 <<>> www.stats.clamav.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37863
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.stats.clamav.net.  IN  A

;; ANSWER SECTION:
www.stats.clamav.net.   86400   IN  CNAME   vm01.stats.clamav.net.
vm01.stats.clamav.net.  86400   IN  A   188.40.140.240

;; Query time: 547 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 20 02:03:03 ALMT 2016
;; MSG SIZE  rcvd: 73

root @ cthulhu / # ping 188.40.140.240
188.40.140.240 is alive
root @ cthulhu / # telnet 188.40.140.240 80
Trying 188.40.140.240...
telnet: Unable to connect to remote host: Connection refused
root @ cthulhu / # telnet 188.40.140.240 443
Trying 188.40.140.240...
telnet: Unable to connect to remote host: Connection refused

I remember it uses OpenID as authentication.

But this host is not listening on port 80 or 443 as shown above.

19.03.16 21:51, Dennis Peterson wrote:
> The DNS configuration for www.stats.clamav.net is suspect




[clamav-users] FYI clamdmon not working - due to change in Eicar name

2016-03-19 Thread Mark Moshe Kaye

Hi all,

I use the clamdmon utility for monitoring the health of my clamd daemon.

Since receiving the new main, daily, and bytecode this evening my 
clamdmon is no longer working.


I found the source code for clamdmon which shows the issue. The code is 
looking for a "Eicar-Test-Signature" string which is now 
"Win.Test.EICAR_NDB-1". As soon as I hacked the clamdmon code and 
recompiled it works as it did previously.


so:
1) FYI in case you use clamdmon as I do!
2) Can I rely that Win.Test.EICAR_NDB-1 is the new name going forward or 
is this likely to change back to Eicar-Test-Signature?


Thank you,
~Moshe
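The failure mode here is a monitor that keys on one literal signature name. As an added example, not clamdmon's own code, the health check below frames the EICAR bytes for clamd's INSTREAM command and parses the reply without depending on the exact name; the socket path and the EICAR string are assumptions, and the network part only runs against a live clamd.

```python
"""Added example (not clamdmon's code): a clamd health check that does not
hard-code "Eicar-Test-Signature", so the rename to Win.Test.EICAR_NDB-1 seen
on the list does not break monitoring."""
import re
import socket
import struct

# Assumed inputs: the 68-byte EICAR test string and a typical LocalSocket path
# (check the LocalSocket setting in your clamd.conf).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# clamd answers a z-prefixed command with a NUL-terminated line such as
#   "stream: Win.Test.EICAR_NDB-1 FOUND\0"   "stream: OK\0"   "stream: ... ERROR\0"
REPLY_RE = re.compile(r"^(?P<id>[^:]+): (?:(?P<sig>.+) FOUND|OK|(?P<err>.+ ERROR))$")


def instream_frames(data, chunk=4096):
    """Build the INSTREAM payload: b'zINSTREAM\\0', then <u32 big-endian length>
    <bytes> chunks, terminated by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def classify_reply(reply):
    """Map a raw reply to ('found', name) / ('clean', None) / ('error', text).
    Tolerates a trailing NUL or newline and any signature name."""
    text = reply.decode("utf-8", "replace").rstrip("\0\n")
    m = REPLY_RE.match(text)
    if not m:
        return ("error", "unparseable reply: %r" % text)
    if m.group("sig"):
        return ("found", m.group("sig"))
    if m.group("err"):
        return ("error", m.group("err"))
    return ("clean", None)


def is_healthy_detection(reply, strict=True):
    """What a monitor should check instead of one literal name.
    strict=True accepts any EICAR-family name (Eicar-Test-Signature,
    Win.Test.EICAR_NDB-1, ...); strict=False accepts any FOUND, which keeps
    the monitor green while a rename like the one in this thread rolls out."""
    status, name = classify_reply(reply)
    if status != "found":
        return False
    return "eicar" in name.lower() if strict else True


def check_clamd(sock_path=CLAMD_SOCKET, timeout=10.0, strict=True):
    """Send EICAR through INSTREAM and report (healthy, parsed reply)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(instream_frames(EICAR))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return is_healthy_detection(reply, strict), classify_reply(reply)


if __name__ == "__main__":
    healthy, detail = check_clamd()
    print("clamd healthy" if healthy else "clamd NOT healthy", detail)
```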



Re: [clamav-users] Where do I send the latest zip with a ransomware viri in it?

2016-03-19 Thread Gene Heskett
On Wednesday 16 March 2016 18:43:04 James Brown wrote:

> http://www.clamav.net/reports/malware

Site will not take it, shows the crossout cursor, red circle with 
slashbar when I move the mouse to the submit button.  Let me know on the 
list when it works..
>
> Also email it to samp...@sanesecurity.me.uk
>
> James.
>
> > On 17 Mar 2016, at 9:30 AM, Gene Heskett  wrote:
> >
> > Greetings all;
> >
> > I got a zip this morning, addressed to me from me.  Dropped on
> > virustotal, shows 9 hits from other viri detectors.
> >
> > Opening this will ruin your day.  It's ransomware.
> >
> > I'm now nuking that real source address on the mail server.  No clue
> > if that will help, but when a class D attacks me, that whole class C
> > gets sent to /dev/null on the mail server, forever.
> >
> > But I have saved it, and you need to develop a detector pretty fast,
> >  so where do I send it?
> >
> > Cheers, Gene Heskett
> > --
> > "There are four boxes to be used in defense of liberty:
> > soap, ballot, jury, and ammo. Please use in that order."
> > -Ed Howdershelt (Author)
> > Genes Web page 
>


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason Williams
Is anyone still seeing this or have they fixed it?

-J

Sent via iPhone

> On Mar 17, 2016, at 02:44, Mark Allan  wrote:
> 
> Just to confirm, I'm also seeing everything being flagged as 
> Win.Trojan.Trojan-476 with the new main/daily.cvd files.
> 
> Mark
> 
>> On 17 Mar 2016, at 6:49 am, Al Varnell  wrote:
>> 
>> I just ran a scan against the ClamAV test files contained in the 0.99.1 
>> source file and I’m getting all Win.Trojan.Trojan-476:
>> 
>> File Name    Infection Name    Status
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz
>> Win.Trojan.Trojan-476
>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso
>> Win.Troj

Re: [clamav-users] Problem with mirrors overnight?

2016-03-19 Thread Joel Esler (jesler)
It's possible they are overloaded.  We released a new main.cvd and daily late 
last night.

--
Joel Esler
iPhone

On Mar 17, 2016, at 8:41 AM, Alex <mysqlstud...@gmail.com> wrote:

Hi,
Is there currently an issue with the mirrors? I have at least two
systems on two different networks that are having difficulty
downloading updates from the clamav mirrors. The sanesecurity and
other rulesets aren't having the same problem.

This is after a series of "Ignoring mirror 200.236.31.1 (due to
previous errors)":

Trying to download http://db.us.clamav.net/daily.cvd (IP: 69.163.100.14)
nonblock_recv: recv timing out (30 secs)
ERROR: getfile: Download interrupted: Operation now in progress (IP:
69.163.100.14)
ERROR: Can't download daily.cvd from db.us.clamav.net
Querying daily.0.81.0.0.45A3640E.ping.clamav.net
Giving up on db.us.clamav.net...
Update failed. Your network may be down or none of the mirrors listed
in /etc/freshclam.conf is working. Check
http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

This also isn't a DNS problem.

# host db.us.clamav.net
db.us.clamav.net is an alias for 
db.us.big.clamav.net.
db.us.big.clamav.net has address 128.199.133.36
db.us.big.clamav.net has address 64.22.33.90
db.us.big.clamav.net has address 69.12.162.28
db.us.big.clamav.net has address 150.214.142.197
db.us.big.clamav.net has address 168.143.19.95
db.us.big.clamav.net has address 194.8.197.22
db.us.big.clamav.net has address 172.110.204.67
db.us.big.clamav.net has address 78.46.82.212
db.us.big.clamav.net has address 155.98.64.87
db.us.big.clamav.net has address 207.57.106.31
db.us.big.clamav.net has address 198.148.78.4
db.us.big.clamav.net has address 69.163.100.14
db.us.big.clamav.net has address 200.236.31.1
db.us.big.clamav.net has address 208.72.56.53
db.us.big.clamav.net has address 209.198.147.20
db.us.big.clamav.net has address 64.6.100.177
db.us.big.clamav.net has address 104.131.196.175
db.us.big.clamav.net has address 194.186.47.19

Thanks,
Alex


[clamav-users] no new signatures

2016-03-19 Thread polloxx
Dear,

Since the migration we have no new signatures:
freshclam.log shows:

Fri Mar 18 14:34:15 2016 -> --
Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar 18
14:34:15 2016
Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended
version: 0.99.1
Fri Mar 18 14:34:15 2016 -> DON'T PANIC! Read
http://www.clamav.net/support/faq
Fri Mar 18 14:34:15 2016 -> main.cvd is up to date (version: 57, sigs:
4218790, f-level: 60, builder: amishhammer)
Fri Mar 18 14:34:15 2016 -> daily.cvd is up to date (version: 21466, sigs:
83889, f-level: 63, builder: amishhammer)
Fri Mar 18 14:34:15 2016 -> bytecode.cvd is up to date (version: 275, sigs:
45, f-level: 63, builder: amishhammer)

What's wrong with our config?
P.


Re: [clamav-users] clamav on virus total

2016-03-19 Thread Al Varnell
My impression has always been yes, but you would probably have to ask VT about 
that.

Sent from Janet's iPad

-Al-

On Mar 17, 2016, at 1:05 PM, "C.D. Cochrane" wrote:
> Hi,
> Over the last 2 months of use I have collected and submitted 20+ virus 
> attachments to clamav. I always check the files on virustotal dot com before 
> submitting to clamav. To date, only one of the files is detected by clamav as 
> a virus on virustotal (and on my server), while other vendor detection counts 
> have increased there when I re-check.
> 
> My only question: Is clamav on virustotal kept up to date with the latest 
> versions of things?
> thanks,
> Chris


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Joel Esler (jesler)
That's the way it used to be.  Used to have openid as a log in option.

--
Joel Esler
iPhone

On Mar 19, 2016, at 10:52 AM, Dennis Peterson <denni...@inetnw.com> wrote:

The DNS configuration for www.stats.clamav.net is
suspect. I just looked at the squid logs and see this:

1458401557.097598  TCP_CLIENT_REFRESH_MISS/503 890 GET 
http://www.stats.clamav.net/ - DIRECT/188.40.140.240 text/html

1458401566.520599 TCP_REFRESH_HIT/200 1431 GET http://www.stats.clamav.net/ 
- DIRECT/188.40.140.240 text/html
1458401567.162597 TCP_REFRESH_HIT/200 7030 GET 
http://www.stats.clamav.net/js/openid-jquery.js - DIRECT/188.40.140.240 
application/javascript
1458401567.239719 TCP_REFRESH_HIT/200 1104 GET 
http://www.stats.clamav.net/css/openid.css - DIRECT/188.40.140.240 text/css
1458401567.351786 TCP_REFRESH_HIT/200 56215 GET 
http://www.stats.clamav.net/js/jquery-1.2.6.min.js - DIRECT/188.40.140.240 
application/javascript

Follow the DNS trail.

The URIs shown in the squid log are part of the results I see which is a login 
page that requires some kind of social media login. An ID scraper, perhaps.

dp

On 3/19/16 8:22 AM, Yuri Voinov wrote:




[clamav-users] ClamAV® blog: ClamAV Signature Interface maintenance is now complete! New Main.cvd!

2016-03-19 Thread Joel Esler (jesler)

http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html

ClamAV Signature Interface maintenance is now complete! New Main.cvd!
Our ClamAV Signature Interface maintenance is now complete.  While we apologize 
for the delay, the rollout of the new Signature Interface inside of ClamAV 
will result in several new features for the community, and I wanted to tell you 
about some of them:

First, the first new “main.cvd” in about two years.  This main.cvd has been 
completely re-written from scratch, and while the function of the “main” is 
largely the same, it’s been rewritten to not only enforce order to the 
signatures, but naming convention as well.  For example:

W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
Adware.Smshoax has moved to Win.Adware.Smshoax

Re-naming of the signatures may affect a local user’s whitelist.  If you have 
excluded certain signatures in the past that are now firing, we ask that you 
both submit the file to us for false positive remediation (if you believe it to 
be a false positive), and rename the signature whitelist on your side.

This new main is 109Mb in size, and contains 4 million signatures for ClamAV.  
Now that the main.cvd has been rewritten, it is now easier for us to create 
diffs, which means upgrading the main more often, and making the “daily.cvd” 
smaller more often.

Second,  we now have the ability to offer different types of CVDs.  For 
instance, we now have the ability to distribute 3rd party signatures that are 
officially signed by ClamAV, but updated through the ClamAV global mirror 
network.  If we wanted to separate out “policy” type signatures from the 
daily.cvd into their own cvd, we can now do that.

Third, while we have not removed some of the older signature formats, we did 
convert those older signatures to the newer formats to empty those older “cvd”s 
out.

For example:
“db" signatures were consolidated into “ndb" signatures
“zmd" and “rmd"  archive signatures we moved to the “cdb" container signature 
format

These formats are not new, they simply have never been published before. This 
includes other formats such as “hsb", “msb", “sfp", and “crb".  The older 
formats are supported for now, we are simply no longer publishing them.

Fourth, newer features, like the ability to write signatures based on the 
SHA256 of a file have been added to the system, and we can now publish that 
type of detection.

We’d like to thank you for your patience.

ClamAV team

Re: [clamav-users] clamscan false positives

2016-03-19 Thread Joel Esler (jesler)
Best thing to do is submit them as false positives on 
ClamAV.net

--
Joel Esler
iPhone

On Mar 17, 2016, at 6:54 AM, Thomas Stein <himbe...@meine-oma.de> wrote:

Hello Clamav users.

Last week i started to check a gentoo distfiles directory with clamscan.
To my big surprise clamscan found a lot of infected files. Taking a
closer look leads to the assumption all of them are false positives
because most of them are debugging tools.

ClamAV update process started at Sun Mar 13 22:00:01 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
builder: neo)
daily.cld is up to date (version: 21464, sigs: 1878899, f-level: 63,
builder: neo)
bytecode.cld is up to date (version: 274, sigs: 49, f-level: 63,
builder: anvilleg)
/var/www/gentoomirror/distfiles/sbd-1.37.tar.gz: Win.Trojan.Agent-558335
FOUND
/var/www/gentoomirror/distfiles/libzip-1.0.1.tar.xz:
Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/sqlninja-0.2.6-r1.tgz:
W32.Hacktool.KiTrap-1 FOUND
/var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.93.tar.gz:
ClamAV-Test-Signature FOUND
/var/www/gentoomirror/distfiles/olsrd-0.9.0.2.tar.bz2:
Java.Exploit.CVE_2013_2472-1 FOUND
/var/www/gentoomirror/distfiles/clamav-0.91.2.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.19.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/clamav-0.92.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.21.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/afl-1.80b.tgz: Win.Exploit.CVE_2015_0076
FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.22.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/olsrd-0.6.4.tar.bz2:
Java.Exploit.CVE_2013_2472-1 FOUND
/var/www/gentoomirror/distfiles/libwbxml-0.11.2.tar.bz2:
Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/framework-2.7.tar.gz:
Exploit.Alpha_Mixed FOUND
/var/www/gentoomirror/distfiles/libzip-1.1.1.tar.xz:
Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/wbxml2-0.9.2.tar.gz:
Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.91.tar.gz:
ClamAV-Test-Signature FOUND
/var/www/gentoomirror/distfiles/anomy-sanitizer-1.76.tar.gz:
Exploit.WMF.Gen-1 FOUND
/var/www/gentoomirror/distfiles/LinkChecker-9.3.tar.gz: ClamAV-Test-File
FOUND
/var/www/gentoomirror/distfiles/lg-112.tar.gz: HTML.Phishing.Pay-239 FOUND
/var/www/gentoomirror/distfiles/afl-2.07b.tgz: Win.Exploit.CVE_2015_0076
FOUND
/var/www/gentoomirror/distfiles/wbxml2-0.9.0-src.tar.gz:
Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/MailScanner-install-4.84.5-2.tar.gz:
Eicar-Test-Signature-1 FOUND
/var/www/gentoomirror/distfiles/lg-108.tar.gz: HTML.Phishing.Bank-1 FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.21.tar.gz:
Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/lg-130.tar.gz: HTML.Phishing.Bank-791 FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.22.tar.gz:
Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/nepenthes-0.2.2.tar.bz2:
Trojan.Downloader.Bat FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.20.tar.gz:
Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/lg-issue86.tar.gz: Exploit.IFrame.Gen FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.15.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/clamav-0.92.1.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/lg-141.tar.gz: HTML.Phishing.Bank-473 FOUND
/var/www/gentoomirror/distfiles/libzip-1.1.tar.xz:
Php.Exploit.CVE_2015_2331-2 FOUND

Is this a known behaviour?

thanks and cheers
t.


Re: [clamav-users] clamav on virus total

2016-03-19 Thread Joel Esler (jesler)
Yes.  They update constantly. We just aren't able to get to the millions of 
samples we receive a day.

--
Joel Esler
iPhone

On Mar 17, 2016, at 4:04 PM, Helmut Hullen <hul...@t-online.de> wrote:

Hello, C.D.,

You wrote on 17.03.16:

My only question: Is clamav on virustotal kept up to date with the
latest versions of things? thanks,

virustotal tells how old the signature file is.

Best regards!
Helmut



Re: [clamav-users] clamscan false positives

2016-03-19 Thread Thomas Stein
On 17.03.16 at 12:01, Joel Esler (jesler) wrote:
> Best thing to do is submit them as false positives on 
> ClamAV.net

Thanks for the tip. Will do so.

cheers
t.

> --
> Joel Esler
> iPhone
> 
> On Mar 17, 2016, at 6:54 AM, Thomas Stein <himbe...@meine-oma.de> wrote:
> 
> Hello Clamav users.
> 
> Last week i started to check a gentoo distfiles directory with clamscan.
> To my big surprise clamscan found a lot of infected files. Taking a
> closer look leads to the assumption all of them are false positives
> because most of them are debugging tools.
> 
> ClamAV update process started at Sun Mar 13 22:00:01 2016
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99 Recommended version: 0.99.1
> DON'T PANIC! Read http://www.clamav.net/support/faq
> main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
> builder: neo)
> daily.cld is up to date (version: 21464, sigs: 1878899, f-level: 63,
> builder: neo)
> bytecode.cld is up to date (version: 274, sigs: 49, f-level: 63,
> builder: anvilleg)
> /var/www/gentoomirror/distfiles/sbd-1.37.tar.gz: Win.Trojan.Agent-558335
> FOUND
> /var/www/gentoomirror/distfiles/libzip-1.0.1.tar.xz:
> Php.Exploit.CVE_2015_2331-2 FOUND
> /var/www/gentoomirror/distfiles/sqlninja-0.2.6-r1.tgz:
> W32.Hacktool.KiTrap-1 FOUND
> /var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.93.tar.gz:
> ClamAV-Test-Signature FOUND
> /var/www/gentoomirror/distfiles/olsrd-0.9.0.2.tar.bz2:
> Java.Exploit.CVE_2013_2472-1 FOUND
> /var/www/gentoomirror/distfiles/clamav-0.91.2.tar.gz: ClamAV-Test-File FOUND
> /var/www/gentoomirror/distfiles/metasploit-payloads-1.0.19.gem:
> Java.Trojan.Agent-31 FOUND
> /var/www/gentoomirror/distfiles/clamav-0.92.tar.gz: ClamAV-Test-File FOUND
> /var/www/gentoomirror/distfiles/metasploit-payloads-1.0.21.gem:
> Java.Trojan.Agent-31 FOUND
> /var/www/gentoomirror/distfiles/afl-1.80b.tgz: Win.Exploit.CVE_2015_0076
> FOUND
> /var/www/gentoomirror/distfiles/metasploit-payloads-1.0.22.gem:
> Java.Trojan.Agent-31 FOUND
> /var/www/gentoomirror/distfiles/olsrd-0.6.4.tar.bz2:
> Java.Exploit.CVE_2013_2472-1 FOUND
> /var/www/gentoomirror/distfiles/libwbxml-0.11.2.tar.bz2:
> Win.Trojan.Ramnit-5837 FOUND
> /var/www/gentoomirror/distfiles/framework-2.7.tar.gz:
> Exploit.Alpha_Mixed FOUND
> /var/www/gentoomirror/distfiles/libzip-1.1.1.tar.xz:
> Php.Exploit.CVE_2015_2331-2 FOUND
> /var/www/gentoomirror/distfiles/wbxml2-0.9.2.tar.gz:
> Win.Trojan.Ramnit-5837 FOUND
> /var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.91.tar.gz:
> ClamAV-Test-Signature FOUND
> /var/www/gentoomirror/distfiles/anomy-sanitizer-1.76.tar.gz:
> Exploit.WMF.Gen-1 FOUND
> /var/www/gentoomirror/distfiles/LinkChecker-9.3.tar.gz: ClamAV-Test-File
> FOUND
> /var/www/gentoomirror/distfiles/lg-112.tar.gz: HTML.Phishing.Pay-239 FOUND
> /var/www/gentoomirror/distfiles/afl-2.07b.tgz: Win.Exploit.CVE_2015_0076
> FOUND
> /var/www/gentoomirror/distfiles/wbxml2-0.9.0-src.tar.gz:
> Win.Trojan.Ramnit-5837 FOUND
> /var/www/gentoomirror/distfiles/MailScanner-install-4.84.5-2.tar.gz:
> Eicar-Test-Signature-1 FOUND
> /var/www/gentoomirror/distfiles/lg-108.tar.gz: HTML.Phishing.Bank-1 FOUND
> /var/www/gentoomirror/distfiles/Mail-ClamAV-0.21.tar.gz:
> Eicar-Test-Signature FOUND
> /var/www/gentoomirror/distfiles/lg-130.tar.gz: HTML.Phishing.Bank-791 FOUND
> /var/www/gentoomirror/distfiles/Mail-ClamAV-0.22.tar.gz:
> Eicar-Test-Signature FOUND
> /var/www/gentoomirror/distfiles/nepenthes-0.2.2.tar.bz2:
> Trojan.Downloader.Bat FOUND
> /var/www/gentoomirror/distfiles/Mail-ClamAV-0.20.tar.gz:
> Eicar-Test-Signature FOUND
> /var/www/gentoomirror/distfiles/lg-issue86.tar.gz: Exploit.IFrame.Gen FOUND
> /var/www/gentoomirror/distfiles/metasploit-payloads-1.0.15.gem:
> Java.Trojan.Agent-31 FOUND
> /var/www/gentoomirror/distfiles/clamav-0.92.1.tar.gz: ClamAV-Test-File FOUND
> /var/www/gentoomirror/distfiles/lg-141.tar.gz: HTML.Phishing.Bank-473 FOUND
> /var/www/gentoomirror/distfiles/libzip-1.1.tar.xz:
> Php.Exploit.CVE_2015_2331-2 FOUND
> 
> Is this a known behaviour?
> 
> thanks and cheers
> t.
> 



Re: [clamav-users] no new signatures

2016-03-19 Thread Helmut Hullen
Hello, polloxx,

You wrote on 18.03.16:

> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar
> 18 14:34:15 2016
> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is
> OUTDATED!


So what - updated or not updated?

Best regards!
Helmut



Re: [clamav-users] no new signatures

2016-03-19 Thread Steve basford




On 18 March 2016 13:46:42 polloxx  wrote:


Dear,

Since the migration we have no new signatures:

It's not your config, it's just that sig updates were put on hold on Friday.

I would think it's wise to hold off updates until the team know all 
went well with the sig changes and until the load on the mirrors drops a 
little.


So, just need to wait a little longer :]


Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity




Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Dennis Peterson
The DNS configuration for www.stats.clamav.net is suspect. I just looked at the
squid logs and see this:

1458401557.097598  TCP_CLIENT_REFRESH_MISS/503 890 GET http://www.stats.clamav.net/ - DIRECT/188.40.140.240 text/html
1458401566.520599 TCP_REFRESH_HIT/200 1431 GET http://www.stats.clamav.net/ - DIRECT/188.40.140.240 text/html
1458401567.162597 TCP_REFRESH_HIT/200 7030 GET http://www.stats.clamav.net/js/openid-jquery.js - DIRECT/188.40.140.240 application/javascript
1458401567.239719 TCP_REFRESH_HIT/200 1104 GET http://www.stats.clamav.net/css/openid.css - DIRECT/188.40.140.240 text/css
1458401567.351786 TCP_REFRESH_HIT/200 56215 GET http://www.stats.clamav.net/js/jquery-1.2.6.min.js - DIRECT/188.40.140.240 application/javascript


Follow the DNS trail.

The URIs shown in the squid log are part of the results I see which is a login 
page that requires some kind of social media login. An ID scraper, perhaps.


dp

On 3/19/16 8:22 AM, Yuri Voinov wrote:






Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
Disregard, I found it here after they got the new main.cvd:


I’ll see what I get once my main.cvd finishes.

-Al-

On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
> 
> I’m still looking, but so far I can’t find any Win.Trojan.Trojan signatures 
> in the ClamAV Official database or listed in clamav-virusdb e-mail list.  
> 
> Nor can I confirm your results using my own EICAR.
> 
> Are you using any Unofficial signatures from a different source?
> 
> -Al-
> 
> On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
>> 
>> Pulled down 21466 (and force restarted clamd) but it's still classifying
>> EICAR as Win.Trojan.Trojan:
>> 
>> https://gist.github.com/williamsjj/b8104402e80f44475df5
>> 
>> Databases are up to date now:
>> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
>> amishhammer)
>> Empty script daily-21465.cdiff, need to download entire database
>> Downloading daily.cvd [100%]
>> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder:
>> amishhammer)
>> Empty script bytecode-275.cdiff, need to download entire database
>> Downloading bytecode.cvd [100%]
>> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder:
>> amishhammer)
>> Database updated (4302724 signatures) from db.local.clamav.net (IP:
>> 193.1.193.64)
>> 
>> 
>> 
>> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell  wrote:
>> 
>>> Those are normal messages for an update of this kind.  The 21465.cdiff was
>>> purposely blank in order to force you to download the entire daily.cvd.
>>> Give it plenty of time as the main.cvd is 109MB.
>>> 
>>> Technical details:
>>> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
>>> 
>>> -Al-
>>> 
>>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
>>>> 
>>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out
>>>> of freshclam:
>>>> 
>>>> WARNING: getfile: Error while reading database from db.local.clamav.net
>>>> (IP: 200.236.31.1): Operation now in progress
>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>> nonblock_recv: recv timing out (30 secs)
>>>> WARNING: getfile: Error while reading database from db.local.clamav.net
>>>> (IP: 194.186.47.19): Operation now in progress
>>>> WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
>>>> Empty script daily-21465.cdiff, need to download entire database
>>>> 
>>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell wrote:
>>>> 
>>>>> The new database was just made available, so I recommend you hold off
>>>>> until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
>>>>> excited about this.
>>>>> 
>>>>> -Al-
>>>>> 
>>>>> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
>>>>>> 
>>>>>> As of the latest daily update, running ClamAV against the EICAR test string
>>>>>> reports Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
>>>>>> 
>>>>>> -J




[clamav-users] Digest mode not working

2016-03-19 Thread Paul Kosinski
I have long had a subscription to the ClamAV users mailing list in
"digest" mode, but starting about 3 Feb 2016, I no longer got any
postings. Thinking that something had gone wrong with the list server,
I unsubscribed, got an emailed notice, created a new email address
(this one) and resubscribed with the new address.

Success: I once again received postings. Individually.

Since getting lots of individual emails is rather burdensome, I tried
switching to digest mode. Nothing -- for over 24 hours. (And yes, I did
check the March 2016 Archives Web page, and there were several postings
in that period I didn't get.)

So I turned off digest mode, and again I get lots of email from the
ClamAV Users list.

What's going on?

Paul Kosinski


[clamav-users] Where do I send the latest zip with a ransomware virus in it?

2016-03-19 Thread Gene Heskett
Greetings all;

I got a zip this morning, addressed to me from me.  Dropped on
VirusTotal, it shows 9 hits from other virus detectors.

Opening this will ruin your day.  It's ransomware.

I'm now nuking that real source address on the mail server.  No clue if
that will help, but when a class D attacks me, that whole class C gets
sent to /dev/null on the mail server, forever.

But I have saved it, and you need to develop a detector pretty fast, so
where do I send it?

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Yuri Voinov

http://i.imgur.com/1IujS9w.png
http://i.imgur.com/dWI5TZx.png

There is no matter.

Are you really sure this URL works now?

19.03.16 21:19, Dennis Peterson wrote:
> The png file shows you're using the wrong URL. http://www.stats.clamav.net
>
> dp
>
> On 3/19/16 8:12 AM, Yuri Voinov wrote:
>


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Dennis Peterson

The png file shows you're using the wrong URL. http://www.stats.clamav.net

dp

On 3/19/16 8:12 AM, Yuri Voinov wrote:



Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Dennis Peterson
Yes - I just looked a short time ago. Is that (stats) site still not working for 
you? It does respond here.


dp

On 3/19/16 8:09 AM, Yuri Voinov wrote:
> BTW,
>
> freshclam.conf.sample still contains old info about this service. You
> know that?
>
> 19.03.16 20:37, Dennis Peterson wrote:
>> A reference to it is in legacy freshclam.conf files. Some people don't update
>> the conf files during RPM updates so that information lingers forever.
>>
>> dp
>>
>> On 3/18/16 6:41 PM, Joel Esler (jesler) wrote:
>>> Afaik, this hasn't been up in a long time.  We took it down, I
>>> thought, when we redid the website.
>>>
>>> --
>>> Joel Esler
>>> iPhone
>>>
>>> On Mar 18, 2016, at 6:30 PM, Dennis Peterson wrote:
>>>> Subject line was URL links on 3/17/2016.
>>>>
>>>> That was when Joel suggested the stats link should be removed.
>>>>
>>>> dp
>>>>
>>>> On 3/18/16 3:38 PM, Al Varnell wrote:
>>>>> Check the archives as I believe that was reported/discussed earlier.
>>>>>
>>>>> Sent from Janet's iPad
>>>>>
>>>>> -Al-
>>>>>
>>>>> On Mar 18, 2016, at 2:50 PM, Yuri Voinov wrote:
>>>>>> http://www.stats.clamav.net is not responding either via HTTP or HTTPS.
>>>>>>
>>>>>> Is ClamAV Community Threat Tracking System down?
>>>>>>
>>>>>> WBR, Yuri


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Yuri Voinov

http://i.imgur.com/HOLS7Qk.png

19.03.16 21:11, Dennis Peterson wrote:
> Yes - I just looked a short time ago. Is that (stats) site still not working
> for you? It does respond here.
>
> dp
>
> On 3/19/16 8:09 AM, Yuri Voinov wrote:
>> freshclam.conf.sample still contains old info about this service. You
>> know that?
>>
>> 19.03.16 20:37, Dennis Peterson wrote:
>>> A reference to it is in legacy freshclam.conf files. Some people
>>> don't update the conf files during RPM updates so that information lingers forever.
>>>
>>> dp
>>>
>>> On 3/18/16 6:41 PM, Joel Esler (jesler) wrote:
>>>> Afaik, this hasn't been up in a long time.  We took it down, I
>>>> thought, when we redid the website.
>>>> --
>>>> Joel Esler
>>>> iPhone
>>>>
>>>> On Mar 18, 2016, at 6:30 PM, Dennis Peterson wrote:
>>>>> Subject line was URL links on 3/17/2016.
>>>>>
>>>>> That was when Joel suggested the stats link should be removed.
>>>>>
>>>>> dp
>>>>>
>>>>> On 3/18/16 3:38 PM, Al Varnell wrote:
>>>>>> Check the archives as I believe that was reported/discussed earlier.
>>>>>>
>>>>>> Sent from Janet's iPad
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>> On Mar 18, 2016, at 2:50 PM, Yuri Voinov wrote:
>>>>>>> http://www.stats.clamav.net is not responding either via HTTP or
>>>>>>> HTTPS.
>>>>>>>
>>>>>>> Is ClamAV Community Threat Tracking System down?
>>>>>>>
>>>>>>> WBR, Yuri


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Yuri Voinov

BTW,

freshclam.conf.sample still contains old info about this service. You
know that?

19.03.16 20:37, Dennis Peterson wrote:
> A reference to it is in legacy freshclam.conf files. Some people don't update
> the conf files during RPM updates so that information lingers forever.
>
> dp
>
> On 3/18/16 6:41 PM, Joel Esler (jesler) wrote:
>> Afaik, this hasn't been up in a long time.  We took it down, I
>> thought, when we redid the website.
>>
>> --
>> Joel Esler
>> iPhone
>>
>> On Mar 18, 2016, at 6:30 PM, Dennis Peterson wrote:
>>> Subject line was URL links on 3/17/2016.
>>>
>>> That was when Joel suggested the stats link should be removed.
>>>
>>> dp
>>>
>>> On 3/18/16 3:38 PM, Al Varnell wrote:
>>>> Check the archives as I believe that was reported/discussed earlier.
>>>>
>>>> Sent from Janet's iPad
>>>>
>>>> -Al-
>>>>
>>>> On Mar 18, 2016, at 2:50 PM, Yuri Voinov wrote:
>>>>> http://www.stats.clamav.net is not responding either via HTTP or HTTPS.
>>>>>
>>>>> Is ClamAV Community Threat Tracking System down?
>>>>>
>>>>> WBR, Yuri


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Yuri Voinov

http://i.imgur.com/msYVACr.png

19.03.16 21:11, Dennis Peterson wrote:
> Yes - I just looked a short time ago. Is that (stats) site still not working
> for you? It does respond here.
>
> dp
>
> On 3/19/16 8:09 AM, Yuri Voinov wrote:
>> freshclam.conf.sample still contains old info about this service. You
>> know that?
>>
>> 19.03.16 20:37, Dennis Peterson wrote:
>>> A reference to it is in legacy freshclam.conf files. Some people
>>> don't update the conf files during RPM updates so that information lingers forever.
>>>
>>> dp
>>>
>>> On 3/18/16 6:41 PM, Joel Esler (jesler) wrote:
>>>> Afaik, this hasn't been up in a long time.  We took it down, I
>>>> thought, when we redid the website.
>>>> --
>>>> Joel Esler
>>>> iPhone
>>>>
>>>> On Mar 18, 2016, at 6:30 PM, Dennis Peterson wrote:
>>>>> Subject line was URL links on 3/17/2016.
>>>>>
>>>>> That was when Joel suggested the stats link should be removed.
>>>>>
>>>>> dp
>>>>>
>>>>> On 3/18/16 3:38 PM, Al Varnell wrote:
>>>>>> Check the archives as I believe that was reported/discussed earlier.
>>>>>>
>>>>>> Sent from Janet's iPad
>>>>>>
>>>>>> -Al-
>>>>>>
>>>>>> On Mar 18, 2016, at 2:50 PM, Yuri Voinov wrote:
>>>>>>> http://www.stats.clamav.net is not responding either via HTTP or
>>>>>>> HTTPS.
>>>>>>>
>>>>>>> Is ClamAV Community Threat Tracking System down?
>>>>>>>
>>>>>>> WBR, Yuri


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Yuri Voinov

Wow. :)

But what is RPM you said?

19.03.16 20:37, Dennis Peterson wrote:
> A reference to it is in legacy freshclam.conf files. Some people don't update
> the conf files during RPM updates so that information lingers forever.
>
> dp
>
> On 3/18/16 6:41 PM, Joel Esler (jesler) wrote:
>> Afaik, this hasn't been up in a long time.  We took it down, I
>> thought, when we redid the website.
>>
>> --
>> Joel Esler
>> iPhone
>>
>> On Mar 18, 2016, at 6:30 PM, Dennis Peterson wrote:
>>> Subject line was URL links on 3/17/2016.
>>>
>>> That was when Joel suggested the stats link should be removed.
>>>
>>> dp
>>>
>>> On 3/18/16 3:38 PM, Al Varnell wrote:
>>>> Check the archives as I believe that was reported/discussed earlier.
>>>>
>>>> Sent from Janet's iPad
>>>>
>>>> -Al-
>>>>
>>>> On Mar 18, 2016, at 2:50 PM, Yuri Voinov wrote:
>>>>> http://www.stats.clamav.net is not responding either via HTTP or HTTPS.
>>>>>
>>>>> Is ClamAV Community Threat Tracking System down?
>>>>>
>>>>> WBR, Yuri


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Dennis Peterson
A reference to it is in legacy freshclam.conf files. Some people don't update 
the conf files during RPM updates so that information lingers forever.


dp

On 3/18/16 6:41 PM, Joel Esler (jesler) wrote:
> Afaik, this hasn't been up in a long time.  We took it down, I thought, when we
> redid the website.
>
> --
> Joel Esler
> iPhone
>
> On Mar 18, 2016, at 6:30 PM, Dennis Peterson wrote:
>> Subject line was URL links on 3/17/2016.
>>
>> That was when Joel suggested the stats link should be removed.
>>
>> dp
>>
>> On 3/18/16 3:38 PM, Al Varnell wrote:
>>> Check the archives as I believe that was reported/discussed earlier.
>>>
>>> Sent from Janet's iPad
>>>
>>> -Al-
>>>
>>> On Mar 18, 2016, at 2:50 PM, Yuri Voinov wrote:
>>>> http://www.stats.clamav.net is not responding either via HTTP or HTTPS.
>>>>
>>>> Is ClamAV Community Threat Tracking System down?
>>>>
>>>> WBR, Yuri


[clamav-users] Signature updates?

2016-03-19 Thread Paul Kosinski
Am I right that there have been no new signatures available in the past
5 days (60 hours)?

Paul Kosinski



Re: [clamav-users] Problem with mirrors overnight?

2016-03-19 Thread Ralf Hildebrandt
* Matthias Hank :
> Hi,
> 
> On Thu, Mar 17, 2016 at 12:49:11PM +, Joel Esler (jesler) wrote:
> > It's possible they are overloaded.  We released a new main.cvd and daily 
> > late last night.
> 
> But why are always the same 3 of 13 German mirrors probed by freshclam?
> All of them are failing since last night on all of our servers.
> 
> Probed are:
> 178.63.73.246
> 84.39.110.99
> 88.198.17.100

http://lutz.donnerhacke.de/Blog/ClamAV-aktualisiert-sich-nicht-mehr

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
IT Division, Network Dept.         phone: +49-30-450.570.155

Re: [clamav-users] Why does this happen?

2016-03-19 Thread Benny Pedersen

On 2016-03-16 23:04, Steven Morgan wrote:

> server(/tmp): clamdscan --config-file=/apps/clamav/etc/clamd.conf testfile.pdf
> /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND
> Why?  How do I stop this?


is clamconf saying this clamd.conf is default config ?

is there diff results from using clamscan --config foo and clamdscan 
--config foo ?



Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
There have not been any additional updates released yet, so nothing could have 
changed.

-Al-

On Thu, Mar 17, 2016 at 10:25 AM, Jason Williams wrote:
> 
> Is anyone still seeing this or have they fixed it?
> 
> -J
> 
> Sent via iPhone
> 
>> On Mar 17, 2016, at 02:44, Mark Allan  wrote:
>> 
>> Just to confirm, I'm also seeing everything being flagged as 
>> Win.Trojan.Trojan-476 with the new main/daily.cvd files.
>> 
>> Mark
>> 
>>> On 17 Mar 2016, at 6:49 am, Al Varnell  wrote:
>>> 
>>> I just ran a scan against the ClamAV test files contained in the 0.99.1 
>>> source file and I’m getting all Win.Trojan.Trojan-476:
>>> 
>>> File Name   Infection Name   Status
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe   Win.Trojan.Trojan-476
>>> /Users/avarnell/Desk

Re: [clamav-users] no new signatures

2016-03-19 Thread Steve Basford

On Fri, March 18, 2016 2:05 pm, Helmut Hullen wrote:
> Hello, polloxx,
>
>
> You wrote on 18.03.16:
>
>
>> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar
>> 18 14:34:15 2016
>> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is
>> OUTDATED!
>>
>
>
> So what - updated or not updated?

> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
> Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended
> version: 0.99.1

The above just means that 0.98.1 is currently being used, but should
be upgraded to 0.99.1 which is the latest version of the engine.

The signatures haven't been updated since Friday.

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

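The freshclam output quoted in this thread mixes three separate things: the engine-version warning Steve explains above, the per-database version lines, and mirror trouble (the deliberately empty daily-21465.cdiff, recv timeouts, failed downloads). As an added example, not code from ClamAV or from anyone on the list, here is a small Python triage parser that keeps them apart; the sample log is constructed from lines quoted in this thread, and the regexes assume the wording of freshclam 0.99 as shown here.

```python
"""Triage freshclam output: tell 'engine outdated' apart from 'signatures
behind DNS' and from mirror trouble (empty .cdiff, read timeouts, failed
downloads). Added example, not ClamAV code. Works on plain freshclam output
and on freshclam.log lines carrying the 'Fri Mar 18 10:30:49 2016 -> ' prefix."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Optional freshclam.log timestamp prefix; the message formats below are assumed
# from the 0.99-era output quoted in the thread.
_TS = r"^(?:\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} -> )?"
_LOCAL = re.compile(_TS + r"WARNING: Local version: (\S+) Recommended version: (\S+)")
_DNS = re.compile(_TS + r"(\S+\.cvd) version from DNS: (\d+)")
_HAVE = re.compile(_TS + r"(\S+\.cvd) (?:is up to date|updated) \(version: (\d+), sigs: (\d+)")
_EMPTY = re.compile(_TS + r"Empty script (\S+\.cdiff), need to download entire database")
_TIMEOUT = re.compile(_TS + r"nonblock_recv: recv timing out \((\d+) secs\)")
_FAIL = re.compile(_TS + r"WARNING: (?:getpatch: )?Can't download (\S+) from (\S+)")


def version_tuple(v: str) -> Tuple[int, ...]:
    """'0.99.1' -> (0, 99, 1); tuple order gives 0.99 < 0.99.1 < 0.100."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Report:
    engine_local: Optional[str] = None
    engine_recommended: Optional[str] = None
    dns_versions: Dict[str, int] = field(default_factory=dict)    # db -> version advertised in DNS
    local_versions: Dict[str, int] = field(default_factory=dict)  # db -> version reported on disk
    sig_counts: Dict[str, int] = field(default_factory=dict)
    forced_full_downloads: List[str] = field(default_factory=list)  # empty .cdiff scripts seen
    timeouts: int = 0
    failed_downloads: List[Tuple[str, str]] = field(default_factory=list)  # (file, mirror)

    def engine_outdated(self) -> bool:
        """True only when a Local/Recommended pair was printed and local is older."""
        if not (self.engine_local and self.engine_recommended):
            return False
        return version_tuple(self.engine_local) < version_tuple(self.engine_recommended)

    def stale_databases(self) -> List[str]:
        """Databases whose on-disk version is behind (or absent versus) the DNS one."""
        return sorted(db for db, dns in self.dns_versions.items()
                      if self.local_versions.get(db, -1) < dns)


def parse(lines: Iterable[str]) -> Report:
    """Walk freshclam output line by line; unrecognised lines are ignored."""
    r = Report()
    for line in lines:
        line = line.rstrip("\n")
        if (m := _LOCAL.match(line)):
            r.engine_local, r.engine_recommended = m.group(1), m.group(2)
        elif (m := _DNS.match(line)):
            r.dns_versions[m.group(1)] = int(m.group(2))
        elif (m := _HAVE.match(line)):
            r.local_versions[m.group(1)] = int(m.group(2))
            r.sig_counts[m.group(1)] = int(m.group(3))
        elif (m := _EMPTY.match(line)):
            r.forced_full_downloads.append(m.group(1))
        elif _TIMEOUT.match(line):
            r.timeouts += 1
        elif (m := _FAIL.match(line)):
            r.failed_downloads.append((m.group(1), m.group(2)))
    return r


def summarize(r: Report) -> List[str]:
    """One finding per actionable condition; an empty list means nothing to do."""
    findings = []
    if r.engine_outdated():
        findings.append(f"engine outdated: {r.engine_local} installed, {r.engine_recommended} "
                        "recommended (an engine matter, not a signature one)")
    for db in r.stale_databases():
        findings.append(f"{db} behind DNS: local {r.local_versions.get(db, 'none')}, "
                        f"DNS {r.dns_versions[db]}")
    for script in r.forced_full_downloads:
        findings.append(f"{script} is empty: full database download forced (expected after a rebuild)")
    if r.timeouts:
        findings.append(f"{r.timeouts} mirror read timeout(s)")
    for name, mirror in r.failed_downloads:
        findings.append(f"could not download {name} from {mirror}")
    return findings


# Constructed sample, assembled from the freshclam output quoted in this thread.
SAMPLE_LOG = """\
Fri Mar 18 10:30:49 2016 -> Software version from DNS: 0.99.1
Fri Mar 18 10:30:49 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Fri Mar 18 10:30:49 2016 -> WARNING: Local version: 0.99 Recommended version: 0.99.1
Fri Mar 18 10:30:49 2016 -> main.cvd version from DNS: 57
Fri Mar 18 10:30:49 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Fri Mar 18 10:30:49 2016 -> daily.cvd version from DNS: 21466
Fri Mar 18 10:30:49 2016 -> Empty script daily-21465.cdiff, need to download entire database
Fri Mar 18 10:30:49 2016 -> Downloading daily.cvd [100%]
Fri Mar 18 10:30:49 2016 -> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
Fri Mar 18 10:30:49 2016 -> bytecode.cvd version from DNS: 275
Fri Mar 18 10:31:20 2016 -> nonblock_recv: recv timing out (30 secs)
Fri Mar 18 10:31:20 2016 -> WARNING: Can't download bytecode.cvd from db.US.clamav.net
"""

if __name__ == "__main__":
    for finding in summarize(parse(SAMPLE_LOG.splitlines())):
        print("-", finding)
```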


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Dennis Peterson

We're not yet sure if it's broken or a result of renaming signatures.

dp

On 3/17/16 10:25 AM, Jason Williams wrote:

Is anyone still seeing this or have they fixed it?

-J

Sent via iPhone


On Mar 17, 2016, at 02:44, Mark Allan  wrote:

Just to confirm, I'm also seeing everything being flagged as 
Win.Trojan.Trojan-476 with the new main/daily.cvd files.

Mark


On 17 Mar 2016, at 6:49 am, Al Varnell  wrote:

I just ran a scan against the ClamAV test files contained in the 0.99.1 source 
file and I’m getting all Win.Trojan.Trojan-476:




[clamav-users] freshclam error

2016-03-19 Thread Jerry
This is a new installation of clamav on a FreeBSD 11 amd64 system. I am
encountering errors in the freshclam.log file. This is the output from
a clean start with debug messages enabled.

Fri Mar 18 10:30:49 2016 -> --
Fri Mar 18 10:30:49 2016 -> Current working dir is /var/db/clamav
Fri Mar 18 10:30:49 2016 -> freshclam daemon 0.99 (OS: freebsd11.0, ARCH: amd64, CPU: amd64)
Fri Mar 18 10:30:49 2016 -> Max retries == 3
Fri Mar 18 10:30:49 2016 -> ClamAV update process started at Fri Mar 18 10:30:49 2016
Fri Mar 18 10:30:49 2016 -> Using IPv6 aware code
Fri Mar 18 10:30:49 2016 -> Querying current.cvd.clamav.net
Fri Mar 18 10:30:49 2016 -> TTL: 1017
Fri Mar 18 10:30:49 2016 -> Software version from DNS: 0.99.1
Fri Mar 18 10:30:49 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Fri Mar 18 10:30:49 2016 -> WARNING: Local version: 0.99 Recommended version: 0.99.1
Fri Mar 18 10:30:49 2016 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Fri Mar 18 10:30:49 2016 -> main.cvd version from DNS: 57
Fri Mar 18 10:30:49 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Fri Mar 18 10:30:49 2016 -> daily.cvd version from DNS: 21466
Fri Mar 18 10:30:49 2016 -> daily.cvd is up to date (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
Fri Mar 18 10:30:49 2016 -> safebrowsing.cvd version from DNS: 44501
Fri Mar 18 10:30:49 2016 -> safebrowsing.cvd is up to date (version: 44501, sigs: 1935466, f-level: 63, builder: google)
Fri Mar 18 10:30:49 2016 -> Retrieving http://db.US.clamav.net/bytecode.cvd
Fri Mar 18 10:30:50 2016 -> Trying to download http://db.US.clamav.net/bytecode.cvd (IP: 128.199.133.36)
Fri Mar 18 10:31:20 2016 -> nonblock_recv: recv timing out (30 secs)
Fri Mar 18 10:31:20 2016 -> WARNING: getfile: Error while reading database from db.US.clamav.net (IP: 128.199.133.36): Operation now in progress
Fri Mar 18 10:31:20 2016 -> WARNING: Can't download bytecode.cvd from db.US.clamav.net
Fri Mar 18 10:31:20 2016 -> Querying bytecode.0.81.0.0.80C78524.ping.clamav.net
Fri Mar 18 10:31:20 2016 -> Trying again in 5 secs...
Fri Mar 18 10:31:25 2016 -> ClamAV update process started at Fri Mar 18 10:31:25 2016
Fri Mar 18 10:31:25 2016 -> Using IPv6 aware code
Fri Mar 18 10:31:25 2016 -> Querying current.cvd.clamav.net
Fri Mar 18 10:31:25 2016 -> TTL: 981
Fri Mar 18 10:31:25 2016 -> Software version from DNS: 0.99.1
Fri Mar 18 10:31:25 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Fri Mar 18 10:31:25 2016 -> WARNING: Local version: 0.99 Recommended version: 0.99.1
Fri Mar 18 10:31:25 2016 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Fri Mar 18 10:31:25 2016 -> main.cvd version from DNS: 57
Fri Mar 18 10:31:25 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Fri Mar 18 10:31:25 2016 -> daily.cvd version from DNS: 21466
Fri Mar 18 10:31:25 2016 -> daily.cvd is up to date (version: 21466, sigs: 83889, f-level: 63, builder: amishhammer)
Fri Mar 18 10:31:25 2016 -> safebrowsing.cvd version from DNS: 44501
Fri Mar 18 10:31:25 2016 -> safebrowsing.cvd is up to date (version: 44501, sigs: 1935466, f-level: 63, builder: google)
Fri Mar 18 10:31:25 2016 -> Retrieving http://db.US.clamav.net/bytecode.cvd
Fri Mar 18 10:31:25 2016 -> Trying to download http://db.US.clamav.net/bytecode.cvd (IP: 200.236.31.1)
Fri Mar 18 10:31:26 2016 -> Downloading bytecode.cvd [100%]
Fri Mar 18 10:31:26 2016 -> Loading signatures from bytecode.cvd
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Initializing phishcheck module
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Phishcheck module initialized
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Bytecode initialized in JIT mode
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: in cli_cvdload()
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: MD5(.tar.gz) = f6452312a7a8c1e0a00b9c2402e0f2ed
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: cli_versig: Decoded signature: f6452312a7a8c1e0a00b9c2402e0f2ed
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: cli_versig: Digital signature is correct.
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: in cli_tgzload()
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: bytecode.info loaded
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: in cli_tgzload_cleanup()
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: in cli_tgzload()
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Initializing engine->root[0]
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Initialising AC pattern matcher of root[0]
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Initializing engine->root[1]
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: Initialising AC pattern matcher of root[1]
Fri Mar 18 10:31:26 2016 -> LibClamAV debug: cli_

[clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
As of the latest daily update, running ClamAV against the EICAR test string
reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.

-J


[clamav-users] New ClamAV database....test results for Clamwin

2016-03-19 Thread Groach

For your info:

I run Clamwin, with the additional Clamd, and supplemented with Sane 
security definitions.


I was VERY apprehensive about today and the pessimist inside (for good 
reason!) was expecting a range of problems.


However, I just performed a forced DB update download, and an EICAR test 
(through my MTA) and an email with a known virus (that I know SANE 
(only!) used to catch).


Results:   ALL OK

Update:  without problems
Eicar: new report: "Win-test-eicar-ndb-1" found
Sane:   yep, that was detected too.

So my feedback is GOOD for Clamwin users.


Re: [clamav-users] Signature updates?`

2016-03-19 Thread Joel Esler (jesler)
Paul,


You are correct.   We're going through testing right now, expect an 
announcement from me shortly.

--
Joel Esler
iPhone

On Mar 16, 2016, at 11:04 AM, Paul Kosinski wrote:

Paul Kosinski



Re: [clamav-users] clamav on virus total

2016-03-19 Thread Helmut Hullen
Hello, C.D.,

You wrote on 17.03.16:

> My only question: Is clamav on virustotal kept up to date with the
> latest versions of things? thanks,

virustotal tells how old the signature file is.

Best regards!
Helmut



Re: [clamav-users] ClamAV® blog: ClamAV Signature Interface maintenance is now complete! New Main.cvd!

2016-03-19 Thread Gene Heskett
On Wednesday 16 March 2016 23:24:37 Joel Esler (jesler) wrote:

> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html?m=1
>
> ClamAV Signature Interface maintenance is now complete! New Main.cvd!
> Our ClamAV Signature Interface maintenance is now complete.  While we
> apologize for the delay, the rollout of the the new Signature
> Interface inside of ClamAV will result in several new features for the
> community, and I wanted to tell you about some of them:
>
> First, the first new “main.cvd” in about two years.  This main.cvd has
> been completely re-written from scratch, and while the function of the
> “main” is largely the same, it’s been rewritten to not only enforce
> order to the signatures, but naming convention as well.  For example:
>
> W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
> Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
> Adware.Smshoax has moved to Win.Adware.Smshoax
>
> Re-naming of the signatures may affect a local user’s whitelist.  If
> you have excluded certain signatures in the past that are now firing,
> we ask that you both submit the file to us for false positive
> remediation (if you believe it to be a false positive), and rename the
> signature whitelist on your side.
>
> This new main is 109Mb in size, and contains 4 million signatures for
> ClamAV.  Now that the main.cvd has been rewritten, it is now easier
> for us to create diffs, which means upgrading the main more often, and
> making the “daily.cvd” smaller more often.
>
> Second,  we now have the ability to offer different types of CVDs. 
> For instance, we now have the ability to distribute 3rd party
> signatures that are officially signed by ClamAV, but updated through
> the ClamAV global mirror network.  If we wanted to separate out
> “policy” type signatures from the daily.cvd into their own cvd, we can
> now do that.
>
> Third, while we have not removed some of the older signature formats,
> we did convert those older signatures to the newer formats to empty
> those older “cvd”s out.
>
> For example:
> “db" signatures were consolidated into “ndb" signatures
> “zmd" and “rmd"  archive signatures we moved to the “cdb" container
> signature format
>
> These formats are not new, they simply have never been published
> before. This includes other formats such as “hsb", “msb", “sfp", and
> “crb".  The older formats are supported for now, we are simply no
> longer publishing them.
>
> Fourth, newer features, like the ability to write signatures based on
> the SHA256 of a file have been added to the system, and we can now
> publish that type of detection.
>
> We’d like to thank you for your patience.
>
> ClamAV team

Unfortunately as of 1:20 or so this morning, the server is probably 
overloaded:
Thu Mar 17 01:20:25 2016 -> Received signal: wake up
Thu Mar 17 01:20:25 2016 -> ClamAV update process started at Thu Mar 17 01:20:25 2016
Thu Mar 17 01:20:25 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Thu Mar 17 01:20:25 2016 -> WARNING: Local version: 0.99 Recommended version: 0.99.1
Thu Mar 17 01:20:25 2016 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Thu Mar 17 01:20:57 2016 -> nonblock_connect: connect timing out (30 secs)
Thu Mar 17 01:20:57 2016 -> Can't connect to port 80 of host db.us.clamav.net (IP: 194.186.47.19)
Thu Mar 17 01:20:57 2016 -> Trying host db.us.clamav.net (194.8.197.22)...
Thu Mar 17 01:21:00 2016 -> Empty script main-56.cdiff, need to download entire database
Thu Mar 17 01:21:42 2016 -> nonblock_recv: recv timing out (30 secs)
Thu Mar 17 01:21:42 2016 -> WARNING: getfile: Download interrupted: Operation now in progress (IP: 194.8.197.22)
Thu Mar 17 01:21:42 2016 -> WARNING: Can't download main.cvd from db.us.clamav.net
Thu Mar 17 01:21:42 2016 -> Trying again in 5 secs...
Thu Mar 17 01:21:47 2016 -> ClamAV update process started at Thu Mar 17 01:21:47 2016
Thu Mar 17 01:21:47 2016 -> WARNING: Your ClamAV installation is OUTDATED!
Thu Mar 17 01:21:47 2016 -> WARNING: Local version: 0.99 Recommended version: 0.99.1
Thu Mar 17 01:21:47 2016 -> DON'T PANIC! Read http://www.clamav.net/support/faq
Thu Mar 17 01:22:19 2016 -> nonblock_connect: connect timing out (30 secs)
Thu Mar 17 01:22:19 2016 -> Can't connect to port 80 of host db.us.clamav.net (IP: 209.198.147.20)
Thu Mar 17 01:22:19 2016 -> Trying host db.us.clamav.net (69.12.162.28)...
Thu Mar 17 01:22:49 2016 -> nonblock_connect: connect timing out (30 secs)
Thu Mar 17 01:22:49 2016 -> Can't connect to port 80 of host db.us.clamav.net (IP: 69.12.162.28)
Thu Mar 17 01:22:49 2016 -> Trying host db.us.clamav.net (150.214.142.197)...
Thu Mar 17 01:23:11 2016 -> Empty script main-56.cdiff, need to download entire database
Thu Mar 17 01:23:41 2016 -> nonblock_connect: connect timing out (30 secs)
Thu Mar 17 01:23:41 2016 -> Can't connect to port 80 of host 150.214.142.197 (IP: 150.214.142.197)
Thu Mar 17 01:

Re: [clamav-users] [Community-sigs] ClamAV® blog: ClamAV Signature Interface maintenance is now complete! New Main.cvd!

2016-03-19 Thread Rafael Ferreira
Joel, 

First congrats to you and the team, from the sounds of it, this took a lot of 
late nights and caffeine. Quick question, are any of the official sigs 
{main/daily/bytecode} changing names (or extensions)? That does not seem to be 
the case but I figure it would be good to confirm in order to avoid any 
surprises. 

Cheers,

- Rafael 

Rafael Ferreira
Uva Software, LLC | scanii.com  
☎ 623.252.0441


> On Mar 16, 2016, at 8:24 PM, Joel Esler (jesler)  wrote:
> 
> 
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
> 
> ClamAV Signature Interface maintenance is now complete! New Main.cvd!
> Our ClamAV Signature Interface maintenance is now complete.  While we 
> apologize for the delay, the rollout of the the new Signature Interface 
> inside of ClamAV will result in several new features for the community, and I 
> wanted to tell you about some of them:
> 
> First, the first new “main.cvd” in about two years.  This main.cvd has been 
> completely re-written from scratch, and while the function of the “main” is 
> largely the same, it’s been rewritten to not only enforce order to the 
> signatures, but naming convention as well.  For example:
> 
> W97M.Ethan.AK-1 has moved to Doc.Trojan.Ethan
> Worm.Padowor.A-zippwd has moved to Win.Worm.Padowor
> Adware.Smshoax has moved to Win.Adware.Smshoax
> 
> Re-naming of the signatures may affect a local user’s whitelist.  If you have 
> excluded certain signatures in the past that are now firing, we ask that you 
> both submit the file to us for false positive remediation (if you believe it 
> to be a false positive), and rename the signature whitelist on your side.
> 
> This new main is 109Mb in size, and contains 4 million signatures for ClamAV. 
>  Now that the main.cvd has been rewritten, it is now easier for us to create 
> diffs, which means upgrading the main more often, and making the “daily.cvd” 
> smaller more often.
> 
> Second,  we now have the ability to offer different types of CVDs.  For 
> instance, we now have the ability to distribute 3rd party signatures that are 
> officially signed by ClamAV, but updated through the ClamAV global mirror 
> network.  If we wanted to separate out “policy” type signatures from the 
> daily.cvd into their own cvd, we can now do that.
> 
> Third, while we have not removed some of the older signature formats, we did 
> convert those older signatures to the newer formats to empty those older 
> “cvd”s out.
> 
> For example:
> “db" signatures were consolidated into “ndb" signatures
> “zmd" and “rmd"  archive signatures we moved to the “cdb" container signature 
> format
> 
> These formats are not new, they simply have never been published before. This 
> includes other formats such as “hsb", “msb", “sfp", and “crb".  The older 
> formats are supported for now, we are simply no longer publishing them.
> 
> Fourth, newer features, like the ability to write signatures based on the 
> SHA256 of a file have been added to the system, and we can now publish that 
> type of detection.
> 
> We’d like to thank you for your patience.
> 
> ClamAV team


[clamav-users] Problem with mirrors overnight?

2016-03-19 Thread Alex
Hi,
Is there currently an issue with the mirrors? I have at least two
systems on two different networks that are having difficulty
downloading updates from the clamav mirrors. The sanesecurity and
other rulesets aren't having the same problem.

This is after a series of "Ignoring mirror 200.236.31.1 (due to
previous errors)":

Trying to download http://db.us.clamav.net/daily.cvd (IP: 69.163.100.14)
nonblock_recv: recv timing out (30 secs)
ERROR: getfile: Download interrupted: Operation now in progress (IP:
69.163.100.14)
ERROR: Can't download daily.cvd from db.us.clamav.net
Querying daily.0.81.0.0.45A3640E.ping.clamav.net
Giving up on db.us.clamav.net...
Update failed. Your network may be down or none of the mirrors listed
in /etc/freshclam.conf is working. Check
http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

This also isn't a DNS problem.

# host db.us.clamav.net
db.us.clamav.net is an alias for db.us.big.clamav.net.
db.us.big.clamav.net has address 128.199.133.36
db.us.big.clamav.net has address 64.22.33.90
db.us.big.clamav.net has address 69.12.162.28
db.us.big.clamav.net has address 150.214.142.197
db.us.big.clamav.net has address 168.143.19.95
db.us.big.clamav.net has address 194.8.197.22
db.us.big.clamav.net has address 172.110.204.67
db.us.big.clamav.net has address 78.46.82.212
db.us.big.clamav.net has address 155.98.64.87
db.us.big.clamav.net has address 207.57.106.31
db.us.big.clamav.net has address 198.148.78.4
db.us.big.clamav.net has address 69.163.100.14
db.us.big.clamav.net has address 200.236.31.1
db.us.big.clamav.net has address 208.72.56.53
db.us.big.clamav.net has address 209.198.147.20
db.us.big.clamav.net has address 64.6.100.177
db.us.big.clamav.net has address 104.131.196.175
db.us.big.clamav.net has address 194.186.47.19

Thanks,
Alex
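Added example, not code from anyone on this list or from the ClamAV project: a Python triage of freshclam log lines of the kind Gene and Alex posted above. It counts connect and read failures per mirror IP, records the mirrors freshclam gave up on and the databases that fell back to a full download, and compares the failed set against the addresses `host db.us.clamav.net` returned, so "one bad mirror" can be told apart from "the whole pool is failing". The log and host output below are constructed from excerpts of this thread; the thresholds in assess() are assumptions.

```python
"""Added example, not code from this thread or from the ClamAV project.

Triage of freshclam log lines: which mirror IPs failed and how, which
mirrors freshclam stopped using, which databases fell back to a full
download, and which completed.  Thresholds in assess() are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed log, assembled from the kinds of lines quoted in this thread.
LOG = """\
Thu Mar 17 01:20:57 2016 -> nonblock_connect: connect timing out (30 secs)
Thu Mar 17 01:20:57 2016 -> Can't connect to port 80 of host db.us.clamav.net (IP: 194.186.47.19)
Thu Mar 17 01:20:57 2016 -> Trying host db.us.clamav.net (194.8.197.22)...
Thu Mar 17 01:21:00 2016 -> Empty script main-56.cdiff, need to download entire database
Thu Mar 17 01:21:42 2016 -> nonblock_recv: recv timing out (30 secs)
Thu Mar 17 01:21:42 2016 -> WARNING: getfile: Download interrupted: Operation now in progress (IP: 194.8.197.22)
Thu Mar 17 01:21:42 2016 -> WARNING: Can't download main.cvd from db.us.clamav.net
Ignoring mirror 200.236.31.1 (due to previous errors)
Trying to download http://db.us.clamav.net/daily.cvd (IP: 69.163.100.14)
nonblock_recv: recv timing out (30 secs)
ERROR: getfile: Download interrupted: Operation now in progress (IP: 69.163.100.14)
Fri Mar 18 10:31:20 2016 -> WARNING: getfile: Error while reading database from db.US.clamav.net (IP: 128.199.133.36): Operation now in progress
Fri Mar 18 10:31:26 2016 -> Downloading bytecode.cvd [100%]
"""

# Constructed `host db.us.clamav.net` output (a subset of the one in the thread).
HOST_OUTPUT = """\
db.us.clamav.net is an alias for db.us.big.clamav.net.
db.us.big.clamav.net has address 128.199.133.36
db.us.big.clamav.net has address 69.12.162.28
db.us.big.clamav.net has address 194.8.197.22
db.us.big.clamav.net has address 69.163.100.14
db.us.big.clamav.net has address 200.236.31.1
db.us.big.clamav.net has address 194.186.47.19
"""

# Optional "Thu Mar 17 01:20:57 2016 -> " prefix written by the freshclam daemon.
STAMP = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} -> ")
CONNECT_FAIL = re.compile(r"Can't connect to port \d+ of host \S+ \(IP: ([\d.]+)\)")
READ_FAIL = re.compile(r"getfile: .*\(IP: ([\d.]+)\)")
IGNORED = re.compile(r"Ignoring mirror ([\d.]+)")
FULL_DOWNLOAD = re.compile(r"Empty script (\S+), need to download entire database")
COMPLETED = re.compile(r"Downloading (\S+) \[100%\]")
HAS_ADDRESS = re.compile(r"has address ([\d.]+)")


def parse_freshclam_log(text):
    """Summarise freshclam output: failures per mirror IP split into connect
    timeouts and interrupted reads, mirrors freshclam gave up on, databases
    whose cdiff was empty (full download needed) and completed downloads."""
    failures = defaultdict(Counter)
    summary = {"ignored": [], "full_download": [], "completed": []}
    for raw in text.splitlines():
        msg = STAMP.sub("", raw.strip())
        m = CONNECT_FAIL.search(msg)
        if m:
            failures[m.group(1)]["connect"] += 1
            continue
        m = READ_FAIL.search(msg)
        if m:
            failures[m.group(1)]["read"] += 1
            continue
        for key, rx in (("ignored", IGNORED), ("full_download", FULL_DOWNLOAD),
                        ("completed", COMPLETED)):
            m = rx.search(msg)
            if m:
                summary[key].append(m.group(1))
                break
    summary["failures"] = {ip: dict(c) for ip, c in failures.items()}
    return summary


def mirror_addresses(host_output):
    """IPs from `host` output, in the order the resolver returned them."""
    return [m.group(1) for m in HAS_ADDRESS.finditer(host_output)]


def assess(summary, mirrors, threshold=3):
    """Classify the failure pattern (thresholds are assumptions): 'healthy',
    'single-mirror', 'widespread' (>= threshold distinct IPs or at least half
    of the resolved pool) or 'intermittent'; also list mirrors never tried."""
    failed = set(summary["failures"]) | set(summary["ignored"])
    untried = [ip for ip in mirrors if ip not in failed]
    if not failed:
        verdict = "healthy"
    elif len(failed) == 1:
        verdict = "single-mirror"
    elif len(failed) >= threshold or (mirrors and 2 * len(failed) >= len(mirrors)):
        verdict = "widespread"
    else:
        verdict = "intermittent"
    return {"verdict": verdict, "failed": sorted(failed), "untried": untried}


def main():
    summary = parse_freshclam_log(LOG)
    for ip, counts in sorted(summary["failures"].items()):
        print("%-16s %s" % (ip, counts))
    print("ignored:", summary["ignored"], "full download:", summary["full_download"],
          "completed:", summary["completed"])
    print(assess(summary, mirror_addresses(HOST_OUTPUT)))


if __name__ == "__main__":
    main()
```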


Re: [clamav-users] no new signatures

2016-03-19 Thread Al Varnell
It should.  I’ve heard no complaints so far.  But it still won’t be able to use 
some of the new signature formats introduced with 0.99.

-Al-

On Fri, Mar 18, 2016 at 08:16 AM, polloxx wrote:
> 
> Thanks for the answers folks.
> One last question: will the new databases still work on version 0.98.1?
> 
> On Fri, Mar 18, 2016 at 4:01 PM, Steve Basford <
> steveb_cla...@sanesecurity.com> wrote:
> 
>> 
>> On Fri, March 18, 2016 2:05 pm, Helmut Hullen wrote:
>>> Hello, polloxx,
>>> 
>>> 
>>> You wrote on 18.03.16:
>>> 
>>> 
>>>> Fri Mar 18 14:34:15 2016 -> ClamAV update process started at Fri Mar 18 14:34:15 2016
>>>> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
>>>>
>>> 
>>> 
>>> So what - updated or not updated?
>> 
>>> Fri Mar 18 14:34:15 2016 -> WARNING: Your ClamAV installation is OUTDATED!
>>> Fri Mar 18 14:34:15 2016 -> WARNING: Local version: 0.98.1 Recommended version: 0.99.1
>> 
>> The above just means that 0.98.1 is currently being used, but should
>> be upgraded to 0.99.1 which is the latest version of the engine.
>> 
>> The signatures haven't been updated since Friday.
>> 
>> Cheers,
>> 
>> Steve
>> Web : sanesecurity.com
>> Blog: sanesecurity.blogspot.com
>> Twitter: @sanesecurity
>> 
>> 

-Al-
-- 
Al Varnell
Mountain View, CA

Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Thanks. Hopefully it'll sync up soon. I'm getting weird download errors out
of freshclam:

WARNING: getfile: Error while reading database from db.local.clamav.net
(IP: 200.236.31.1): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
nonblock_recv: recv timing out (30 secs)
WARNING: getfile: Error while reading database from db.local.clamav.net
(IP: 194.186.47.19): Operation now in progress
WARNING: getpatch: Can't download daily-21465.cdiff from db.local.clamav.net
Empty script daily-21465.cdiff, need to download entire database

On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell  wrote:

> The new database was just made available, so I recommend you hold off
> until you have the new mail.cvd v57 and daily.cvd v21466 before getting too
> excited about this.
>
> -Al-
>
> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >
> > As of the latest daily update, running ClamAV against the EICAR test
> string
> > reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >
> > -J
>


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Al Varnell
I just ran a scan against the ClamAV test files contained in the 0.99.1 source 
file and I’m getting all Win.Trojan.Trojan-476:

File Name   Infection Name   Status
/Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v3.rar   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.bz2   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bz2.zip   Win.Trojan.Trojan-476
/Users/avarnell/Desktop/•Download/clamav-0.99.1/test/.split/split.clam_IScab_int.exeaa   Win.Trojan.T

Re: [clamav-users] [clamav-virusdb] Signatures Published daily - 21467

2016-03-19 Thread Al Varnell
FYI, if I ignore "Win.Trojan.Trojan-476” ([main.hdb] 
aa15bcf478d165efd2065190eb473bcb:544) all of the test files below are 
identified as “Clamav.Test.File-6” ([daily.hdb] 
aa15bcf478d165efd2065190eb473bcb:544).

-Al-

On Fri, Mar 18, 2016 at 07:40 PM, Al Varnell wrote:
> 
> Not sure exactly what this update was about (suspect a test), and perhaps I 
> don’t have the correct Clamav.Text.File (s) but scanning the 0.99.1 source 
> file I am still getting the following:
> 
>> File Name   Infection Name   Status
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam_cache_emax.tgz   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ea05.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.bin-be.cpio   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-aspack.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-mew.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.rtf   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.pdf   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clamjol.iso   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.chm   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.odc.cpio   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ole.doc   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.impl.zip   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-nsis.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.zip   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ppt   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-v3.rar   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.tar.gz   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.mbox.uu   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.ea06.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam_IScab_int.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.sis   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-fsg.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-pespin.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-petite.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-upack.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-upx.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-v2.rar   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-wwpack.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam-yc.exe   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.7z   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.arj   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.bin-le.cpio   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.bz2.zip   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.cab   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.d64.zip   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.binhex   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.bz2   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.html   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.mbox.base64   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.exe.szdd   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.iso   Win.Trojan.Trojan-476
>> /Users/avarnell/Downloads/2016-03-02/clamav-0.99.1/test/clam.mail   Win.Trojan.Tro
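Added example, not Al's code and not the ClamAV project's: the situation Al describes above is two .hdb entries (MD5:size:name) that share a hash and size but carry different names, one in main.hdb and one in daily.hdb. The Python below parses hdb-format lines, reports such collisions, shows how a hash signature matches a blob (MD5 plus exact size, or the `*` size wildcard), and renders names into .ign2 format, the per-line ignore list that has to be updated when a signature is renamed. The main/daily lines quote the pair from this thread; the `0123...` entry, the sample blob and the `Local.Sample.Test-1` name are constructed.

```python
"""Added example, not code from this thread or from the ClamAV project.

A ClamAV .hdb line is  MD5:FileSize:SignatureName  (newer databases may
use '*' for any size and append :MinFL[:MaxFL]).  main.hdb and daily.hdb
can carry the same MD5:size under different names, as in the thread above.
"""
import hashlib
from collections import defaultdict

# The first line of each database is the pair quoted in the thread; the
# 0123... line is a constructed entry that uses the size wildcard.
MAIN_HDB = """\
aa15bcf478d165efd2065190eb473bcb:544:Win.Trojan.Trojan-476
"""
DAILY_HDB = """\
aa15bcf478d165efd2065190eb473bcb:544:Clamav.Test.File-6
0123456789abcdef0123456789abcdef:*:Win.Trojan.Constructed-1
"""
# A constructed, harmless blob and a local .hdb line derived from it, so
# that lookup() can be exercised offline.
SAMPLE_BLOB = b"constructed sample payload, not malware\n" * 8
LOCAL_HDB = "%s:%d:Local.Sample.Test-1\n" % (
    hashlib.md5(SAMPLE_BLOB).hexdigest(), len(SAMPLE_BLOB))


def parse_hdb(text, source):
    """Return ([(md5, size, name, source)], [malformed]) for hdb text.

    Blank lines and '#' comments are skipped; a malformed line is recorded
    as (source, lineno, text) instead of aborting the whole load."""
    entries, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3 or len(parts[0]) != 32 or not parts[2]:
            bad.append((source, lineno, raw))
            continue
        md5, size, name = parts[0].lower(), parts[1], parts[2]
        try:
            int(md5, 16)
            if size != "*":
                int(size)
        except ValueError:
            bad.append((source, lineno, raw))
            continue
        entries.append((md5, size, name, source))
    return entries, bad


def find_collisions(entries):
    """(md5, size) -> sorted [(name, source)] for every hash that is
    published under more than one signature name."""
    by_hash = defaultdict(set)
    for md5, size, name, source in entries:
        by_hash[(md5, size)].add((name, source))
    return {key: sorted(names) for key, names in by_hash.items()
            if len({name for name, _ in names}) > 1}


def lookup(data, entries):
    """Signature names whose hash entry matches data: the MD5 must match
    and the size must be equal, unless the entry uses the '*' wildcard."""
    digest = hashlib.md5(data).hexdigest()
    size = str(len(data))
    return [name for md5, sz, name, _ in entries
            if md5 == digest and sz in ("*", size)]


def ign2_lines(names):
    """Render names as .ign2 content (one signature name per line), the
    file a renamed signature has to be re-added to on the local side."""
    return "".join("%s\n" % name for name in sorted(set(names)))


def main():
    entries, bad = [], []
    for text, src in ((MAIN_HDB, "main.hdb"), (DAILY_HDB, "daily.hdb"),
                      (LOCAL_HDB, "local.hdb")):
        found, broken = parse_hdb(text, src)
        entries += found
        bad += broken
    for (md5, size), names in find_collisions(entries).items():
        print("%s:%s is published as %s" % (
            md5, size, ", ".join("%s [%s]" % pair for pair in names)))
    print("sample blob matches:", lookup(SAMPLE_BLOB, entries))
    print("malformed lines:", bad)
    print(ign2_lines(["Win.Trojan.Trojan-476"]), end="")


if __name__ == "__main__":
    main()
```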

Re: [clamav-users] URL Links

2016-03-19 Thread Joel Esler (jesler)
Where are those?  We need to remove them.

--
Joel Esler
iPhone

On Mar 17, 2016, at 7:05 AM, Jerry wrote:

I just did a fresh install of ClamAV on a FreeBSD machine. While
configuring the program, I found that the following URLs were broken:

http://www.clamav.net/download/cvd/3rdparty
http://www.stats.clamav.net

--
Jerry


Re: [clamav-users] Problem with mirrors overnight?

2016-03-19 Thread Matthias Hank
Hi Ralf,

On Thu, Mar 17, 2016 at 04:10:32PM +0100, Ralf Hildebrandt wrote:

> > But why are always the same 3 of 13 German mirrors probed by 
> > freshclam?
> > All of them are failing since last night on all of our servers.

> http://lutz.donnerhacke.de/Blog/ClamAV-aktualisiert-sich-nicht-mehr

Thank you, that solved the problem!

Quoting Lutz:

> Well, great. Could you please fix your links and your mirrors? Thanks.

Regards,

Matze


[clamav-users] clamscan false positives

2016-03-19 Thread Thomas Stein
Hello Clamav users.

Last week I started to check a Gentoo distfiles directory with clamscan.
To my big surprise clamscan found a lot of infected files. Taking a
closer look leads to the assumption all of them are false positives
because most of them are debugging tools.

ClamAV update process started at Sun Mar 13 22:00:01 2016
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99 Recommended version: 0.99.1
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 55, sigs: 2424225, f-level: 60,
builder: neo)
daily.cld is up to date (version: 21464, sigs: 1878899, f-level: 63,
builder: neo)
bytecode.cld is up to date (version: 274, sigs: 49, f-level: 63,
builder: anvilleg)
/var/www/gentoomirror/distfiles/sbd-1.37.tar.gz: Win.Trojan.Agent-558335
FOUND
/var/www/gentoomirror/distfiles/libzip-1.0.1.tar.xz:
Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/sqlninja-0.2.6-r1.tgz:
W32.Hacktool.KiTrap-1 FOUND
/var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.93.tar.gz:
ClamAV-Test-Signature FOUND
/var/www/gentoomirror/distfiles/olsrd-0.9.0.2.tar.bz2:
Java.Exploit.CVE_2013_2472-1 FOUND
/var/www/gentoomirror/distfiles/clamav-0.91.2.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.19.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/clamav-0.92.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.21.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/afl-1.80b.tgz: Win.Exploit.CVE_2015_0076
FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.22.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/olsrd-0.6.4.tar.bz2:
Java.Exploit.CVE_2013_2472-1 FOUND
/var/www/gentoomirror/distfiles/libwbxml-0.11.2.tar.bz2:
Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/framework-2.7.tar.gz:
Exploit.Alpha_Mixed FOUND
/var/www/gentoomirror/distfiles/libzip-1.1.1.tar.xz:
Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/wbxml2-0.9.2.tar.gz:
Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.91.tar.gz:
ClamAV-Test-Signature FOUND
/var/www/gentoomirror/distfiles/anomy-sanitizer-1.76.tar.gz:
Exploit.WMF.Gen-1 FOUND
/var/www/gentoomirror/distfiles/LinkChecker-9.3.tar.gz: ClamAV-Test-File
FOUND
/var/www/gentoomirror/distfiles/lg-112.tar.gz: HTML.Phishing.Pay-239 FOUND
/var/www/gentoomirror/distfiles/afl-2.07b.tgz: Win.Exploit.CVE_2015_0076
FOUND
/var/www/gentoomirror/distfiles/wbxml2-0.9.0-src.tar.gz:
Win.Trojan.Ramnit-5837 FOUND
/var/www/gentoomirror/distfiles/MailScanner-install-4.84.5-2.tar.gz:
Eicar-Test-Signature-1 FOUND
/var/www/gentoomirror/distfiles/lg-108.tar.gz: HTML.Phishing.Bank-1 FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.21.tar.gz:
Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/lg-130.tar.gz: HTML.Phishing.Bank-791 FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.22.tar.gz:
Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/nepenthes-0.2.2.tar.bz2:
Trojan.Downloader.Bat FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.20.tar.gz:
Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/lg-issue86.tar.gz: Exploit.IFrame.Gen FOUND
/var/www/gentoomirror/distfiles/metasploit-payloads-1.0.15.gem:
Java.Trojan.Agent-31 FOUND
/var/www/gentoomirror/distfiles/clamav-0.92.1.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/lg-141.tar.gz: HTML.Phishing.Bank-473 FOUND
/var/www/gentoomirror/distfiles/libzip-1.1.tar.xz:
Php.Exploit.CVE_2015_2331-2 FOUND

Is this a known behaviour?

thanks and cheers
t.
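One way to triage a scan report like the one above, added here as an example and not code from the list or from the ClamAV project. It re-joins result lines that the mail client wrapped, groups detections by signature name, separates the documented test signatures (Eicar-Test-Signature, ClamAV-Test-File, ClamAV-Test-Signature, which packages such as Mail-ClamAV and the clamav tarballs themselves legitimately ship in their test suites) from detections that still need a human look, and emits the lines for a local.ign2 file, ClamAV's per-site list of signature names to ignore, stored in the database directory. The sample report is constructed from paths on this page plus one made-up clean file; the TEST_SIGNATURES set is an assumption about which names are safe to mute on a source mirror, and nothing else is ever auto-ignored.

```python
import re
from collections import defaultdict

# Constructed sample: paths taken from the report on this page, wrapped onto two
# lines the way the mail client did it, plus one made-up clean file at the end.
SAMPLE_REPORT = """\
/var/www/gentoomirror/distfiles/sbd-1.37.tar.gz: Win.Trojan.Agent-558335
FOUND
/var/www/gentoomirror/distfiles/libzip-1.0.1.tar.xz:
Php.Exploit.CVE_2015_2331-2 FOUND
/var/www/gentoomirror/distfiles/File-Scan-ClamAV-1.93.tar.gz:
ClamAV-Test-Signature FOUND
/var/www/gentoomirror/distfiles/clamav-0.91.2.tar.gz: ClamAV-Test-File FOUND
/var/www/gentoomirror/distfiles/Mail-ClamAV-0.21.tar.gz:
Eicar-Test-Signature FOUND
/var/www/gentoomirror/distfiles/afl-1.80b.tgz: Win.Exploit.CVE_2015_0076
FOUND
/var/www/gentoomirror/distfiles/afl-2.07b.tgz: Win.Exploit.CVE_2015_0076
FOUND
/var/www/gentoomirror/distfiles/harmless-1.0.tar.gz: OK
"""

# Assumption: these documented test signatures are the only names safe to mute
# on a source mirror; every other detection stays in the review list.
TEST_SIGNATURES = {"Eicar-Test-Signature", "ClamAV-Test-File", "ClamAV-Test-Signature"}

# One complete clamscan result line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def rejoin_wrapped(text):
    """Re-assemble result lines that were wrapped onto two lines by a mail client.

    A complete result line ends with ' FOUND' (or is the bare word FOUND that
    got pushed onto its own line) or with ': OK'; anything else is a fragment
    that belongs to the following line.
    """
    joined, fragment = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fragment.append(line)
        if line == "FOUND" or line.endswith(" FOUND") or line.endswith(": OK"):
            joined.append(" ".join(fragment))
            fragment = []
    if fragment:  # trailing fragment without a terminator: keep it visible
        joined.append(" ".join(fragment))
    return joined


def parse_report(text):
    """Return {signature_name: [paths]} for every FOUND line; OK lines are skipped."""
    hits = defaultdict(list)
    for line in rejoin_wrapped(text):
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def triage(hits):
    """Split detections into known test-signature hits and those needing review."""
    test_hits = {s: p for s, p in hits.items() if s in TEST_SIGNATURES}
    review = {s: p for s, p in hits.items() if s not in TEST_SIGNATURES}
    return test_hits, review


def ign2_lines(hits):
    """Lines for a local.ign2 file (one signature name per line), limited to the
    test signatures actually seen in this report."""
    return sorted(s for s in hits if s in TEST_SIGNATURES)


if __name__ == "__main__":
    test_hits, review = triage(parse_report(SAMPLE_REPORT))
    for sig, paths in sorted(review.items()):
        print(f"REVIEW {sig}: {len(paths)} file(s)")
    print("local.ign2:", ", ".join(ign2_lines(test_hits)))
```

The review list is the useful output: a hacktool or exploit-kit detection on a mirror that carries sqlninja, Metasploit payloads or fuzzing tools may well be correct for what the archive contains, so each of those is a decision to record, not something a script should silence.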


Re: [clamav-users] New ClamnAV database....test results for Clamwin

2016-03-19 Thread Gene Heskett
On Thursday 17 March 2016 07:16:42 Groach wrote:

> No problem.  See, I can do praise too.  :-)
>
> I even did a scan of my usual drive that is susceptible to showing
> false positives and it all completed without unwanted reports.
>
> A relief, a surprise, and a happy chap (for today) ;-)
>
> So, @clamwin users:  no problems, go for it.  And those non-clamwin
> users that have problems., try CLAMWIN!!  :-D
>
I'm on linux, wheezy TBE, freshclam finally did get it about half an hour 
after I posted about 4:20 am.  No problems so far, so I believe the 
re-organization was likely worth it.

> On 17/03/2016 12:08, Joel Esler (jesler) wrote:
> > Thanks for the feedback!
> >
> > --
> > Joel Esler
> > iPhone
> >
> > On Mar 17, 2016, at 4:55 AM, Groach
> > mailto:groachmail-stopspammingm
> >e...@yahoo.com>> wrote:
> >
> > For your info:
> >
> > I run Clamwin, with the additional Clamd, and supplemented with Sane
> > security definitions.
> >
> > I was VERY apprehensive about today and the pessimist inside (for
> > good reason!) was expecting a range of problems.
> >
> > However, I just performed a forced DB update download, and an EICAR
> > test (through my MTA) and an email with a known virus (that I know
> > SANE (only!) used to catch).
> >
> > Results:   ALL OK
> >
> > Update:  without problems
> > Eicar: new report: "Win-test-eicar-ndb-1" found
> > Sane:   yep, that was detected too.
> >
> > So my feedback is GOOD for Clamwin users.


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] no new signatures

2016-03-19 Thread Helmut Hullen
Hello, SternData,

You wrote on 18.03.16:

>> The signatures haven't been updated since Friday.

[...]

> I had a similar issue. After deleting /var/lib/clamav/mirrors.dat,
> the updates started working again.

No - that's another problem.

I've just tried "freshclam" with deleted "mirrors.dat" - all three *.cvd  
files are up to date, since 7 o'clock. Unchanged versions, levels 60, 63  
and 63.

Best regards!
Helmut



Re: [clamav-users] clamav on virus total

2016-03-19 Thread C.D. Cochrane
Thank you all for the replies.  Just wanted to make sure my approach was 
logical, and VT is a reliable reference point for clamav comparison scanning.
 
"millions of samples" received daily, wow!  But how many are unique?  Or, 
putting on my "pretend bad guy" hat - if I was a virus writer I would submit a 
few thousand red herrings to clamav every day.  Must be challenging to keep up 
and I can never complain about a free tool.
thanks again,
Chris


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason J. W. Williams
Pulled down 21466 (and force restarted clamd) but it's still classifying
EICAR as Win.Trojan.Trojan:

https://gist.github.com/williamsjj/b8104402e80f44475df5

Databases are up to date now:
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
Empty script daily-21465.cdiff, need to download entire database
Downloading daily.cvd [100%]
daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder:
amishhammer)
Empty script bytecode-275.cdiff, need to download entire database
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder:
amishhammer)
Database updated (4302724 signatures) from db.local.clamav.net (IP:
193.1.193.64)



On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell  wrote:

> Those are normal messages for an update of this kind.  The 21465.cdiff was
> purposely blank in order to force you to download the entire daily.cvd.
> Give it plenty of time as the main.cvd is 109MB.
>
> Technical details: <
> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
> >
>
> -Al-
>
> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
> >
> > Thanks. Hopefully it'll sync up soon. I'm getting weird download errors
> out
> > of freshclam:
> >
> > WARNING: getfile: Error while reading database from db.local.clamav.net
> > (IP: 200.236.31.1): Operation now in progress
> > WARNING: getpatch: Can't download daily-21465.cdiff from
> db.local.clamav.net
> > nonblock_recv: recv timing out (30 secs)
> > WARNING: getfile: Error while reading database from db.local.clamav.net
> > (IP: 194.186.47.19): Operation now in progress
> > WARNING: getpatch: Can't download daily-21465.cdiff from
> db.local.clamav.net
> > Empty script daily-21465.cdiff, need to download entire database
> >
> > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell  wrote:
> >
> >> The new database was just made available, so I recommend you hold off
> >> until you have the new mail.cvd v57 and daily.cvd v21466 before getting
> too
> >> excited about this.
> >>
> >> -Al-
> >>
> >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> >>>
> >>> As of the latest daily update, running ClamAV against the EICAR test
> >> string
> >>> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> >>>
> >>> -J
>


[clamav-users] clamav on virus total

2016-03-19 Thread C.D. Cochrane
Hi,
Over the last 2 months of use I have collected and submitted 20+ virus 
attachments to clamav. I always check the files on virustotal dot com before 
submitting to clamav. To date, only one of the files is detected by clamav as a 
virus on virustotal (and on my server), while other vendor detection counts 
have increased there when I re-check.

My only question: Is clamav on virustotal kept up to date with the latest 
versions of things?
thanks,
Chris


Re: [clamav-users] Why does this happen?

2016-03-19 Thread Steven Morgan
Scott,

In that case, please open a bug report.

On Tue, Mar 15, 2016 at 5:37 PM, Scott Galambos  wrote:

> testfile.pdf is an encrypted and password protected file.  I have
> "ArchiveBlockEncrypted No" in clamd.conf.
>
> And a scan still finds it infected.
>
> server(/tmp): clamdscan --config-file=/apps/clamav/etc/clamd.conf
> testfile.pdf
> /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND
>
> Why?  How do I stop this?
>
>
>
> On 2016-03-15 2:13 PM, Steven Morgan wrote:
>
>> Hi,
>>
>> I took a quick look at the code. The "Heuristics.Encrypted.PDF" is off by
>> default. Try clamscan --block-encrypted. If you have
>> 'ArchiveBlockEncrypted
>> yes' in your clamd.conf, it would explain the results you are seeing with
>> clamdscan.
>>
>> Is testfile.pdf encrypted?
>>
>> Check these things out and if it still does not make sense, please open a
>> bug report at bugzilla.clamav.net.
>>
>> On Tue, Mar 15, 2016 at 2:07 PM, Scott Galambos <
>> sco...@particlesoftware.com
>>
>>> wrote:
>>>
>>
>> Trying to wrap my head around this.
>>>
>>> central(/temp): clamdscan testfile.pdf
>>> /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND
>>>
>>> central(/temp): clamscan testfile.pdf
>>> testfile.pdf: OK
>>>
>>>
>>> Why does clamdscan find a virus, but clamscan not??
>>>


Re: [clamav-users] Why does this happen?

2016-03-19 Thread Scott Galambos
I had to completely restart the server, not just restart the daemons, for 
some reason.  It's off now and not scanning encrypted PDFs.


Thank you.

On 2016-03-16 6:18 PM, Benny Pedersen wrote:

> On 2016-03-16 23:04, Steven Morgan wrote:
>
>> server(/tmp): clamdscan --config-file=/apps/clamav/etc/clamd.conf
>> testfile.pdf
>> /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND
>> Why?  How do I stop this?
>
> Is clamconf saying this clamd.conf is the default config?
>
> Are there different results from using clamscan --config foo and clamdscan
> --config foo?


Re: [clamav-users] Is ClamAV Community Threat Tracking System down?

2016-03-19 Thread Al Varnell
Check the archives as I believe that was reported/discussed earlier.

Sent from Janet's iPad

-Al-

On Mar 18, 2016, at 2:50 PM, Yuri Voinov wrote:
> 
> http://www.stats.clamav.net is not responding either via HTTP or HTTPS.
> 
> Is ClamAV Community Threat Tracking System down?
> 
> WBR, Yuri


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-19 Thread Jason Williams
Hey Al,

I submitted a FP report with one attached. Just put the EICAR string into a txt 
file and that'll trigger it. 

-J

Sent via iPhone

> On Mar 16, 2016, at 22:16, Al Varnell  wrote:
> 
> I don’t know why sanesecurity-porcupine.ndb is causing this, but I can now 
> see that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 
> are identical, so this is an FP situation which would be reported.  
> 
> 
> However, I’m not sure where to find a copy of a Win.Test.EICAR_LDB-1 file to 
> submit.
> 
> -Al-
> 
> 
>> On Wed, Mar 16, 2016 at 09:44 PM, Jason J. W. Williams wrote:
>> 
>> Culprit seems to be sanesecurity-porcupine.ndb (
>> http://sanesecurity.com/usage/signatures/). Moving it out causes
>> Win.Test.EICAR_NDB-1
>> FOUND to be found, moving it back in triggers the Win.Trojan.Trojan-605 FP.
>> Since the Win.Trojan.Trojan sig isn't in the DB I'm not sure why that is.
>> 
>> -J
>> 
>>> On Wed, Mar 16, 2016 at 9:38 PM, Al Varnell  wrote:
>>> 
>>> Disregard, I found it here after they got the new main.cvd:
>>> <
>>> http://clamav-du.securesites.net/cgi-bin/clamgrok?virus=Win.Trojan.Trojan-605&search-type=contains&case-sensitivity=No&database=daily&database=main&display=database&display=virus&display=signature&.submit=Submit&.cgifields=database&.cgifields=search-type&.cgifields=case-sensitivity&.cgifields=display
 
>>> 
>>> I’ll see what I get once my main.cvd finishes.
>>> 
>>> -Al-
>>> 
 On Wed, Mar 16, 2016 at 09:32 PM, Al Varnell wrote:
 
 I’m still looking, but so far I can’t find any Win.Trojan.Trojan
>>> signatures in the ClamAV Official database or listed in clamav-virusdb
>>> e-mail list.
 
 Nor can I confirm your results using my own EICAR.
 
 Are you using any Unofficial signatures from a different source?
 
 -Al-
 
> On Wed, Mar 16, 2016 at 09:06 PM, Jason J. W. Williams wrote:
> 
> Pulled down 21466 (and force restarted clamd) but it's still classifying
> EICAR as Win.Trojan.Trojan:
> 
> https://gist.github.com/williamsjj/b8104402e80f44475df5
> 
> Databases are up to date now:
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60,
>>> builder:
> amishhammer)
> Empty script daily-21465.cdiff, need to download entire database
> Downloading daily.cvd [100%]
> daily.cvd updated (version: 21466, sigs: 83889, f-level: 63, builder:
> amishhammer)
> Empty script bytecode-275.cdiff, need to download entire database
> Downloading bytecode.cvd [100%]
> bytecode.cvd updated (version: 275, sigs: 45, f-level: 63, builder:
> amishhammer)
> Database updated (4302724 signatures) from db.local.clamav.net (IP:
> 193.1.193.64)
> 
> 
> 
>> On Wed, Mar 16, 2016 at 9:00 PM, Al Varnell  wrote:
>> 
>> Those are normal messages for an update of this kind.  The 21465.cdiff
>>> was
>> purposely blank in order to force you to download the entire daily.cvd.
>> Give it plenty of time as the main.cvd is 109MB.
>> 
>> Technical details: <
>> 
>>> http://blog.clamav.net/2016/03/clamav-signature-interface-maintenance.html
>>> 
>> 
>> -Al-
>> 
>>> On Wed, Mar 16, 2016 at 08:56 PM, Jason J. W. Williams wrote:
>>> 
>>> Thanks. Hopefully it'll sync up soon. I'm getting weird download
>>> errors
>> out
>>> of freshclam:
>>> 
>>> WARNING: getfile: Error while reading database from
>>> db.local.clamav.net
>>> (IP: 200.236.31.1): Operation now in progress
>>> WARNING: getpatch: Can't download daily-21465.cdiff from
>> db.local.clamav.net
>>> nonblock_recv: recv timing out (30 secs)
>>> WARNING: getfile: Error while reading database from
>>> db.local.clamav.net
>>> (IP: 194.186.47.19): Operation now in progress
>>> WARNING: getpatch: Can't download daily-21465.cdiff from
>> db.local.clamav.net
>>> Empty script daily-21465.cdiff, need to download entire database
>>> 
>>> On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell 
>>> wrote:
>>> 
 The new database was just made available, so I recommend you hold off
 until you have the new mail.cvd v57 and daily.cvd v21466 before
>>> getting
>> too
 excited about this.
 
 -Al-
 
> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> 
> As of the latest daily update, running ClamAV against the EICAR test
 string
> reports  Win.Trojan.Trojan-605 instead of Eicar-Test-Signature.
> 
> -J
>>> 
>>> 
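Al's observation that the signatures for Win.Test.EICAR_LDB-1 and Win.Trojan.Trojan-605 are identical, and Jason's finding that moving sanesecurity-porcupine.ndb out of the database directory changes the name reported for the same file, can be checked mechanically before filing a false-positive report. The following is an added example, not code from the list, from ClamAV or from Sanesecurity: it parses plain .ndb lines (MalwareName:TargetType:Offset:HexSignature, optionally followed by minimum and maximum functionality level) from two databases and reports signature bodies that appear under more than one name. Both database texts and their hex bodies are constructed and match nothing real; .ldb logical signatures have a different layout and are not handled here.

```python
from collections import defaultdict

# Constructed sample databases in .ndb layout; the hex bodies are made up and
# match nothing real, the names only illustrate an official/third-party clash.
OFFICIAL_NDB = """\
# constructed sample, not a real ClamAV database
Win.Test.Example_NDB-1:0:*:0a0b0c0d0e0f101112131415161718191a1b1c1d
Win.Trojan.Example-1:1:EP+0:e800000000
"""
THIRDPARTY_NDB = """\
Thirdparty.Trojan.Example-605:0:*:0A0B0C0D0E0F101112131415161718191A1B1C1D:63
Thirdparty.Trojan.Example-7:0:*:1234567890abcdef
"""


def parse_ndb(text, source):
    """Parse .ndb lines (MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]).

    Returns a list of dicts tagged with the database they came from; the hex
    body is lower-cased so a difference in case between publishers does not
    hide a duplicate.
    """
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"{source}:{lineno}: expected name:target:offset:hex, got {line!r}")
        name, target, offset, hexsig = fields[:4]
        sigs.append({"name": name, "target": target, "offset": offset,
                     "hex": hexsig.lower(), "source": source})
    return sigs


def find_duplicates(*sig_lists):
    """Group signatures by (target, offset, hex body) and return the groups that
    carry more than one name, as {body: [(source, name), ...]}."""
    by_body = defaultdict(list)
    for sigs in sig_lists:
        for s in sigs:
            by_body[(s["target"], s["offset"], s["hex"])].append(s)
    return {body: sorted((s["source"], s["name"]) for s in group)
            for body, group in by_body.items()
            if len({s["name"] for s in group}) > 1}


def shadowed_names(sigs, others):
    """Names in `sigs` whose body also appears in `others` under a different
    name; a hit on such a body may be reported under the other name."""
    dups = find_duplicates(sigs, others)
    own = {s["name"] for s in sigs}
    return sorted(name for group in dups.values() for _, name in group if name in own)


if __name__ == "__main__":
    official = parse_ndb(OFFICIAL_NDB, "official")
    thirdparty = parse_ndb(THIRDPARTY_NDB, "thirdparty")
    for body, names in find_duplicates(official, thirdparty).items():
        print("same body", body[2][:16] + "...", "under", names)
    print("official names shadowed by third-party copies:",
          shadowed_names(official, thirdparty))
```

When a third-party database duplicates an official signature body under its own name, the detection name you see can change without the underlying match changing. The duplicate name is the one to cite in a false-positive report to that database's publisher, and, until it is fixed, the one to list in a local.ign2 file if the renamed hit is unwanted.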

Re: [clamav-users] Why does this happen?

2016-03-19 Thread Benny Pedersen

On 2016-03-16 23:30, Scott Galambos wrote:

> I had to completely restart the server, not just restart the daemons,
> for some reason.  It's off now and not scanning encrypted PDFs.

glad you found the issues about it

Another time you can make a new default config with
clamconf -g clamd.conf >/tmp/clamd.conf and then diff this with your own
config to see if settings are new, changed or missing in your own config.

> Thank you.

no problem
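Benny's suggestion of generating a default clamd.conf with clamconf -g clamd.conf and diffing it against the site's own file is the right check for a setting like ArchiveBlockEncrypted that has drifted from its default, as in Scott's Heuristics.Encrypted.PDF case earlier in this thread. As an added example (not code from the list or from ClamAV), the following parses two clamd.conf texts in their Key Value format, folds the yes/no/true/false spellings of booleans together so they compare equal, flags a file that still carries the Example line, and reports settings that are missing, extra or changed. Both configuration texts are constructed; in practice the default text would be the clamconf -g clamd.conf output and the other the running daemon's config file.

```python
# Constructed sample in the style of `clamconf -g clamd.conf` output (defaults).
DEFAULT_CONF = """\
# constructed sample, not real clamconf output
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
ArchiveBlockEncrypted no
MaxScanSize 100M
ScanPDF yes
"""

# Constructed sample of a site's own clamd.conf, with one setting drifted,
# one default omitted and one extra key; a tab separates one key/value pair.
OWN_CONF = """\
# constructed sample of a local config
LogFile /var/log/clamav/clamd.log
LocalSocket\t/var/run/clamav/clamd.sock
ArchiveBlockEncrypted true
ScanPDF yes
PhishingSignatures yes
"""


def normalize(value):
    """Fold yes/true and no/false onto yes/no so booleans compare equal;
    every other value (paths, sizes, numbers) is left exactly as written."""
    low = value.strip().lower()
    if low in ("yes", "true"):
        return "yes"
    if low in ("no", "false"):
        return "no"
    return value.strip()


def has_example_line(text):
    """True if the file still carries the 'Example' line that clamd rejects."""
    return any(raw.strip() == "Example" for raw in text.splitlines())


def parse_conf(text):
    """Parse 'Key Value' lines into {key: [values]}; keys may repeat and
    '#' starts a comment. Key and value are separated by any whitespace."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "Example":
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = normalize(parts[1]) if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def diff_conf(default, own):
    """Report keys missing from own, keys unknown to default, and changed values."""
    missing = sorted(k for k in default if k not in own)
    extra = sorted(k for k in own if k not in default)
    changed = {k: (default[k], own[k]) for k in default
               if k in own and default[k] != own[k]}
    return {"missing": missing, "extra": extra, "changed": changed}


if __name__ == "__main__":
    if has_example_line(OWN_CONF):
        print("own config still has the Example line; clamd will not load it")
    report = diff_conf(parse_conf(DEFAULT_CONF), parse_conf(OWN_CONF))
    for key, (dflt, own) in report["changed"].items():
        print(f"CHANGED {key}: default {dflt} -> own {own}")
    print("missing from own config:", report["missing"])
    print("not in default config:", report["extra"])
```

A key that shows up under "extra" deserves a look as well: after an upgrade it may be an option the daemon no longer recognises, which is the other reason a restart behaves differently from what the file seems to say.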