Re: [clamav-users] Scanning very large files in chunks

2016-08-11 Thread Paul Kosinski
After posting a while ago about scanning (extremely) large disk images,
I realized that files need not be contiguous in a disk image. It all
depends on the block allocation algorithm of the file system and, in
many cases, on fragmentation that occurs as the disk is used.

So, even if you could scan a terabyte+ disk image as one long stream,
a virus signature might escape detection due to being split in half.


On Thu, 11 Aug 2016 18:15:08 +0100 (BST)
"G.W. Haywood"  wrote:

> Hello once again,
> 
> On Thu, 11 Aug 2016, sapientdust+cla...@gmail.com wrote:
> 
> > I scan a 4.5 GB file in multiple instream calls, by scanning the
> > first 3 GB in one call, and then making a second instream call that
> > provides the first N MB followed by the last 2 GB of the file.
> 
> > Would clamav be expected to work similarly in the two cases in terms
> > of identifying a virus, assuming the virus is the same in the two
> > scenarios and it's in ClamAV's database? Or are there technical
> > reasons why ClamAV wouldn't detect the virus in the second scenario
> > but would in the first, even though the virus bytes are identical?
> 
> There's a possibility of failing to find it in the second scenario.
> It's anybody's guess what the probability will be; my guess would be
> that the probability of that failure would be small compared with the
> relatively large probability of not finding it at all in both cases.
> 
> > This is a question for clamav developers or those who understand the
> > codebase sufficiently to know the impact of scanning a partial file.
> 
> I don't think so.  Just think about it a bit:
> 
> Much of ClamAV's operation is looking for pattern matches.
> Suppose you scan a 4.5GB file in two chunks.
> Suppose half this mysterious 'huge file virus' is in the first chunk.
> Presumably the other half is in the second chunk.
> What happens if the pattern is designed to match the entire virus?
> 
> > Should I have asked this question on the developer list?
> 
> No.  You're a user, the developers' list is for working on ClamAV.
> 
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
thank you :)
I went to see and read the mailing list archive and found the help I
needed with my bad English :)

2016-08-11 17:45 UTC+02:00, Benny Pedersen :
> On 2016-08-11 10:18, ancien compte wrote:
>> I've forgotten :)
>>
>> wget -qO- http://www.kaspersky.fr/internet-security/  | clamscan -
>> stdin: Html.Exploit.CVE_2016_3326-3 FOUND
>
> hopefully they read it here sooner or later? :=)
>
> I am not good at French so hopefully their webmaster can receive mail


Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steve basford

This was on the blog

YARA rules using any of the following features will be flagged in error,
and the respective rules will be disabled:

- Single byte YARA string components: currently in the ClamAV matcher, all
  strings, as well as components of strings delimited by wild cards, must be
  at least two bytes in length.

- External variables: variables referenced in YARA conditions whose value
  may be set using the 'yara -d' command line option.


Cheers,

Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity



On 11 August 2016 18:33:49 Axb wrote:


In that post the author states:

"I created some YARA rules that use the external variable „filename“ to
work. LOKI and THOR use the „filename“ and other external variables by
default."

hmm...  now how the heck do we get this to happen with ClamAV? :)

.. talking to myself...


On 08/11/2016 07:29 PM, Axb wrote:

Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/


see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:

I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
"filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar,
error
count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA
engine?

Thanks!
Axb

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Benny Pedersen

On 2016-08-11 19:32, Axb wrote:

In that post the author states:

"I created some YARA rules that use the external variable „filename“
to work. LOKI and THOR use the „filename“ and other external variables
by default."

hmm...  now how the heck do we get this to happen with ClamAV? :)

.. talking to myself...


+1

try looking at the foxhole rules; IMHO they can match filenames and sizes,
but I wish they were more documented


also logical signatures in clamav are very simple, just wish they were more
documented


try compiled yara rules with clamav, not source rules; don't know if that
makes a difference for clamav




Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb

In that post the author states:

"I created some YARA rules that use the external variable „filename“ to
work. LOKI and THOR use the „filename“ and other external variables by
default."


hmm...  now how the heck do we get this to happen with ClamAV? :)

.. talking to myself...


On 08/11/2016 07:29 PM, Axb wrote:

Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/


see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:

I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
"filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar,
error
count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA
engine?

Thanks!
Axb

Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb

Found it!

https://www.bsk-consulting.de/2015/12/22/yara-rules-to-detect-uncommon-system-file-sizes/

see "rule Suspicious_Size_chrome_exe" and others...

Assumed it was a "legal" keyword.


On 08/11/2016 07:26 PM, Axb wrote:

I picked the filename condition from a sample rule on a web site with a
number of yara rules.
Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
"filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar,
error
count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA
engine?

Thanks!
Axb


Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb
I picked the filename condition from a sample rule on a web site with a 
number of yara rules.

Too bad I didn't bookmark it...

Will try to find it again.


On 08/11/2016 05:08 PM, Steven Morgan wrote:

filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:


Guys,

clamscan --database=test.yar blah.html
LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
"filename"
LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error
count 1
test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? or is filename unsupported by ClamAV's YARA engine?

Thanks!
Axb


Re: [clamav-users] Scanning very large files in chunks

2016-08-11 Thread G.W. Haywood

Hello once again,

On Thu, 11 Aug 2016, sapientdust+cla...@gmail.com wrote:


I scan a 4.5 GB file in multiple instream calls, by scanning the first
3 GB in one call, and then making a second instream call that provides
the first N MB followed by the last 2 GB of the file.



Would clamav be expected to work similarly in the two cases in terms
of identifying a virus, assuming the virus is the same in the two
scenarios and it's in ClamAV's database? Or are there technical
reasons why ClamAV wouldn't detect the virus in the second scenario
but would in the first, even though the virus bytes are identical?


There's a possibility of failing to find it in the second scenario.
It's anybody's guess what the probability will be; my guess would be
that the probability of that failure would be small compared with the
relatively large probability of not finding it at all in both cases.


This is a question for clamav developers or those who understand the
codebase sufficiently to know the impact of scanning a partial file.


I don't think so.  Just think about it a bit:

Much of ClamAV's operation is looking for pattern matches.
Suppose you scan a 4.5GB file in two chunks.
Suppose half this mysterious 'huge file virus' is in the first chunk.
Presumably the other half is in the second chunk.
What happens if the pattern is designed to match the entire virus?


Should I have asked this question on the developer list?


No.  You're a user, the developers' list is for working on ClamAV.

--

73,
Ged.
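
An added example, not code from either message above, from ClamAV or from clamd's authors, illustrating Ged's point here and Paul's follow-up at the top of the page: a whole-pattern matcher cannot fire on a pattern that is split across two separately scanned pieces, and overlapping consecutive pieces by (longest pattern minus 1) bytes closes that gap. `toy_scan`, `SIGNATURE` and the 4 KiB sample are this example's own stand-ins, not ClamAV's matcher; the INSTREAM framing at the end follows the clamd protocol as documented (zINSTREAM command, 4-byte big-endian length-prefixed chunks, zero-length terminator) but the script never opens a socket.

```python
"""Added example (not code from the thread or from ClamAV): why scanning a
big file as separate pieces can miss a signature that straddles the cut,
and how overlapping the pieces by (longest pattern - 1) bytes guarantees
every pattern is seen whole by at least one piece.  toy_scan stands in for
ClamAV's matcher; the INSTREAM framing follows the clamd protocol but
nothing here connects to clamd."""
import struct
from typing import Iterator, List, Tuple

# Constructed stand-in for a whole-pattern signature (29 bytes).
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST"


def toy_scan(buf: bytes) -> bool:
    """Engine stand-in: fires only when the entire pattern is inside buf."""
    return SIGNATURE in buf


def build_sample(total: int, sig_at: int) -> bytes:
    """Constructed input: total zero bytes with SIGNATURE written at sig_at."""
    filler = bytes(total)
    return filler[:sig_at] + SIGNATURE + filler[sig_at + len(SIGNATURE):]


def chunks(data: bytes, size: int, overlap: int = 0) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, piece).  Each piece after the first begins `overlap`
    bytes before the previous one ended, so any window of up to overlap+1
    bytes lies entirely inside some piece."""
    if not 0 <= overlap < size:
        raise ValueError("need 0 <= overlap < size")
    step = size - overlap
    for off in range(0, len(data), step):
        yield off, data[off:off + size]
        if off + size >= len(data):
            break


def scan_in_chunks(data: bytes, size: int, overlap: int = 0) -> List[int]:
    """Offsets of the pieces in which the stand-in engine fired."""
    return [off for off, piece in chunks(data, size, overlap) if toy_scan(piece)]


def min_overlap(patterns: List[bytes]) -> int:
    """Smallest overlap that keeps every listed pattern whole in one piece."""
    return max(len(p) for p in patterns) - 1


def instream_frames(data: bytes, chunk: int) -> bytes:
    """Serialise one clamd zINSTREAM session.  clamd joins the length-prefixed
    chunks into a single temporary file before scanning, so chunk boundaries
    inside one session cannot split a signature; only separate sessions
    (separate scans of separate byte ranges) can."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        out += struct.pack(">I", len(piece)) + piece
    out += struct.pack(">I", 0)               # zero-length chunk ends the stream
    return bytes(out)


def instream_payload(frames: bytes) -> bytes:
    """Inverse of instream_frames: the bytes clamd would actually scan."""
    assert frames.startswith(b"zINSTREAM\0")
    pos, out = len(b"zINSTREAM\0"), bytearray()
    while True:
        (n,) = struct.unpack(">I", frames[pos:pos + 4])
        pos += 4
        if n == 0:
            return bytes(out)
        out += frames[pos:pos + n]
        pos += n


if __name__ == "__main__":
    sample = build_sample(4096, 1014)          # pattern straddles the 1024 boundary
    print("whole file:       ", toy_scan(sample))
    print("1024 B, overlap 0:", scan_in_chunks(sample, 1024, 0))
    ov = min_overlap([SIGNATURE])
    print("1024 B, overlap %d:" % ov, scan_in_chunks(sample, 1024, ov))
```

The distinction that matters for the original question: chunk boundaries inside a single INSTREAM session are harmless, because clamd reassembles the chunks into one temporary file before scanning (subject to its StreamMaxLength setting); it is separate scans of separate byte ranges, as in the "first 3 GB, then first N MB plus last 2 GB" scheme, that can split a signature. Overlapping the ranges by at least the longest plain pattern bounds that risk for byte-pattern signatures only; it does nothing for detections that need the whole file, such as hash signatures or archive and container parsing.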


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Benny Pedersen

On 2016-08-11 10:18, ancien compte wrote:

I've forgotten :)

wget -qO- http://www.kaspersky.fr/internet-security/  | clamscan -
stdin: Html.Exploit.CVE_2016_3326-3 FOUND


hopefully they read it here sooner or later? :=)

I am not good at French so hopefully their webmaster can receive mail


Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steven Morgan
filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:

> Guys,
>
> clamscan --database=test.yar blah.html
> LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
> "filename"
> LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error
> count 1
> test.yar: OK
> blah.html: OK
>
> test.yar
> rule TEST_BLAH_FILENAME
> {
>     strings:
>         $BLAH = "blah"
>     condition:
>         $BLAH and filename == "blah.html"
> }
>
> Am I missing something? or is filename unsupported by ClamAV's YARA engine?
>
> Thanks!
> Axb
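
An added example, not code from the thread or from the ClamAV project: a small pre-flight linter that checks a YARA file for the two constructs the ClamAV blog post quoted in Steve Basford's message says the ClamAV loader rejects (single-byte string components and external variables), which is also the undeclared-identifier problem Steven Morgan points out here. The function names, the keyword list and the sample rule are this example's own assumptions; it models only those documented loader limitations, not ClamAV's actual YARA parser.

```python
"""Added example (not from the thread or from ClamAV): a pre-flight linter for
YARA files that flags the two constructs the ClamAV blog says its loader
rejects, single-byte string components and external variables, before
clamscan reports "failed to parse rules file".  Line-oriented heuristic, not
a YARA grammar: one rule header per line, closing brace on its own line."""
import re
from typing import Dict, List, Set

# Identifiers YARA itself defines; a bare identifier in a condition that is not
# one of these, a $string reference or another rule's name is an external
# variable (the thread's "filename"), which ClamAV has no way to set.
YARA_KEYWORDS: Set[str] = {
    "all", "and", "any", "ascii", "at", "contains", "entrypoint", "false",
    "filesize", "for", "fullword", "in", "int8", "int16", "int32", "int8be",
    "int16be", "int32be", "matches", "nocase", "not", "of", "or", "them",
    "true", "uint8", "uint16", "uint32", "uint8be", "uint16be", "uint32be",
    "wide", "xor"}
MIN_COMPONENT = 2                                  # bytes; ClamAV matcher minimum
IDENT = re.compile(r"(?<![\w$#@!])[A-Za-z_]\w*")   # skips $a #a @a !a and 100KB
ESCAPE_OR_CHAR = re.compile(r"\\x[0-9A-Fa-f]{2}|\\.|.")  # one match per byte


def parse_rules(text: str) -> List[Dict]:
    """[{name, strings: {'$id': raw value}, condition}] for each rule in text."""
    rules, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if cur is None:
            m = re.match(r"(?:(?:private|global)\s+)*rule\s+(\w+)", line)
            if m:
                cur, section = {"name": m.group(1), "strings": {}, "condition": ""}, None
        elif line == "}":
            rules.append(cur)
            cur = None
        elif line in ("meta:", "strings:", "condition:"):
            section = line[:-1]
        elif section == "strings":
            sm = re.match(r"(\$\w*)\s*=\s*(.+)$", line)
            if sm:
                cur["strings"][sm.group(1)] = sm.group(2)
        elif section == "condition":
            cur["condition"] += " " + line
    return rules


def string_problems(name: str, value: str) -> List[str]:
    """Text strings must be >= 2 bytes; hex strings >= 2 bytes per run between
    ?? wildcards / [n-m] jumps.  /regex/ strings are not checked here."""
    out, v = [], value.strip()
    if v.startswith('"'):
        m = re.match(r'"((?:[^"\\]|\\.)*)"', v)
        n = len(ESCAPE_OR_CHAR.findall(m.group(1))) if m else 0
        if n < MIN_COMPONENT:
            out.append(f"{name}: text string is {n} byte(s), ClamAV needs >= {MIN_COMPONENT}")
    elif v.startswith("{"):
        end = v.find("}")
        run = 0                                    # bytes since the last wildcard
        for tok in v[1:end if end > 0 else None].split() + ["??"]:  # sentinel flush
            if tok == "??" or tok.startswith("["):
                if 0 < run < MIN_COMPONENT:
                    out.append(f"{name}: {run}-byte run between wildcards, "
                               f"ClamAV needs >= {MIN_COMPONENT}")
                run = 0
            else:
                run += 1
    return out


def condition_problems(cond: str, rule_names: Set[str]) -> List[str]:
    """Bare identifiers the rule never declared, i.e. external variables."""
    cond = re.sub(r'"(?:[^"\\]|\\.)*"', '""', cond)   # ignore string literals
    found = [t for t in IDENT.findall(cond) if t not in YARA_KEYWORDS and t not in rule_names]
    return [f'condition uses undeclared identifier "{t}" (external variable)'
            for t in dict.fromkeys(found)]          # dedupe, keep order


def lint(text: str) -> Dict[str, List[str]]:
    """Rule name -> constructs ClamAV's YARA loader would reject (empty = ok)."""
    rules = parse_rules(text)
    names = {r["name"] for r in rules}
    return {r["name"]: [p for s, v in r["strings"].items() for p in string_problems(s, v)]
            + condition_problems(r["condition"], names) for r in rules}


# Constructed sample: the rule from the thread, as posted.
THREAD_RULE = """rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}
"""

if __name__ == "__main__":
    for rule, problems in lint(THREAD_RULE).items():
        print(rule, "->", problems or "ok")
```

Run on the thread's rule it reports the `filename` identifier and nothing else. Replacing the external variable with YARA's own `filesize` keyword, as suggested in the reply above, gives a rule the linter passes; whether the rule then matches as intended in ClamAV is still something to confirm with clamscan against a test file, because the linter only checks the two documented loader limitations.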


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
good job
thx
On Thu, 11 Aug 2016 at 15:54, Alain Zidouemba wrote:

> The signature "Html.Exploit.CVE_2016_3326-3" has been removed and will be
> updated to take into account the false positives reported.
>
> Thanks,
>
> - Alain
>
> On Thu, Aug 11, 2016 at 6:36 AM, ancien compte 
> wrote:
>
> > and http://www.kaspersky.fr/internet-security etc. is accessible now
> > :)
> >
> > 2016-08-11 12:35 UTC+02:00, ancien compte :
> > > it works fine after the freshclam database update
> > > my daughter thanks you too :)
> > >
> > >
> > > Thu Aug 11 12:07:51 2016 -> Update process terminated
> > > Thu Aug 11 12:07:52 2016 -> --
> > > Thu Aug 11 12:07:52 2016 -> Current working dir is /var/lib/clamav
> > > Thu Aug 11 12:07:52 2016 -> freshclam daemon 0.99.2 (OS:
> > > linux-gnueabihf, ARCH: arm, CPU: arm)
> > > Thu Aug 11 12:07:52 2016 -> Max retries == 5
> > > Thu Aug 11 12:07:52 2016 -> ClamAV update process started at Thu Aug
> > > 11 12:07:52 2016
> > > Thu Aug 11 12:07:52 2016 -> Using IPv6 aware code
> > > Thu Aug 11 12:07:52 2016 -> Querying current.cvd.clamav.net
> > > Thu Aug 11 12:07:52 2016 -> TTL: 300
> > > Thu Aug 11 12:07:52 2016 -> Software version from DNS: 0.99.2
> > > Thu Aug 11 12:07:52 2016 -> Trying to download
> > >
> http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.hdb
> > > (IP: 62.210.244.190)
> > > Thu Aug 11 12:09:22 2016 -> Downloading securiteinfo.hdb [*]
> > > Thu Aug 11 12:09:22 2016 -> Loading signatures from securiteinfo.hdb
> > > Thu Aug 11 12:09:30 2016 -> Properly loaded 2271876 signatures from
> > > new securiteinfo.hdb
> > > Thu Aug 11 12:09:33 2016 -> securiteinfo.hdb updated (version: custom
> > > database, sigs: 2271876)
> > > Thu Aug 11 12:09:33 2016 -> Trying to download
> > >
> http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.ign2
> > > (IP: 62.210.244.190)
> > > Thu Aug 11 12:09:33 2016 -> Downloading securiteinfo.ign2 [*]
> > > Thu Aug 11 12:09:33 2016 -> Loading signatures from securiteinfo.ign2
> > > Thu Aug 11 12:09:33 2016 -> Properly loaded 0 signatures from new
> > > securiteinfo.ign2
> > > Thu Aug 11 12:09:33 2016 -> securiteinfo.ign2 updated (version: custom
> > > database, sigs: 235)
> > > Thu Aug 11 12:09:33 2016 -> Trying to download
> > > http://www.securiteinfo.com/get/signatures/XX0/javascript.ndb
> > > (IP: 62.210.244.190)
> > > Thu Aug 11 12:09:38 2016 -> Downloading javascript.ndb [*]
> > > Thu Aug 11 12:09:38 2016 -> Loading signatures from javascript.ndb
> > > Thu Aug 11 12:09:53 2016 -> Properly loaded 24217 signatures from new
> > > javascript.ndb
> > > Thu Aug 11 12:09:53 2016 -> javascript.ndb updated (version: custom
> > > database, sigs: 24218)
> > > Thu Aug 11 12:09:53 2016 -> Trying to download
> > > http://www.securiteinfo.com/get/signatures/XX0/
> > spam_marketing.ndb
> > > (IP: 62.210.244.190)
> > > Thu Aug 11 12:09:53 2016 -> Downloading spam_marketing.ndb [*]
> > > Thu Aug 11 12:09:53 2016 -> Loading signatures from spam_marketing.ndb
> > > Thu Aug 11 12:09:53 2016 -> Properly loaded 3584 signatures from new
> > > spam_marketing.ndb
> > > Thu Aug 11 12:09:53 2016 -> spam_marketing.ndb updated (version:
> > > custom database, sigs: 3584)
> > > Thu Aug 11 12:09:53 2016 -> Trying to download
> > > http://www.securiteinfo.com/get/signatures/XX0/
> > securiteinfohtml.hdb
> > > (IP: 62.210.244.190)
> > > Thu Aug 11 12:09:55 2016 -> Downloading securiteinfohtml.hdb [*]
> > > Thu Aug 11 12:09:55 2016 -> Loading signatures from
> securiteinfohtml.hdb
> > > Thu Aug 11 12:09:55 2016 -> Properly loaded 58245 signatures from new
> > > securiteinfohtml.hdb
> > > Thu Aug 11 12:09:55 2016 -> securiteinfohtml.hdb updated (version:
> > > custom database, sigs: 58245)
> > > Thu Aug 11 12:09:55 2016 -> Trying to download
> > > http://www.securiteinfo.com/get/signatures/XX0/
> > securiteinfoascii.hdb
> > > (IP: 62.210.244.190)
> > > Thu Aug 11 12:09:58 2016 -> Downloading securiteinfoascii.hdb [*]
> > > Thu Aug 11 12:09:58 2016 -> Loading signatures from
> securiteinfoascii.hdb
> > > Thu Aug 11 12:09:58 2016 -> Properly loaded 77057 signatures from new
> > > securiteinfoascii.hdb
> > > Thu Aug 11 12:09:59 2016 -> securiteinfoascii.hdb updated (version:
> > > custom database, sigs: 77057)
> > > Thu Aug 11 12:09:59 2016 -> Trying to download
> > > http://www.securiteinfo.com/get/signatures/XX0/
> > securiteinfoandroid.hdb
> > > (IP: 62.210.244.190)
> > > Thu Aug 11 12:10:02 2016 -> Downloading securiteinfoandroid.hdb [*]
> > > Thu Aug 11 12:10:02 2016 -> Loading signatures from
> > securiteinfoandroid.hdb
> > > Thu Aug 11 12:10:02 2016 -> Properly loaded 81713 signatures from new
> > > securiteinfoandroid.hdb
> > > Thu Aug 11 12:10:02 2016 -> securiteinfoandroid.hdb updated (version:
> > > custom database, sigs: 81713)
> > > Thu Aug 11 12:10:02 2016 -> main.cvd version from DNS: 57
> > > Thu Aug 11 12:10:02 2016 -> main.cvd is up to date (version: 57, 

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Alain Zidouemba
The signature "Html.Exploit.CVE_2016_3326-3" has been removed and will be
updated to take into account the false positives reported.

Thanks,

- Alain

On Thu, Aug 11, 2016 at 6:36 AM, ancien compte 
wrote:

> and http://www.kaspersky.fr/internet-security etc. is accessible now
> :)
>
> 2016-08-11 12:35 UTC+02:00, ancien compte :
> > it works fine after the freshclam database update
> > my daughter thanks you too :)
> >
> >
> > Thu Aug 11 12:07:51 2016 -> Update process terminated
> > Thu Aug 11 12:07:52 2016 -> --
> > Thu Aug 11 12:07:52 2016 -> Current working dir is /var/lib/clamav
> > Thu Aug 11 12:07:52 2016 -> freshclam daemon 0.99.2 (OS:
> > linux-gnueabihf, ARCH: arm, CPU: arm)
> > Thu Aug 11 12:07:52 2016 -> Max retries == 5
> > Thu Aug 11 12:07:52 2016 -> ClamAV update process started at Thu Aug
> > 11 12:07:52 2016
> > Thu Aug 11 12:07:52 2016 -> Using IPv6 aware code
> > Thu Aug 11 12:07:52 2016 -> Querying current.cvd.clamav.net
> > Thu Aug 11 12:07:52 2016 -> TTL: 300
> > Thu Aug 11 12:07:52 2016 -> Software version from DNS: 0.99.2
> > Thu Aug 11 12:07:52 2016 -> Trying to download
> > http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.hdb
> > (IP: 62.210.244.190)
> > Thu Aug 11 12:09:22 2016 -> Downloading securiteinfo.hdb [*]
> > Thu Aug 11 12:09:22 2016 -> Loading signatures from securiteinfo.hdb
> > Thu Aug 11 12:09:30 2016 -> Properly loaded 2271876 signatures from
> > new securiteinfo.hdb
> > Thu Aug 11 12:09:33 2016 -> securiteinfo.hdb updated (version: custom
> > database, sigs: 2271876)
> > Thu Aug 11 12:09:33 2016 -> Trying to download
> > http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.ign2
> > (IP: 62.210.244.190)
> > Thu Aug 11 12:09:33 2016 -> Downloading securiteinfo.ign2 [*]
> > Thu Aug 11 12:09:33 2016 -> Loading signatures from securiteinfo.ign2
> > Thu Aug 11 12:09:33 2016 -> Properly loaded 0 signatures from new
> > securiteinfo.ign2
> > Thu Aug 11 12:09:33 2016 -> securiteinfo.ign2 updated (version: custom
> > database, sigs: 235)
> > Thu Aug 11 12:09:33 2016 -> Trying to download
> > http://www.securiteinfo.com/get/signatures/XX0/javascript.ndb
> > (IP: 62.210.244.190)
> > Thu Aug 11 12:09:38 2016 -> Downloading javascript.ndb [*]
> > Thu Aug 11 12:09:38 2016 -> Loading signatures from javascript.ndb
> > Thu Aug 11 12:09:53 2016 -> Properly loaded 24217 signatures from new
> > javascript.ndb
> > Thu Aug 11 12:09:53 2016 -> javascript.ndb updated (version: custom
> > database, sigs: 24218)
> > Thu Aug 11 12:09:53 2016 -> Trying to download
> > http://www.securiteinfo.com/get/signatures/XX0/
> spam_marketing.ndb
> > (IP: 62.210.244.190)
> > Thu Aug 11 12:09:53 2016 -> Downloading spam_marketing.ndb [*]
> > Thu Aug 11 12:09:53 2016 -> Loading signatures from spam_marketing.ndb
> > Thu Aug 11 12:09:53 2016 -> Properly loaded 3584 signatures from new
> > spam_marketing.ndb
> > Thu Aug 11 12:09:53 2016 -> spam_marketing.ndb updated (version:
> > custom database, sigs: 3584)
> > Thu Aug 11 12:09:53 2016 -> Trying to download
> > http://www.securiteinfo.com/get/signatures/XX0/
> securiteinfohtml.hdb
> > (IP: 62.210.244.190)
> > Thu Aug 11 12:09:55 2016 -> Downloading securiteinfohtml.hdb [*]
> > Thu Aug 11 12:09:55 2016 -> Loading signatures from securiteinfohtml.hdb
> > Thu Aug 11 12:09:55 2016 -> Properly loaded 58245 signatures from new
> > securiteinfohtml.hdb
> > Thu Aug 11 12:09:55 2016 -> securiteinfohtml.hdb updated (version:
> > custom database, sigs: 58245)
> > Thu Aug 11 12:09:55 2016 -> Trying to download
> > http://www.securiteinfo.com/get/signatures/XX0/
> securiteinfoascii.hdb
> > (IP: 62.210.244.190)
> > Thu Aug 11 12:09:58 2016 -> Downloading securiteinfoascii.hdb [*]
> > Thu Aug 11 12:09:58 2016 -> Loading signatures from securiteinfoascii.hdb
> > Thu Aug 11 12:09:58 2016 -> Properly loaded 77057 signatures from new
> > securiteinfoascii.hdb
> > Thu Aug 11 12:09:59 2016 -> securiteinfoascii.hdb updated (version:
> > custom database, sigs: 77057)
> > Thu Aug 11 12:09:59 2016 -> Trying to download
> > http://www.securiteinfo.com/get/signatures/XX0/
> securiteinfoandroid.hdb
> > (IP: 62.210.244.190)
> > Thu Aug 11 12:10:02 2016 -> Downloading securiteinfoandroid.hdb [*]
> > Thu Aug 11 12:10:02 2016 -> Loading signatures from
> securiteinfoandroid.hdb
> > Thu Aug 11 12:10:02 2016 -> Properly loaded 81713 signatures from new
> > securiteinfoandroid.hdb
> > Thu Aug 11 12:10:02 2016 -> securiteinfoandroid.hdb updated (version:
> > custom database, sigs: 81713)
> > Thu Aug 11 12:10:02 2016 -> main.cvd version from DNS: 57
> > Thu Aug 11 12:10:02 2016 -> main.cvd is up to date (version: 57, sigs:
> > 4218790, f-level: 60, builder: amishhammer)
> > Thu Aug 11 12:10:02 2016 -> daily.cvd version from DNS: 22066
> > Thu Aug 11 12:10:02 2016 -> daily.cld is up to date (version: 22066,
> > sigs: 500202, f-level: 63, builder: neo)
> > Thu Aug 11 12:10:02 2016 -> safeb

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
and http://www.kaspersky.fr/internet-security etc. is accessible now :)

2016-08-11 12:35 UTC+02:00, ancien compte :
> it works fine after the freshclam database update
> my daughter thanks you too :)
>
>
> Thu Aug 11 12:07:51 2016 -> Update process terminated
> Thu Aug 11 12:07:52 2016 -> --
> Thu Aug 11 12:07:52 2016 -> Current working dir is /var/lib/clamav
> Thu Aug 11 12:07:52 2016 -> freshclam daemon 0.99.2 (OS:
> linux-gnueabihf, ARCH: arm, CPU: arm)
> Thu Aug 11 12:07:52 2016 -> Max retries == 5
> Thu Aug 11 12:07:52 2016 -> ClamAV update process started at Thu Aug
> 11 12:07:52 2016
> Thu Aug 11 12:07:52 2016 -> Using IPv6 aware code
> Thu Aug 11 12:07:52 2016 -> Querying current.cvd.clamav.net
> Thu Aug 11 12:07:52 2016 -> TTL: 300
> Thu Aug 11 12:07:52 2016 -> Software version from DNS: 0.99.2
> Thu Aug 11 12:07:52 2016 -> Trying to download
> http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.hdb
> (IP: 62.210.244.190)
> Thu Aug 11 12:09:22 2016 -> Downloading securiteinfo.hdb [*]
> Thu Aug 11 12:09:22 2016 -> Loading signatures from securiteinfo.hdb
> Thu Aug 11 12:09:30 2016 -> Properly loaded 2271876 signatures from
> new securiteinfo.hdb
> Thu Aug 11 12:09:33 2016 -> securiteinfo.hdb updated (version: custom
> database, sigs: 2271876)
> Thu Aug 11 12:09:33 2016 -> Trying to download
> http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.ign2
> (IP: 62.210.244.190)
> Thu Aug 11 12:09:33 2016 -> Downloading securiteinfo.ign2 [*]
> Thu Aug 11 12:09:33 2016 -> Loading signatures from securiteinfo.ign2
> Thu Aug 11 12:09:33 2016 -> Properly loaded 0 signatures from new
> securiteinfo.ign2
> Thu Aug 11 12:09:33 2016 -> securiteinfo.ign2 updated (version: custom
> database, sigs: 235)
> Thu Aug 11 12:09:33 2016 -> Trying to download
> http://www.securiteinfo.com/get/signatures/XX0/javascript.ndb
> (IP: 62.210.244.190)
> Thu Aug 11 12:09:38 2016 -> Downloading javascript.ndb [*]
> Thu Aug 11 12:09:38 2016 -> Loading signatures from javascript.ndb
> Thu Aug 11 12:09:53 2016 -> Properly loaded 24217 signatures from new
> javascript.ndb
> Thu Aug 11 12:09:53 2016 -> javascript.ndb updated (version: custom
> database, sigs: 24218)
> Thu Aug 11 12:09:53 2016 -> Trying to download
> http://www.securiteinfo.com/get/signatures/XX0/spam_marketing.ndb
> (IP: 62.210.244.190)
> Thu Aug 11 12:09:53 2016 -> Downloading spam_marketing.ndb [*]
> Thu Aug 11 12:09:53 2016 -> Loading signatures from spam_marketing.ndb
> Thu Aug 11 12:09:53 2016 -> Properly loaded 3584 signatures from new
> spam_marketing.ndb
> Thu Aug 11 12:09:53 2016 -> spam_marketing.ndb updated (version:
> custom database, sigs: 3584)
> Thu Aug 11 12:09:53 2016 -> Trying to download
> http://www.securiteinfo.com/get/signatures/XX0/securiteinfohtml.hdb
> (IP: 62.210.244.190)
> Thu Aug 11 12:09:55 2016 -> Downloading securiteinfohtml.hdb [*]
> Thu Aug 11 12:09:55 2016 -> Loading signatures from securiteinfohtml.hdb
> Thu Aug 11 12:09:55 2016 -> Properly loaded 58245 signatures from new
> securiteinfohtml.hdb
> Thu Aug 11 12:09:55 2016 -> securiteinfohtml.hdb updated (version:
> custom database, sigs: 58245)
> Thu Aug 11 12:09:55 2016 -> Trying to download
> http://www.securiteinfo.com/get/signatures/XX0/securiteinfoascii.hdb
> (IP: 62.210.244.190)
> Thu Aug 11 12:09:58 2016 -> Downloading securiteinfoascii.hdb [*]
> Thu Aug 11 12:09:58 2016 -> Loading signatures from securiteinfoascii.hdb
> Thu Aug 11 12:09:58 2016 -> Properly loaded 77057 signatures from new
> securiteinfoascii.hdb
> Thu Aug 11 12:09:59 2016 -> securiteinfoascii.hdb updated (version:
> custom database, sigs: 77057)
> Thu Aug 11 12:09:59 2016 -> Trying to download
> http://www.securiteinfo.com/get/signatures/XX0/securiteinfoandroid.hdb
> (IP: 62.210.244.190)
> Thu Aug 11 12:10:02 2016 -> Downloading securiteinfoandroid.hdb [*]
> Thu Aug 11 12:10:02 2016 -> Loading signatures from securiteinfoandroid.hdb
> Thu Aug 11 12:10:02 2016 -> Properly loaded 81713 signatures from new
> securiteinfoandroid.hdb
> Thu Aug 11 12:10:02 2016 -> securiteinfoandroid.hdb updated (version:
> custom database, sigs: 81713)
> Thu Aug 11 12:10:02 2016 -> main.cvd version from DNS: 57
> Thu Aug 11 12:10:02 2016 -> main.cvd is up to date (version: 57, sigs:
> 4218790, f-level: 60, builder: amishhammer)
> Thu Aug 11 12:10:02 2016 -> daily.cvd version from DNS: 22066
> Thu Aug 11 12:10:02 2016 -> daily.cld is up to date (version: 22066,
> sigs: 500202, f-level: 63, builder: neo)
> Thu Aug 11 12:10:02 2016 -> safebrowsing.cvd version from DNS: 44910
> Thu Aug 11 12:10:02 2016 -> safebrowsing.cvd is up to date (version:
> 44910, sigs: 2930264, f-level: 63, builder: google)
> Thu Aug 11 12:10:02 2016 -> bytecode.cvd version from DNS: 283
> Thu Aug 11 12:10:02 2016 -> bytecode.cvd is up to date (version: 283,
> sigs: 53, f-level: 63, builder: neo)
> Thu Aug 11 12:10:16 2016 -> Database updated (10166237 signat

Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
it works fine after the freshclam database update
my daughter thanks you too :)


Thu Aug 11 12:07:51 2016 -> Update process terminated
Thu Aug 11 12:07:52 2016 -> --
Thu Aug 11 12:07:52 2016 -> Current working dir is /var/lib/clamav
Thu Aug 11 12:07:52 2016 -> freshclam daemon 0.99.2 (OS:
linux-gnueabihf, ARCH: arm, CPU: arm)
Thu Aug 11 12:07:52 2016 -> Max retries == 5
Thu Aug 11 12:07:52 2016 -> ClamAV update process started at Thu Aug
11 12:07:52 2016
Thu Aug 11 12:07:52 2016 -> Using IPv6 aware code
Thu Aug 11 12:07:52 2016 -> Querying current.cvd.clamav.net
Thu Aug 11 12:07:52 2016 -> TTL: 300
Thu Aug 11 12:07:52 2016 -> Software version from DNS: 0.99.2
Thu Aug 11 12:07:52 2016 -> Trying to download
http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.hdb
(IP: 62.210.244.190)
Thu Aug 11 12:09:22 2016 -> Downloading securiteinfo.hdb [*]
Thu Aug 11 12:09:22 2016 -> Loading signatures from securiteinfo.hdb
Thu Aug 11 12:09:30 2016 -> Properly loaded 2271876 signatures from
new securiteinfo.hdb
Thu Aug 11 12:09:33 2016 -> securiteinfo.hdb updated (version: custom
database, sigs: 2271876)
Thu Aug 11 12:09:33 2016 -> Trying to download
http://www.securiteinfo.com/get/signatures/XX0/securiteinfo.ign2
(IP: 62.210.244.190)
Thu Aug 11 12:09:33 2016 -> Downloading securiteinfo.ign2 [*]
Thu Aug 11 12:09:33 2016 -> Loading signatures from securiteinfo.ign2
Thu Aug 11 12:09:33 2016 -> Properly loaded 0 signatures from new
securiteinfo.ign2
Thu Aug 11 12:09:33 2016 -> securiteinfo.ign2 updated (version: custom
database, sigs: 235)
Thu Aug 11 12:09:33 2016 -> Trying to download
http://www.securiteinfo.com/get/signatures/XX0/javascript.ndb
(IP: 62.210.244.190)
Thu Aug 11 12:09:38 2016 -> Downloading javascript.ndb [*]
Thu Aug 11 12:09:38 2016 -> Loading signatures from javascript.ndb
Thu Aug 11 12:09:53 2016 -> Properly loaded 24217 signatures from new
javascript.ndb
Thu Aug 11 12:09:53 2016 -> javascript.ndb updated (version: custom
database, sigs: 24218)
Thu Aug 11 12:09:53 2016 -> Trying to download
http://www.securiteinfo.com/get/signatures/XX0/spam_marketing.ndb
(IP: 62.210.244.190)
Thu Aug 11 12:09:53 2016 -> Downloading spam_marketing.ndb [*]
Thu Aug 11 12:09:53 2016 -> Loading signatures from spam_marketing.ndb
Thu Aug 11 12:09:53 2016 -> Properly loaded 3584 signatures from new
spam_marketing.ndb
Thu Aug 11 12:09:53 2016 -> spam_marketing.ndb updated (version:
custom database, sigs: 3584)
Thu Aug 11 12:09:53 2016 -> Trying to download
http://www.securiteinfo.com/get/signatures/XX0/securiteinfohtml.hdb
(IP: 62.210.244.190)
Thu Aug 11 12:09:55 2016 -> Downloading securiteinfohtml.hdb [*]
Thu Aug 11 12:09:55 2016 -> Loading signatures from securiteinfohtml.hdb
Thu Aug 11 12:09:55 2016 -> Properly loaded 58245 signatures from new
securiteinfohtml.hdb
Thu Aug 11 12:09:55 2016 -> securiteinfohtml.hdb updated (version:
custom database, sigs: 58245)
Thu Aug 11 12:09:55 2016 -> Trying to download
http://www.securiteinfo.com/get/signatures/XX0/securiteinfoascii.hdb
(IP: 62.210.244.190)
Thu Aug 11 12:09:58 2016 -> Downloading securiteinfoascii.hdb [*]
Thu Aug 11 12:09:58 2016 -> Loading signatures from securiteinfoascii.hdb
Thu Aug 11 12:09:58 2016 -> Properly loaded 77057 signatures from new
securiteinfoascii.hdb
Thu Aug 11 12:09:59 2016 -> securiteinfoascii.hdb updated (version:
custom database, sigs: 77057)
Thu Aug 11 12:09:59 2016 -> Trying to download
http://www.securiteinfo.com/get/signatures/XX0/securiteinfoandroid.hdb
(IP: 62.210.244.190)
Thu Aug 11 12:10:02 2016 -> Downloading securiteinfoandroid.hdb [*]
Thu Aug 11 12:10:02 2016 -> Loading signatures from securiteinfoandroid.hdb
Thu Aug 11 12:10:02 2016 -> Properly loaded 81713 signatures from new
securiteinfoandroid.hdb
Thu Aug 11 12:10:02 2016 -> securiteinfoandroid.hdb updated (version:
custom database, sigs: 81713)
Thu Aug 11 12:10:02 2016 -> main.cvd version from DNS: 57
Thu Aug 11 12:10:02 2016 -> main.cvd is up to date (version: 57, sigs:
4218790, f-level: 60, builder: amishhammer)
Thu Aug 11 12:10:02 2016 -> daily.cvd version from DNS: 22066
Thu Aug 11 12:10:02 2016 -> daily.cld is up to date (version: 22066,
sigs: 500202, f-level: 63, builder: neo)
Thu Aug 11 12:10:02 2016 -> safebrowsing.cvd version from DNS: 44910
Thu Aug 11 12:10:02 2016 -> safebrowsing.cvd is up to date (version:
44910, sigs: 2930264, f-level: 63, builder: google)
Thu Aug 11 12:10:02 2016 -> bytecode.cvd version from DNS: 283
Thu Aug 11 12:10:02 2016 -> bytecode.cvd is up to date (version: 283,
sigs: 53, f-level: 63, builder: neo)
Thu Aug 11 12:10:16 2016 -> Database updated (10166237 signatures)
from db.local.clamav.net
Thu Aug 11 12:10:16 2016 -> Clamd successfully notified about the update.
Thu Aug 11 12:10:16 2016 -> --


Thu Aug 11 12:11:28 2016 -> Reading databases from /var/lib/clamav


Thu Aug 11 12:23:44 2016 -> Received 0 file descriptor(s) fr
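
A freshclam log like the one above is easy to eyeball once, but not on every run. The following parser is an added example (not part of the original post and not ClamAV's own code): it reads the "version from DNS", "is up to date", "updated" and "Database updated" lines, reports which official databases are behind the version advertised over DNS, and flags an engine that is older than the release DNS announces. The first sample is constructed from the lines quoted in this thread (unwrapped); the second, stale sample is invented to show the failure case.

```python
"""Summarise a freshclam log: databases refreshed, local vs. DNS-advertised
database versions, and whether the engine itself is behind the release that
DNS announces. Added example; not part of ClamAV."""
import re

# Constructed sample, modelled on the freshclam log quoted in this thread
# (long lines unwrapped; the real log wraps them).
SAMPLE_LOG = """\
Thu Aug 11 12:07:52 2016 -> freshclam daemon 0.99.2 (OS: linux-gnueabihf, ARCH: arm, CPU: arm)
Thu Aug 11 12:07:52 2016 -> Software version from DNS: 0.99.2
Thu Aug 11 12:09:33 2016 -> securiteinfo.hdb updated (version: custom database, sigs: 2271876)
Thu Aug 11 12:10:02 2016 -> main.cvd version from DNS: 57
Thu Aug 11 12:10:02 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Thu Aug 11 12:10:02 2016 -> daily.cvd version from DNS: 22066
Thu Aug 11 12:10:02 2016 -> daily.cld is up to date (version: 22066, sigs: 500202, f-level: 63, builder: neo)
Thu Aug 11 12:10:02 2016 -> bytecode.cvd version from DNS: 283
Thu Aug 11 12:10:02 2016 -> bytecode.cvd is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
Thu Aug 11 12:10:16 2016 -> Database updated (10166237 signatures) from db.local.clamav.net
"""

# Invented failure case: an older engine, and a daily database that DNS
# advertises but for which no local "is up to date"/"updated" line appears
# (what a failed download looks like in the log).
STALE_LOG = """\
Thu Aug 11 12:07:52 2016 -> freshclam daemon 0.99.1 (OS: linux-gnueabihf, ARCH: arm, CPU: arm)
Thu Aug 11 12:07:52 2016 -> Software version from DNS: 0.99.2
Thu Aug 11 12:10:02 2016 -> main.cvd version from DNS: 57
Thu Aug 11 12:10:02 2016 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Thu Aug 11 12:10:02 2016 -> daily.cvd version from DNS: 22066
"""

PREFIX = r"^.*? -> "  # timestamp up to the first ' -> '
ENGINE_RE = re.compile(PREFIX + r"freshclam daemon (\S+) ")
DNS_SW_RE = re.compile(PREFIX + r"Software version from DNS: (\S+)$")
DNS_DB_RE = re.compile(PREFIX + r"(\S+)\.cvd version from DNS: (\d+)$")
LOCAL_RE = re.compile(PREFIX + r"(\S+)\.(?:cvd|cld) is up to date \(version: (\d+), sigs: (\d+)")
UPDATED_RE = re.compile(PREFIX + r"(\S+) updated \(version: (.+?), sigs: (\d+)\)$")
TOTAL_RE = re.compile(PREFIX + r"Database updated \((\d+) signatures\)")


def parse_freshclam(text):
    """Return a dict with engine/DNS versions, per-database state and the total."""
    state = {"engine": None, "dns_software": None, "dns": {}, "local": {},
             "updated": {}, "total_sigs": None}
    for line in text.splitlines():
        if (m := ENGINE_RE.match(line)):
            state["engine"] = m.group(1)
        elif (m := DNS_SW_RE.match(line)):
            state["dns_software"] = m.group(1)
        elif (m := DNS_DB_RE.match(line)):
            state["dns"][m.group(1)] = int(m.group(2))          # keyed by stem: main, daily, ...
        elif (m := LOCAL_RE.match(line)):
            state["local"][m.group(1)] = {"version": int(m.group(2)), "sigs": int(m.group(3))}
        elif (m := UPDATED_RE.match(line)):
            # Covers both official files ("main.cvd updated (version: 57, ...)")
            # and third-party ones ("version: custom database").
            state["updated"][m.group(1)] = {"version": m.group(2), "sigs": int(m.group(3))}
        elif (m := TOTAL_RE.match(line)):
            state["total_sigs"] = int(m.group(1))
    return state


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def engine_outdated(state):
    """True when DNS advertises a newer release than the running freshclam."""
    if not state["engine"] or not state["dns_software"]:
        return False
    return version_tuple(state["dns_software"]) > version_tuple(state["engine"])


def stale_databases(state):
    """Official databases whose local version is behind the DNS-advertised one,
    or that DNS lists but the log never shows as present locally."""
    stale = []
    for db, dns_ver in sorted(state["dns"].items()):
        local = state["local"].get(db)
        if local is not None:
            local_ver = local["version"]
        else:
            upd = state["updated"].get(db + ".cvd") or state["updated"].get(db + ".cld")
            local_ver = int(upd["version"]) if upd and upd["version"].isdigit() else None
        if local_ver is None or local_ver < dns_ver:
            stale.append(db)
    return stale


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("stale", STALE_LOG)):
        s = parse_freshclam(log)
        print(name, "total sigs:", s["total_sigs"], "stale:", stale_databases(s),
              "engine outdated:", engine_outdated(s))
```

Feed it the real log file (freshclam's log, or journal output with the same message format) and alert on a non-empty `stale_databases()` result or `engine_outdated()` being true; third-party databases such as securiteinfo.hdb have no DNS version, so they only appear under `updated`.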

[clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Axb

Guys,

clamscan --database=test.yar blah.html 

LibClamAV Error: yyerror(): test.yar line 6 undefined identifier 
"filename" 

LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, 
error count 1

test.yar: OK
blah.html: OK

test.yar
rule TEST_BLAH_FILENAME
{
    strings:
        $BLAH = "blah"
    condition:
        $BLAH and filename == "blah.html"
}

Am I missing something? Or is filename unsupported by ClamAV's YARA engine?

Thanks!
Axb
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
thx a lot

2016-08-11 11:14 UTC+02:00, Al Varnell :
> That server does not belong to Cisco/SourceFire/ClamAV.  You need to report
> it to i...@securiteinfo.com.
>
> -Al-
>
> On Thu, Aug 11, 2016 at 02:07 AM, ancien compte wrote:
>>
>> Also, the mirror clamav.securiteinfo.com does not work, can't resolve it
>


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
ok thx :)
I was using the script from Debian jessie's repo

2016-08-11 11:14 UTC+02:00, Steve Basford :
>
> On Thu, August 11, 2016 10:07 am, ancien compte wrote:
>> Also, the mirror clamav.securiteinfo.com does not work, can't resolve it
>>
> That's an old 3rd party signature domain... it's been gone a while..
>
> Latest download scripts here:
>
> http://sanesecurity.com/usage/linux-scripts/
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Twitter: @sanesecurity
>


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Steve Basford

On Thu, August 11, 2016 10:07 am, ancien compte wrote:
> Also, the mirror clamav.securiteinfo.com does not work, can't resolve it
>
That's an old 3rd party signature domain... it's been gone a while..

Latest download scripts here:

http://sanesecurity.com/usage/linux-scripts/

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity



Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Al Varnell
That server does not belong to Cisco/SourceFire/ClamAV.  You need to report it 
to i...@securiteinfo.com.

-Al-

On Thu, Aug 11, 2016 at 02:07 AM, ancien compte wrote:
> 
> Also, the mirror clamav.securiteinfo.com does not work, can't resolve it



Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
Also, the mirror clamav.securiteinfo.com does not work, can't resolve it

Best Regards


2016-08-11 10:22 UTC+02:00, Al Varnell :
> Submit to .
>
> -Al-
>
> On Thu, Aug 11, 2016 at 01:18 AM, ancien compte wrote:
>>
>> wget -qO- http://www.kaspersky.fr/internet-security/  | clamscan -
>> stdin: Html.Exploit.CVE_2016_3326-3 FOUND
>


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
ok,

thx, I did it one hour ago :)

have a nice day

2016-08-11 10:22 UTC+02:00, Al Varnell :
> Submit to .
>
> -Al-
>
> On Thu, Aug 11, 2016 at 01:18 AM, ancien compte wrote:
>>
>> wget -qO- http://www.kaspersky.fr/internet-security/  | clamscan -
>> stdin: Html.Exploit.CVE_2016_3326-3 FOUND
>


Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread Al Varnell
Submit to .

-Al-

On Thu, Aug 11, 2016 at 01:18 AM, ancien compte wrote:
> 
> wget -qO- http://www.kaspersky.fr/internet-security/  | clamscan -
> stdin: Html.Exploit.CVE_2016_3326-3 FOUND



Re: [clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
I've forgotten :)

wget -qO- http://www.kaspersky.fr/internet-security/  | clamscan -
stdin: Html.Exploit.CVE_2016_3326-3 FOUND

--- SCAN SUMMARY ---
Known viruses: 7809215
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.09 MB
Data read: 0.11 MB (ratio 0.81:1)
Time: 47.320 sec (0 m 47 s)

Best Regards

2016-08-11 10:12 UTC+02:00, ancien compte :
> hi,
>
> from every link inside "particular's links"
>
> http://www.kaspersky.fr/internet-security
> http://www.kaspersky.fr/total-security-multi-device
> http://www.kaspersky.fr/multi-device-security
>
> Virus name: Html.Exploit.CVE_2016_3326-3
>
> may we trust it on /var/lib/clamav/sigwhitelist.ign2 ?
>
> squid+c-icap+squidclamav
>
> - Windows 10 Family, up to date => Microsoft Windows [version 10.0.14393]
> - clamav-unofficial-sigs 3.7.2-2
> - squidclamav 6.15 from squid c-icap <= module clamd <= ClamAV
> 0.99.2/22065/Thu
> --- SCAN SUMMARY ---
> Known viruses: 7808960
> Engine version: 0.99.2
>
>
> Thu Aug 11 05:07:36 2016 -> Querying
> safebrowsing.44909.82.1.0.B2216984.ping.clamav.net
> Thu Aug 11 06:07:49 2016 -> Querying current.cvd.clamav.net
> Thu Aug 11 06:07:53 2016 -> Querying
> daily.22065.82.1.0.C39A07B0.ping.clamav.net
> Thu Aug 11 07:08:07 2016 -> Querying current.cvd.clamav.net
> Thu Aug 11 08:08:08 2016 -> Querying current.cvd.clamav.net
> Thu Aug 11 09:08:08 2016 -> Querying current.cvd.clamav.net
>
> LibClamAV debug: /var/lib/clamav/sigwhitelist.ign2 loaded
> LibClamAV debug: daily.info loaded
> LibClamAV debug: daily.cfg loaded
> LibClamAV debug: daily.ign loaded
> LibClamAV debug: daily.ign2 loaded
> LibClamAV debug: daily.ftm loaded
> LibClamAV debug: daily.hdb loaded
> LibClamAV debug: daily.hsb loaded
> LibClamAV debug: daily.mdb loaded
> LibClamAV debug: daily.msb loaded
> LibClamAV debug: daily.ndb loaded
> LibClamAV debug: daily.ldb loaded
> LibClamAV debug: daily.idb loaded
> LibClamAV debug: daily.fp loaded
> LibClamAV debug: daily.sfp loaded
> LibClamAV debug: daily.pdb loaded
> LibClamAV debug: daily.wdb loaded
> LibClamAV debug: daily.crb loaded
> LibClamAV debug: daily.cdb loaded
> LibClamAV debug: /var/lib/clamav/daily.cld loaded
> LibClamAV debug: /var/lib/clamav/sanesecurity.ftm loaded
> LibClamAV debug: /var/lib/clamav/blurl.ndb loaded
> LibClamAV debug: main.info loaded
> LibClamAV debug: main.hdb loaded
> LibClamAV debug: main.hsb loaded
> LibClamAV debug: main.mdb loaded
> LibClamAV debug: main.msb loaded
> LibClamAV debug: main.ndb loaded
> LibClamAV debug: main.fp loaded
> LibClamAV debug: main.sfp loaded
> LibClamAV debug: main.crb loaded
> LibClamAV debug: /var/lib/clamav/main.cvd loaded
> LibClamAV debug: bytecode.info loaded
> LibClamAV debug: 3986185.cbc loaded
> LibClamAV debug: 3986187.cbc loaded
> LibClamAV debug: 3986188.cbc loaded
> LibClamAV debug: 3986206.cbc loaded
> LibClamAV debug: 3986212.cbc loaded
> LibClamAV debug: 3986214.cbc loaded
> LibClamAV debug: 3986215.cbc loaded
> LibClamAV debug: 3986216.cbc loaded
> LibClamAV debug: 3986217.cbc loaded
> LibClamAV debug: 3986218.cbc loaded
> LibClamAV debug: 3986219.cbc loaded
> LibClamAV debug: 3986220.cbc loaded
> LibClamAV debug: 3986221.cbc loaded
> LibClamAV debug: 3986222.cbc loaded
> LibClamAV debug: 3986223.cbc loaded
> LibClamAV debug: 3986224.cbc loaded
> LibClamAV debug: 3986229.cbc loaded
> LibClamAV debug: 3986230.cbc loaded
> LibClamAV debug: 3986231.cbc loaded
> LibClamAV debug: 3986232.cbc loaded
> LibClamAV debug: 3986233.cbc loaded
> LibClamAV debug: 3986234.cbc loaded
> LibClamAV debug: 3986235.cbc loaded
> LibClamAV debug: 3986236.cbc loaded
> LibClamAV debug: 3986242.cbc loaded
> LibClamAV debug: 3986244.cbc loaded
> LibClamAV debug: 3986249.cbc loaded
> LibClamAV debug: 3986259.cbc loaded
> LibClamAV debug: 3986282.cbc loaded
> LibClamAV debug: 3986283.cbc loaded
> LibClamAV debug: 3986289.cbc loaded
> LibClamAV debug: 3986292.cbc loaded
> LibClamAV debug: 3986301.cbc loaded
> LibClamAV debug: 3986303.cbc loaded
> LibClamAV debug: 3986305.cbc loaded
> LibClamAV debug: 3986306.cbc loaded
> LibClamAV debug: 3986310.cbc loaded
> LibClamAV debug: 3986318.cbc loaded
> LibClamAV debug: 3986321.cbc loaded
> LibClamAV debug: 3986322.cbc loaded
> LibClamAV debug: 3986326.cbc loaded
> LibClamAV debug: 3986327.cbc loaded
> LibClamAV debug: 3986328.cbc loaded
> LibClamAV debug: 3986334.cbc loaded
> LibClamAV debug: 3986337.cbc loaded
> LibClamAV debug: 4306126.cbc loaded
> LibClamAV debug: 4306157.cbc loaded
> LibClamAV debug: 4307467.cbc loaded
> LibClamAV debug: 4310114.cbc loaded
> LibClamAV debug: 4416867.cbc loaded
> LibClamAV debug: 4510302.cbc loaded
> LibClamAV debug: 4526683.cbc loaded
> LibClamAV debug: 4553522.cbc loaded
> LibClamAV debug: /var/lib/clamav/bytecode.cvd loaded
> LibClamAV debug: /var/lib/clamav/junk.ndb loaded
> LibClamAV debug: /var/lib/clamav/jurlbl.ndb loaded
> LibClamAV debug: /var/lib/clamav/phish.ndb loaded
> LibClamAV debug:
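
The `wget -qO- ... | clamscan -` pipeline above prints one result line per scanned object (`stdin: Html.Exploit.CVE_2016_3326-3 FOUND`, `test.yar: OK`) followed by a `--- SCAN SUMMARY ---` block. The parser below is an added example, not from the original post and not ClamAV's own code: it turns that output into structured data so a scan can be checked (detections counted against the summary's "Infected files") and the signature names involved listed before anyone decides on a sigwhitelist.ign2 entry. The sample output is constructed from the lines quoted in this thread, with one clean result added so both result kinds appear.

```python
"""Parse clamscan text output into detections, clean files and the summary.
Added example; not part of ClamAV."""
import re
from dataclasses import dataclass, field

# Constructed sample: the clamscan output quoted in this thread, plus a
# clean "OK" line so both result kinds are exercised.
SAMPLE_OUTPUT = """\
stdin: Html.Exploit.CVE_2016_3326-3 FOUND
test.yar: OK

--- SCAN SUMMARY ---
Known viruses: 7809215
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.09 MB
Data read: 0.11 MB (ratio 0.81:1)
Time: 47.320 sec (0 m 47 s)
"""

# "<path>: <Signature> FOUND" or "<path>: OK"; the lazy path group lets a
# path containing ': ' still match, because the tail must end in FOUND/OK.
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|OK)$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
SUMMARY_MARKER = "--- SCAN SUMMARY ---"


@dataclass
class ScanReport:
    detections: dict = field(default_factory=dict)   # path -> signature name
    clean: list = field(default_factory=list)         # paths reported OK
    summary: dict = field(default_factory=dict)       # summary key -> raw value


def parse_clamscan(text):
    """Split clamscan output into per-file results and the summary block."""
    report = ScanReport()
    in_summary = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == SUMMARY_MARKER:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                report.summary[m.group("key")] = m.group("value")
            continue
        m = RESULT_RE.match(line)
        if m is None:
            continue                      # e.g. LibClamAV warnings/errors
        if m.group("sig"):
            report.detections[m.group("path")] = m.group("sig")
        else:
            report.clean.append(m.group("path"))
    return report


def infected_count(report):
    """The summary's own count of infected files (0 if the block is missing)."""
    return int(report.summary.get("Infected files", 0))


def summary_consistent(report):
    """True when the FOUND lines we parsed agree with the summary count."""
    return infected_count(report) == len(report.detections)


def signatures_found(report):
    """Sorted unique signature names. Each line of a .ign2 file is exactly one
    such name, so this is the list to review before whitelisting anything."""
    return sorted(set(report.detections.values()))


if __name__ == "__main__":
    r = parse_clamscan(SAMPLE_OUTPUT)
    print("detections:", r.detections)
    print("clean:", r.clean)
    print("consistent:", summary_consistent(r))
    print("signatures:", signatures_found(r))
```

To use it on a live scan, pipe the scanner's output in (`wget -qO- URL | clamscan - | python3 parse_clamscan.py`, reading `sys.stdin.read()` instead of `SAMPLE_OUTPUT`); a `summary_consistent()` of false means output was truncated or interleaved with other messages and the run should not be trusted.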

[clamav-users] daily sig 22066 and kaspersky site Html.Exploit.CVE_2016_3326-3

2016-08-11 Thread ancien compte
hi,

from every link inside "particular's links"

http://www.kaspersky.fr/internet-security
http://www.kaspersky.fr/total-security-multi-device
http://www.kaspersky.fr/multi-device-security

Virus name: Html.Exploit.CVE_2016_3326-3

may we trust it on /var/lib/clamav/sigwhitelist.ign2 ?

squid+c-icap+squidclamav

- Windows 10 Family, up to date => Microsoft Windows [version 10.0.14393]
- clamav-unofficial-sigs 3.7.2-2
- squidclamav 6.15 from squid c-icap <= module clamd <= ClamAV 0.99.2/22065/Thu
--- SCAN SUMMARY ---
Known viruses: 7808960
Engine version: 0.99.2


Thu Aug 11 05:07:36 2016 -> Querying
safebrowsing.44909.82.1.0.B2216984.ping.clamav.net
Thu Aug 11 06:07:49 2016 -> Querying current.cvd.clamav.net
Thu Aug 11 06:07:53 2016 -> Querying daily.22065.82.1.0.C39A07B0.ping.clamav.net
Thu Aug 11 07:08:07 2016 -> Querying current.cvd.clamav.net
Thu Aug 11 08:08:08 2016 -> Querying current.cvd.clamav.net
Thu Aug 11 09:08:08 2016 -> Querying current.cvd.clamav.net

LibClamAV debug: /var/lib/clamav/sigwhitelist.ign2 loaded
LibClamAV debug: daily.info loaded
LibClamAV debug: daily.cfg loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: daily.ign2 loaded
LibClamAV debug: daily.ftm loaded
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.hsb loaded
LibClamAV debug: daily.mdb loaded
LibClamAV debug: daily.msb loaded
LibClamAV debug: daily.ndb loaded
LibClamAV debug: daily.ldb loaded
LibClamAV debug: daily.idb loaded
LibClamAV debug: daily.fp loaded
LibClamAV debug: daily.sfp loaded
LibClamAV debug: daily.pdb loaded
LibClamAV debug: daily.wdb loaded
LibClamAV debug: daily.crb loaded
LibClamAV debug: daily.cdb loaded
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: /var/lib/clamav/sanesecurity.ftm loaded
LibClamAV debug: /var/lib/clamav/blurl.ndb loaded
LibClamAV debug: main.info loaded
LibClamAV debug: main.hdb loaded
LibClamAV debug: main.hsb loaded
LibClamAV debug: main.mdb loaded
LibClamAV debug: main.msb loaded
LibClamAV debug: main.ndb loaded
LibClamAV debug: main.fp loaded
LibClamAV debug: main.sfp loaded
LibClamAV debug: main.crb loaded
LibClamAV debug: /var/lib/clamav/main.cvd loaded
LibClamAV debug: bytecode.info loaded
LibClamAV debug: 3986185.cbc loaded
LibClamAV debug: 3986187.cbc loaded
LibClamAV debug: 3986188.cbc loaded
LibClamAV debug: 3986206.cbc loaded
LibClamAV debug: 3986212.cbc loaded
LibClamAV debug: 3986214.cbc loaded
LibClamAV debug: 3986215.cbc loaded
LibClamAV debug: 3986216.cbc loaded
LibClamAV debug: 3986217.cbc loaded
LibClamAV debug: 3986218.cbc loaded
LibClamAV debug: 3986219.cbc loaded
LibClamAV debug: 3986220.cbc loaded
LibClamAV debug: 3986221.cbc loaded
LibClamAV debug: 3986222.cbc loaded
LibClamAV debug: 3986223.cbc loaded
LibClamAV debug: 3986224.cbc loaded
LibClamAV debug: 3986229.cbc loaded
LibClamAV debug: 3986230.cbc loaded
LibClamAV debug: 3986231.cbc loaded
LibClamAV debug: 3986232.cbc loaded
LibClamAV debug: 3986233.cbc loaded
LibClamAV debug: 3986234.cbc loaded
LibClamAV debug: 3986235.cbc loaded
LibClamAV debug: 3986236.cbc loaded
LibClamAV debug: 3986242.cbc loaded
LibClamAV debug: 3986244.cbc loaded
LibClamAV debug: 3986249.cbc loaded
LibClamAV debug: 3986259.cbc loaded
LibClamAV debug: 3986282.cbc loaded
LibClamAV debug: 3986283.cbc loaded
LibClamAV debug: 3986289.cbc loaded
LibClamAV debug: 3986292.cbc loaded
LibClamAV debug: 3986301.cbc loaded
LibClamAV debug: 3986303.cbc loaded
LibClamAV debug: 3986305.cbc loaded
LibClamAV debug: 3986306.cbc loaded
LibClamAV debug: 3986310.cbc loaded
LibClamAV debug: 3986318.cbc loaded
LibClamAV debug: 3986321.cbc loaded
LibClamAV debug: 3986322.cbc loaded
LibClamAV debug: 3986326.cbc loaded
LibClamAV debug: 3986327.cbc loaded
LibClamAV debug: 3986328.cbc loaded
LibClamAV debug: 3986334.cbc loaded
LibClamAV debug: 3986337.cbc loaded
LibClamAV debug: 4306126.cbc loaded
LibClamAV debug: 4306157.cbc loaded
LibClamAV debug: 4307467.cbc loaded
LibClamAV debug: 4310114.cbc loaded
LibClamAV debug: 4416867.cbc loaded
LibClamAV debug: 4510302.cbc loaded
LibClamAV debug: 4526683.cbc loaded
LibClamAV debug: 4553522.cbc loaded
LibClamAV debug: /var/lib/clamav/bytecode.cvd loaded
LibClamAV debug: /var/lib/clamav/junk.ndb loaded
LibClamAV debug: /var/lib/clamav/jurlbl.ndb loaded
LibClamAV debug: /var/lib/clamav/phish.ndb loaded
LibClamAV debug: /var/lib/clamav/rogue.hdb loaded
LibClamAV debug: /var/lib/clamav/spamattach.hdb loaded
LibClamAV debug: /var/lib/clamav/scam.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow.attachments.hdb loaded
LibClamAV debug: /var/lib/clamav/spamimg.hdb loaded
LibClamAV debug: /var/lib/clamav/winnow_extended_malware.hdb loaded
LibClamAV debug: /var/lib/clamav/winnow_bad_cw.hdb loaded
LibClamAV debug: /var/lib/clamav/winnow_malware_links.ndb loaded
LibClamAV debug: /var/lib/clamav/winnow_malware.hdb loaded
LibClamAV debug: /var/lib/clamav/bofhland_cracked_URL.ndb loaded
LibClamAV debug: /var/lib/clamav/doppelstern.hdb loaded
LibClamAV debug: safebr