Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread bitfuzzy

Actually it appears that only "part" of AVG detects it.

Virustotal indicates that AVG cleared the file as being "clean" however 
the second site (garyshood.com) seemed to use AVG "command line"


Given the reputation of some of the scanners referenced by Virustotal, 
not to mention the sheer number of negative results for the file, I'd 
have to question the legitimacy of garyshood.com in general



On 11/07/2016 02:10 PM, Al Varnell wrote:

So it seems to me if only one scanner detects this “test” file then it’s far 
from being the universal industry standard test file that EICAR is.  Maybe I’m 
missing something, but your penetration testers would appear to be a fraud or 
shill for AVG or both?  I’m not sure why the Cisco/ClamAV folks would be 
interested in it without a more persuasive argument.

-Al-

On Mon, Nov 07, 2016 at 08:26 AM, Richard McCombie wrote:

Thanks Al.

virustotal.com doesn't show any problems with the file, but a site called
Gary's Hood does:

https://www.virustotal.com/en/file/14b2420f7490e612b9f0c65af180268b2ad41c3ec209b42f4d085aacb8ef973f/analysis/1478535605/

http://www.garyshood.com/virus/results.php?r=13710b10bf25b727cbf32c29d9ba3a56


The penetration testers use the file (MD5 #:
13710b10bf25b727cbf32c29d9ba3a56) as part of their AV testing.


R

On 7 November 2016 at 16:12, Al Varnell  wrote:


Try uploading it to  and give us the link to
the analysis page.  I don’t find that anything with that MD5 has been
uploaded.

-Al-

On Mon, Nov 07, 2016 at 07:25 AM, Richard McCombie wrote:

I uploaded a small ASCII-format file, which, like the EICAR test file, is
supposed to trigger a warning from AV software. I'd be happy to email this
to the appropriate address, but I won't do that until someone can confirm
which address I can use without breaking any rules.

Thank you for your help.

On 7 November 2016 at 15:21, Al Varnell wrote:


I’m a bit confused by this. Did you send a virus signature or did you
upload malware? Those are not at all the same thing.

-Al-

On Mon, Nov 07, 2016 at 06:05 AM, Richard McCombie wrote:

Thanks Joel.

I have subscribed to community-sigs; the welcome message informs me that
virus samples are not to be sent to the list:

Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
http://www.clamav.net/sendvirus

On 7 November 2016 at 14:01, Joel Esler (jesler) wrote:


The processing that comes in through the website is largely automated.
Submitting signatures should be done through the community-sigs list, until
we make a submission method through the website.

Sent from my iPad

On Nov 7, 2016, at 6:45 AM, Richard McCombie wrote:

Good morning,

I submitted a virus signature (at http://www.clamav.net/reports/malware)
on 17th October. I used the name Richard McCombie for this.

It would be great if you could incorporate this virus sample into your
database of virus signatures. I am working on helping a client pass their
penetration test; they are currently failing the test, because this virus
sample, which is detected as a virus by other scanners, passes the ClamAV
scan undetected.

The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56

If you want me to resubmit this file, that is no problem.

Many thanks, in advance,


Richard

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

-Al-




Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Al Varnell
So it seems to me if only one scanner detects this “test” file then it’s far 
from being the universal industry standard test file that EICAR is.  Maybe I’m 
missing something, but your penetration testers would appear to be a fraud or 
shill for AVG or both?  I’m not sure why the Cisco/ClamAV folks would be 
interested in it without a more persuasive argument.

-Al-

On Mon, Nov 07, 2016 at 08:26 AM, Richard McCombie wrote:
> 
> Thanks Al.
> 
> virustotal.com doesn't show any problems with the file, but a site called
> Gary's Hood does:
> 
> https://www.virustotal.com/en/file/14b2420f7490e612b9f0c65af180268b2ad41c3ec209b42f4d085aacb8ef973f/analysis/1478535605/
> 
> http://www.garyshood.com/virus/results.php?r=13710b10bf25b727cbf32c29d9ba3a56
> 
> 
> The penetration testers use the file (MD5 #:
> 13710b10bf25b727cbf32c29d9ba3a56) as part of their AV testing.
> 
> 
> R
> 
> On 7 November 2016 at 16:12, Al Varnell  wrote:
> 
>> Try uploading it to  and give us the link to
>> the analysis page.  I don’t find that anything with that MD5 has been
>> uploaded.
>> 
>> -Al-
>> 
>> On Mon, Nov 07, 2016 at 07:25 AM, Richard McCombie wrote:
>>> 
>>> I uploaded a small ASCII-format file, which, like the EICAR test file, is
>>> supposed to trigger a warning from AV software. I'd be happy to email this
>>> to the appropriate address, but I won't do that until someone can confirm
>>> which address I can use without breaking any rules.
>>>
>>> Thank you for your help.
>>>
>>> On 7 November 2016 at 15:21, Al Varnell wrote:
>>>
>>>> I’m a bit confused by this. Did you send a virus signature or did you
>>>> upload malware? Those are not at all the same thing.
>>>>
>>>> -Al-
>>>>
>>>> On Mon, Nov 07, 2016 at 06:05 AM, Richard McCombie wrote:
>>>>>
>>>>> Thanks Joel.
>>>>>
>>>>> I have subscribed to community-sigs; the welcome message informs me that
>>>>> virus samples are not to be sent to the list:
>>>>>
>>>>> Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
>>>>> SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
>>>>> http://www.clamav.net/sendvirus
>>>>>
>>>>> On 7 November 2016 at 14:01, Joel Esler (jesler) wrote:
>>>>>
>>>>>> The processing that comes in through the website is largely automated.
>>>>>> Submitting signatures should be done through the community-sigs list, until
>>>>>> we make a submission method through the website.
>>>>>>
>>>>>> Sent from my iPad
>>>>>>
>>>>>> On Nov 7, 2016, at 6:45 AM, Richard McCombie wrote:
>>>>>>>
>>>>>>> Good morning,
>>>>>>>
>>>>>>> I submitted a virus signature (at http://www.clamav.net/reports/malware)
>>>>>>> on 17th October. I used the name Richard McCombie for this.
>>>>>>>
>>>>>>> It would be great if you could incorporate this virus sample into your
>>>>>>> database of virus signatures. I am working on helping a client pass their
>>>>>>> penetration test; they are currently failing the test, because this virus
>>>>>>> sample, which is detected as a virus by other scanners, passes the ClamAV
>>>>>>> scan undetected.
>>>>>>>
>>>>>>> The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56
>>>>>>>
>>>>>>> If you want me to resubmit this file, that is no problem.
>>>>>>>
>>>>>>> Many thanks, in advance,
>>>>>>>
>>>>>>>
>>>>>>> Richard
>> 

-Al-
-- 
Al Varnell
Mountain View, CA








Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Richard McCombie
Thanks Al.

virustotal.com doesn't show any problems with the file, but a site called
Gary's Hood does:

https://www.virustotal.com/en/file/14b2420f7490e612b9f0c65af180268b2ad41c3ec209b42f4d085aacb8ef973f/analysis/1478535605/

http://www.garyshood.com/virus/results.php?r=13710b10bf25b727cbf32c29d9ba3a56


The penetration testers use the file (MD5 #:
13710b10bf25b727cbf32c29d9ba3a56) as part of their AV testing.


R

On 7 November 2016 at 16:12, Al Varnell  wrote:

> Try uploading it to  and give us the link to
> the analysis page.  I don’t find that anything with that MD5 has been
> uploaded.
>
> -Al-
>
> On Mon, Nov 07, 2016 at 07:25 AM, Richard McCombie wrote:
> >
> > I uploaded a small ASCII-format file, which, like the EICAR test file, is
> > supposed to trigger a warning from AV software. I'd be happy to email this
> > to the appropriate address, but I won't do that until someone can confirm
> > which address I can use without breaking any rules.
> >
> > Thank you for your help.
> >
> > On 7 November 2016 at 15:21, Al Varnell wrote:
> >
> >> I’m a bit confused by this. Did you send a virus signature or did you
> >> upload malware? Those are not at all the same thing.
> >>
> >> -Al-
> >>
> >> On Mon, Nov 07, 2016 at 06:05 AM, Richard McCombie wrote:
> >>>
> >>> Thanks Joel.
> >>>
> >>> I have subscribed to community-sigs; the welcome message informs me that
> >>> virus samples are not to be sent to the list:
> >>>
> >>> Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
> >>> SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
> >>> http://www.clamav.net/sendvirus
> >>>
> >>> On 7 November 2016 at 14:01, Joel Esler (jesler) wrote:
> >>>
> >>>> The processing that comes in through the website is largely automated.
> >>>> Submitting signatures should be done through the community-sigs list, until
> >>>> we make a submission method through the website.
> >>>>
> >>>> Sent from my iPad
> >>>>
> >>>> On Nov 7, 2016, at 6:45 AM, Richard McCombie wrote:
> >>>>>
> >>>>> Good morning,
> >>>>>
> >>>>> I submitted a virus signature (at http://www.clamav.net/reports/malware)
> >>>>> on 17th October. I used the name Richard McCombie for this.
> >>>>>
> >>>>> It would be great if you could incorporate this virus sample into your
> >>>>> database of virus signatures. I am working on helping a client pass their
> >>>>> penetration test; they are currently failing the test, because this virus
> >>>>> sample, which is detected as a virus by other scanners, passes the ClamAV
> >>>>> scan undetected.
> >>>>>
> >>>>> The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56
> >>>>>
> >>>>> If you want me to resubmit this file, that is no problem.
> >>>>>
> >>>>> Many thanks, in advance,
> >>>>>
> >>>>>
> >>>>> Richard
>
>



-- 
Richard McCombie

DevOps Engineer



Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Al Varnell
Try uploading it to  and give us the link to the 
analysis page.  I don’t find that anything with that MD5 has been uploaded.

-Al-

On Mon, Nov 07, 2016 at 07:25 AM, Richard McCombie wrote:
> 
> I uploaded a small ASCII-format file, which, like the EICAR test file, is
> supposed to trigger a warning from AV software. I'd be happy to email this
> to the appropriate address, but I won't do that until someone can confirm
> which address I can use without breaking any rules.
> 
> Thank you for your help.
> 
> On 7 November 2016 at 15:21, Al Varnell wrote:
> 
>> I’m a bit confused by this. Did you send a virus signature or did you
>> upload malware? Those are not at all the same thing.
>> 
>> -Al-
>> 
>> On Mon, Nov 07, 2016 at 06:05 AM, Richard McCombie wrote:
>>> 
>>> Thanks Joel.
>>> 
>>> I have subscribed to community-sigs; the welcome message informs me that
>>> virus samples are not to be sent to the list:
>>> 
>>> Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
>>> SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
>>> http://www.clamav.net/sendvirus
>>> 
>>> On 7 November 2016 at 14:01, Joel Esler (jesler) wrote:
>>> 
>>>> The processing that comes in through the website is largely automated.
>>>> Submitting signatures should be done through the community-sigs list, until
>>>> we make a submission method through the website.
>>>>
>>>> Sent from my iPad
>>>>
>>>> On Nov 7, 2016, at 6:45 AM, Richard McCombie wrote:
>>>>>
>>>>> Good morning,
>>>>>
>>>>> I submitted a virus signature (at http://www.clamav.net/reports/malware)
>>>>> on 17th October. I used the name Richard McCombie for this.
>>>>>
>>>>> It would be great if you could incorporate this virus sample into your
>>>>> database of virus signatures. I am working on helping a client pass their
>>>>> penetration test; they are currently failing the test, because this virus
>>>>> sample, which is detected as a virus by other scanners, passes the ClamAV
>>>>> scan undetected.
>>>>>
>>>>> The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56
>>>>>
>>>>> If you want me to resubmit this file, that is no problem.
>>>>>
>>>>> Many thanks, in advance,
>>>>>
>>>>>
>>>>> Richard



Re: [clamav-users] Issue with daily-22474

2016-11-07 Thread Al Varnell
Thanks for the explanation, but all the user issues observed by Mark and I 
involved scan engine 0.99.2.

-Al-

On Mon, Nov 07, 2016 at 06:48 AM, Joel Esler (jesler) wrote:
> 
> We split the daily into two, essentially, from what I understand.   Then 
> changed the flevel on the second set.  This will allow older versions of 
> ClamAV to receive updates, without crashing and newer versions of ClamAV to 
> handle everything.  
> 
> Maybe the speed of the connection or the mirror?
> 
> Sent from my iPhone
> 
>> On Nov 7, 2016, at 9:12 AM, Mark Allan  wrote:
>> 
>> Hi Joel,
>> 
>> Thanks for the explanation.  I'm still confused/surprised as to why such a 
>> large cdiff should cause freshclam to hang though.  What is the file size 
>> limit that freshclam can handle safely? Also, given the cdiff file was 
>> approximately the same size as the entire daily db, would it have been 
>> better simply to skip that cdiff, causing everyone to re-download a new 
>> daily.cvd?  Or is that not advisable for some reason?
>> 
>> Thanks.
>> Mark
>> 
>>> On 7 Nov 2016, at 1:58 pm, Joel Esler (jesler)  wrote:
>>> 
>>> Oh my, I apologize, it just dawned on me that I sent a note to the mirrors 
>>> list, but not to the users list.
>>> 
>>> A "larger than normal" cdiff to the Daily.cvd was published.  Unfortunately 
>>> with the timeline that we had to publish it, and my personal travel 
>>> schedule, I was not able to put out a note prior to it being published, but 
>>> I wanted to take a second to explain what happened.
>>> 
>>> The failure condition symptom in ClamAV was the message "LibClamAV Error: 
>>> mpool_malloc(): Attempt to allocate 8388608 bytes.", and was 
>>> documented as ClamAV bug 11647: 
>>> https://bugzilla.clamav.net/show_bug.cgi?id=11647.
>>> 
>>> This affects ClamAV versions before 0.98. There is a maximum mpool size 
>>> limit that was reached based on the total signatures combined in memory of 
>>> ClamAV holding the main and daily CVD.
>>> 
>>> Those versions of ClamAV are EOL, and we knew we wanted to continue to add 
>>> coverage for ClamAV users. We found a way to fit a smaller working 
>>> signature set within the memory limits for the unsupported older versions, 
>>> while still providing all signature content for supported and future 
>>> versions. Therefore many new signatures will be marked for ClamAV 0.98 and 
>>> forward (flevel increase) , and we have shifted a large number of 
>>> signatures to allow prior versions to load the smaller signature set.
>>> 
>>> We still strongly recommend that ClamAV users update their software in 
>>> order to get full coverage from ClamAV. We cannot change the hard limits of 
>>> the old versions, but from the comments on the mailing list and Bugzilla 
>>> this should smooth the upgrade path. For any users running into issues 
>>> upgrading ClamAV, look on the ClamAV Bugzilla for details. Several other 
>>> tricky upgrade related questions have already been raised and settled in 
>>> the comment section.
>>> 
>>> Bottom line is, if you are using a version of ClamAV prior to 0.98.0 (0.97, 
>>> 0.96, etc) you need to upgrade _now_.
>>> 
>>> Please do not hesitate to ask me any questions concerning this.
>>> 
>>> Sent from my iPad
>>> 
>>> On Nov 7, 2016, at 6:52 AM, Mark Allan <markjal...@gmail.com> wrote:
>>> 
>>> Hi folks,
>>> 
>>> Was "daily-22474.cdiff" supposed to be ~20MB in size? The freshclam binary 
>>> seems to hang whilst processing it, and if left long enough, you end up 
>>> with a corrupt daily.cld database.
>>> 
>>> I'm surprised no-one else has reported this here, so I'm wondering was it 
>>> only the UK mirrors that were affected? Has anyone any idea what went wrong?
>>> 
>>> Mark
>> 

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Richard McCombie
I uploaded a small ASCII-format file, which, like the EICAR test file, is
supposed to trigger a warning from AV software. I'd be happy to email this
to the appropriate address, but I won't do that until someone can confirm
which address I can use without breaking any rules.

Thank you for your help.

On 7 November 2016 at 15:21, Al Varnell  wrote:

> I’m a bit confused by this. Did you send a virus signature or did you
> upload malware? Those are not at all the same thing.
>
> -Al-
>
> On Mon, Nov 07, 2016 at 06:05 AM, Richard McCombie wrote:
> >
> > Thanks Joel.
> >
> > I have subscribed to community-sigs; the welcome message informs me that
> > virus samples are not to be sent to the list:
> >
> > Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
> > SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
> > http://www.clamav.net/sendvirus
> >
> > On 7 November 2016 at 14:01, Joel Esler (jesler) wrote:
> >
> >> The processing that comes in through the website is largely automated.
> >> Submitting signatures should be done through the community-sigs list, until
> >> we make a submission method through the website.
> >>
> >> Sent from my iPad
> >>
> >>> On Nov 7, 2016, at 6:45 AM, Richard McCombie <richard.mccom...@onfido.com> wrote:
> >>>
> >>> Good morning,
> >>>
> >>> I submitted a virus signature (at http://www.clamav.net/reports/malware)
> >>> on 17th October. I used the name Richard McCombie for this.
> >>>
> >>> It would be great if you could incorporate this virus sample into your
> >>> database of virus signatures. I am working on helping a client pass their
> >>> penetration test; they are currently failing the test, because this virus
> >>> sample, which is detected as a virus by other scanners, passes the ClamAV
> >>> scan undetected.
> >>>
> >>> The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56
> >>>
> >>> If you want me to resubmit this file, that is no problem.
> >>>
> >>> Many thanks, in advance,
> >>>
> >>>
> >>> Richard
>
>



-- 
Richard McCombie

DevOps Engineer



Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Al Varnell
I’m a bit confused by this. Did you send a virus signature or did you upload 
malware? Those are not at all the same thing.

-Al-

On Mon, Nov 07, 2016 at 06:05 AM, Richard McCombie wrote:
> 
> Thanks Joel.
> 
> I have subscribed to community-sigs; the welcome message informs me that
> virus samples are not to be sent to the list:
> 
> Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
> SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
> http://www.clamav.net/sendvirus
> 
> On 7 November 2016 at 14:01, Joel Esler (jesler)  wrote:
> 
>> The processing that comes in through the website is largely automated.
>> Submitting signatures should be done through the community-sigs list, until
>> we make a submission method through the website.
>> 
>> Sent from my iPad
>> 
>>> On Nov 7, 2016, at 6:45 AM, Richard McCombie <richard.mccom...@onfido.com> wrote:
>>>
>>> Good morning,
>>>
>>> I submitted a virus signature (at http://www.clamav.net/reports/malware)
>>> on 17th October. I used the name Richard McCombie for this.
>>>
>>> It would be great if you could incorporate this virus sample into your
>>> database of virus signatures. I am working on helping a client pass their
>>> penetration test; they are currently failing the test, because this virus
>>> sample, which is detected as a virus by other scanners, passes the ClamAV
>>> scan undetected.
>>>
>>> The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56
>>> 
>>> If you want me to resubmit this file, that is no problem.
>>> 
>>> Many thanks, in advance,
>>> 
>>> 
>>> Richard



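The difference between a signature and a sample raised in the message above, as an added example (not part of the thread and not ClamAV's own code): a hash signature is a one-line database record derived from a file, in the `hash:filesize:name` layout ClamAV uses for `.hdb` (MD5) and `.hsb` (SHA-256) databases. The sample bytes and the names `Local.PentestTestFile*` are constructed for illustration.

```python
import hashlib

# Constructed stand-in for a small ASCII test file; NOT the file from the thread.
SAMPLE = b"CONSTRUCTED-AV-TEST-FILE harmless ASCII content for this example only\n"

# Hex digest length -> algorithm, so a parsed line tells us how to hash the input.
DIGEST_LENGTHS = {32: "md5", 64: "sha256"}


def make_hash_signature(data: bytes, name: str, algo: str = "md5") -> str:
    """Derive a 'hexdigest:filesize:name' signature line from file content."""
    if algo not in DIGEST_LENGTHS.values():
        raise ValueError(f"unsupported algorithm: {algo}")
    if not name or ":" in name:
        raise ValueError("signature name must be non-empty and contain no ':'")
    return f"{hashlib.new(algo, data).hexdigest()}:{len(data)}:{name}"


def parse_hash_signature(line: str):
    """Split a signature line into (algorithm, digest, size, name)."""
    fields = line.strip().split(":")
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}")
    digest, size, name = fields
    algo = DIGEST_LENGTHS.get(len(digest))
    if algo is None:
        raise ValueError("digest length matches neither MD5 nor SHA-256")
    int(digest, 16)  # raises ValueError if the digest is not hexadecimal
    return algo, digest.lower(), int(size), name


def scan(data: bytes, db_lines):
    """Return the name of the first signature matching data, or None."""
    for line in db_lines:
        if not line.strip():
            continue
        algo, digest, size, name = parse_hash_signature(line)
        # Size is compared first: it is cheap and rules out most files unhashed.
        if size == len(data) and hashlib.new(algo, data).hexdigest() == digest:
            return name
    return None


def demo():
    """Build a two-line database from SAMPLE and scan exact and altered copies."""
    db = [
        make_hash_signature(SAMPLE, "Local.PentestTestFile"),
        make_hash_signature(SAMPLE, "Local.PentestTestFile.Sha256", "sha256"),
    ]
    return {
        "db": db,
        "exact": scan(SAMPLE, db),
        "modified": scan(SAMPLE + b" ", db),  # one extra byte defeats a hash match
    }


if __name__ == "__main__":
    result = demo()
    for line in result["db"]:
        print(line)
    print("exact copy   ->", result["exact"])
    print("altered copy ->", result["modified"])
```

The signature line contains no file content, which is why it can go to a list that forbids samples; it also matches only byte-identical copies of the file it was derived from.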
Re: [clamav-users] Issue with daily-22474

2016-11-07 Thread Joel Esler (jesler)
We split the daily into two, essentially, from what I understand.   Then 
changed the flevel on the second set.  This will allow older versions of ClamAV 
to receive updates, without crashing and newer versions of ClamAV to handle 
everything.  

Maybe the speed of the connection or the mirror?

Sent from my iPhone

> On Nov 7, 2016, at 9:12 AM, Mark Allan  wrote:
> 
> Hi Joel,
> 
> Thanks for the explanation.  I'm still confused/surprised as to why such a 
> large cdiff should cause freshclam to hang though.  What is the file size 
> limit that freshclam can handle safely? Also, given the cdiff file was 
> approximately the same size as the entire daily db, would it have been better 
> simply to skip that cdiff, causing everyone to re-download a new daily.cvd?  
> Or is that not advisable for some reason?
> 
> Thanks.
> Mark
> 
>> On 7 Nov 2016, at 1:58 pm, Joel Esler (jesler)  wrote:
>> 
>> Oh my, I apologize, it just dawned on me that I sent a note to the mirrors 
>> list, but not to the users list.
>> 
>> A "larger than normal" cdiff to the Daily.cvd was published.  Unfortunately 
>> with the timeline that we had to publish it, and my personal travel 
>> schedule, I was not able to put out a note prior to it being published, but 
>> I wanted to take a second to explain what happened.
>> 
>> The failure condition symptom in ClamAV was the message "LibClamAV Error: 
>> mpool_malloc(): Attempt to allocate 8388608 bytes.", and was 
>> documented as ClamAV bug 11647: 
>> https://bugzilla.clamav.net/show_bug.cgi?id=11647.
>> 
>> This affects ClamAV versions before 0.98. There is a maximum mpool size 
>> limit that was reached based on the total signatures combined in memory of 
>> ClamAV holding the main and daily CVD.
>> 
>> Those versions of ClamAV are EOL, and we knew we wanted to continue to add 
>> coverage for ClamAV users. We found a way to fit a smaller working signature 
>> set within the memory limits for the unsupported older versions, while still 
>> providing all signature content for supported and future versions. Therefore 
>> many new signatures will be marked for ClamAV 0.98 and forward (flevel 
>> increase) , and we have shifted a large number of signatures to allow prior 
>> versions to load the smaller signature set.
>> 
>> We still strongly recommend that ClamAV users update their software in order 
>> to get full coverage from ClamAV. We cannot change the hard limits of the 
>> old versions, but from the comments on the mailing list and Bugzilla this 
>> should smooth the upgrade path. For any users running into issues upgrading 
>> ClamAV, look on the ClamAV Bugzilla for details. Several other tricky 
>> upgrade related questions have already been raised and settled in the 
>> comment section.
>> 
>> Bottom line is, if you are using a version of ClamAV prior to 0.98.0 (0.97, 
>> 0.96, etc) you need to upgrade _now_.
>> 
>> Please do not hesitate to ask me any questions concerning this.
>> 
>> Sent from my iPad
>> 
>> On Nov 7, 2016, at 6:52 AM, Mark Allan <markjal...@gmail.com> wrote:
>> 
>> Hi folks,
>> 
>> Was "daily-22474.cdiff" supposed to be ~20MB in size? The freshclam binary 
>> seems to hang whilst processing it, and if left long enough, you end up with 
>> a corrupt daily.cld database.
>> 
>> I'm surprised no-one else has reported this here, so I'm wondering was it 
>> only the UK mirrors that were affected? Has anyone any idea what went wrong?
>> 
>> Mark
> 

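How an flevel split like the one described in the message above lets one database serve old and new engines, as an added example (not ClamAV's code): body signatures in the `.ndb` format may end with optional minimum and maximum functionality-level fields, and an engine loads only the lines whose range covers its own level. The signature names, hex patterns and all flevel numbers below are constructed and are not the real values for any ClamAV release.

```python
from typing import List, NamedTuple, Optional


class NdbSig(NamedTuple):
    name: str
    target_type: int
    offset: str
    hex_sig: str
    min_fl: Optional[int]  # lowest engine flevel allowed to load this line
    max_fl: Optional[int]  # highest engine flevel allowed to load this line


def parse_ndb(line: str) -> NdbSig:
    """Parse 'Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]'."""
    parts = line.strip().split(":")
    if not 4 <= len(parts) <= 6:
        raise ValueError(f"expected 4 to 6 fields, got {len(parts)}")
    name, target, offset, hex_sig = parts[:4]
    min_fl = int(parts[4]) if len(parts) > 4 and parts[4] else None
    max_fl = int(parts[5]) if len(parts) > 5 and parts[5] else None
    return NdbSig(name, int(target), offset, hex_sig, min_fl, max_fl)


def loadable(sig: NdbSig, engine_fl: int) -> bool:
    """True when the engine's flevel falls inside the signature's range."""
    if sig.min_fl is not None and engine_fl < sig.min_fl:
        return False
    if sig.max_fl is not None and engine_fl > sig.max_fl:
        return False
    return True


def load_set(lines: List[str], engine_fl: int) -> List[str]:
    """Names of the signatures an engine at engine_fl would keep in memory."""
    sigs = (parse_ndb(line) for line in lines if line.strip())
    return [s.name for s in sigs if loadable(s, engine_fl)]


# Constructed flevel values: an end-of-life engine and a supported one.
OLD_ENGINE_FL = 60
NEW_ENGINE_FL = 80

# Constructed database: one unrestricted line, two marked "flevel 75 and up"
# (the shifted bulk of signatures), and one capped for older engines only.
DAILY = [
    "Example.Legacy-1:0:*:6578616d706c652d6c6567616379",
    "Example.New-1:0:*:6578616d706c652d6e65772d31:75",
    "Example.New-2:1:*:6578616d706c652d6e65772d32:75",
    "Example.OldOnly-1:0:*:6578616d706c652d6f6c64:0:74",
]

if __name__ == "__main__":
    print("old engine loads:", load_set(DAILY, OLD_ENGINE_FL))
    print("new engine loads:", load_set(DAILY, NEW_ENGINE_FL))
```

The old engine ends up with the smaller set, which is the coverage gap that upgrading closes.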

Re: [clamav-users] Issue with daily-22474

2016-11-07 Thread Mark Allan
Hi Joel,

Thanks for the explanation.  I'm still confused/surprised as to why such a 
large cdiff should cause freshclam to hang though.  What is the file size limit 
that freshclam can handle safely? Also, given the cdiff file was approximately 
the same size as the entire daily db, would it have been better simply to skip 
that cdiff, causing everyone to re-download a new daily.cvd?  Or is that not 
advisable for some reason?

Thanks.
Mark

> On 7 Nov 2016, at 1:58 pm, Joel Esler (jesler)  wrote:
> 
> Oh my, I apologize, it just dawned on me that I sent a note to the mirrors 
> list, but not to the users list.
> 
> A "larger than normal" cdiff to the Daily.cvd was published.  Unfortunately 
> with the timeline that we had to publish it, and my personal travel schedule, 
> I was not able to put out a note prior to it being published, but I wanted to 
> take a second to explain what happened.
> 
> The failure condition symptom in ClamAV was the message "LibClamAV Error: 
> mpool_malloc(): Attempt to allocate 8388608 bytes.", and was 
> documented as ClamAV bug 11647: 
> https://bugzilla.clamav.net/show_bug.cgi?id=11647.
> 
> This affects ClamAV versions before 0.98. There is a maximum mpool size limit 
> that was reached based on the total signatures combined in memory of ClamAV 
> holding the main and daily CVD.
> 
> Those versions of ClamAV are EOL, and we knew we wanted to continue to add 
> coverage for ClamAV users. We found a way to fit a smaller working signature 
> set within the memory limits for the unsupported older versions, while still 
> providing all signature content for supported and future versions. Therefore 
> many new signatures will be marked for ClamAV 0.98 and forward (flevel 
> increase) , and we have shifted a large number of signatures to allow prior 
> versions to load the smaller signature set.
> 
> We still strongly recommend that ClamAV users update their software in order 
> to get full coverage from ClamAV. We cannot change the hard limits of the old 
> versions, but from the comments on the mailing list and Bugzilla this should 
> smooth the upgrade path. For any users running into issues upgrading ClamAV, 
> look on the ClamAV Bugzilla for details. Several other tricky upgrade related 
> questions have already been raised and settled in the comment section.
> 
> Bottom line is, if you are using a version of ClamAV prior to 0.98.0 (0.97, 
> 0.96, etc) you need to upgrade _now_.
> 
> Please do not hesitate to ask me any questions concerning this.
> 
> Sent from my iPad
> 
> On Nov 7, 2016, at 6:52 AM, Mark Allan <markjal...@gmail.com> wrote:
> 
> Hi folks,
> 
> Was "daily-22474.cdiff" supposed to be ~20MB in size? The freshclam binary 
> seems to hang whilst processing it, and if left long enough, you end up with 
> a corrupt daily.cld database.
> 
> I'm surprised no-one else has reported this here, so I'm wondering was it 
> only the UK mirrors that were affected? Has anyone any idea what went wrong?
> 
> Mark



Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Richard McCombie
Thanks Joel.

I have subscribed to community-sigs; the welcome message informs me that
virus samples are not to be sent to the list:

Welcome to the community-s...@lists.clamav.net mailing list! DO NOT
SEND VIRUS SAMPLES HERE!!! Send them through our web interface at
http://www.clamav.net/sendvirus

On 7 November 2016 at 14:01, Joel Esler (jesler)  wrote:

> The processing that comes in through the website is largely automated.
> Submitting signatures should be done through the community-sigs list, until
> we make a submission method through the website.
>
> Sent from my iPad
>
> > On Nov 7, 2016, at 6:45 AM, Richard McCombie <richard.mccom...@onfido.com> wrote:
> >
> > Good morning,
> >
> >  I submitted a virus signature (at http://www.clamav.net/reports/malware)
> > on 17th October. I used the name Richard McCombie for this.
> >
> >  It would be great if you could incorporate this virus sample into your
> > database of virus signatures. I am working on helping a client pass their
> > penetration test; they are currently failing the test, because this virus
> > sample, which is detected as a virus by other scanners, passes the ClamAV
> > scan undetected.
> >
> >  The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56
> >
> >  If you want me to resubmit this file, that is no problem.
> >
> >  Many thanks, in advance,
> >
> >
> > Richard



-- 
Richard McCombie

DevOps Engineer




Re: [clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Joel Esler (jesler)
The processing that comes in through the website is largely automated. 
Submitting signatures should be done through the community-sigs list, until we 
make a submission method through the website. 

Sent from my iPad

> On Nov 7, 2016, at 6:45 AM, Richard McCombie wrote:
> 
> Good morning,
> 
>  I submitted a virus signature (at http://www.clamav.net/reports/malware)
> on 17th October. I used the name Richard McCombie for this.
> 
>  It would be great if you could incorporate this virus sample into your
> database of virus signatures. I am working on helping a client pass their
> penetration test; they are currently failing the test, because this virus
> sample, which is detected as a virus by other scanners, passes the ClamAV
> scan undetected.
> 
>  The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56
> 
>  If you want me to resubmit this file, that is no problem.
> 
>  Many thanks, in advance,
> 
> 
> Richard


Re: [clamav-users] Issue with daily-22474

2016-11-07 Thread Joel Esler (jesler)
Oh my, I apologize, it just dawned on me that I sent a note to the mirrors 
list, but not to the users list.

A "larger than normal" cdiff to the Daily.cvd was published.  Unfortunately 
with the timeline that we had to publish it, and my personal travel schedule, I 
was not able to put out a note prior to it being published, but I wanted to 
take a second to explain what happened.

The failure condition symptom in ClamAV was the message "LibClamAV Error: 
mpool_malloc(): Attempt to allocate 8388608 bytes.", and was 
documented as ClamAV bug 11647: 
https://bugzilla.clamav.net/show_bug.cgi?id=11647.

This affects ClamAV versions before 0.98. There is a maximum mpool size limit 
that was reached based on the total signatures combined in memory of ClamAV 
holding the main and daily CVD.

Those versions of ClamAV are EOL, and we knew we wanted to continue to add 
coverage for ClamAV users. We found a way to fit a smaller working signature 
set within the memory limits for the unsupported older versions, while still 
providing all signature content for supported and future versions. Therefore 
many new signatures will be marked for ClamAV 0.98 and forward (flevel 
increase), and we have shifted a large number of signatures to allow prior 
versions to load the smaller signature set.

We still strongly recommend that ClamAV users update their software in order to 
get full coverage from ClamAV. We cannot change the hard limits of the old 
versions, but from the comments on the mailing list and Bugzilla this should 
smooth the upgrade path. For any users running into issues upgrading ClamAV, 
look on the ClamAV Bugzilla for details. Several other tricky upgrade related 
questions have already been raised and settled in the comment section.

Bottom line is, if you are using a version of ClamAV prior to 0.98.0 (0.97, 
0.96, etc) you need to upgrade _now_.

Please do not hesitate to ask me any questions concerning this.

Sent from my iPad

On Nov 7, 2016, at 6:52 AM, Mark Allan <markjal...@gmail.com> wrote:

Hi folks,

Was "daily-22474.cdiff" supposed to be ~20MB in size? The freshclam binary 
seems to hang whilst processing it, and if left long enough, you end up with a 
corrupt daily.cld database.

I'm surprised no-one else has reported this here, so I'm wondering was it only 
the UK mirrors that were affected? Has anyone any idea what went wrong?

Mark

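A triage sketch for the condition described in the announcement above, added here as an example and not part of the original post or of ClamAV itself: it parses `clamscan --version` banners and checks collected log lines for the quoted mpool_malloc error to flag hosts running an engine older than 0.98. The host names, banners, log lines and status labels are constructed for illustration.

```python
import re

# Failure symptom quoted in the announcement.
MPOOL_ERROR = re.compile(
    r"LibClamAV Error: mpool_malloc\(\): Attempt to allocate (\d+) bytes")
# `clamscan --version` banner: "ClamAV <engine>[/<daily version>/<build date>]"
BANNER = re.compile(r"^ClamAV (\d+(?:\.\d+)*)[^/]*(?:/(\d+)/.*)?$")
FIRST_UNAFFECTED = (0, 98)  # the announcement: versions before 0.98 are affected


def parse_banner(banner):
    """Return (engine version tuple, daily database version or None)."""
    m = BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    engine = tuple(int(part) for part in m.group(1).split("."))
    return engine, int(m.group(2)) if m.group(2) else None


def is_affected(engine):
    """True for engines older than 0.98 (0.97.x, 0.96.x, ...)."""
    return engine[:2] < FIRST_UNAFFECTED


def triage(hosts):
    """Map {host: (banner, log lines)} to {host: status label}."""
    report = {}
    for name, (banner, log) in hosts.items():
        engine, _daily = parse_banner(banner)
        failing = any(MPOOL_ERROR.search(line) for line in log)
        if is_affected(engine):
            report[name] = "upgrade-now (load failing)" if failing else "upgrade-now"
        else:
            # Symptom on an engine the announcement does not list: look closer.
            report[name] = "investigate" if failing else "ok"
    return report


# Constructed sample data (not real hosts or logs).
SAMPLE_HOSTS = {
    "mail-gw-1": ("ClamAV 0.97.8/22473/Sun Nov  6 21:03:11 2016",
                  ["Downloading daily-22474.cdiff [100%]",
                   "LibClamAV Error: mpool_malloc(): Attempt to allocate 8388608 bytes."]),
    "mail-gw-2": ("ClamAV 0.96.5", []),
    "scan-01": ("ClamAV 0.99.2/22474/Mon Nov  7 09:40:27 2016", []),
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```
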


[clamav-users] Issue with daily-22474

2016-11-07 Thread Mark Allan
Hi folks,

Was "daily-22474.cdiff" supposed to be ~20MB in size? The freshclam binary 
seems to hang whilst processing it, and if left long enough, you end up with a 
corrupt daily.cld database.

I'm surprised no-one else has reported this here, so I'm wondering was it only 
the UK mirrors that were affected? Has anyone any idea what went wrong?

Mark



[clamav-users] Virus Signature Submitted on 17/10/2016

2016-11-07 Thread Richard McCombie
Good morning,

  I submitted a virus signature (at http://www.clamav.net/reports/malware)
on 17th October. I used the name Richard McCombie for this.

  It would be great if you could incorporate this virus sample into your
database of virus signatures. I am working on helping a client pass their
penetration test; they are currently failing the test, because this virus
sample, which is detected as a virus by other scanners, passes the ClamAV
scan undetected.

  The MD5 hash of the file I submitted is: 13710b10bf25b727cbf32c29d9ba3a56

  If you want me to resubmit this file, that is no problem.

  Many thanks, in advance,


Richard