Re: [clamav-users] TTL of DNS recode

2016-11-23 Thread Dennis Peterson
I should add something you probably know but others may not - your nslookup 
report states at the bottom that it is a non-authoritative result, which is why 
you see the time remaining in your NS cache. If you include the IP of an 
authoritative NS server you will get the configured TTL.


Example: nslookup -type=txt -debug  current.cvd.clamav.net 208.201.249.238

The IP is one of the round robin addresses when doing a lookup on 
cvd.clamav.net.

Example: dig ns cvd.clamav.net



On 11/23/16 9:00 PM, Dennis Peterson wrote:
> You are seeing the time remaining in the cached lookup on your system.
> Subsequent queries will show the TTL falling with time.
>
> dp
>
> On 11/23/16 8:57 PM, Al Varnell wrote:
>> Thanks Dennis, for straightening me out on that.
>>
>> Strangely I get a different answer using nslookup:
>>
>> $ nslookup -type=txt -debug current.cvd.clamav.net
>> Server:         10.0.1.1
>> Address:        10.0.1.1#53
>>
>> QUESTIONS:
>>         current.cvd.clamav.net, type = TXT, class = IN
>> ANSWERS:
>> ->  current.cvd.clamav.net
>>         text = "0.99.2:57:22592:1479958214:1:63:45271:285"
>>         ttl = 1078
>> AUTHORITY RECORDS:
>> ADDITIONAL RECORDS:
>>
>> Non-authoritative answer:
>> current.cvd.clamav.net  text = "0.99.2:57:22592:1479958214:1:63:45271:285"
>>
>> Authoritative answers can be found from:
>>
>> In any case, since updates occur at four hour intervals and checks are
>> normally limited to once an hour, a ttl of 30 minutes should be OK for most.
>> I can see where it might be a factor for those that find a need to check at
>> the maximum limit of four times per hour using a country coded freshclam.conf.
>>
>> -Al-
>>
>> On Wed, Nov 23, 2016 at 08:08 PM, Dennis Peterson wrote:
>>> The TTL for the TXT record at current.cvd.clamav.net is 1800 seconds. You
>>> can retrieve with curl or wget older versions of the signature by specifying
>>> the full file name, for example daily-22590.cdiff
>>>
>>> dp
>>>
>>> On 11/23/16 8:03 PM, Al Varnell wrote:
>>>> On Nov 23, 2016, at 7:10 PM, Tsutomu Oyamada wrote:
>>>>> We know CVD version information is published in a DNS TXT record; this
>>>>> record's TTL value is currently 1800 seconds. Is this value the same as
>>>>> before?
>>>>
>>>> So I think I have the answer for this one. From my research it would seem
>>>> that TTL values are set by the DNS server you are accessing, not by the
>>>> ClamAV and is the same for all records on that server.  You would have to
>>>> check with the DNS ISP to find out if it has changed or not.
>>>>
>>>> -Al-
>>>> ClamXav User
>>
>> -Al-

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] error message in freshclam's cron job ...

2016-11-23 Thread Al Varnell
Sounds like not enough memory to load the database, which has been discussed a 
couple of times here this month. Here's one:



If you are using javascript.ndb, remove it and try again. We were told today 
that this will be fixed soon:



-Al-
ClamXav User

On Wed, Nov 23, 2016 at 08:54 PM, Walter H. wrote:
> 
> What does this
> 
> ERROR: During database load : LibClamAV Warning: RWX mapping denied: Can't 
> allocate RWX Memory: Permission denied
> 
> mean?
> 
> Thanks,
> Walter



Re: [clamav-users] TTL of DNS recode

2016-11-23 Thread Dennis Peterson
You are seeing the time remaining in the cached lookup on your system. 
Subsequent queries will show the TTL falling with time.

dp

On 11/23/16 8:57 PM, Al Varnell wrote:
> Thanks Dennis, for straightening me out on that.
>
> Strangely I get a different answer using nslookup:
>
> $ nslookup -type=txt -debug current.cvd.clamav.net
> Server:         10.0.1.1
> Address:        10.0.1.1#53
>
> QUESTIONS:
>         current.cvd.clamav.net, type = TXT, class = IN
> ANSWERS:
> ->  current.cvd.clamav.net
>         text = "0.99.2:57:22592:1479958214:1:63:45271:285"
>         ttl = 1078
> AUTHORITY RECORDS:
> ADDITIONAL RECORDS:
>
> Non-authoritative answer:
> current.cvd.clamav.net  text = "0.99.2:57:22592:1479958214:1:63:45271:285"
>
> Authoritative answers can be found from:
>
> In any case, since updates occur at four hour intervals and checks are normally
> limited to once an hour, a ttl of 30 minutes should be OK for most. I can see
> where it might be a factor for those that find a need to check at the maximum
> limit of four times per hour using a country coded freshclam.conf.
>
> -Al-
>
> On Wed, Nov 23, 2016 at 08:08 PM, Dennis Peterson wrote:
>> The TTL for the TXT record at current.cvd.clamav.net is 1800 seconds. You can
>> retrieve with curl or wget older versions of the signature by specifying the
>> full file name, for example daily-22590.cdiff
>>
>> dp
>>
>> On 11/23/16 8:03 PM, Al Varnell wrote:
>>> On Nov 23, 2016, at 7:10 PM, Tsutomu Oyamada wrote:
>>>> We know CVD version information is published in a DNS TXT record; this
>>>> record's TTL value is currently 1800 seconds. Is this value the same as
>>>> before?
>>>
>>> So I think I have the answer for this one. From my research it would seem that
>>> TTL values are set by the DNS server you are accessing, not by the ClamAV and
>>> is the same for all records on that server.  You would have to check with the
>>> DNS ISP to find out if it has changed or not.
>>>
>>> -Al-
>>> ClamXav User
>
> -Al-


Re: [clamav-users] TTL of DNS recode

2016-11-23 Thread Al Varnell
Thanks Dennis, for straightening me out on that. 

Strangely I get a different answer using nslookup:

> $ nslookup -type=txt -debug current.cvd.clamav.net
> Server:   10.0.1.1
> Address:  10.0.1.1#53
> 
> 
> QUESTIONS:
>   current.cvd.clamav.net, type = TXT, class = IN
> ANSWERS:
> ->  current.cvd.clamav.net
>   text = "0.99.2:57:22592:1479958214:1:63:45271:285"
>   ttl = 1078
> AUTHORITY RECORDS:
> ADDITIONAL RECORDS:
> 
> Non-authoritative answer:
> current.cvd.clamav.net  text = "0.99.2:57:22592:1479958214:1:63:45271:285"
> 
> Authoritative answers can be found from:
> 
> 

In any case, since updates occur at four hour intervals and checks are normally 
limited to once an hour, a ttl of 30 minutes should be OK for most. I can see 
where it might be a factor for those that find a need to check at the maximum 
limit of four times per hour using a country coded freshclam.conf.

-Al-

On Wed, Nov 23, 2016 at 08:08 PM, Dennis Peterson wrote:
> 
> The TTL for the TXT record at current.cvd.clamav.net is 1800 seconds. You can 
> retrieve with curl or wget older versions of the signature by specifying the 
> full file name, for example daily-22590.cdiff
> 
> dp
> 
> On 11/23/16 8:03 PM, Al Varnell wrote:
>> On Nov 23, 2016, at 7:10 PM, Tsutomu Oyamada wrote:
>>> We know CVD version information is published in a DNS TXT record; this
>>> record's TTL value is currently 1800 seconds. Is this value the same as
>>> before?
>> So I think I have the answer for this one. From my research it would seem 
>> that TTL values are set by the DNS server you are accessing, not by the 
>> ClamAV and is the same for all records on that server.  You would have to 
>> check with the DNS ISP to find out if it has changed or not.
>> 
>> -Al-
>> ClamXav User
>> 
>> 

-Al-
-- 
Al Varnell
Mountain View, CA







[clamav-users] error message in freshclam's cron job ...

2016-11-23 Thread Walter H.

What does this

ERROR: During database load : LibClamAV Warning: RWX mapping denied: 
Can't allocate RWX Memory: Permission denied


mean?

Thanks,
Walter




Re: [clamav-users] TTL of DNS recode

2016-11-23 Thread Dennis Peterson
The TTL for the TXT record at current.cvd.clamav.net is 1800 seconds. You can 
retrieve with curl or wget older versions of the signature by specifying the 
full file name, for example daily-22590.cdiff


dp

On 11/23/16 8:03 PM, Al Varnell wrote:
> On Nov 23, 2016, at 7:10 PM, Tsutomu Oyamada wrote:
>> We know CVD version information is published in a DNS TXT record; this
>> record's TTL value is currently 1800 seconds. Is this value the same as
>> before?
>
> So I think I have the answer for this one. From my research it would seem that
> TTL values are set by the DNS server you are accessing, not by the ClamAV and
> is the same for all records on that server.  You would have to check with the
> DNS ISP to find out if it has changed or not.
>
> -Al-
> ClamXav User


Re: [clamav-users] TTL of DNS recode

2016-11-23 Thread Al Varnell
On Nov 23, 2016, at 7:10 PM, Tsutomu Oyamada wrote:
> 
> We know CVD version information is published in a DNS TXT record; this
> record's TTL value is currently 1800 seconds. Is this value the same as
> before?

So I think I have the answer for this one. From my research it would seem that 
TTL values are set by the DNS server you are accessing, not by the ClamAV and 
is the same for all records on that server.  You would have to check with the 
DNS ISP to find out if it has changed or not.

-Al-
ClamXav User


Re: [clamav-users] TTL of DNS recode

2016-11-23 Thread Al Varnell
I'm having difficulty following some of your questions and have no answers yet, 
but what exactly is your mirror environment (IPs)?

Sent from Janet's iPad

-Al-

On Nov 23, 2016, at 7:10 PM, Tsutomu Oyamada wrote:
> Hi, All.
> 
> We know CVD version information is published in a DNS TXT record; this
> record's TTL value is currently 1800 seconds. Is this value the same as
> before?
> 
> Also, when freshclam downloads old versions of the CVD (from one day ago) in a
> local mirror environment, it succeeds.
> 
> I thought it was bound to fail.
> 
> Why not?
> 
> T.O


[clamav-users] TTL of DNS recode

2016-11-23 Thread Tsutomu Oyamada
Hi, All.

We know CVD version information is published in a DNS TXT record; this
record's TTL value is currently 1800 seconds. Is this value the same as
before?

Also, when freshclam downloads old versions of the CVD (from one day ago) in a
local mirror environment, it succeeds.

I thought it was bound to fail.

Why not?

T.O




Re: [clamav-users] Many Empty Updates

2016-11-23 Thread Joel Esler (jesler)
This has been fixed!

--
Sent from my iPhone

> On Nov 17, 2016, at 6:54 AM, Joel Esler (jesler)  wrote:
> 
> Thank you Al.  
> 
> --
> Sent from my iPhone
> 
>> On Nov 17, 2016, at 6:31 AM, Al Varnell  wrote:
>> 
>> The last significant update was daily - 22543 posted 36 hours ago. 
>> 
>> Since that time there have been only one new daily signature, three new 
>> bytecode signatures and two dropped signatures.
>> 
>> -Al-
>> -- 
>> Al Varnell
>> Mountain View, CA
>> 
>> 
>> 
>> 


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Jeff Dyke
I also submitted an FP a few days ago.  I'm not as much of a fan of
whitelisting what could be a fairly serious exploit that I'd be allowing
people to download if it were valid.  Hopefully it will be fixed up soon.
The documents I found it in are public, so if there is a way to expedite the
process, I'm happy to supply other information.

On Wed, Nov 23, 2016 at 10:27 AM, Hajo Locke  wrote:

> Hello,
>
> On 23.11.2016 at 16:10 Ralf Hildebrandt wrote:
>
>> * Hajo Locke :
>>
>>> Hello,
>>>
>>> unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2
>>> Customer was testing at virustotal and only clamav is finding a virus.
>>> Unfortunately I can not do a FP-Report.  All PDFs are property of
>>> customers and not public.
>>>
>> I already did a FP report. It happened with PDFs from "Springer
>> Medical". Had to disable that signature.
>>
> Thanks. In most cases the clam-team response is quick. Otherwise I would
> also do a global whitelisting.
>
>>> I hope there are some additional FP-Reports from other people regarding
>>> this virus to review this signature.
>>>
>> Yep.
>>
> Thanks,
> Hajo


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke

Hello,

On 23.11.2016 at 16:10 Ralf Hildebrandt wrote:
> * Hajo Locke :
>> Hello,
>>
>> unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2
>> Customer was testing at virustotal and only clamav is finding a virus.
>> Unfortunately I can not do a FP-Report.  All PDFs are property of customers
>> and not public.
>
> I already did a FP report. It happened with PDFs from "Springer
> Medical". Had to disable that signature.

Thanks. In most cases the clam-team response is quick. Otherwise I would 
also do a global whitelisting.

>> I hope there are some additional FP-Reports from other people regarding this
>> virus to review this signature.
>
> Yep.

Thanks,
Hajo


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Ralf Hildebrandt
* Hajo Locke :
> Hello,
> 
> unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2
> Customer was testing at virustotal and only clamav is finding a virus.
> Unfortunately I can not do a FP-Report.  All PDFs are property of customers
> and not public.

I already did a FP report. It happened with PDFs from "Springer
Medical". Had to disable that signature.

> I hope there are some additional FP-Reports from other people regarding this
> virus to review this signature.

Yep.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

[clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke

Hello,

unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2.
Customer was testing at virustotal and only clamav is finding a virus.
Unfortunately I can not do a FP-Report.  All PDFs are property of 
customers and not public.
I hope there are some additional FP-Reports from other people regarding 
this virus to review this signature.


Thanks,
Hajo


[clamav-users] another outdated link on freshclams ExtraDatabase option

2016-11-23 Thread Andreas Schulze

man 5 freshclam.conf:

ExtraDatabase STRING
  Download  an additional 3rd party signature database distributed
  through the ClamAV mirrors. This option  can  be  used  multiple
  times.  Here  you  can  find  a  list  of  available  databases:
  http://www.clamav.net/download/cvd/3rdparty
  Default: disabled


$ curl -I http://www.clamav.net/download/cvd/3rdparty
HTTP/1.1 404 Not Found 


Btw:
could one explain the difference between ExtraDatabase and DatabaseCustomURL ?

-- 
A. Schulze
DATEV eG


Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Mark Allan

> On 23 Nov 2016, at 11:23 am, Al Varnell  wrote:
> 
> Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the 
> problem. It too was dropped in daily - 22584.

Oops, you're right. I must have copied and pasted that from the wrong list. 
Sorry.

> Also, Joel mentioned something about disabling an engine, but I don't really 
> know how that is accomplished and whether it's reported to us as part of a 
> daily.cdiff.

Difficult to know, but it doesn't look like it.  Scanning the same directory 
after updating via freshclam still shows the 23 remaining FPs.

Mark




Re: [clamav-users] Bytecode Update [was:Many Empty Updates]

2016-11-23 Thread Al Varnell
Although I didn't receive any feedback on this one, I did note that the 10/27 
update is now included in bytecode.cvd/.cld and DNS, but the three signatures 
from the  11/16 update to bytecode 285 still don't seem to have been added.

$ dig -t txt current.cvd.clamav.net +short
"0.99.2:57:22587:1479889740:1:63:45268:284"



-Al-

On Thu, Nov 17, 2016 at 09:32 AM, Al Varnell wrote:
> 
> Joel,
> 
> Also note that even though bytecode 284 was released on 10/27 and 285 on 
> 11/16, bytecode.cvd is still at 283 as is the DNS:
> 
> $ dig -t txt current.cvd.clamav.net +short
> "0.99.2:57:22552:1479385740:1:63:45246:283"
> 
> -Al-


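As an added illustration (not code from the thread, from ClamAV or from freshclam) for the `dig +short` record quoted above and for the nslookup output and TTL discussion in the "TTL of DNS recode" thread: it splits the colon-separated TXT record at the positions freshclam reads, compares the published main/daily/bytecode versions with local ones, and separates the TTL a caching resolver reports (1078 in the thread) from the authoritative 1800 seconds. The meaning of positions 4 and 5 and the three-hour staleness limit are assumptions taken from freshclam's behaviour as I know it, not from the page; the local version numbers are constructed.

```python
"""Interpret the ClamAV version TXT record and the TTL a resolver reports for it."""
from dataclasses import dataclass
from typing import Dict, List

# Authoritative TTL of the TXT record as stated in the thread (seconds).
AUTHORITATIVE_TTL = 1800

# Assumption: freshclam warns ("DNS record is older than 3 hours") past this age.
MAX_RECORD_AGE = 3 * 3600

# Field positions freshclam reads from the record.  Positions 4 and 5 are left
# uninterpreted here (assumption: they play no part in an update decision).
FIELD_CLAMAV, FIELD_MAIN, FIELD_DAILY, FIELD_TIMESTAMP = 0, 1, 2, 3
FIELD_SAFEBROWSING, FIELD_BYTECODE = 6, 7


@dataclass(frozen=True)
class CvdRecord:
    clamav_version: str   # latest release, e.g. "0.99.2"
    main: int             # main.cvd version
    daily: int            # daily.cvd/.cld version
    generated_at: int     # Unix time the record was published
    safebrowsing: int     # safebrowsing.cvd version
    bytecode: int         # bytecode.cvd version


def parse_txt_record(raw: str) -> CvdRecord:
    """Parse one TXT string as printed by `dig -t txt current.cvd.clamav.net +short`."""
    fields = raw.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError(f"expected at least 8 colon-separated fields, got {len(fields)}")
    try:
        return CvdRecord(
            clamav_version=fields[FIELD_CLAMAV],
            main=int(fields[FIELD_MAIN]),
            daily=int(fields[FIELD_DAILY]),
            generated_at=int(fields[FIELD_TIMESTAMP]),
            safebrowsing=int(fields[FIELD_SAFEBROWSING]),
            bytecode=int(fields[FIELD_BYTECODE]),
        )
    except ValueError as exc:
        raise ValueError(f"non-numeric version field in TXT record: {raw!r}") from exc


def outdated_databases(record: CvdRecord, local: Dict[str, int]) -> List[str]:
    """Names of local databases (main/daily/bytecode) that are behind the published versions."""
    published = {"main": record.main, "daily": record.daily, "bytecode": record.bytecode}
    return [name for name, ver in published.items() if local.get(name, 0) < ver]


def record_is_stale(record: CvdRecord, now: int, max_age: int = MAX_RECORD_AGE) -> bool:
    """True when the record was generated more than max_age seconds before `now`."""
    return now - record.generated_at > max_age


def cache_state(observed_ttl: int, authoritative_ttl: int = AUTHORITATIVE_TTL) -> Dict[str, int]:
    """Explain a TTL seen in a non-authoritative answer.

    A caching resolver hands out the seconds left before it must re-query, so
    the gap to the authoritative TTL is how long the record has sat in its cache.
    """
    if not 0 <= observed_ttl <= authoritative_ttl:
        raise ValueError("observed TTL must lie between 0 and the authoritative TTL")
    return {"cached_for": authoritative_ttl - observed_ttl, "expires_in": observed_ttl}


if __name__ == "__main__":
    # Constructed sample: the record quoted in the thread and a host one daily behind.
    rec = parse_txt_record('"0.99.2:57:22592:1479958214:1:63:45271:285"')
    print(rec)
    print("outdated:", outdated_databases(rec, {"main": 57, "daily": 22590, "bytecode": 284}))
    print("cache:", cache_state(1078))
```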

Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Al Varnell
Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the 
problem. It too was dropped in daily - 22584.

Also, Joel mentioned something about disabling an engine, but I don't really 
know how that is accomplished and whether it's reported to us as part of a 
daily.cdiff.

-Al-

On Wed, Nov 23, 2016 at 03:04 AM, Mark Allan wrote:
> 
> Thanks for dropping those 3, Joel, however there are still at least 24 
> signatures causing problems:
> 
> Html.Malware.Agent-1835906
> Txt.Malware.Agent-1835883
> Txt.Malware.Agent-1835884
> Txt.Malware.Agent-1835885
> Txt.Malware.Agent-1835886
> Txt.Malware.Agent-1835887
> Txt.Malware.Agent-1835888
> Txt.Malware.Agent-1835889
> Txt.Malware.Agent-1835890
> Txt.Malware.Agent-1835891
> Txt.Malware.Agent-1835892
> Txt.Malware.Agent-1835893
> Txt.Malware.Agent-1835894
> Txt.Malware.Agent-1835896
> Txt.Malware.Agent-1835898
> Txt.Malware.Agent-1835899
> Txt.Malware.Agent-1835900
> Txt.Malware.Agent-1835901
> Txt.Malware.Agent-1835902
> Txt.Malware.Agent-1835903
> Txt.Malware.Agent-1835904
> Txt.Malware.Agent-1835905
> Txt.Malware.Agent-1838194
> Txt.Malware.Agent-1838195
> 
> Given the vast majority of those are consecutive numbers, it looks like 
> someone has uploaded the entire OpenLayers library and tried to report it as 
> infected.
> 
> Best regards
> Mark
> 
> 
>> On 22 Nov 2016, at 9:42 pm, Al Varnell  wrote:
>> 
>> I see that Daily - 22584 drops three of them:
>> 
>>  * Txt.Malware.Agent-1811885
>> 
>>  * Txt.Malware.Agent-1835895
>> 
>>  * Txt.Malware.Agent-1835897
>> 
>> -Al-
>> 
>> On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:
>>> 
>>> I am seeing these mostly on files that comprise the OpenLayers library in
>>> phpMyAdmin 4.
>>> 
>>> On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) 
>>> wrote:
>>> 
>>>> Mark,
>>>>
>>>> Thanks for the feedback, you are right, I am experiencing some high counts
>>>> in the Txt.Malware.Agent family.
>>>>
>>>> I’ve disabled this engine for now.
>>>>
>>>> --
>>>> Joel Esler | Talos: Manager | jes...@cisco.com
>>>>
>>>> On Nov 22, 2016, at 12:02 PM, Mark Allan wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
>>>> containing a number of files which ClamAV incorrectly detects as various
>>>> strains of Txt.Malware.Agent
>>>>
>>>> My experience may be slightly skewed, but it seems that the rate of FPs
>>>> has increased a lot lately, and they mostly appear to be being caused by
>>>> hash-based signatures.  I'm wondering if this is related to Joel's recent
>>>> admission that the signature generation process is almost entirely
>>>> automated now.
>>>>
>>>> Is it possible that someone is targeting ClamAV and reporting known-clean
>>>> files as if they were infected?  To what end, I'm not sure, but I can't
>>>> shake the feeling that something's not right...
>>>>
>>>> Mark
>> 
>> -Al-
>> -- 
>> Al Varnell
>> Mountain View, CA
>> 
>> 
>> 
>> 
> 

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Mark Allan
Thanks for dropping those 3, Joel, however there are still at least 24 
signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone 
has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark


> On 22 Nov 2016, at 9:42 pm, Al Varnell  wrote:
> 
> I see that Daily - 22584 drops three of them:
> 
>   * Txt.Malware.Agent-1811885
> 
>   * Txt.Malware.Agent-1835895
> 
>   * Txt.Malware.Agent-1835897
> 
> -Al-
> 
> On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:
>> 
>> I am seeing these mostly on files that comprise the OpenLayers library in
>> phpMyAdmin 4.
>> 
>> On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) 
>> wrote:
>> 
>>> Mark,
>>> 
>>> Thanks for the feedback, you are right, I am experiencing some high counts
>>> in the Txt.Malware.Agent family.
>>> 
>>> I’ve disabled this engine for now.
>>> 
>>> --
>>> Joel Esler | Talos: Manager | jes...@cisco.com
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On Nov 22, 2016, at 12:02 PM, Mark Allan wrote:
>>> 
>>> Hi all,
>>> 
>>> I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
>>> containing a number of files which ClamAV incorrectly detects as various
>>> strains of Txt.Malware.Agent
>>> 
>>> My experience may be slightly skewed, but it seems that the rate of FPs
>>> has increased a lot lately, and they mostly appear to be being caused by
>>> hash-based signatures.  I'm wondering if this is related to Joel's recent
>>> admission that the signature generation process is almost entirely
>>> automated now.
>>> 
>>> Is it possible that someone is targeting ClamAV and reporting known-clean
>>> files as if they were infected?  To what end, I'm not sure, but I can't
>>> shake the feeling that something's not right...
>>> 
>>> Mark
>>> 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 


Re: [clamav-users] Slow database loading

2016-11-23 Thread Arnaud Jacques / SecuriteInfo.com
Hello Ferdinand,

> After I put it back, reloading took over one minute again:
> While reloading with the javascript.ndb in place the CPU usage of the clamd
> process really goes up:

javascript.ndb will soon be smaller in the Basic subscription. Keep an eye on it.
The Pro subscription has this problem resolved.

-- 
Best regards,

Arnaud Jacques
SecuriteInfo.com

Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom