Re: [clamav-users] Win.Trojan.URLspoof-2 signature and WARC files

2016-12-19 Thread Al Varnell
One correction to the Group 2 signature, it's just '%00@'.

The only available method for having a signature removed or modified is by 
submitting one or more False Positives at 
 and include the details you have covered 
below.  If you would like to be notified of changes in the virus database, you 
will need to join the clamav-virusdb mailing-list 
.

You can submit any suggested revised signature through the ClamAV Community 
Signatures program 
.

Although I'm not a signature expert by any means, I would have to agree 
that both the art and ClamAV engine capabilities have improved since this one 
was apparently written and it should be easily improved.

-Al-


On Mon, Dec 19, 2016 at 05:40 PM, Jay Gattuso wrote:
> 
> Win.Trojan.URLspoof-2
> We’re encountering some issues with this particular “virus”, and having 
> worked through what we’re seeing, I wanted to ask a couple of questions..
> The signature is pretty weak.
> 
> [main.ndb] Win.Trojan.URLspoof-2:0:*:20687265663d22*0125303040*223e*3c2f
> 
> 
> We’ve seen hits against this signature 14 times in 8 years (I’m not sure how 
> long it’s been in the defs, but we’ve been checking our ~20Mil files against 
> ClamAV for 8 years).
> Every hit for Win.Trojan.URLspoof-2 we’ve seen is a false positive.
> Breaking the signature sequence into parts reveals the weakness of this 
> particular signature:
> 
> Group 1:  20687265663d22 = ’ href=’
> Group 2:  0125303040 = ‘\x01%00@’
> Group 3: 223e = ‘">’
> Group 4: 3c2f = ‘</’
> 
> This false positive is appearing in WARC files 
> (http://iipc.github.io/warc-specifications/), and its earlier variant ARC 
> (http://archive.org/web/researcher/ArcFileFormat.php)
> I’ve been pulling these containers apart, and can see that we only get a hit 
> when the signature parts are found across the content container, so for us,  
> group 1 appearing in any piece of HTML, group 2 appearing in a variety of 
> file formats including PDF, MP3, MP4 and JPG. Groups 3 and 4 are trivial and 
> appear everywhere. The point here, is that it is never caused by a single 
> file as would be found in the wild, only through the aggregation we undertake 
> ourselves when creating these WARC files.
> 
> We run a slightly non-standard conf:
> 
> # MaxScanSize
> # Default: 100M
> MaxScanSize 2048M
> 
> And
> 
> # MaxFileSize
> # Default: 25M
> MaxFileSize 2048M
> 
> Questions:
> 
> 1)  How would I go about getting this signature either removed or 
> hardened? For example, if the signature is specifically hunting for a URL, 
> perhaps it could be confined to the max URL length * 2 or some such 
> (http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers)
>  say 4000 bytes. As I’ve never seen a positive hit against this signature, 
> and I have no idea how common it is or what it’s actually looking for. 
> Removing it might not be a great idea.
> 
> Are there any resources that might help me to work on a stronger signature for 
> this particular threat, and what’s the process for suggesting a 
> revision/removal?
> 
> 2)  These hits all happen in the W/ARC container. These containers are 
> simple serialisations of arbitrary files harvested from websites, and their 
> associated HTTP transaction. These are used to “replay” web harvests (like 
> the wayback machine etc). Is there any way we can handle these particular 
> file types differently? As these files are aggregations of any number of 
> binary items we are much more likely to encounter false positives, especially 
> for weak signatures. We’ve only seen false positives for the Trojan URL 
> signature, but I anticipate seeing more when we process the 80Tbs of WARCs we 
> have waiting to come in – these will translate into ~2billion files housed in 
> several hundred thousand WARC files.
> 
> Ideally we ought to be ripping the (W)ARC into its binary parts – by parsing 
> an arbitrary aggregation of many files as a coherent file of single payload I 
> think we’re doing ourselves a disservice. I wondered if there was a method 
> within the ClamAV architecture that would support the construction of a WARC 
> parser. This might allow WARC files to be “properly” consumed as a series of 
> disconnected binary items, reducing the likelihood of false positives.
> 
> We are also looking at what it would mean for our workflow to explode the 
> W/ARCs into their parts before they are presented for scanning, and that’s a 
> viable option. For now I’m mainly interested in knowing what we could/could 
> not do.
> 
> 
> Jay Gattuso | Digital Preservation Analyst | Preservation, Research and 
> Consultancy
> National Library of New Zealand | Te Puna Mātauranga o Aotearoa
> PO Box 1467 Wellington 6140 New Zealand | +64 (0)4 474 3064
> jay.gatt...@dia.govt.nz

Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Ah ha! Some progress:

# First, I'll extract the attachment:
$ ripmime -v -i /var/spool/mqueue/dfuBJBh64e020058
Decoding filename=textfile0
Decoding filename=textfile1
Decoding filename=Payslip_Dec_2016_84286914.doc

# try vanilla clamscan (nothing found):

$ clamscan Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: OK

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.18 MB
Data read: 0.03 MB (ratio 5.75:1)
Time: 6.143 sec (0 m 6 s)
1 21:44:18 root@mail:~

# Next try with block-macros:

$ clamscan --block-macros=yes Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.03 MB (ratio 0.25:1)
Time: 5.380 sec (0 m 5 s)

Extracting the attachment, then running clamscan --block-macros=yes does
find the "ContainsMacros" notice. Also, reconstructing the email file using both
header and data components as you've instructed also works (if I specify
--block-macros=yes, apparently the settings in /usr/local/etc/clamd.conf aren't
used). 

Too bad I cannot scan an email datafile directly as that is what is readily
accessible when dealing with the quarantine queue. Perhaps something the clamav
dev folk could look into some day.

My best bet, then, is to extract the df file, then run clamscan on it directly.
That's easier than reconstituting the email.

Thanks for the help. That's what I was looking for!

--Mark

-Original Message-
Date: Tue, 20 Dec 2016 07:26:29 +1000 (AEST)
From: David Shrimpton 
To: ClamAV users ML 
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros

> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK


The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which
case it would have no email headers and contain only mime encoding eg base64
and just be a plain text file and not an email file to clamav, so scan negative.

If you extract the email file from the queue files, or extract the Office file
from the mime part in the df file  and re-scan
this may work.

For sendmail quarantined queue file something like the
following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile
Edit somefile to remove the unwanted lines down to the
start of the email headers eg the first H??Received: , then
remove H?? at start of lines and change the '.' on its own at
the end to just a newline (to mark the end of headers)

(Use qf instead of hf for a non quarantine queue file,
 but also bear in mind that queue processing by the mail daemon
 may be writing to a qf but not a hf file.)

Rescan and clamav should recognize as email file and extract
and scan any attachments.


--
David Shrimpton
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



[clamav-users] Win.Trojan.URLspoof-2 signature and WARC files

2016-12-19 Thread Jay Gattuso
Win.Trojan.URLspoof-2
We’re encountering some issues with this particular “virus”, and having worked 
through what we’re seeing, I wanted to ask a couple of questions..
The signature is pretty weak.

[main.ndb] Win.Trojan.URLspoof-2:0:*:20687265663d22*0125303040*223e*3c2f


We’ve seen hits against this signature 14 times in 8 years (I’m not sure how 
long it’s been in the defs, but we’ve been checking our ~20Mil files against 
ClamAV for 8 years).
Every hit for Win.Trojan.URLspoof-2 we’ve seen is a false positive.
Breaking the signature sequence into parts reveals the weakness of this 
particular signature:

Group 1:  20687265663d22 = ’ href=’
Group 2:  0125303040 = ‘\x01%00@’
Group 3: 223e = ‘">’
Group 4: 3c2f = ‘</’

This false positive is appearing in WARC files 
(http://iipc.github.io/warc-specifications/), and its earlier variant ARC 
(http://archive.org/web/researcher/ArcFileFormat.php)
I’ve been pulling these containers apart, and can see that we only get a hit 
when the signature parts are found across the content container, so for us,  
group 1 appearing in any piece of HTML, group 2 appearing in a variety of file 
formats including PDF, MP3, MP4 and JPG. Groups 3 and 4 are trivial and appear 
everywhere. The point here, is that it is never caused by a single file as 
would be found in the wild, only through the aggregation we undertake ourselves 
when creating these WARC files.

We run a slightly non-standard conf:

# MaxScanSize
# Default: 100M
MaxScanSize 2048M

And

# MaxFileSize
# Default: 25M
MaxFileSize 2048M

Questions:

1)  How would I go about getting this signature either removed or hardened? 
For example, if the signature is specifically hunting for a URL, perhaps it 
could be confined to the max URL length * 2 or some such 
(http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers)
 say 4000 bytes. As I’ve never seen a positive hit against this signature, and 
I have no idea how common it is or what it’s actually looking for. Removing it 
might not be a great idea.

Are there any resources that might help me to work on a stronger signature for 
this particular threat, and what’s the process for suggesting a 
revision/removal?

2)  These hits all happen in the W/ARC container. These containers are 
simple serialisations of arbitrary files harvested from websites, and their 
associated HTTP transaction. These are used to “replay” web harvests (like the 
wayback machine etc). Is there any way we can handle these particular file 
types differently? As these files are aggregations of any number of binary 
items we are much more likely to encounter false positives, especially for weak 
signatures. We’ve only seen false positives for the Trojan URL signature, but I 
anticipate seeing more when we process the 80Tbs of WARCs we have waiting to 
come in – these will translate into ~2billion files housed in several hundred 
thousand WARC files.

Ideally we ought to be ripping the (W)ARC into its binary parts – by parsing an 
arbitrary aggregation of many files as a coherent file of single payload I 
think we’re doing ourselves a disservice. I wondered if there was a method 
within the ClamAV architecture that would support the construction of a WARC 
parser. This might allow WARC files to be “properly” consumed as a series of 
disconnected binary items, reducing the likelihood of false positives.

We are also looking at what it would mean for our workflow to explode the 
W/ARCs into their parts before they are presented for scanning, and that’s a 
viable option. For now I’m mainly interested in knowing what we could/could not 
do.


Jay Gattuso | Digital Preservation Analyst | Preservation, Research and 
Consultancy
National Library of New Zealand | Te Puna Mātauranga o Aotearoa
PO Box 1467 Wellington 6140 New Zealand | +64 (0)4 474 3064
jay.gatt...@dia.govt.nz
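
The aggregation effect described in the post, as an added example (not code from the post or from ClamAV): a regex stand-in for the signature's `*` wildcards is run over a constructed three-record WARC and then over each record's payload. The record contents, URIs and helper names are assumptions made for the illustration; the 4000-byte cap is the figure suggested in the post.

```python
import re

# Signature body quoted in the post (main.ndb entry, target type 0, offset *).
URLSPOOF2 = "20687265663d22*0125303040*223e*3c2f"


def ndb_to_regex(hexsig, max_gap=None):
    """Translate an ndb hex body that uses only '*' wildcards into a regex.

    max_gap=None leaves every '*' unbounded. An integer caps each gap at
    that many bytes, modelling the bounded form suggested in the post
    (ClamAV's own syntax for a capped gap is the {-n} wildcard).
    """
    parts = [re.escape(bytes.fromhex(p)) for p in hexsig.split("*")]
    gap = b".*?" if max_gap is None else b".{0,%d}?" % max_gap
    return re.compile(gap.join(parts), re.DOTALL)


def make_record(uri, content_type, payload):
    """Build one minimal, uncompressed WARC/1.0 response record (constructed)."""
    http = (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: %d\r\n\r\n" % len(payload) + payload)
    head = (b"WARC/1.0\r\nWARC-Type: response\r\nWARC-Target-URI: " + uri
            + b"\r\nContent-Length: %d\r\n\r\n" % len(http))
    return head + http + b"\r\n\r\n"


def iter_payloads(warc):
    """Yield (target_uri, payload) per record, without the HTTP headers."""
    pos = 0
    while pos < len(warc):
        end = warc.find(b"\r\n\r\n", pos)
        if end < 0 or not warc.startswith(b"WARC/", pos):
            raise ValueError("malformed WARC record at offset %d" % pos)
        fields = {}
        for line in warc[pos:end].split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            fields[name.strip().lower()] = value.strip()
        length = int(fields[b"content-length"])
        start = end + 4
        block = warc[start:start + length]
        if len(block) != length:
            raise ValueError("truncated WARC block at offset %d" % start)
        payload = block
        if fields.get(b"warc-type") == b"response":
            # A response block is an HTTP message: headers, blank line, body.
            _, sep, body = block.partition(b"\r\n\r\n")
            payload = body if sep else block
        uri = fields.get(b"warc-target-uri", b"").decode("ascii", "replace")
        yield uri, payload
        pos = start + length + 4  # each record ends with CRLF CRLF


def build_sample():
    """Three constructed records; none comes from a real harvest."""
    html_a = b'<html><body><a href="http://example.org/b.jpg">image</a></body></html>'
    # Not a real JPEG: filler bytes that happen to contain group 2.
    blob = b"\xff\xd8" + b"\x00" * 5000 + b"\x01%00@" + b"\xff\xd9"
    html_c = b'<p><a href="/next">next</a></p>'
    return b"".join([
        make_record(b"http://example.org/a.html", b"text/html", html_a),
        make_record(b"http://example.org/b.jpg", b"image/jpeg", blob),
        make_record(b"http://example.org/c.html", b"text/html", html_c),
    ])


def evaluate(max_gap=None):
    """Return (hit on whole container, {uri: hit on that record's payload})."""
    sig = ndb_to_regex(URLSPOOF2, max_gap)
    warc = build_sample()
    whole = sig.search(warc) is not None
    per_record = {uri: sig.search(body) is not None
                  for uri, body in iter_payloads(warc)}
    return whole, per_record


if __name__ == "__main__":
    print("unbounded '*':", evaluate())
    print("gaps capped at 4000 bytes:", evaluate(4000))
```

The four groups are satisfied only when the records are read as one byte stream; each payload on its own, and the container under the capped gap, produce no hit.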


Re: [clamav-users] the problem of endless loop

2016-12-19 Thread Al Varnell
See How to Report a Bug  
and then file at Bugzilla .

-Al-

On Mon, Dec 19, 2016 at 03:56 PM, Tsutomu Oyamada wrote:
> 
> Hi, all.
> 
> I have a question about the error which is caused by the shortage of the size 
> acquired by mpool_malloc function on clamd version 0.97.8.
> 
> the message:
> mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to 
> http://bugs.clamav.net
> 
> This error does not exist in version 0.98 and later, but we think that the 
> problem of endless loop is not fixed even on the latest version.
> When the .hdb data of CVD file is read, the number of HASH table is not 
> enough, then the cli_htu32_insert function of libclamav/hashdb.c loops and 
> cannot detect the error, and it leads to endless loop.
> We found that the code is not fixed on version 0.99.2.
> 
> We think that the following code of cli_htu32_grow function should be 
> negative value when it returns;
> 
> 391: if(new_capacity == s->capacity || !htable)
> 392: return CL_EMEM;
> 
> Will this fix be released?
> If yes, could you tell us on what version will this fix be released?
> 
> T.O



[clamav-users] the problem of endless loop

2016-12-19 Thread Tsutomu Oyamada
Hi, all.

I have a question about the error which is caused by the shortage of the size 
acquired by mpool_malloc function on clamd version 0.97.8.

the message:
mpool_malloc(): Attempt to allocate 8388608 bytes. Please report to 
http://bugs.clamav.net

This error does not exist in version 0.98 and later, but we think that the 
problem of endless loop is not fixed even on the latest version.
When the .hdb data of CVD file is read, the number of HASH table is not 
enough, then the cli_htu32_insert function of libclamav/hashdb.c loops and 
cannot detect the error, and it leads to endless loop.
We found that the code is not fixed on version 0.99.2.

We think that the following code of cli_htu32_grow function should be negative 
value when it returns;

391: if(new_capacity == s->capacity || !htable)
392: return CL_EMEM;

Will this fix be released?
If yes, could you tell us on what version will this fix be released?

T.O



Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread David Shrimpton
> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK


The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which
case it would have no email headers and contain only mime encoding eg base64
and just be a plain text file and not an email file to clamav, so scan negative.

If you extract the email file from the queue files, or extract the Office file
from the mime part in the df file  and re-scan
this may work.

For sendmail quarantined queue file something like the
following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile
Edit somefile to remove the unwanted lines down to the
start of the email headers eg the first H??Received: , then
remove H?? at start of lines and change the '.' on its own at
the end to just a newline (to mark the end of headers)

(Use qf instead of hf for a non quarantine queue file,
 but also bear in mind that queue processing by the mail daemon
 may be writing to a qf but not a hf file.)

Rescan and clamav should recognize as email file and extract
and scan any attachments.


--
David Shrimpton
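
The reconstruction steps from the message above, written out as an added example (not part of the original thread and not sendmail or ClamAV code). The queue-file contents are constructed, and treating any `H?flags?` prefix like `H??` generalizes the step described in the message; Python's email parser stands in for a scanner's MIME parser to show that the attachment only becomes visible once the headers are restored.

```python
import base64
import email
import re

# "H?flags?" prefix on header lines of a sendmail hf/qf control file.
H_PREFIX = re.compile(rb"^H\?[^?]*\?")


def rebuild_message(control, data):
    """Join the header lines of an hf/qf file with the df body.

    Envelope lines are dropped, the H?...? prefix is stripped, folded
    continuation lines are kept, and the lone '.' becomes the blank line
    that separates headers from body.
    """
    headers, in_header = [], False
    for line in control.splitlines():
        if line == b".":
            break
        if H_PREFIX.match(line):
            headers.append(H_PREFIX.sub(b"", line, count=1))
            in_header = True
        elif in_header and line[:1] in (b" ", b"\t"):
            headers.append(line)  # continuation of a folded header
        else:
            in_header = False     # envelope/control line, not part of the mail
    if not headers:
        raise ValueError("no H lines found in control file")
    return b"\n".join(headers) + b"\n\n" + data


def attachments(raw):
    """Return [(filename, decoded bytes)] for every named MIME part."""
    msg = email.message_from_bytes(raw)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.walk() if p.get_filename()]


# Constructed sample data; the queue id and addresses are placeholders.
DOC_BYTES = b"constructed placeholder, not a real Office document"

SAMPLE_HF = b"""V8
T1482147786
N0
S<sender@example.org>
RPFD:<user@example.net>
H?P?Return-Path: <sender@example.org>
H??Received: from client.example (client.example [192.0.2.10])
\tby mail.example.net with ESMTP id EXAMPLEQUEUEID;
\tMon, 19 Dec 2016 06:43:06 -0500
H??From: sender@example.org
H??Subject: Payslip
H??MIME-Version: 1.0
H??Content-Type: multipart/mixed; boundary="b1"
.
"""

SAMPLE_DF = (
    b"This is a multi-part message in MIME format.\n"
    b"--b1\nContent-Type: text/plain\n\nSee attached.\n"
    b"--b1\nContent-Type: application/msword\n"
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="sample.doc"\n\n'
    + base64.b64encode(DOC_BYTES) + b"\n--b1--\n"
)

if __name__ == "__main__":
    # The df file alone has no headers, so no MIME structure is found.
    print("df only:", attachments(SAMPLE_DF))
    print("rebuilt:", attachments(rebuild_message(SAMPLE_HF, SAMPLE_DF)))
```

Write the returned bytes to a file and rescan that file with the same clamscan options used in the thread.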


Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread G.W. Haywood

Hi there,

On Mon, 19 Dec 2016, crazy thinker wrote:


> ... could anyone of you please help ...


https://en.wikipedia.org/wiki/Android_%28operating_system%29#Technical_security_features

On Mon, 19 Dec 2016, Al Varnell wrote:


> Perhaps you would find more interest on the clamav-devel list


He's been there too.  Quite a lot.

--

73,
Ged.


Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Al Varnell
Perhaps you would find more interest on the clamav-devel list than here where 
most of us are users.


-Al-

On Dec 19, 2016, at 4:42 AM, crazy thinker  wrote:

> Hi
> 
> 
> I have heard that a lot of open source libraries (in c/c++) ported to
> android using ndk-build tool and would like to get help from
> 
> ClamAV Developers to build clamav from source for android platform. it
> would be so useful if we build libclamav.so for android. and we can see
> ClamAV mobile app in future
> 
> On 19 December 2016 at 16:36, Al Varnell  wrote:
> 
>> You asked a similar question on November 22nd with one response from Noel
>> Jones:
>> 
>>> I doubt running clam on an android device would be useful due to the
>>> resources required.  Maybe a fun time-waster though, just to see
>>> what happens.  There's several free and apparently competent
>>> antivirus programs better suited for a mobile device.
>> 
>> so I’d have to guess that nobody here is going to be able to give you a
>> hand with this one.
>> 
>> -Al-
>> 
>> On Dec 19, 2016, at 1:42 AM, crazy thinker 
>> wrote:
>> 
>>> Hi all,
>>> 
>>> I am new to android and ndk build. I am planning to use libclamav in my
>>> ndk project
>>> 
>>> could anyone of you please help me  to build libclamav for android
>>> 
>>> 
>>> Thanks
>>> Crazy Thiner Inc.
>> 

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Matteo Dessalvi

Sorry, I forgot to add: you cannot unsubscribe from the list
just by sending an email and adding in the body the word
'unsubscribe'.

The process involves sending an email to 
"clamav-users-requ...@lists.clamav.net"

with the subject: unsubscribe

Well, you can also use the web interface:
http://lists.clamav.net/cgi-bin/mailman/options/clamav-users

Anyway, yes, these random emails which pop up here and there
are certainly confusing and quite annoying at this point, I would say.

Best regards,
 Matteo

On 12/19/2016 04:18 PM, Mark Foley wrote:

Well, *that's* confusing! I suppose if I hadn't changed the subject line back to
my original subject my reply might have unsubscribed me as well.

Thanks for the clarification.

--Mark

-Original Message-
To: 
From: Matteo Dessalvi 
Date: Mon, 19 Dec 2016 16:15:37 +0100
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

Mark, I believe it was not a suggestion. It often happens here that
a user who wants to unsubscribe {him,her}self from the ClamAV
mailing list just replies to whatever message is crossing the list, asking
to be 'unsubscribed'.

Best regards,
 Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:

Please elaborate a bit on your suggestion "unsubscrib". I don't understand.

--Mark

-Original Message-
Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
From: "ca...@toursupply.com" 
To: "ClamAV users ML" 
Subject: [clamav-users] unsubscribe

unsubscribe




--
Matteo Dessalvi
Department: HPC
Location: SB2.4.109
Tel.: 06159-712030
Fax.: +49 6159 71 2986
E-Mail: m.dessa...@gsi.de

GSI Helmholtzzentrum für Schwerionenforschung GmbH
Planckstraße 1, 64291 Darmstadt, Germany, www.gsi.de

Limited liability company
Registered office: Darmstadt
Commercial register: Amtsgericht Darmstadt, HRB 1528

Managing directors:
Ursula Weyrich
Professor Dr. Karlheinz Langanke
Jörg Blaurock

Chair of the Supervisory Board: St Dr. Georg Schütte
Deputy: Ministerialdirigent Dr. Rolf Bernhardt



Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Mark Foley
Well, *that's* confusing! I suppose if I hadn't changed the subject line back to
my original subject my reply might have unsubscribed me as well.

Thanks for the clarification.

--Mark

-Original Message-
To: 
From: Matteo Dessalvi 
Date: Mon, 19 Dec 2016 16:15:37 +0100
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

Mark, I believe it was not a suggestion. It often happens here that
a user who wants to unsubscribe {him,her}self from the ClamAV
mailing list just replies to whatever message is crossing the list, asking
to be 'unsubscribed'.

Best regards,
Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:
> Please elaborate a bit on your suggestion "unsubscrib". I don't understand.
>
> --Mark
>
> -Original Message-
> Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
> From: "ca...@toursupply.com" 
> To: "ClamAV users ML" 
> Subject: [clamav-users] unsubscribe
>
> unsubscribe
>



Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Matteo Dessalvi

Mark, I believe it was not a suggestion. It often happens here that
a user who wants to unsubscribe {him,her}self from the ClamAV
mailing list just replies to whatever message is crossing the list, asking
to be 'unsubscribed'.

Best regards,
   Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:

Please elaborate a bit on your suggestion "unsubscrib". I don't understand.

--Mark

-Original Message-
Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
From: "ca...@toursupply.com" 
To: "ClamAV users ML" 
Subject: [clamav-users] unsubscribe

unsubscribe





[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Please elaborate a bit on your suggestion "unsubscrib". I don't understand.

--Mark

-Original Message-
Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
From: "ca...@toursupply.com" 
To: "ClamAV users ML" 
Subject: [clamav-users] unsubscribe

unsubscribe

-Original Message-
From: "Mark Foley" 
Sent: Monday, December 19, 2016 8:36am
To: clamav-users@lists.clamav.net
Subject: [clamav-users] No notice of OLE2.ContainsMacros

Before I submit a bug report on this, I thought I'd see if any list members 
have ideas.

I'm running clamav 0.99.2 on Linux Slackware64 14.1.  I'm running clamav-milter
for sendmail.  I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf.
This is working fine, I get:

fd[10]: Heuristics.OLE2.ContainsMacros(fa7491778b806ca1fdc4a809ea3213d5:47944) 
FOUND

in /var/log/clamd.log when it finds such macros, and the email is put in the
quarantine mail queue.

My problem is that when I run clamscan manually I can never see these files as
having blocked macros. I've tried all the switch settings I can think of,
especially --block-macros=yes, but I get nothing, e.g.:

$ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
Scanning /var/spool/mqueue/dfuBJBh64e020058
/var/spool/mqueue/dfuBJBh64e020058: OK

--- SCAN SUMMARY ---
Known viruses: 5304016
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.00:1)
Time: 5.775 sec (0 m 5 s)

This message is in the quarantine mail queue and got there because
clamav-milter/clamd found a macro -- which it logged in /var/log/clamd.log, but
I cannot get clamscan to output any indication of this condition. I always get
"Infected files: 0" -- nothing about macros.

Is there something I can do, or is this just a bug?

THX - Mark


[clamav-users] unsubscribe

2016-12-19 Thread ca...@toursupply.com
unsubscribe

-Original Message-
From: "Mark Foley" 
Sent: Monday, December 19, 2016 8:36am
To: clamav-users@lists.clamav.net
Subject: [clamav-users] No notice of OLE2.ContainsMacros

Before I submit a bug report on this, I thought I'd see if any list members 
have ideas.

I'm running clamav 0.99.2 on Linux Slackware64 14.1.  I'm running clamav-milter
for sendmail.  I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf.
This is working fine, I get:

fd[10]: Heuristics.OLE2.ContainsMacros(fa7491778b806ca1fdc4a809ea3213d5:47944) 
FOUND

in /var/log/clamd.log when it finds such macros, and the email is put in the
quarantine mail queue.

My problem is that when I run clamscan manually I can never see these files as
having blocked macros. I've tried all the switch settings I can think of,
especially --block-macros=yes, but I get nothing, e.g.:

$ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
Scanning /var/spool/mqueue/dfuBJBh64e020058
/var/spool/mqueue/dfuBJBh64e020058: OK

--- SCAN SUMMARY ---
Known viruses: 5304016
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.00:1)
Time: 5.775 sec (0 m 5 s)

This message is in the quarantine mail queue and got there because
clamav-milter/clamd found a macro -- which it logged in /var/log/clamd.log, but
I cannot get clamscan to output any indication of this condition. I always get
"Infected files: 0" -- nothing about macros.

Is there something I can do, or is this just a bug?

THX - Mark


[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Before I submit a bug report on this, I thought I'd see if any list members 
have ideas.

I'm running clamav 0.99.2 on Linux Slackware64 14.1.  I'm running clamav-milter
for sendmail.  I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf.
This is working fine, I get:

fd[10]: Heuristics.OLE2.ContainsMacros(fa7491778b806ca1fdc4a809ea3213d5:47944) 
FOUND

in /var/log/clamd.log when it finds such macros, and the email is put in the
quarantine mail queue.

My problem is that when I run clamscan manually I can never see these files as
having blocked macros. I've tried all the switch settings I can think of,
especially --block-macros=yes, but I get nothing, e.g.:

$ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
Scanning /var/spool/mqueue/dfuBJBh64e020058
/var/spool/mqueue/dfuBJBh64e020058: OK

--- SCAN SUMMARY ---
Known viruses: 5304016
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.00:1)
Time: 5.775 sec (0 m 5 s)

This message is in the quarantine mail queue and got there because
clamav-milter/clamd found a macro -- which it logged in /var/log/clamd.log, but
I cannot get clamscan to output any indication of this condition. I always get
"Infected files: 0" -- nothing about macros.

Is there something I can do, or is this just a bug?

THX - Mark


Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Ralf Hildebrandt
* Bengt H. :
> Unsubscribe please

List-Unsubscribe: 
,

-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
http://www.charite.de              Hindenburgdamm 30, 12203 Berlin
IT Division, Network Dept.         phone: +49-30-450.570.155

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Bengt H.
Unsubscribe please

Sent from my iPhone

> On 19 Dec 2016, at 13:48, crazy thinker wrote:
> 
> i still don't  understand that  why clamav developers not interested in
> this?  '
> 
> On 19 December 2016 at 18:12, crazy thinker 
> wrote:
> 
>> Hi
>> 
>> 
>> I have heard that a lot  of open source  libraries (in c/c++) ported to
>> android using ndk-build tool and would like to get help from
>> 
>> ClamAV Developers to build clamav from source for android platform. it
>> would be so useful if we build libclamav.so for android. and we can see
>> ClamAV mobile app in future
>> 
>>> On 19 December 2016 at 16:36, Al Varnell  wrote:
>>> 
>>> You asked a similar question on November 22nd with one response from Noel
>>> Jones:
>>> 
>>>> I doubt running clam on an android device would be useful due to the
>>>> resources required.  Maybe a fun time-waster though, just to see
>>>> what happens.  There's several free and apparently competent
>>>> antivirus programs better suited for a mobile device.
>>> 
>>> so I’d have to guess that nobody here is going to be able to give you a
>>> hand with this one.
>>> 
>>> -Al-
>>> 
>>> On Dec 19, 2016, at 1:42 AM, crazy thinker 
>>> wrote:
>>> 
>>>> Hi all,
>>>> 
>>>> I am new to android and ndk build .i am  planning to use libclamav in my
>>>> ndk project
>>>> 
>>>> could anyone of you please help me  to build libclamav for android
>>>> 
>>>> 
>>>> Thanks
>>>> Crazy Thiner Inc.

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread crazy thinker
i still don't  understand that  why clamav developers not interested in
this?  '

On 19 December 2016 at 18:12, crazy thinker 
wrote:

> Hi
>
>
> I have heard that a lot  of open source  libraries (in c/c++) ported to
> android using ndk-build tool and would like to get help from
>
> ClamAV Developers to build clamav from source for android platform. it
> would be so useful if we build libclamav.so for android. and we can see
> ClamAV mobile app in future
>
> On 19 December 2016 at 16:36, Al Varnell  wrote:
>
>> You asked a similar question on November 22nd with one response from Noel
>> Jones:
>>
>> > I doubt running clam on an android device would be useful due to the
>> > resources required.  Maybe a fun time-waster though, just to see
>> > what happens.  There's several free and apparently competent
>> > antivirus programs better suited for a mobile device.
>>
>> so I’d have to guess that nobody here is going to be able to give you a
>> hand with this one.
>>
>> -Al-
>>
>> On Dec 19, 2016, at 1:42 AM, crazy thinker 
>> wrote:
>>
>> > Hi all,
>> >
>> > I am new to android and ndk build .i am  planning to use libclamav in my
>> > ndk project
>> >
>> > could anyone of you please help me  to build libclamav for android
>> >
>> >
>> > Thanks
>> > Crazy Thiner Inc.

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread crazy thinker
Hi


I have heard that a lot  of open source  libraries (in c/c++) ported to
android using ndk-build tool and would like to get help from

ClamAV Developers to build clamav from source for android platform. it
would be so useful if we build libclamav.so for android. and we can see
ClamAV mobile app in future

On 19 December 2016 at 16:36, Al Varnell  wrote:

> You asked a similar question on November 22nd with one response from Noel
> Jones:
>
> > I doubt running clam on an android device would be useful due to the
> > resources required.  Maybe a fun time-waster though, just to see
> > what happens.  There's several free and apparently competent
> > antivirus programs better suited for a mobile device.
>
> so I’d have to guess that nobody here is going to be able to give you a
> hand with this one.
>
> -Al-
>
> On Dec 19, 2016, at 1:42 AM, crazy thinker 
> wrote:
>
> > Hi all,
> >
> > I am new to android and ndk build .i am  planning to use libclamav in my
> > ndk project
> >
> > could anyone of you please help me  to build libclamav for android
> >
> >
> > Thanks
> > Crazy Thiner Inc.

Re: [clamav-users] Porting LibClamAV for Android

2016-12-19 Thread Al Varnell
You asked a similar question on November 22nd with one response from Noel Jones:

> I doubt running clam on an android device would be useful due to the
> resources required.  Maybe a fun time-waster though, just to see
> what happens.  There's several free and apparently competent
> antivirus programs better suited for a mobile device.

so I’d have to guess that nobody here is going to be able to give you a hand 
with this one.

-Al-

On Dec 19, 2016, at 1:42 AM, crazy thinker  wrote:

> Hi all,
> 
> I am new to android and ndk build .i am  planning to use libclamav in my
> ndk project
> 
> could anyone of you please help me  to build libclamav for android
> 
> 
> Thanks
> Crazy Thiner Inc.



[clamav-users] Porting LibClamAV for Android

2016-12-19 Thread crazy thinker
Hi all,

I am new to android and ndk build .i am  planning to use libclamav in my
ndk project

could anyone of you please help me  to build libclamav for android


Thanks
Crazy Thiner Inc.