[clamav-users] WannaCry Homeland Security yara script. False positives?

2017-05-16 Thread Mark Foley
I added the yara script published by Homeland security to the clamav database
directory. I believe I am getting a substantial number of false positives on
this including messages containing PDF and JPG attachments, the latter known to
be OK.

$ clamscan "/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S"
/home/HPRS/mpress/Maildir/.Sent Items/cur/1486141726.M192155P10931.mail,S=188385,W=191025:2,S: YARA.Wanna_Cry_Ransomware_Generic.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Known viruses: 6284977
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.95 MB
Data read: 0.18 MB (ratio 5.42:1)
Time: 7.567 sec (0 m 7 s)

Is anyone else using this rule seeing this? 

--Mark
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Kishore Pawar
Thanks Carlos

I see what you're saying. I checked my previous sessions and I found the one
below from the 'Oct 2016' session where I see that the clamav-milter.socket is
owned by clamav:clamav, whereas my latest one is owned by clamav:root. Is
it causing the below error? If so, how can I make sure the socket gets
proper permissions?

ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
process.

# lsof | grep clamd.socket
clamd 22795 clamav 5u unix 0xc000712f4880 0t0 335900 /var/run/clamav/clamd.socket


Oct 2016
# ls -lrt /var/run/clamav
total 8
srw-r--r--. 1 clamav clamav 0 Oct 24  2016 clamav-milter.socket
-rw-rw-r--. 1 clamav clamav 5 Oct 24  2016 clamav-milter.pid
-rw-rw----. 1 clamav clamav 5 Oct 24  2016 freshclam.pid


Latest
# ls -lrt /var/run/clamav
total 12
srw-rw-rw-. 1 clamav clamav 0 May 16 21:40 clamd.socket
-rw-rw-r--. 1 clamav clamav 6 May 16 21:40 clamd.pid
srw-r--r--. 1 clamav root   0 May 16 21:40 clamav-milter.socket   # Not sure why it's not owned by clamav:clamav here
-rw-rw----. 1 clamav clamav 6 May 16 21:40 freshclam.pid
-rw-rw-r--. 1 clamav clamav 6 May 16 21:40 clamav-milter.pid


Thanks
---

IMHO rc.local is not the best place to put this at all...

> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
> process.
You are calling clamd *daemon* with a "status" argument that it doesn't
recognize.
As you are using an init system you should use a init.d/rc.d script (like
"/etc/rc.d/clamav"). That script usually accepts a "status" argument, but
clamd (daemon) does not.

Regards,
Carlos Velasco

On Tue, May 16, 2017 at 9:55 AM, Kishore Pawar  wrote:

> Hi Carlos Velasco
>
> Our RHEL 6.8 runs on an IBM Power 8 server (ppc64), for which we don't have
> a ClamAV package. So I had to compile it from source. I have uninstalled
> the old version and installed ClamAV 0.99.2.
>
> So I can confirm that I have only one instance running. Here's the
> detailed info.
>
> # which clamd
> /usr/local/sbin/clamd
>
> # whereis clamd
> clamd: /usr/local/sbin/clamd /usr/local/etc/clamd.conf
>
> # cat /etc/rc.d/rc.local
> #!/bin/sh
> #
> # This script will be executed *after* all the other init scripts.
> # You can put your own initialization stuff in here if you don't
> # want to do the full Sys V style init stuff.
> touch /var/lock/subsys/local
> /usr/local/sbin/clamd
> /usr/local/sbin/clamav-milter
> /usr/local/bin/freshclam -d
>
> # ps -ef | grep clamd
> clamav 6776 1 0 May15 ? 00:00:01 clamd
> root 10956 10925 0 09:40 pts/0 00:00:00 grep clamd
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by
> another process.
>
> # lsof | grep clamd.socket
> clamd 6776 clamav 5u unix 0xc3692480 0t0 72993 /var/run/clamav/clamd.socket
>
> Thanks
> Kishore
>
>
> ---
>
> > Yes, I usually verify after running any command. So yes, I verified the
> > process is properly killed. I even rebooted it a couple of times. Even after a
> > clean reboot, the output of clamd status gives the same error. What is
> > the output of your clamd status? Can you share it please?
> Kishore, I think you have 2 clamav installations in your machine. Maybe
> one packaged and another one compiled.
> I don't have a RHEL at hand right now, but check with either of these:
> which clamd
> whereis clamd
>
> If you see two different clamd (maybe one in /usr/local/...) that's
> why you are seeing your problems, and you should probably fix it by changing
> your status script (init.d?).
>
> Regards,
> Carlos Velasco
>
> On Tue, May 16, 2017 at 8:08 AM, Kishore Pawar  wrote:
>
>> Hi Reindl Harald
>>
>> Yes, I usually verify after running any command. So yes, I verified the
>> process is properly killed. I even rebooted it a couple of times. Even after a
>> clean reboot, the output of clamd status gives the same error. What is the
>> output of your clamd status? Can you share it please?
>>
>> Thanks
>> Kishore
>> 
>>
>> On 15.05.2017 at 23:53, Kishore Pawar wrote:
>> > Yes, I see the clamd process. I tried to kill and restart it many
>> > times, but when I run the 'clamd status' I get the same error about
>> > the socket file. Earlier when I was running the older version, I
>> > used to see the complete details about the clamd status including
>> > the version number I was running and what the latest status of that
>> > clamd was. Now I just get the error, which I am not sure is giving
>> > me the right output.
>> and did you verify that after the kill the process is really gone?
>>
>> maybe it needs a "kill -s SIGKILL" instead of a SIGTERM for whatever reason
>> but that's all hard to say since you don't provide much information
>> without being explicitly asked
>>
>>
>> On Mon, May 15, 2017 at 5:18 PM, Kishore Pawar  wrote:
>>
>>> Btw, can you please share your output of the command 

Re: [clamav-users] DNS Caching Problem AGAIN with current.cvd.clamav.net?

2017-05-16 Thread Al Varnell
I am not understanding your point here. Where are you seeing an indication that 
the database had been updated at the time you wrote? The first indication of an 
update was an email announcing daily 23390 at 8:30am PDT, about four hours 
after you posted and almost 30 hours after the previous daily update. That 
would seem to indicate a problem or delay with updates, rather than a DNS 
Caching issue.

-Al-
-- 
Al Varnell
Mountain View, CA

On May 16, 2017, at 4:33 AM, Andy Schmidt  wrote:
> 
> The same problem had been "fixed" a few weeks ago:
> 
> http://network-tools.com/nslook/Default.asp?domain=current.cvd.clamav.net
> 
> current.cvd.clamav.net reports:
> 
>   "0.99.2:57:23389:1494930680:1:63:45940:300"
> 
> not just with my local DNS - but even the above public lookup.
> Consequently, virus databases are 25+ hours OUTDATED and FreshClam won't
> pick up recent ones!
> 
> clamscan -V : 
> ClamAV 0.99.2/23389/Mon May 15 04:57:48 2017
> 
> freshclam log :
> Tue May 16 06:29:19 2017 -> --
> Tue May 16 06:59:19 2017 -> ClamAV update process started at Tue May 16
> 06:59:19 2017
> Tue May 16 06:59:19 2017 -> main.cvd is up to date (version: 57, sigs:
> 4218790, f-level: 60, builder: amishhammer)
> Tue May 16 06:59:19 2017 -> daily.cld is up to date (version: 23389, sigs:
> 2071687, f-level: 63, builder: neo)
> Tue May 16 06:59:19 2017 -> safebrowsing.cld is up to date (version: 45940,
> sigs: 2889021, f-level: 63, builder: google)
> Tue May 16 06:59:19 2017 -> bytecode.cld is up to date (version: 300, sigs:
> 57, f-level: 63, builder: neo)
> Tue May 16 06:59:19 2017 -> --
> 
> So - either there is a problem with their DNS server - or there is an
> open/persistent/recurrent problem with whatever process is supposed to
> automatically UPDATE their "current.cvd" TXT record.
> Either way, there appears to be NO simple monitoring app in place that
> simply matches the DNS TXT record to the "real" database level?



Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Carlos Velasco
> # cat /etc/rc.d/rc.local
> #!/bin/sh
> #
> # This script will be executed *after* all the other init scripts.
> # You can put your own initialization stuff in here if you don't
> # want to do the full Sys V style init stuff.
> touch /var/lock/subsys/local
> /usr/local/sbin/clamd
> /usr/local/sbin/clamav-milter
> /usr/local/bin/freshclam -d

IMHO rc.local is not the best place to put this at all...
 
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
> process.

You are calling clamd *daemon* with a "status" argument that it doesn't 
recognize.
As you are using an init system you should use a init.d/rc.d script (like 
"/etc/rc.d/clamav"). That script usually accepts a "status" argument, but clamd 
(daemon) does not.

Regards,
Carlos Velasco
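
Since clamd itself has no "status" argument, the daemon's own socket protocol is the way to get what the old init script used to report. The following is an added example, not code from the thread or from ClamAV: it sends PING and VERSION over the Unix socket (the path is assumed from the error message above) and parses the reply into engine version, daily database version and build date. Both helpers return None or a dict so they can sit inside a monitoring script.

```python
#!/usr/bin/env python3
"""Ask a running clamd for PING and VERSION over its Unix socket.

Added example, not from the thread or from ClamAV. It speaks clamd's socket
protocol: a command prefixed with 'z' is NUL-terminated and so is the reply.
The socket path is assumed from the error message quoted in the thread.
"""
import json
import socket
import sys

DEFAULT_SOCKET = "/var/run/clamav/clamd.socket"   # path quoted in the thread


def clamd_query(command, socket_path=DEFAULT_SOCKET, timeout=5.0):
    """Send one z-prefixed command and return the reply text, or None when
    clamd is not reachable (socket missing, nothing listening, timeout)."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(socket_path)
            sock.sendall(b"z" + command.encode("ascii") + b"\0")
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if data.endswith(b"\0"):   # z-mode replies end with NUL
                    break
    except OSError:                        # includes socket.timeout
        return None
    return b"".join(chunks).rstrip(b"\0").decode("utf-8", "replace")


def parse_version(reply):
    """Split 'ClamAV 0.99.2/23389/Mon May 15 04:57:48 2017' (the same format
    clamscan -V prints in the thread) into engine, daily version and build date."""
    prefix = "ClamAV "
    parts = reply[len(prefix):].split("/") if reply.startswith(prefix) else []
    if len(parts) != 3:
        raise ValueError("unexpected VERSION reply: %r" % reply)
    engine, daily, built = parts
    return {"engine": engine, "daily": int(daily), "built": built}


def clamd_status(socket_path=DEFAULT_SOCKET):
    """What 'clamd status' was expected to show: is the daemon answering and
    which engine and database version it has loaded."""
    if clamd_query("PING", socket_path) != "PONG":
        return {"alive": False}
    info = {"alive": True}
    version = clamd_query("VERSION", socket_path)
    if version:
        try:
            info.update(parse_version(version))
        except ValueError:
            info["raw_version"] = version
    return info


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCKET
    print(json.dumps(clamd_status(path), indent=2))
```

For live use clamd must be running and the caller must be allowed to connect to the socket (note the srw-rw-rw- mode on clamd.socket in the listings above).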



Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Nataraj
On 05/15/2017 01:04 PM, Mark Foley wrote:
> On Mon May 15 15:06:07 2017 "Eric Tykwinski"  wrote:
>> Here's links to sample files, ie use at your own risk:
>> https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
>>
>> Sincerely,
>>
>> Eric Tykwinski
>> TrueNet, Inc.
>> P: 610-429-8300
>>

It might be necessary to specify this option to clamav if other rules
are finding viruses first:
   -z, --allmatch        After a match, continue scanning within the file for
                         additional matches.

Also, there are at least 175 signatures for wannacry in the various
sanesecurity databases which can be updated automatically using their
scripts.

Nataraj



Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Joel Esler (jesler)
Rdp was a factor, but only locally.  

No initial vector has been established.  The only propagation method we have 
seen is via SMB.  

Check the blog post.  We laid it all out there.  

--
Sent from my iPhone

> On May 16, 2017, at 12:40, Eric Tykwinski  wrote:
> 
> I don't think anyone really knows the initial vector, but RDP was an entry
> point according to the site I was reading:
> Backdooring: The worm loops through every RDP session on a system to run the
> ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It
> corrupts shadow volumes to make recovery harder. (source: malwarebytes)
> It seems more believable to me than everyone with SMB access to the public
> internet.
> 
> Sincerely,
> 
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> 
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
> Of Dennis Peterson
> Sent: Tuesday, May 16, 2017 12:25 PM
> To: ClamAV users ML
> Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
> clamav
> 
> If not email what is the vector?
> 
> dp
> 
>> On 5/15/17 5:11 PM, Joel Esler (jesler) wrote:
>> To be clear let me link to our blog post on the subject:
>> 
>> http://blog.talosintelligence.com/2017/05/wannacry.html
>> 
>> There has been No email vector seen in WannaCry to date.  Almost everyone
> that has claimed this, has retracted it. Please read the above blog post for
> all the facts as we know them.
>> 
>> This is an ongoing threat.
>> 
>> --
>> Joel Esler | Talos: Manager | jes...@cisco.com


Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Eric Tykwinski
I don't think anyone really knows the initial vector, but RDP was an entry
point according to the site I was reading:
Backdooring: The worm loops through every RDP session on a system to run the
ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It
corrupts shadow volumes to make recovery harder. (source: malwarebytes)
It seems more believable to me than everyone with SMB access to the public
internet.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf
Of Dennis Peterson
Sent: Tuesday, May 16, 2017 12:25 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
clamav

If not email what is the vector?

dp

On 5/15/17 5:11 PM, Joel Esler (jesler) wrote:
> To be clear let me link to our blog post on the subject:
>
> http://blog.talosintelligence.com/2017/05/wannacry.html
>
> There has been No email vector seen in WannaCry to date.  Almost everyone
that has claimed this, has retracted it. Please read the above blog post for
all the facts as we know them.
>
> This is an ongoing threat.
>
> --
> Joel Esler | Talos: Manager | jes...@cisco.com




Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-16 Thread Dennis Peterson

If not email what is the vector?

dp

On 5/15/17 5:11 PM, Joel Esler (jesler) wrote:

To be clear let me link to our blog post on the subject:

http://blog.talosintelligence.com/2017/05/wannacry.html

There has been No email vector seen in WannaCry to date.  Almost everyone that 
has claimed this, has retracted it. Please read the above blog post for all the 
facts as we know them.

This is an ongoing threat.

--
Joel Esler | Talos: Manager | jes...@cisco.com





Re: [clamav-users] ScanOnAcess

2017-05-16 Thread Mickey Sola
Hi Roelof,

The on-access scanner is configured through clamd.conf. This is a
freshclam.conf file.

As such, it makes sense that freshclam would complain about that
configuration option, since freshclam and clamd are separate applications.

Remove the erroneous option and freshclam should pull down the signature
databases just fine.

Cheers,
Mickey

On Tue, May 16, 2017 at 6:07 AM, Roelof Wobben  wrote:

> Hello Remi,
>
>
> I use CentOS 7 as the server and Fedora 25 as the client,
>
> and I checked both and both support FANOTIFY
>
>
> Roelof
>
> 
> From: clamav-users  on behalf of Remi
> Bruggeman 
> Sent: Tuesday 16 May 2017 08:53
> To: ClamAV users ML
> Subject: Re: [clamav-users] ScanOnAcess
>
> Roelof,
>
> Which OS are you running? Does the kernel support FANOTIFY?
>
>
> Best regards,
>
> Remi Bruggeman
>
> -Original Message-
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Roelof Wobben
> Sent: Tuesday, May 16, 2017 10:23 AM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] ScanOnAcess
>
> Hello,
>
>
> I have this clamav.conf :
>
>
> ##
> ## Example config file for freshclam
> ## Please read the freshclam.conf(5) manual before editing this file.
> ##
>
>
> # Comment or remove the line below.
> # Example
>
> # Path to the database directory.
> # WARNING: It must match clamd.conf's directive!
> # Default: hardcoded (depends on installation options)
> DatabaseDirectory /var/lib/clamav
>
> # Path to the log file (make sure it has proper permissions)
> # Default: disabled
> UpdateLogFile /var/log/freshclam.log
>
> # Maximum size of the log file.
> # Value of 0 disables the limit.
> # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
> # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
> # in bytes just don't use modifiers. If LogFileMaxSize is enabled,
> # log rotation (the LogRotate option) will always be enabled.
> # Default: 1M
> LogFileMaxSize 2M
>
> # Log time with each message.
> # Default: no
> LogTime yes
>
> # Enable verbose logging.
> # Default: no
> LogVerbose yes
>
> # Use system logger (can work together with UpdateLogFile).
> # Default: no
> LogSyslog yes
>
> # Specify the type of syslog messages - please refer to 'man syslog'
> # for facility names.
> # Default: LOG_LOCAL6
> LogFacility LOG_MAIL
>
> # Enable log rotation. Always enabled when LogFileMaxSize is enabled.
> # Default: no
> LogRotate yes
>
> # This option allows you to save the process identifier of the daemon
> # Default: disabled
> #PidFile /var/run/freshclam.pid
>
> # By default when started freshclam drops privileges and switches to the
> # "clamav" user. This directive allows you to change the database owner.
> # Default: clamav (may depend on installation options)
> DatabaseOwner clamupdate
>
> # Initialize supplementary group access (freshclam must be started by root).
> # Default: no
> #AllowSupplementaryGroups yes
> #AllowSupplementaryGroups yes
>
> # Use DNS to verify virus database version. Freshclam uses DNS TXT records
> # to verify database and software versions. With this directive you can change
> # the database verification domain.
> # WARNING: Do not touch it unless you're configuring freshclam to use your
> # own database verification domain.
> # Default: current.cvd.clamav.net
> # DNSDatabaseInfo current.cvd.clamav.net
>
> # Uncomment the following line and replace XY with your country
> # code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
> # You can use db.XY.ipv6.clamav.net for IPv6 connections.
> # DatabaseMirror current.cvd.clamav.net
>
> # database.clamav.net is a round-robin record which points to our most
> # reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
> # not working. DO NOT TOUCH the following line unless you know what you
> # are doing.
> DatabaseMirror database.clamav.net
>
> # How many attempts to make before giving up.
> # Default: 3 (per mirror)
> MaxAttempts 5
>
> # With this option you can control scripted updates. It's highly recommended
> # to keep it enabled.
> # Default: yes
> ScriptedUpdates yes
>
> # By default freshclam will keep the local databases (.cld) uncompressed to
> # make their handling faster. With this option you can enable the compression;
> # the change will take effect with the next database update.
> # Default: no
> #CompressLocalDatabase no
>
> # With this option you can provide custom sources (http:// or file://) for
> # database files. This option can be used multiple times.
> # Default: no custom URLs
> #DatabaseCustomURL http://myserver.com/mysigs.ndb
> #DatabaseCustomURL file:///mnt/nfs/local.hdb
>
> # This option allows you to easily point freshclam to private mirrors.
> # If PrivateMirror is set, freshclam does not attempt to use DNS
> # to determine whether its databases are out-of-date, instead it will
> # use the If-Modified-Since request or directly check 

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Kishore Pawar
Hi Carlos Velasco

Our RHEL 6.8 runs on an IBM Power 8 server (ppc64), for which we don't have
a ClamAV package. So I had to compile it from source. I have uninstalled
the old version and installed ClamAV 0.99.2.

So I can confirm that I have only one instance running. Here's the detailed
info.

# which clamd
/usr/local/sbin/clamd

# whereis clamd
clamd: /usr/local/sbin/clamd /usr/local/etc/clamd.conf

# cat /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/usr/local/sbin/clamd
/usr/local/sbin/clamav-milter
/usr/local/bin/freshclam -d

# ps -ef | grep clamd
clamav 6776 1 0 May15 ? 00:00:01 clamd
root 10956 10925 0 09:40 pts/0 00:00:00 grep clamd

# clamd status
ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
process.

# lsof | grep clamd.socket
clamd 6776 clamav 5u unix 0xc3692480 0t0 72993 /var/run/clamav/clamd.socket

Thanks
Kishore


---

> Yes, I usually verify after running any command. So yes, I verified the
> process is properly killed. I even rebooted it a couple of times. Even after a
> clean reboot, the output of clamd status gives the same error. What is the
> output of your clamd status? Can you share it please?
Kishore, I think you have 2 clamav installations in your machine. Maybe one
packaged and another one compiled.
I don't have a RHEL at hand right now, but check with either of these:
which clamd
whereis clamd

If you see two different clamd (maybe one in /usr/local/...) that's why you
are seeing your problems, and you should probably fix it by changing your status
script (init.d?).

Regards,
Carlos Velasco

On Tue, May 16, 2017 at 8:08 AM, Kishore Pawar  wrote:

> Hi Reindl Harald
>
> Yes, I usually verify after running any command. So yes, I verified the
> process is properly killed. I even rebooted it a couple of times. Even after a
> clean reboot, the output of clamd status gives the same error. What is the
> output of your clamd status? Can you share it please?
>
> Thanks
> Kishore
> 
>
> On 15.05.2017 at 23:53, Kishore Pawar wrote:
> > Yes, I see the clamd process. I tried to kill and restart it many
> > times, but when I run the 'clamd status' I get the same error about
> > the socket file. Earlier when I was running the older version, I used
> > to see the complete details about the clamd status including the
> > version number I was running and what the latest status of that
> > clamd was. Now I just get the error, which I am not sure is giving
> > me the right output.
> and did you verify that after the kill the process is really gone?
>
> maybe it needs a "kill -s SIGKILL" instead of a SIGTERM for whatever reason
> but that's all hard to say since you don't provide much information
> without being explicitly asked
>
>
> On Mon, May 15, 2017 at 5:18 PM, Kishore Pawar  wrote:
>
>> Btw, can you please share your output of the command 'clamd status'?
>>
>> Thanks
>> Kishore
>>
>> On Mon, May 15, 2017 at 4:53 PM, Kishore Pawar  wrote:
>>
>>> Yes, I see the clamd process. I tried to kill and restart it many
>>> times, but when I run the 'clamd status' I get the same error about the
>>> socket file. Earlier when I was running the older version, I used to see
>>> the complete details about the clamd status including the version number I
>>> was running and what the latest status of that clamd was. Now I just get the
>>> error, which I am not sure is giving me the right output.
>>>
>>> On Mon, May 15, 2017 at 4:22 PM, Kishore Pawar 
>>> wrote:
>>>
 Thanks Steve. Here's the output of lsof.

 # clamd status
 ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by
 another process.

 # lsof | grep clamd.socket
 clamd 6776 clamav 5u unix 0xc3692480 0t0 72993 /var/run/clamav/clamd.socket

 # ps -ef | grep 6776
 clamav 6776 1 0 15:57 ? 00:00:00 clamd
 root 6889 2739 0 16:20 pts/1 00:00:00 grep 6776

 Thanks
 Kishore

 On Mon, May 15, 2017 at 12:29 PM, Kishore Pawar 
 wrote:

> Thanks Steve. Yes, I tried removing them, killing the running clamd
> process and starting it again, but the clamd status still doesn't show
> anything other than the error.
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by
> another process.
>
> 
>
> There is probably another clamd running. If not, try deleting
> /var/run/clamav/clamd.socket.
>
> Steve
>
> On Mon, May 15, 2017 at 11:58 AM, Kishore Pawar 
> wrote:
>
>> Hi Steve
>>
>> Thank you very much for 

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Carlos Velasco
> Yes, I usually verify after running any command. So yes, I verified the
> process is properly killed. I even rebooted it a couple of times. Even after a
> clean reboot, the output of clamd status gives the same error. What is the
> output of your clamd status? Can you share it please?

Kishore, I think you have 2 clamav installations in your machine. Maybe one 
packaged and another one compiled.
I don't have a RHEL at hand right now, but check with either of these:
which clamd
whereis clamd

If you see two different clamd (maybe one in /usr/local/...) that's why you 
are seeing your problems, and you should probably fix it by changing your status 
script (init.d?).

Regards,
Carlos Velasco



Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Kishore Pawar
Hi Reindl Harald

Yes, I usually verify after running any command. So yes, I verified the
process is properly killed. I even rebooted it a couple of times. Even after a
clean reboot, the output of clamd status gives the same error. What is the
output of your clamd status? Can you share it please?

Thanks
Kishore


On 15.05.2017 at 23:53, Kishore Pawar wrote:
> Yes, I see the clamd process. I tried to kill and restart it many times,
> but when I run the 'clamd status' I get the same error about the socket
> file. Earlier when I was running the older version, I used to see the
> complete details about the clamd status including the version number I was
> running and what the latest status of that clamd was. Now I just get the
> error, which I am not sure is giving me the right output.
and did you verify that after the kill the process is really gone?

maybe it needs a "kill -s SIGKILL" instead of a SIGTERM for whatever reason
but that's all hard to say since you don't provide much information
without being explicitly asked


On Mon, May 15, 2017 at 5:18 PM, Kishore Pawar  wrote:

> Btw, can you please share your output of the command 'clamd status'?
>
> Thanks
> Kishore
>
> On Mon, May 15, 2017 at 4:53 PM, Kishore Pawar  wrote:
>
>> Yes, I see the clamd process. I tried to kill and restart it many times,
>> but when I run the 'clamd status' I get the same error about the socket
>> file. Earlier when I was running the older version, I used to see the
>> complete details about the clamd status including the version number I was
>> running and what the latest status of that clamd was. Now I just get the
>> error, which I am not sure is giving me the right output.
>>
>> On Mon, May 15, 2017 at 4:22 PM, Kishore Pawar  wrote:
>>
>>> Thanks Steve. Here's the output of lsof.
>>>
>>> # clamd status
>>> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by
>>> another process.
>>>
>>> # lsof | grep clamd.socket
>>> clamd 6776 clamav 5u unix 0xc3692480 0t0 72993 /var/run/clamav/clamd.socket
>>>
>>> # ps -ef | grep 6776
>>> clamav 6776 1 0 15:57 ? 00:00:00 clamd
>>> root 6889 2739 0 16:20 pts/1 00:00:00 grep 6776
>>>
>>> Thanks
>>> Kishore
>>>
>>> On Mon, May 15, 2017 at 12:29 PM, Kishore Pawar 
>>> wrote:
>>>
 Thanks Steve. Yes, I tried removing them, killing the running clamd
 process and starting it again, but the clamd status still doesn't show anything
 other than the error.

 # clamd status
 ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by
 another process.

 

 There is probably another clamd running. If not, try deleting
 /var/run/clamav/clamd.socket.

 Steve

 On Mon, May 15, 2017 at 11:58 AM, Kishore Pawar 
 wrote:

> Hi Steve
>
> Thank you very much for the reply and your suggestion. I rebuilt it
> with the option (--enable-llvm=no) provided by you and it seems to be ok
> now. But now I am unable to stop/start the clamd and am not able to get
> the status of clamd.
>
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by
> another process.
>
> # ls -lrt /var/run/clamav/
> total 12
> srw-rw-rw-. 1 clamav clamav 0 May 15 11:29 clamd.socket
> -rw-rw-r--. 1 clamav clamav 5 May 15 11:29 clamd.pid
> -rw-rw----. 1 clamav clamav 5 May 15 11:29 freshclam.pid
> srw-r--r--. 1 clamav root   0 May 15 11:46 clamav-milter.socket
> -rw-rw-r--. 1 clamav clamav 5 May 15 11:46 clamav-milter.pid
>
> I observed that the 'clamav-milter.socket' is started by root and not
> clamav user. I am not sure if that's how it is supposed to be. If it needs
> to be started by clamav, where should I do the changes?
>
> Thanks
> Kishore
>


>>>
>>
>


[clamav-users] DNS Caching Problem AGAIN with current.cvd.clamav.net?

2017-05-16 Thread Andy Schmidt
The same problem had been "fixed" a few weeks ago:

http://network-tools.com/nslook/Default.asp?domain=current.cvd.clamav.net


current.cvd.clamav.net reports:

"0.99.2:57:23389:1494930680:1:63:45940:300"

not just with my local DNS - but even the above public lookup.
Consequently, virus databases are 25+ hours OUTDATED and FreshClam won't
pick up recent ones!

clamscan -V : 
ClamAV 0.99.2/23389/Mon May 15 04:57:48 2017

freshclam log :
Tue May 16 06:29:19 2017 -> --
Tue May 16 06:59:19 2017 -> ClamAV update process started at Tue May 16
06:59:19 2017
Tue May 16 06:59:19 2017 -> main.cvd is up to date (version: 57, sigs:
4218790, f-level: 60, builder: amishhammer)
Tue May 16 06:59:19 2017 -> daily.cld is up to date (version: 23389, sigs:
2071687, f-level: 63, builder: neo)
Tue May 16 06:59:19 2017 -> safebrowsing.cld is up to date (version: 45940,
sigs: 2889021, f-level: 63, builder: google)
Tue May 16 06:59:19 2017 -> bytecode.cld is up to date (version: 300, sigs:
57, f-level: 63, builder: neo)
Tue May 16 06:59:19 2017 -> --

So - either there is a problem with their DNS server - or there is an
open/persistent/recurrent problem with whatever process is supposed to
automatically UPDATE their "current.cvd" TXT record.
Either way, there appears to be NO simple monitoring app in place that
simply matches the DNS TXT record to the "real" database level?
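
As an added example (not from the thread and not ClamAV code), a small monitor in the spirit of what is asked for above: it parses the current.cvd.clamav.net TXT record and the freshclam log lines quoted in this message, flags disagreement between the two or a stale record, and, because a freshly republished record can still advertise an old daily, remembers how long the advertised daily version has stood still. The field positions, the 3-hour record-age limit and the 24-hour threshold are assumptions noted in the code.

```python
#!/usr/bin/env python3
"""Offline monitor: does current.cvd.clamav.net agree with local freshclam state?

Added example, not part of the thread or of ClamAV. The TXT field positions
are inferred from the record and freshclam log quoted in the thread (main 57,
daily 23389, f-level 63, safebrowsing 45940, bytecode 300); treating field 3
as the record's publication time and the 3-hour limit mirror freshclam's own
"DNS record is older than 3 hours" warning (assumption). For a live check,
pass parse_txt_record() the output of: dig +short TXT current.cvd.clamav.net
"""
import re
import time

MAX_RECORD_AGE = 3 * 3600    # seconds; freshclam's own staleness limit (assumption)
MAX_SAME_DAILY = 24 * 3600   # alert when the advertised daily has not moved for a day

# Constructed copies of the record and log lines quoted in the thread.
SAMPLE_TXT = '"0.99.2:57:23389:1494930680:1:63:45940:300"'
SAMPLE_LOG = """\
Tue May 16 06:59:19 2017 -> ClamAV update process started at Tue May 16 06:59:19 2017
Tue May 16 06:59:19 2017 -> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Tue May 16 06:59:19 2017 -> daily.cld is up to date (version: 23389, sigs: 2071687, f-level: 63, builder: neo)
Tue May 16 06:59:19 2017 -> safebrowsing.cld is up to date (version: 45940, sigs: 2889021, f-level: 63, builder: google)
Tue May 16 06:59:19 2017 -> bytecode.cld is up to date (version: 300, sigs: 57, f-level: 63, builder: neo)
"""

DATABASES = ("main", "daily", "safebrowsing", "bytecode")
LOG_RE = re.compile(
    r"-> (?P<db>main|daily|safebrowsing|bytecode)\.c[lv]d "
    r"(?:is up to date|updated) \(version: (?P<ver>\d+)")


def parse_txt_record(txt):
    """Split the colon-separated TXT record into named fields."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError("unexpected TXT record: %r" % txt)
    return {
        "clamav_version": fields[0],
        "main": int(fields[1]),
        "daily": int(fields[2]),
        "record_time": int(fields[3]),   # epoch seconds of the last record update
        "flevel": int(fields[5]),
        "safebrowsing": int(fields[6]),
        "bytecode": int(fields[7]),
    }


def parse_freshclam_log(text):
    """Map database name -> version from freshclam's 'up to date' / 'updated' lines."""
    return {m.group("db"): int(m.group("ver")) for m in LOG_RE.finditer(text)}


def check(record, local, state, now):
    """Return a list of findings; an empty list means nothing to alert on.

    record: parsed TXT record; local: versions from the freshclam log;
    state: {"daily": version, "since": epoch} remembered from the previous
    run, or None on the first run; now: current epoch time.
    """
    findings = []
    age = now - record["record_time"]
    if age > MAX_RECORD_AGE:
        findings.append("TXT record is %.1f h old" % (age / 3600.0))
    for db in DATABASES:
        if db not in local:
            findings.append("%s: no local version in freshclam log" % db)
        elif local[db] < record[db]:
            findings.append("%s: local %d behind DNS %d" % (db, local[db], record[db]))
        elif local[db] > record[db]:
            findings.append("%s: local %d newer than DNS %d (stale TXT record?)"
                            % (db, local[db], record[db]))
    # A freshly republished record can still advertise an old daily (the case
    # in the thread), so also watch how long the advertised daily has stood still.
    if state and state["daily"] == record["daily"]:
        same = now - state["since"]
        if same > MAX_SAME_DAILY:
            findings.append("daily still %d after %.1f h" % (record["daily"], same / 3600.0))
    return findings


def next_state(record, state, now):
    """State to persist for the next run: when the advertised daily last changed."""
    if state and state["daily"] == record["daily"]:
        return state
    return {"daily": record["daily"], "since": now}


if __name__ == "__main__":
    rec = parse_txt_record(SAMPLE_TXT)
    loc = parse_freshclam_log(SAMPLE_LOG)
    # Constructed previous observation: daily 23389 first seen 30 h earlier.
    prev = {"daily": 23389, "since": rec["record_time"] - 30 * 3600}
    print("record published:", time.strftime("%Y-%m-%d %H:%M:%S UTC",
                                             time.gmtime(rec["record_time"])))
    for line in check(rec, loc, prev, now=rec["record_time"]) or ["OK: DNS and local agree"]:
        print(line)
```

Run as a cron job, persist the dict from next_state() between runs, and page on any non-empty result from check().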

 



Re: [clamav-users] ScanOnAcess

2017-05-16 Thread Roelof Wobben
Hello Remi,


I use a CentOS 7 server and a Fedora 25 client,

and I checked both; both support FANOTIFY.


Roelof


From: clamav-users on behalf of Remi Bruggeman

Sent: Tuesday 16 May 2017 08:53
To: ClamAV users ML
Subject: Re: [clamav-users] ScanOnAcess

Roelof,

Which OS are you running? Does the kernel support FANOTIFY?


Best regards,

Remi Bruggeman

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Roelof Wobben
Sent: Tuesday, May 16, 2017 10:23 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] ScanOnAcess


Re: [clamav-users] ScanOnAcess

2017-05-16 Thread Remi Bruggeman
Roelof,

Which OS are you running? Does the kernel support FANOTIFY?


Best regards,

Remi Bruggeman

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Roelof Wobben
Sent: Tuesday, May 16, 2017 10:23 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] ScanOnAcess


[clamav-users] ScanOnAcess

2017-05-16 Thread Roelof Wobben
Hello,


I have this clamav.conf:


##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##


# Comment or remove the line below.
# Example

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav

# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/freshclam.log

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 2M

# Log time with each message.
# Default: no
LogTime yes

# Enable verbose logging.
# Default: no
LogVerbose yes

# Use system logger (can work together with UpdateLogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
LogFacility LOG_MAIL

# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
LogRotate yes

# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamupdate

# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
# DNSDatabaseInfo current.cvd.clamav.net

# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# You can use db.XY.ipv6.clamav.net for IPv6 connections.
# DatabaseMirror current.cvd.clamav.net

# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net

# How many attempts to make before giving up.
# Default: 3 (per mirror)
MaxAttempts 5

# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
ScriptedUpdates yes

# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no

# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb

# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com

# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24

# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString

# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd

# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf

# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command

# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command

# Run command when freshclam reports outdated version.
# In the 

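Since the subject is ScanOnAccess but the file quoted is freshclam.conf, here is an added example (not code from the post or from the ClamAV project) that parses ClamAV's conf format and cross-checks freshclam.conf against clamd.conf: it verifies the DatabaseDirectory match that the file's own comment insists on, catches an uncommented "Example" line, and reports on-access directives placed in freshclam.conf, where they are not valid. The freshclam.conf sample is an excerpt of the file quoted above; the clamd.conf sample is constructed.

```python
"""Parse clamd.conf/freshclam.conf-style files and cross-check them.

Added example for the thread above; it is not code from the post or from the
ClamAV project. The freshclam.conf sample is an excerpt of the file quoted in
the post; the clamd.conf sample is constructed for the example.
"""

# Excerpt of the freshclam.conf quoted above (comments shortened).
SAMPLE_FRESHCLAM_CONF = """\
# Comment or remove the line below.
# Example
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
DatabaseOwner clamupdate
# DatabaseMirror current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 5
ScriptedUpdates yes
#PrivateMirror mirror1.mynetwork.com
"""

# Constructed minimal clamd.conf; on-access scanning is configured here, not in freshclam.conf.
SAMPLE_CLAMD_CONF = """\
LocalSocket /var/run/clamav/clamd.socket
DatabaseDirectory /var/lib/clamav
ScanOnAccess yes
OnAccessIncludePath /home
"""

# clamd.conf directives that control on-access scanning.
ON_ACCESS_DIRECTIVES = ("ScanOnAccess", "OnAccessIncludePath", "OnAccessMountPath")


def parse_clamav_conf(text):
    """Return {directive: [values...]}. Blank lines and lines starting with '#' are
    skipped; a directive given several times (e.g. DatabaseMirror) keeps every value
    in order. The value is everything after the first run of whitespace."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0], []).append(value)
    return conf


def cross_check(freshclam_text, clamd_text):
    """Return a list of findings (strings); empty when the two files are consistent."""
    fc = parse_clamav_conf(freshclam_text)
    cd = parse_clamav_conf(clamd_text)
    findings = []
    # The daemons refuse a file whose 'Example' line is still active.
    for name, conf in (("freshclam.conf", fc), ("clamd.conf", cd)):
        if "Example" in conf:
            findings.append("%s: the 'Example' line is still active; comment or remove it" % name)
    # freshclam.conf's own comment: DatabaseDirectory must match clamd.conf's directive.
    fdir = fc.get("DatabaseDirectory", [None])[-1]
    cdir = cd.get("DatabaseDirectory", [None])[-1]
    if fdir != cdir:
        findings.append("DatabaseDirectory differs: freshclam.conf=%s clamd.conf=%s" % (fdir, cdir))
    # On-access scanning is a clamd feature; these directives do not belong in freshclam.conf.
    for d in ON_ACCESS_DIRECTIVES:
        if d in fc:
            findings.append("freshclam.conf: %s is a clamd.conf directive" % d)
    if "ScanOnAccess" not in cd:
        findings.append("clamd.conf: ScanOnAccess not set; on-access scanning is off")
    return findings


if __name__ == "__main__":
    for finding in cross_check(SAMPLE_FRESHCLAM_CONF, SAMPLE_CLAMD_CONF) or ["no findings"]:
        print(finding)
```

Point cross_check() at the real files (read them as text) to run the same checks on a host; the parser deliberately keeps every value of a repeated directive, so mirror and PrivateMirror fallback lists survive intact.
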
Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-16 Thread Reindl Harald



On 15.05.2017 at 23:53, Kishore Pawar wrote:

Yes, I see the clamd process. I tried to kill and restart it many times,
but when I run 'clamd status' I get the same error about the socket
file. Earlier, when I was running the older version, I used to see the
complete details about the clamd status, including the version number I was
running and the latest status of that clamd. Now I just get the error,
and I am not sure if it is giving me the right output.


And did you verify that after the kill the process is really gone?

Maybe it needs a "kill -s SIGKILL" instead of a SIGTERM for whatever reason,
but that's all hard to say since you don't provide much information
without being explicitly asked.

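A pre-start check for the situation in this thread, added here as an example (not code from the post or from the ClamAV project): it tells a stale clamd.socket left behind by a killed process apart from one that a live process still answers on, and reports the owner and mode that the thread compares. The socket path is the one quoted in the thread; the sockets created in demo() are constructed for the example.

```python
"""Classify clamd's local socket before (re)starting the daemon.

Added example for the thread above; it is not code from the post or from the
ClamAV project. CLAMD_SOCKET is the path quoted in the thread; the temporary
sockets built in demo() are constructed for the example.
"""
import errno
import os
import socket
import stat
import tempfile

CLAMD_SOCKET = "/var/run/clamav/clamd.socket"


def classify_unix_socket(path):
    """Return 'absent', 'not-a-socket', 'listening' (a live process accepts
    connections), 'stale' (file left behind, nobody listening) or 'unknown'."""
    if not os.path.lexists(path):
        return "absent"
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        return "not-a-socket"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(2.0)
    try:
        s.connect(path)  # succeeds only if some process is listening on the file
        return "listening"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "stale"  # the file exists but no listener is behind it
        if e.errno in (errno.EACCES, errno.EPERM):
            return "unknown"  # cannot connect as this user; re-run as root
        raise
    finally:
        s.close()


def describe(path):
    """State plus owner and mode, the details compared in the thread."""
    info = {"path": path, "state": classify_unix_socket(path)}
    if info["state"] != "absent":
        st = os.stat(path)
        info.update(mode=stat.filemode(st.st_mode), uid=st.st_uid, gid=st.st_gid)
    return info


ADVICE = {
    "absent": "no socket file; start clamd",
    "stale": "socket file without a listener; remove it, then start clamd",
    "listening": "a live process answers on the socket; do not delete it, identify "
                 "the owner first (e.g. lsof, as in the thread) before restarting",
    "not-a-socket": "path exists but is not a socket; investigate before using it",
    "unknown": "could not connect (permission denied); re-run the check as root",
}


def advise(path):
    """Return (state, what to do) for the given socket path."""
    state = classify_unix_socket(path)
    return state, ADVICE[state]


def demo():
    """Constructed scenario: a live listener, a leftover file, and a missing path."""
    tmp = tempfile.mkdtemp()
    live, stale, missing = (os.path.join(tmp, n) for n in ("live.sock", "stale.sock", "none.sock"))
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(live)
    srv.listen(1)
    gone = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    gone.bind(stale)
    gone.listen(1)
    gone.close()  # closing does not unlink the file: this is how stale sockets arise
    try:
        return {n: classify_unix_socket(p) for n, p in
                (("live", live), ("stale", stale), ("missing", missing))}
    finally:
        srv.close()
        for p in (live, stale):
            os.unlink(p)
        os.rmdir(tmp)


if __name__ == "__main__":
    print(describe(CLAMD_SOCKET))
    print(demo())
```

Run describe(CLAMD_SOCKET) before restarting the daemon: "stale" means the killed clamd is really gone and only its file remains, while "listening" means something still holds the socket and the "in use by another process" error is accurate.
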