Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Al Varnell
On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote:
> On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote:
>> 
>> The file is an image. Open the image up and then scan. Does clamscan
>> open images itself and then perform a scan?
> 
> YES! It scans *inside* ZIP, TAR, RAR etc.

But does etc. include .iso's? There are many encoding formats that clamav is 
unable to scan inside of, including some oddball .zips I've run across. 
Although .dmg image scanning was added a few years back, I've experienced mixed 
results with detections unless the image is first mounted.

It's also possible that .iso's are included in the list of files to skip. Have 
you looked into that?

Sorry, I don't have time at the moment to check into this for you. Perhaps 
later.

-Al-
-- 
Al Varnell
Mountain View, CA

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Paul Kosinski
Thanks, but it doesn't help (still scans 0 data bytes).


On Wed, 13 Sep 2017 10:33:35 -0400
Steven Morgan wrote:

> Paul,
> 
> in addition to max-filesize, try max-scansize.
> 
> Steve



Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Paul Kosinski
On Tue, 12 Sep 2017 21:49:17 -0800
kristen R wrote:
> 
> The file is an image. Open the image up and then scan. Does clamscan
> open images itself and then perform a scan?
> 
> 


YES! It scans *inside* ZIP, TAR, RAR etc.

(Maybe these have a 4 GB limit too?)

If ClamAV can't handle files bigger than 4 GB, then it isn't very
suitable for modern computing. Most computers sold today support 64-bit
addressing. Windows 7, 8 and 10 can be either 32 or 64 bit, as can Mac
OSX. And of course Linux started supporting files over 4 GB many years
ago -- even before it supported 64-bit memory addressing.

Finally, DVDs have held more than 4 GB almost forever, Blu-Ray is lots
bigger, and individual digital video files can easily exceed 4 GB
(especially HD or UHD source files, which have little or no compression).

P.S. The usual way to "open" an ISO is to "mount" it. This operation is
usually performed at a high privilege level (e.g. root) which means
that if a malicious ISO were able to exploit a vulnerability in the
code which decodes the ISO metadata/headers (buffer overflow comes to
mind) it could cause major system damage.


Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

2017-09-13 Thread Alain Zidouemba
BC.Win.Exploit.CVE_2017_11244-6335828-0 has been dropped and will be
modified to avoid the FPs you've reported.

Thanks,

- Alain

On Wed, Sep 13, 2017 at 1:13 PM, Kees Theunissen 
wrote:

> On Wed, 13 Sep 2017, Kees Theunissen wrote:
>
> >On Wed, 13 Sep 2017, lukn wrote:
> >
> >>Hello List
> >>
> >>Same here, I do see FPs with
> >>BC.Win.Exploit.CVE_2017_11244-6335828-0
> >>hitting legitimate corporate files (so no submission possible from me
> >>either).
> >
> >We saw BC.Win.Exploit.CVE_2017_11244-6335828-0 hitting a *.docx
> >attachment in an outbound e-mail from one of our users.
> >That was probably an FP too.
> >I didn't see the attachment myself so I'm not sure that it was
> >an FP. I asked the user if the file was confidential and if I could
> >get a copy of the file for inspection and submission of an FP report.
> >He hasn't answered yet.
>
> Update: he answered while I wrote the above message.
> Unfortunately the file is a confidential research proposal so
> I can't include it in a FP-report.
>
>
> Regards,
>
> Kees Theunissen.
>
> --
> Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
> Dutch Institute For Fundamental Energy Research (DIFFER)
> e-mail address:   c.j.theunis...@differ.nl
> postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
> visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
>


Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

2017-09-13 Thread Kees Theunissen
On Wed, 13 Sep 2017, Kees Theunissen wrote:

>On Wed, 13 Sep 2017, lukn wrote:
>
>>Hello List
>>
>>Same here, I do see FPs with
>>BC.Win.Exploit.CVE_2017_11244-6335828-0
>>hitting legitimate corporate files (so no submission possible from me
>>either).
>
>We saw BC.Win.Exploit.CVE_2017_11244-6335828-0 hitting a *.docx
>attachment in an outbound e-mail from one of our users.
>That was probably an FP too.
>I didn't see the attachment myself so I'm not sure that it was
>an FP. I asked the user if the file was confidential and if I could
>get a copy of the file for inspection and submission of an FP report.
>He hasn't answered yet.

Update: he answered while I wrote the above message.
Unfortunately the file is a confidential research proposal so
I can't include it in a FP-report.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands



Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Steven Morgan
OK, open a ticket and we can look at it.

On Wed, Sep 13, 2017 at 12:57 PM, Gandalf Corvotempesta <
gandalf.corvotempe...@gmail.com> wrote:

> OK, but why is clam treating an encrypted PDF as an encrypted archive?
> I've set ArchiveBlockEncrypted to yes, but, as written in the setting
> name, I would like to block encrypted *archives*.
> A PDF is not an archive, thus it should not be blocked.
>
> I think this is a bug.
>
> 2017-09-13 16:09 GMT+02:00 Reindl Harald :
> >
> >
> > On 13.09.2017 at 15:57, Gandalf Corvotempesta wrote:
> >>
> >> So, the only way to block encrypted ZIP is also to block any encrypted
> or
> >> password protected PDF?
> >
> >
> > with one clamd instance yes
> >
> > on a smart setup you run two instances and one is just used for scoring in
> > spamassassin (or in my case i edited the sa-clamav plugin to support
> > multiple instances instead of the ugly hardcoding) - both are scoring high and
> > at the end the second clamd is also wired with the milter and rejects
> > unconditionally while the PDF stuff combined with a well maintained bayes has
> > no problems distinguishing between junk and ham
> >
> >
> >> On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:
> >>
> >>>
> >>>
> >>> On 13.09.2017 at 15:45, Gandalf Corvotempesta wrote:
> >>>
>  Hi to all
>  I would like to block any encrypted/password protected ZIP/RAR,
>  and so on but *NOT* blocking any encrypted PDF.
>  Currently, ClamAV is blocking any encrypted PDF with
>  Heuristics.Encrypted.PDF
> 
>  How can I only block real archives and not PDFs (which are not archives)?
> 
> >>>
> >>> short answer: you can't and you can stop seeking around - and yes that's
> >>> terrible as most of the Heuristics options which are throwing the child
> >>> out with the bath
> >
> >


Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Gandalf Corvotempesta
OK, but why is clam treating an encrypted PDF as an encrypted archive?
I've set ArchiveBlockEncrypted to yes, but, as written in the setting
name, I would like to block encrypted *archives*.
A PDF is not an archive, thus it should not be blocked.

I think this is a bug.

2017-09-13 16:09 GMT+02:00 Reindl Harald :
>
>
> On 13.09.2017 at 15:57, Gandalf Corvotempesta wrote:
>>
>> So, the only way to block encrypted ZIP is also to block any encrypted or
>> password protected PDF?
>
>
> with one clamd instance yes
>
> on a smart setup you run two instances and one is just used for scoring in
> spamassassin (or in my case i edited the sa-clamav plugin to support
> multiple instances instead of the ugly hardcoding) - both are scoring high and
> at the end the second clamd is also wired with the milter and rejects
> unconditionally while the PDF stuff combined with a well maintained bayes has
> no problems distinguishing between junk and ham
>
>
>> On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:
>>
>>>
>>>
>>> On 13.09.2017 at 15:45, Gandalf Corvotempesta wrote:
>>>
 Hi to all
 I would like to block any encrypted/password protected ZIP/RAR,
 and so on but *NOT* blocking any encrypted PDF.
 Currently, ClamAV is blocking any encrypted PDF with
 Heuristics.Encrypted.PDF

 How can I only block real archives and not PDFs (which are not archives)?

>>>
>>> short answer: you can't and you can stop seeking around - and yes that's
>>> terrible as most of the Heuristics options which are throwing the child
>>> out with the bath
>
>


Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

2017-09-13 Thread Kees Theunissen
On Wed, 13 Sep 2017, lukn wrote:

>Hello List
>
>Same here, I do see FPs with
>BC.Win.Exploit.CVE_2017_11244-6335828-0
>hitting legitimate corporate files (so no submission possible from me
>either).

We saw BC.Win.Exploit.CVE_2017_11244-6335828-0 hitting a *.docx
attachment in an outbound e-mail from one of our users.
That was probably an FP too.
I didn't see the attachment myself so I'm not sure that it was
an FP. I asked the user if the file was confidential and if I could
get a copy of the file for inspection and submission of an FP report.
He hasn't answered yet.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands



Re: [clamav-users] Mirror issues and what we are doing to fix it

2017-09-13 Thread lukn
Hello List and Joel

I still see freshclam failures for mirror 193.230.240.8

WARNING: getfile: daily-23823.cdiff not found on database.clamav.net
(IP: 193.230.240.8)
WARNING: getpatch: Can't download daily-23823.cdiff from database.clamav.net


freshclam --list-mirrors
[..]
Mirror #2
IP: 193.230.240.8
Successes: 0
Failures: 31
Last access: Wed Sep 13 15:15:03 2017
Ignore: Yes


Apologies, I don't have full freshclam debug output available.


On 28.08.2017 15:33, Joel Esler (jesler) wrote:
> ClamAV Community —
> 
> For too long we’ve had a problem with mirrors and downloads.  There are a 
> bunch of really good excuses for this internally, but I can comfortably say 
> that we are beyond the problems we had in the past, and now it’s time for us 
> to go fix it.
> 
> As of Friday, I assumed control (From a Project Owner point of view, I don’t 
> directly control the mirrors), over the ClamAV Mirror infrastructure and am 
> taking steps to clean this up.
> 
> (Internally we break ClamAV down into a bunch of pieces, a little “inside 
> baseball” for you, but we have the development team, the mirror project, the 
> signature interface (where all signatures are written, tested, and 
> published), the malware team.  All of these responsibilities are spread 
> amongst several groups within Talos (who 
> owns ClamAV inside of Cisco, amongst many other things).)
> 
> I have called a meeting with our ClamAV team, both from my team (the Open 
> Source Team), the mirror team (operations), and the PM for Development on 
> Thursday.  My plan is to outline an immediate “fix” trajectory.   What is 
> working, what isn’t working, immediate fixes, and finally suggestions for 
> moving forward.
> 
> Please continue to bear with us a little while longer.  They always say 
> things get worse before they get better.  Right now, hopefully, we are at the 
> “worst” stage.
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 
> 
> 
> 
> 
> 

Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

2017-09-13 Thread lukn
Hello List

Same here, I do see FPs with
BC.Win.Exploit.CVE_2017_11244-6335828-0
hitting legitimate corporate files (so no submission possible from me
either).

md5sum of the affected file is
bf20323e1cea2c2c3fc26d09956dd906
(don't know if this is helpful without the actual file...)


On 13.09.2017 16:27, Leonardo Rodrigues wrote:
> 
> I'm also getting some Excel files flagged by the same signature,
> Excel files that are supposed to be clean according to other commercial antiviruses
> 
> two files from my amavis quarantine folder scanned with current
> signatures:
> 
> [root@correio shm]# clamdscan -v virus-2017*
> /dev/shm/virus-20170912T100210-14568-04-oYAqsgllorwh:
> BC.Win.Exploit.CVE_2017_11244-6335828-0 FOUND
> /dev/shm/virus-20170913T105721-11777-15-NJFMBYpgy4B5:
> BC.Win.Exploit.CVE_2017_11244-6335828-0 FOUND
> 
> signatures I'm running
> 
> [root@correio shm]# freshclam
> ClamAV update process started at Wed Sep 13 11:27:06 2017
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60,
> builder: sigmgr)
> daily.cvd is up to date (version: 23823, sigs: 1742928, f-level: 63,
> builder: neo)
> bytecode.cld is up to date (version: 311, sigs: 74, f-level: 63,
> builder: neo)
> 
> 
> unfortunately these are corporate files and I cannot submit them for
> analysis :(
> 
> 
> On 11/09/17 16:06, Judd Grayzel wrote:
>> My Synology Diskstation running the Anti-Virus Essentials (ClamAV
>> based engine) quarantined almost 1000 files for the CVE-2017-11241
>> vulnerability. This CVE references a problem with Adobe Acrobat, but
>> the files that are being quarantined are Microsoft Excel files.
>> Do these files really have a virus of some sort, or is this a
>> false positive situation?
> 


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Steven Morgan
Paul,

in addition to max-filesize, try max-scansize.

Steve

On Tue, Sep 12, 2017 at 11:50 PM, Paul Kosinski 
wrote:

> Clamscan read the entire ISO, but didn't scan any of it!
> I thought 21st century software was finally in the 64-bit era.
>
> ---
>
> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>
> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> WARNING: Numerical value for option max-filesize too high, resetting to 4G
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6303545
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: .99 MB (ratio 0.00:1)
> Time: 10.255 sec (0 m 10 s)
http://www.clamav.net/contact.html#ml
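The size-limit problem from this thread, worked through as an added shell example (not code from the thread or from the ClamAV project): it parses a clamscan SCAN SUMMARY to catch the "OK but 0 bytes scanned" case, checks the file against the 4G ceiling that the warning on the page reports, and only then falls back to the mount-then-scan approach Al mentions. The "Data read" figure in the sample and the mountpoint path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project. Assumes clamscan
# 0.99.x, whose per-file ceiling is 4G ("resetting to 4G" warning on the page),
# and the "Data scanned:" / "Data read:" lines of its SCAN SUMMARY.

ENGINE_MAX_BYTES=4294967296   # 4 GiB: the value clamscan 0.99 clamps max-filesize to

# Constructed sample: the summary shape from the thread; the "Data read"
# figure is made up because the archived copy lost the original value.
ISO_SUMMARY='--- SCAN SUMMARY ---
Known viruses: 6303545
Engine version: 0.99.2
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 4445.00 MB (ratio 0.00:1)
Time: 10.255 sec (0 m 10 s)'

# Constructed sample of a file the engine really looked inside.
OK_SUMMARY='--- SCAN SUMMARY ---
Scanned files: 1
Infected files: 0
Data scanned: 12.50 MB
Data read: 4.10 MB (ratio 3.05:1)'

# scan_status SUMMARY -> prints "scanned", "not-scanned" or "empty".
# "OK" with zero bytes scanned is the silent failure in the thread: the file
# was read, but a size limit stopped the engine from inspecting it.
scan_status() {
    printf '%s\n' "$1" | awk '
        /^Data scanned:/ { scanned = $3 + 0 }
        /^Data read:/    { read_mb = $3 + 0 }
        END {
            if (scanned > 0)      print "scanned"
            else if (read_mb > 0) print "not-scanned"
            else                  print "empty"
        }'
}

# exceeds_engine_limit BYTES -> exit 0 when no max-filesize setting can
# make clamscan 0.99 scan the whole file.
exceeds_engine_limit() {
    [ "$1" -gt "$ENGINE_MAX_BYTES" ]
}

# scan_iso PATH [MOUNTPOINT]: raise both limits (Steve's hint), then judge the
# summary instead of trusting "OK". Needs a real clamscan; not run by the test.
scan_iso() {
    iso=$1; mnt=${2:-/mnt/iso-scan}          # mountpoint is an assumption
    size=$(wc -c < "$iso")
    if exceeds_engine_limit "$size"; then
        echo "$iso: $size bytes is over the 4G ceiling; scanning mounted contents" >&2
        # Read-only loop mount with nodev/nosuid/noexec keeps the privileged
        # step as narrow as possible; the files inside are then scanned one by one.
        mount -o loop,ro,nodev,nosuid,noexec "$iso" "$mnt" || return 2
        clamscan -r --max-filesize=4000M --max-scansize=4000M "$mnt"; rc=$?
        umount "$mnt"
        return $rc
    fi
    out=$(clamscan --max-filesize=4000M --max-scansize=4000M "$iso"); rc=$?
    printf '%s\n' "$out"
    case $(scan_status "$out") in
        scanned)     return $rc ;;
        not-scanned) echo "$iso: read but 0 bytes scanned; raise limits or mount it" >&2; return 3 ;;
        *)           echo "$iso: nothing was read" >&2; return 4 ;;
    esac
}
```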


Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Steven Morgan
Please open a ticket for this at bugzilla.clamav.net.

Steve

On Wed, Sep 13, 2017 at 10:09 AM, Reindl Harald 
wrote:

>
>
> On 13.09.2017 at 15:57, Gandalf Corvotempesta wrote:
>
>> So, the only way to block encrypted ZIP is also to block any encrypted or
>> password protected PDF?
>>
>
> with one clamd instance yes
>
> on a smart setup you run two instances and one is just used for scoring in
> spamassassin (or in my case i edited the sa-clamav plugin to support
> multiple instances instead of the ugly hardcoding) - both are scoring high and
> at the end the second clamd is also wired with the milter and rejects
> unconditionally while the PDF stuff combined with a well maintained bayes
> has no problems distinguishing between junk and ham
>
>
> On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:
>>
>>
>>>
>>> On 13.09.2017 at 15:45, Gandalf Corvotempesta wrote:
>>>
>>> Hi to all
 I would like to block any encrypted/password protected ZIP/RAR,
 and so on but *NOT* blocking any encrypted PDF.
 Currently, ClamAV is blocking any encrypted PDF with
 Heuristics.Encrypted.PDF

 How can I only block real archives and not PDFs (which are not archives)?


>>> short answer: you can't and you can stop seeking around - and yes that's
>>> terrible as most of the Heuristics options which are throwing the child
>>> out with the bath
>>>
>>


Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

2017-09-13 Thread Leonardo Rodrigues


    I'm also getting some Excel files flagged by the same signature, 
Excel files that are supposed to be clean according to other commercial antiviruses


    two files from my amavis quarantine folder scanned with current 
signatures:


[root@correio shm]# clamdscan -v virus-2017*
/dev/shm/virus-20170912T100210-14568-04-oYAqsgllorwh: 
BC.Win.Exploit.CVE_2017_11244-6335828-0 FOUND
/dev/shm/virus-20170913T105721-11777-15-NJFMBYpgy4B5: 
BC.Win.Exploit.CVE_2017_11244-6335828-0 FOUND


    signatures I'm running

[root@correio shm]# freshclam
ClamAV update process started at Wed Sep 13 11:27:06 2017
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, 
builder: sigmgr)
daily.cvd is up to date (version: 23823, sigs: 1742928, f-level: 63, 
builder: neo)
bytecode.cld is up to date (version: 311, sigs: 74, f-level: 63, 
builder: neo)



    unfortunately these are corporate files and I cannot submit them for 
analysis :(



On 11/09/17 16:06, Judd Grayzel wrote:

My Synology Diskstation running the Anti-Virus Essentials (ClamAV based engine) 
quarantined almost 1000 files for the CVE-2017-11241 vulnerability. This CVE 
references a problem with Adobe Acrobat, but the files that are being 
quarantined are Microsoft Excel files.
Do these files really have a virus of some sort, or is this a false positive 
situation?


--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email
gertru...@solutti.com.br
My SPAMTRAP, do not email it




Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Reindl Harald



On 13.09.2017 at 15:57, Gandalf Corvotempesta wrote:

So, the only way to block encrypted ZIP is also to block any encrypted or
password protected PDF?


with one clamd instance yes

on a smart setup you run two instances and one is just used for scoring 
in spamassassin (or in my case i edited the sa-clamav plugin to support 
multiple instances instead of the ugly hardcoding) - both are scoring high 
and at the end the second clamd is also wired with the milter and rejects 
unconditionally while the PDF stuff combined with a well maintained bayes 
has no problems distinguishing between junk and ham



On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:




On 13.09.2017 at 15:45, Gandalf Corvotempesta wrote:


Hi to all
I would like to block any encrypted/password protected ZIP/RAR, 
and so on but *NOT* blocking any encrypted PDF.
Currently, ClamAV is blocking any encrypted PDF with
Heuristics.Encrypted.PDF

How can I only block real archives and not PDFs (which are not archives)?



short answer: you can't and you can stop seeking around - and yes that's
terrible as most of the Heuristics options which are throwing the child out
with the bath




Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Gandalf Corvotempesta
So, the only way to block encrypted ZIP is also to block any encrypted or
password protected PDF?

On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:

>
>
> On 13.09.2017 at 15:45, Gandalf Corvotempesta wrote:
>
>> Hi to all
>> I would like to block any encrypted/password protected ZIP/RAR, 
>> and so on but *NOT* blocking any encrypted PDF.
>> Currently, ClamAV is blocking any encrypted PDF with
>> Heuristics.Encrypted.PDF
>>
>> How can I only block real archives and not PDFs (which are not archives)?
>>
>
> short answer: you can't and you can stop seeking around - and yes that's
> terrible as most of the Heuristics options which are throwing the child out
> with the bath


Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Reindl Harald



On 13.09.2017 at 15:45, Gandalf Corvotempesta wrote:

Hi to all
I would like to block any encrypted/password protected ZIP/RAR, 
and so on but *NOT* blocking any encrypted PDF.
Currently, ClamAV is blocking any encrypted PDF with Heuristics.Encrypted.PDF

How can I only block real archives and not PDFs (which are not archives)?


short answer: you can't and you can stop seeking around - and yes that's 
terrible as most of the Heuristics options which are throwing the child 
out with the bath



[clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Gandalf Corvotempesta
Hi to all
I would like to block any encrypted/password protected ZIP/RAR, 
and so on but *NOT* blocking any encrypted PDF.
Currently, ClamAV is blocking any encrypted PDF with Heuristics.Encrypted.PDF

How can I only block real archives and not PDFs (which are not archives)?


Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

2017-09-13 Thread Joel Esler (jesler)
This was taken care of already.  Thanks!


--
Joel Esler | Talos: Manager | jes...@cisco.com


On Sep 12, 2017, at 3:36 PM, Judd Grayzel <judd_gray...@yahoo.com> wrote:

The MD5 of the false positive file that I submitted to the website (MD5 hash of 
file Standard Job1.xlsx):
eb 28 c5 01 b2 14 91 5a 70 31 59 92 56 9e f6 10

From: Joel Esler (jesler) <jes...@cisco.com>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Sent: Tuesday, September 12, 2017 5:55 AM
Subject: Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

Depends on your operating system, but googling “how do I find the md5 of a 
file” for your OS should turn up plenty of results.

--
Joel Esler | Talos: Manager | jes...@cisco.com


On Sep 11, 2017, at 5:42 PM, Judd Grayzel <judd_gray...@yahoo.com> wrote:

Where do I get the MD5 for the file?

Sent from my iPhone

On Sep 11, 2017, at 1:42 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:

You'll want to submit some false positives to us via the website, then follow up here 
with the md5s of the files you submit, and the malware team can take a look.

--
Joel Esler | Talos: Manager | jes...@cisco.com


On Sep 11, 2017, at 3:06 PM, Judd Grayzel <judd_gray...@yahoo.com> wrote:

My Synology Diskstation running the Anti-Virus Essentials (ClamAV based engine) 
quarantined almost 1000 files for the CVE-2017-11241 vulnerability. This CVE 
references a problem with Adobe Acrobat, but the files that are being 
quarantined are Microsoft Excel files.
Do these files really have a virus of some sort, or is this a false positive 
situation?