Re: [clamav-users] CVE-2017-11241 - Synology DiskStation AV Essentials

2017-09-14 Thread Al Varnell
Haven't seen any notification that it's been dropped yet.

-Al-

On Wed, Sep 13, 2017 at 11:52 AM, Alain Zidouemba wrote:
> BC.Win.Exploit.CVE_2017_11244-6335828-0 has been dropped and will be
> modified to avoid the FPs you've reported.
> 
> Thanks,
> 
> - Alain
> 
> On Wed, Sep 13, 2017 at 1:13 PM, Kees Theunissen wrote:
> 
>> On Wed, 13 Sep 2017, Kees Theunissen wrote:
>> 
>>> On Wed, 13 Sep 2017, lukn wrote:
>>> 
>>>> Hello List
>>>> 
>>>> Same here, I do see FPs with
>>>> BC.Win.Exploit.CVE_2017_11244-6335828-0
>>>> hitting legitimate corporate files (so no submission possible from me
>>>> either).
>>> 
>>> We saw BC.Win.Exploit.CVE_2017_11244-6335828-0 hitting a *.docx
>>> attachment in an outbound e-mail from one of our users.
>>> That was probably a FP too.
>>> I didn't see the attachment myself so I'm not sure that it was
>>> a FP. I asked the user if the file was confidential and if I could
>>> get a copy of the file for inspection and submission of a FP-report.
>>> He didn't answer yet.
>> 
>> Update: he answered while I wrote the above message.
>> Unfortunately the file is a confidential research proposal so
>> I can't include it in a FP-report.
>> 
>> 
>> Regards,
>> 
>> Kees Theunissen.
>> 
>> --
>> Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
>> Dutch Institute For Fundamental Energy Research (DIFFER)
>> e-mail address:   c.j.theunis...@differ.nl 
>> postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
>> visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
>> 
>> ___
>> clamav-users mailing list
>> clamav-users@lists.clamav.net 
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> 
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
>> 

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Al Varnell
I realize this is only peripherally related to the OP's issue, but I believe 
it's similar enough to bring it back to the list again.

I mentioned earlier that I ran tests on a .dmg (back in March 2015) by first 
creating my own .dmg with an eicar test file on-board. But that was made with 
engine 98.6 when the dmg capability was first added.

I just repeated that test using engine 99.2 running clamscan --debug on the 
file and it still does not detect any infection nor did it identify the file as 
a DMG:

> LibClamAV debug:* SubmoduleDMG:   On
> ...
> LibClamAV debug: Recognized binary data
> ...
> /Volumes/Macintosh HD/Users/***/Documents/EicarTest.dmg: OK
> --- SCAN SUMMARY ---
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 15.24 MB
> Data read: 7.55 MB (ratio 2.02:1)
> Time: 13.971 sec (0 m 13 s)

After mounting the image and scanning that:

> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: cache_check: 44d88612fea8a8f36de82e1278abb02f is negative
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: Eicar-Test-Signature found
> LibClamAV debug: FP SIGNATURE: 
> 44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
> LibClamAV debug: cli_magic_scandesc: returning 1  at line 2685
> /Volumes/Disk Image/eicar.com: Eicar-Test-Signature FOUND
> --- SCAN SUMMARY ---
> Known viruses: 7343153
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 10.979 sec (0 m 10 s)

I plan on doing additional tests against at least one other .dmg that I know 
contains malware when I have more time.

-Al-

On Thu, Sep 14, 2017 at 11:45 AM, Paul Kosinski wrote:
> I tried the --debug option and it produced a lot of output (which I can
> provide if it would help). It *did* say the following, however:
> 
>  LibClamAV debug: Module ARCHIVE: On
>  LibClamAV debug:* SubmoduleRAR:  On
>  LibClamAV debug:* SubmoduleZIP:  On
>  LibClamAV debug:* Submodule   GZIP:  On
>  ...
>  LibClamAV debug:* Submodule   7zip:  On
>  LibClamAV debug:* SubmoduleISO9660:  On
>  LibClamAV debug:* SubmoduleDMG:  On
>  ...
> 
> so it apparently knows about ISOs.
> 
> It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the
> problem that DVD ISOs are "too big".
> 
> Paul Kosinski
> 
> 
> On Thu, 14 Sep 2017 12:51:38 -0400
> Steven Morgan wrote:
> 
>> ClamAV contains an iso9660 parser.
>> 
>> The clamscan --debug option may give a clue as to why it is not being
>> scanned.
>> 
>> Steven Morgan



Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
I was mistaken: it turns out that ClamAV 0.99.2 *will* scan CD-size ISO
files. I just had to set --max-filesize and --max-scansize big enough.

And with the -v and -a options added, it *did* indicate it was scanning
files within the ISO.

I haven't had a chance to try 0.99.3 yet.


On Thu, 14 Sep 2017 16:11:46 -0400
Mickey Sola wrote:

> I might be remembering wrong, but I believe there was work done to
> address Clam's large filesize handling issues in the year between
> 0.99.2 and 0.99.3.
> 
> Have you tested out the beta yet to see if your needs have been
> addressed?
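
Added example (not code from the thread or from the ClamAV project): a small Python helper that sizes --max-filesize and --max-scansize to the image being scanned, as Paul describes, and parses a clamscan SCAN SUMMARY to flag the "Data scanned: 0.00 MB" symptom on a large file, which in this thread meant the container was skipped by the limits rather than scanned. The default limits are assumed from the 0.99-era clamd.conf.sample, the sample summary is constructed in the format the thread quotes, and the function names are mine.

```python
"""Size clamscan's limits to the container being scanned and check the
SCAN SUMMARY for the 'scanned 0 bytes' symptom from the thread.
Added example; not code from the ClamAV project."""
import re

MB = 1024 * 1024
# Assumed defaults (from the 0.99-era clamd.conf.sample); check your build.
DEFAULT_MAX_FILESIZE = 25 * MB
DEFAULT_MAX_SCANSIZE = 100 * MB


def limits_for(size_bytes, headroom=1.25):
    """Return (max-filesize MB, max-scansize MB) big enough for one container
    of size_bytes. scansize gets headroom because clamscan counts the bytes of
    every extracted member, not only the outer file."""
    file_mb = -(-size_bytes // MB)            # ceiling division to whole MB
    scan_mb = int(file_mb * headroom) + 1
    return file_mb, scan_mb


def clamscan_argv(path, size_bytes, verbose=True, allmatch=True):
    """argv mirroring the options used in the thread: -v, -a and raised limits."""
    file_mb, scan_mb = limits_for(size_bytes)
    argv = ["clamscan",
            f"--max-filesize={file_mb}M",
            f"--max-scansize={scan_mb}M"]
    if verbose:
        argv.append("-v")
    if allmatch:
        argv.append("-a")
    argv.append(path)
    return argv


_SUMMARY_LINE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<val>.+)$", re.M)


def parse_summary(text):
    """Turn the lines after '--- SCAN SUMMARY ---' into a dict."""
    _, _, tail = text.partition("--- SCAN SUMMARY ---")
    return {m.group("key").strip(): m.group("val").strip()
            for m in _SUMMARY_LINE.finditer(tail)}


def limits_probably_too_low(summary, size_bytes):
    """True when a file larger than the default file-size limit produced
    'Data scanned: 0.00 MB': the container was skipped, not scanned."""
    m = re.match(r"([\d.]+)\s*MB", summary.get("Data scanned", ""))
    scanned_mb = float(m.group(1)) if m else 0.0
    return scanned_mb == 0.0 and size_bytes > DEFAULT_MAX_FILESIZE


# Constructed sample output, in the format the thread quotes.
SAMPLE_SUMMARY = """\
cd.iso: OK

--- SCAN SUMMARY ---
Known viruses: 7343153
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 700.00 MB (ratio 0.00:1)
Time: 12.345 sec (0 m 12 s)
"""

if __name__ == "__main__":
    size = 700 * MB                       # a CD-sized ISO
    print(" ".join(clamscan_argv("cd.iso", size)))
    summary = parse_summary(SAMPLE_SUMMARY)
    if limits_probably_too_low(summary, size):
        print("warning: no data scanned; raise --max-filesize/--max-scansize")
```

The same check applies to clamd, whose MaxFileSize and MaxScanSize directives in clamd.conf have the same defaults; a "Data scanned" of zero on a multi-hundred-megabyte image is the quickest hint that the limits, not the parser, are the problem.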



Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-14 Thread Steven Morgan
OK, thanks.

Steve

On Thu, Sep 14, 2017 at 5:40 AM, Gandalf Corvotempesta <
gandalf.corvotempe...@gmail.com> wrote:

> Opened https://bugzilla.clamav.net/show_bug.cgi?id=11911
>
> 2017-09-13 19:01 GMT+02:00 Steven Morgan:
> > OK, open a ticket and we can look at it.
> >
> > On Wed, Sep 13, 2017 at 12:57 PM, Gandalf Corvotempesta <
> > gandalf.corvotempe...@gmail.com> wrote:
> >
> >> OK, but why is clam treating an encrypted PDF as an encrypted archive?
> >> I've set ArchiveBlockEncrypted to yes, but, as written in the setting
> >> name, I would like to block encrypted *archives*.
> >> A PDF is not an archive, thus it should not be blocked.
> >>
> >> I think this is a bug.
> >>
>
>


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Mickey Sola
I might be remembering wrong, but I believe there was work done to address
Clam's large filesize handling issues in the year between 0.99.2 and 0.99.3.

Have you tested out the beta yet to see if your needs have been addressed?

On Thu, Sep 14, 2017 at 2:45 PM, Paul Kosinski wrote:

> To continue...
>
> Since this is the year 2017, and 64-bit computing has been around for
> years, I decided to see how a Windows AV package would handle my ISO
> which is "too big" for ClamAV.
>
> I copied it over to a 64-bit Win7 machine with lots of RAM (32 GB), and
> scanned it with Microsoft "Security Essentials". The result?
>
> 1. It didn't complain about the size of the file.
>
> 2. It scanned 11424 items *within* the ISO!
>
> I can understand (sort of) that ClamAV can't scan inside some archive
> formats. (But then why did --debug report that the ISO module was "on"?)
>
> But I can't understand why ClamAV can't handle files bigger than 4 GB.
> Especially now that 64-bit OSes are common, and 64-bit CPUs are totally
> mainstream.


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
To continue...

Since this is the year 2017, and 64-bit computing has been around for
years, I decided to see how a Windows AV package would handle my ISO
which is "too big" for ClamAV.

I copied it over to a 64-bit Win7 machine with lots of RAM (32 GB), and
scanned it with Microsoft "Security Essentials". The result?

1. It didn't complain about the size of the file.

2. It scanned 11424 items *within* the ISO!

I can understand (sort of) that ClamAV can't scan inside some archive
formats. (But then why did --debug report that the ISO module was "on"?)

But I can't understand why ClamAV can't handle files bigger than 4 GB.
Especially now that 64-bit OSes are common, and 64-bit CPUs are totally
mainstream.


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Paul Kosinski
I tried the --debug option and it produced a lot of output (which I can
provide if it would help). It *did* say the following, however:

  LibClamAV debug: Module ARCHIVE: On
  LibClamAV debug:* SubmoduleRAR:   On
  LibClamAV debug:* SubmoduleZIP:   On
  LibClamAV debug:* Submodule   GZIP:   On
  ...
  LibClamAV debug:* Submodule   7zip:   On
  LibClamAV debug:* SubmoduleISO9660:   On
  LibClamAV debug:* SubmoduleDMG:   On
  ...

so it apparently knows about ISOs.

It also scanned 0 data bytes in a CD-sized ISO, so it isn't just the
problem that DVD ISOs are "too big".

Paul Kosinski


On Thu, 14 Sep 2017 12:51:38 -0400
Steven Morgan wrote:

> ClamAV contains an iso9660 parser.
> 
> The clamscan --debug option may give a clue as to why it is not being
> scanned.
> 
> Steven Morgan


[clamav-users] ClamAV® blog: ClamAV Customer Feedback Survey

2017-09-14 Thread Joel Esler (jesler)
ClamAV Customer Feedback Survey

As we are ramping up feature planning for the next version of ClamAV, and have 
overcome (for the most part) the recent turmoil with the mirror system, we have 
a lot of fantastic ideas and goals ourselves for making ClamAV more reliable, 
easier to install, and better to use -- but we want to hear from you! We decided 
it would be a fantastic idea to send out a survey to the ClamAV community to 
gather your thoughts.

https://www.research.net/r/WZH2NL5


Please take a look at this survey over on SurveyMonkey, and please give us 
feedback!


--
Joel Esler | Talos: Manager | jes...@cisco.com








Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Steven Morgan
ClamAV contains an iso9660 parser.

The clamscan --debug option may give a clue as to why it is not being
scanned.

Steven Morgan

On Wed, Sep 13, 2017 at 10:52 PM, Al Varnell wrote:

> On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote:
> > On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote:
> >>
> >> The file is an image. Open the image up and then scan. Does clamscan
> >> open images itself and then perform a scan?
> >
> > YES! It scans *inside* ZIP, TAR, RAR etc.
>
> But does etc. include .iso's? There are many encoding formats that clamav
> is unable to scan inside of, including some oddball .zips I've run across.
> Although .dmg image scanning was added a few years back, I've experienced
> mixed results with detections unless the image is first mounted.
>
> It's also possible that .iso's are included in the list of files to skip.
> Have you looked into that?
>
> Sorry I don't have time at the moment to check into this for you. Perhaps
> later.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
>


Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-14 Thread Gandalf Corvotempesta
Opened https://bugzilla.clamav.net/show_bug.cgi?id=11911

2017-09-13 19:01 GMT+02:00 Steven Morgan:
> OK, open a ticket and we can look at it.
>
> On Wed, Sep 13, 2017 at 12:57 PM, Gandalf Corvotempesta <
> gandalf.corvotempe...@gmail.com> wrote:
>
>> OK, but why is clam treating an encrypted PDF as an encrypted archive?
>> I've set ArchiveBlockEncrypted to yes, but, as written in the setting
>> name, I would like to block encrypted *archives*.
>> A PDF is not an archive, thus it should not be blocked.
>>
>> I think this is a bug.
>>
>> 2017-09-13 16:09 GMT+02:00 Reindl Harald:
>> >
>> >
>> > Am 13.09.2017 um 15:57 schrieb Gandalf Corvotempesta:
>> >>
>> >> So, the only way to block encrypted ZIP is also to block any encrypted or
>> >> password protected PDF?
>> >
>> >
>> > with one clamd instance yes
>> >
>> > on a smart setup you run two instances and one is just used for scoring
>> > in spamassassin (or in my case I edited the sa-clamav plugin to support
>> > multiple instances instead of the ugly hardcoding) - both are scoring high
>> > and at the end the second clamd is also wired with the milter and rejects
>> > unconditionally while the PDF stuff combined with a well maintained bayes
>> > has no problems to distinguish between junk and ham
>> >
>> >
>> >> On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:
>> >>
>> >>>
>> >>>
>> >>> Am 13.09.2017 um 15:45 schrieb Gandalf Corvotempesta:
>> >>>
>> >>>> Hi to all
>> >>>> I would like to block any encrypted/password protected ZIP/RAR,
>> >>>> and so on, but *NOT* block any encrypted PDF.
>> >>>> Currently, ClamAV is blocking any encrypted PDF with
>> >>>> Heuristics.Encrypted.PDF
>> >>>>
>> >>>> How can I only block real archives and not PDFs (which are not archives)?
>> >>>>
>> >>>
>> >>> short answer: you can't and you can stop seeking around - and yes that's
>> >>> terrible as most of the Heuristics options which are throwing the child
>> >>> out with the bath
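
Added example (not code from the thread or from ClamAV): the distinction Gandalf is asking for, done in Python ahead of the scanner, so a mail pipeline can reject encrypted archives outright while only adding a score for encrypted PDFs, along the lines of the scoring setup Reindl describes. The ZIP check reads the encryption flag bit from the archive headers; the PDF check is a heuristic on the /Encrypt trailer key. The sample ZIP and PDF bytes are constructed inline (zipfile cannot write encrypted archives, so the flag bit is patched in by hand), and the function names and policy labels are mine.

```python
"""Separate encrypted archives from encrypted PDFs ahead of ClamAV, so a mail
pipeline can block the former and only score the latter.
Added example; not ClamAV project code."""
import io
import struct
import zipfile


def zip_has_encrypted_member(data):
    """True if any entry has general-purpose flag bit 0 (encryption) set.
    The flag lives in the ZIP headers, so no password is needed to see it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def pdf_is_encrypted(data):
    """Heuristic: a PDF protected with standard security carries an /Encrypt
    key in its trailer (or cross-reference stream) dictionary. Checking the
    whole file keeps it simple; a stream containing the literal text
    '/Encrypt' would be a false positive, so treat this as a signal, not proof."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def classify(data):
    """Coarse type plus encryption state, from magic bytes and headers only."""
    if data.startswith(b"%PDF"):
        return "pdf-encrypted" if pdf_is_encrypted(data) else "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip-encrypted" if zip_has_encrypted_member(data) else "zip"
    return "other"


def mail_policy(data):
    """What the thread asks for: reject encrypted archives outright, add a
    spam score for encrypted PDFs, and let everything else go to the scanner."""
    kind = classify(data)
    if kind == "zip-encrypted":
        return "block"
    if kind == "pdf-encrypted":
        return "score"
    return "scan"


def make_sample_zip(encrypted_flag):
    """Constructed sample: a one-member ZIP. zipfile cannot write encrypted
    archives, so for the 'encrypted' case the encryption flag bit is set in
    both the local file header (flags at offset 6) and the central directory
    header (flags at offset 8), which is all the classifier looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample member")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig) + off
            (flags,) = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | 0x1)
    return bytes(data)


# Constructed minimal PDFs: same body, one with an /Encrypt entry in the trailer.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"2 0 obj << /Filter /Standard /V 1 /R 2 >> endobj\n"
                 b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("plain zip", make_sample_zip(False)),
                        ("encrypted zip", make_sample_zip(True)),
                        ("plain pdf", PLAIN_PDF),
                        ("encrypted pdf", ENCRYPTED_PDF)):
        print(f"{label:14s} -> {classify(blob):14s} {mail_policy(blob)}")
```

Running this as a pre-filter leaves ArchiveBlockEncrypted free to stay on for the clamd instance that feeds rejection, while encrypted PDFs reach it only after a separate scoring step has weighed in; the PDF heuristic is deliberately conservative because an over-eager block here recreates the problem the thread complains about.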