Re: [clamav-users] Questions about ClamAV

2017-11-20 Thread Paul Kosinski
My experience is that ClamAV is limited to 4 GB for the size of a
file. Apparently it still uses 32-bit numbers (as opposed to addresses)
even on 64-bit machines.


On Mon, 20 Nov 2017 18:42:22 -0800
Al Varnell  wrote:

> On Mon, Nov 20, 2017 at 03:48 PM, Micah Snyder (micasnyd) wrote:
> > 2. Does it have the ability to scan large files (2 GBs+)?
> > ClamAV currently has max file size limits around 2GB.
> 
> I believe the default MaxFileSize is only 25MB, at least that's what
> it is for the clamd daemon. It can be re-configured to scan larger
> files, but "setting it too high may result in severe damage to the
> system." You may be limited by the amount of RAM in your
> configuration. There are other limits involving archive files and
> PE's that should be adequately explained to you in
> the /etc/clamd.conf file.
> 
> 
> -Al-
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Questions about ClamAV

2017-11-20 Thread Al Varnell
On Mon, Nov 20, 2017 at 03:48 PM, Micah Snyder (micasnyd) wrote:
> 2. Does it have the ability to scan large files (2 GBs+)?
> ClamAV currently has max file size limits around 2GB.

I believe the default MaxFileSize is only 25MB, at least that's what it is for 
the clamd daemon. It can be re-configured to scan larger files, but "setting it 
too high may result in severe damage to the system." You may be limited by the 
amount of RAM in your configuration. There are other limits involving archive 
files and PE's that should be adequately explained to you in the 
/etc/clamd.conf file.


-Al-
-- 
Al Varnell
ClamXAV User

Re: [clamav-users] Questions about ClamAV

2017-11-20 Thread Eric Tykwinski
> On Nov 20, 2017, at 6:48 PM, Micah Snyder (micasnyd)  
> wrote:
> 
> 3. Is it compatible with both Linux and Windows?
> Yes, however certain features (e.g. on access scanning) are limited to Linux.

I’ve found fswatch to overcome on-access scanning on OSX, and it is supposed to
support more, but I haven’t tested them.
https://github.com/emcrisostomo/fswatch

Don’t know if this will help S3, but may help others.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Re: [clamav-users] Questions about ClamAV

2017-11-20 Thread Micah Snyder (micasnyd)
Hello,

1. Can it scan all files/data from a dirty S3 bucket, and place the files
into a clean bucket?
I don’t have experience working with S3 buckets.  ClamAV works with files on a 
filesystem.  ClamAV’s ability to move files during scanning is limited to 
moving dirty files, not moving clean files.  For example: 
https://askubuntu.com/questions/171441/how-to-quarantine-or-delete-infected-files-with-clamav
In theory you could use a technology such as S3FS to mount your S3 bucket as
a file system and then scan the files as such.  However, I make no guarantees 
about how well that will work.

2. Does it have the ability to scan large files (2 GBs+)?
ClamAV currently has max file size limits around 2GB.

3. Is it compatible with both Linux and Windows?
Yes, however certain features (e.g. on access scanning) are limited to Linux.

4. Does it scale horizontally, adding more scanning capacity?
It depends on what you mean by “Scale horizontally”.  The clamd component (a
daemon process) may be used in conjunction with clamdscan (a process that
interacts with clamd to scan with multithreading).  I’m guessing, based on your
question about S3 that you’re talking about the idea of hosting clamav services 
in the cloud and scaling up the number of instances to handle scan requests.  
In theory, if you could mount your S3 bucket and if clamav does handle scanning 
these files well, you could write a wrapper around clamdscan to accept scan 
requests in a scalable architecture.  That said, I still make no guarantees 
about the scan performance and of course this cloud-scaling wrapper tech is not 
provided as a part of ClamAV.

5. Does it give the user the ability to load their own virus signatures (in
addition to pulling signatures down from vendor's site)?
Yes.


Micah Snyder
Software Engineer
Talos Intelligence
Cisco Systems, Inc.


On Nov 20, 2017, at 2:34 PM, Brian Turner <brian.tur...@blue-star-software.com> wrote:

Hello,

I have a few questions about ClamAV.

1. Can it scan all files/data from a dirty S3 bucket, and place the files
into a clean bucket?
2. Does it have the ability to scan large files (2 GBs+)?
3. Is it compatible with both Linux and Windows?
4. Does it scale horizontally, adding more scanning capacity?
5. Does it give the user the ability to load their own virus signatures (in
addition to pulling signatures down from vendor's site)?

--


Brian Turner
Blue Star Software
p: 703.968.1974  m: 301.980.6657 a: 8500 Leesburg Pike #403 Vienna, VA 22182
s: http://www.blue-star-software.com e: brian.tur...@blue-star-software.com

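The clamd-based wrapper Micah describes above, and the size-limit behaviour Al's MaxFileSize note points at, as an added Python example (not ClamAV's own code): it frames a buffer for clamd's INSTREAM command, classifies the OK / FOUND / ERROR reply, and routes only a clean verdict to the clean bucket. The socket path, the bucket names and the sample reply strings are assumptions.

```python
"""Added example, not part of ClamAV: a minimal clamd INSTREAM client plus
the routing decision for the S3 scenario in this thread.  Assumed: clamd on
a Unix socket; "clean-bucket"/"quarantine" stand in for your object moves."""
import socket
import struct
from typing import Iterator, Tuple

CHUNK = 64 * 1024  # INSTREAM chunk size; must stay below clamd's StreamMaxLength


def instream_frames(data: bytes, chunk: int = CHUNK) -> Iterator[bytes]:
    """Yield the bytes the INSTREAM command expects: the z-prefixed command
    (NUL-terminated reply), length-prefixed chunks (4-byte big-endian),
    and a zero-length chunk as the terminator."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        yield struct.pack(">I", len(piece)) + piece
    yield struct.pack(">I", 0)


def parse_reply(reply: bytes) -> Tuple[str, str]:
    """Classify one clamd reply as ('clean'|'infected'|'error', detail).
    clamd answers 'stream: OK', 'stream: <Signature> FOUND', or
    'stream: <message> ERROR' (e.g. when the stream exceeds MaxFileSize /
    StreamMaxLength); anything else is treated as an error, never as clean."""
    text = reply.decode("utf-8", "replace").rstrip("\0\n")
    _, _, body = text.partition(": ")  # drop the "stream" request id
    if body == "OK":
        return "clean", ""
    if body.endswith(" FOUND"):
        return "infected", body[:-len(" FOUND")]
    if body.endswith(" ERROR"):
        return "error", body[:-len(" ERROR")]
    return "error", "unrecognised reply: " + text


def scan_bytes(data: bytes, sock_path: str = "/var/run/clamav/clamd.ctl") -> Tuple[str, str]:
    """Stream an object to clamd (assumed socket path) and classify the answer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # z-prefixed commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def route(verdict: str) -> str:
    """Only a clean verdict may be promoted to the clean bucket; infected
    objects go to quarantine; an ERROR (size limit, parse failure) is held
    for review rather than being treated as scanned."""
    return {"clean": "clean-bucket", "infected": "quarantine"}.get(verdict, "hold")
```

Raise MaxFileSize / StreamMaxLength in clamd.conf only as far as the scanner's RAM allows, and treat the ERROR path as a real outcome rather than a clean one.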

Re: [clamav-users] CVE fix status

2017-11-20 Thread Steven Morgan
I think some may be fixed already. I've opened ticket 11961 in the ClamAV
bugzilla for followup and tracking.

Steve


On Mon, Nov 20, 2017 at 2:54 PM, Zetan Drableg 
wrote:

> Hi,
> Anyone know when these CVEs will be fixed? Does clamav provide a 0.99.2
> security fix branch or I need to consume 0.99.3 devel? Does EPEL backport
> fixes?
>
> CVE-2017-6418
> CVE-2017-6419
> CVE-2017-6420
>
> It was discovered that ClamAV incorrectly handled parsing certain e-mail
> messages. A remote attacker could possibly use this issue to cause ClamAV
> to crash, resulting in a denial of service. (CVE-2017-6418)
>
> It was discovered that ClamAV incorrectly handled certain malformed CHM
> files. A remote attacker could use this issue to cause ClamAV to crash,
> resulting in a denial of service, or possibly execute arbitrary code. This
> issue only affected Ubuntu 14.04 LTS. In the default installation,
> attackers would be isolated by the ClamAV AppArmor profile. (CVE-2017-6419)
>
> It was discovered that ClamAV incorrectly handled parsing certain PE files
> with WWPack compression. A remote attacker could possibly use this issue to
> cause ClamAV to crash, resulting in a denial of service. (CVE-2017-6420)
>
> Thank you


[clamav-users] CVE fix status

2017-11-20 Thread Zetan Drableg
Hi,
Anyone know when these CVEs will be fixed? Does clamav provide a 0.99.2
security fix branch or I need to consume 0.99.3 devel? Does EPEL backport
fixes?

CVE-2017-6418
CVE-2017-6419
CVE-2017-6420

It was discovered that ClamAV incorrectly handled parsing certain e-mail
messages. A remote attacker could possibly use this issue to cause ClamAV
to crash, resulting in a denial of service. (CVE-2017-6418)

It was discovered that ClamAV incorrectly handled certain malformed CHM
files. A remote attacker could use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 LTS. In the default installation,
attackers would be isolated by the ClamAV AppArmor profile. (CVE-2017-6419)

It was discovered that ClamAV incorrectly handled parsing certain PE files
with WWPack compression. A remote attacker could possibly use this issue to
cause ClamAV to crash, resulting in a denial of service. (CVE-2017-6420)

Thank you


[clamav-users] Questions about ClamAV

2017-11-20 Thread Brian Turner
Hello,

I have a few questions about ClamAV.

1. Can it scan all files/data from a dirty S3 bucket, and place the files
into a clean bucket?
2. Does it have the ability to scan large files (2 GBs+)?
3. Is it compatible with both Linux and Windows?
4. Does it scale horizontally, adding more scanning capacity?
5. Does it give the user the ability to load their own virus signatures (in
addition to pulling signatures down from vendor's site)?

-- 


Brian Turner
Blue Star Software
p: 703.968.1974  m: 301.980.6657 a: 8500 Leesburg Pike #403 Vienna, VA 22182
s: http://www.blue-star-software.com e: brian.tur...@blue-star-software.com


Re: [clamav-users] Emf.Exploit.CVE_2017_16395-6376329-0

2017-11-20 Thread Mark Foley
Interesting. All the allegedly affected emails I've checked have docx
attachments, not Adobe or .PDF. It seems incorrect that a signature for Adobe
and Reader would be triggering on docx files.

For now, I'm not going to put this in .ign2, but I will exclude the Maildir
scanning script from looking at these specific older messages. We'll see what
happens from there.

Thanks for your feedback.

--Mark

On Sun, 19 Nov 2017 14:52:36 -0800 Al Varnell  wrote:

> It's a vulnerability that impacts Adobe Acrobat and Reader for Windows and 
> Macintosh, specifically a Critical Buffer Access with Incorrect Length Value 
> that can result in Remote Code Execution.
>
> It was added to the ClamAV signature database on Friday and the signature 
> looks for:
> VIRUS NAME: Emf.Exploit.CVE_2017_16395-6376329-0
> TDB: Target:0
> LOGICAL EXPRESSION: (0&1)
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> {WILDCARD_ANY_STRING(LENGTH==36)} EMF
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> 
>
> -Al-
>
> On Sun, Nov 19, 2017 at 09:12 AM, Mark Foley wrote:
> > For the past couple of days I've been getting notices from clamscan for
> > Emf.Exploit.CVE_2017_16395-6376329-0. clamscan is running on the IMAP 
> > Maildir
> > directories and is finding this exploit on emails as old as 2010.
> > 
> > I can find nothing on this exploit searching on the web other than it 
> > exists. No
> > description, etc. Can anyone tell me anything about this? What systems does 
> > it
> > affect (Windows only?) What does it do? Etc. I'll have to decide whether to
> > remove these old emails or stick this signature into my .ign2 file.
> > 
> > btw - is there some good website that describes ALL current exploits?
> > cve.mitre.org has a supposed complete list but for CVE-2017-16395 all it says
> > is:
> > 
> >  ** RESERVED **
> >  This candidate has been reserved by an organization or individual that
> >  will use it when announcing a new security problem.  When the
> >  candidate has been publicized, the details for this candidate will be
> >  provided.
> > 
> > THX --Mark
>
> -Al-
> -- 
> Al Varnell
> Mountain View, CA


Re: [clamav-users] Clamav capabilities detecting malicious scripts (javascript, sql injection)

2017-11-20 Thread Reindl Harald


On 20.11.2017 at 16:01, Peter Geerts wrote:

As far as I understand : files that are uploaded to a website/CMS system
are offered/delegated to clamav for checking.
Can you elaborate on the sanesecurity link because I have been at their
site but didn't find anything that could help me for this specific
scenario.


you don't want any scripts uploaded on a website by foreigners at all

http://sanesecurity.com/usage/signatures/
http://sanesecurity.com/foxhole-databases/

sorry, but nobody can read the signature descriptions for you and sql 
injection has nothing to do with clamav / file-uploads at all - here you 
go: https://www.modsecurity.org/


if you think you can just easily secure a webserver with some clicks and
install some stuff you are wrong - invest the time to do your homework
or hire somebody - seriously!



2017-11-20 15:56 GMT+01:00 Reindl Harald :

On 20.11.2017 at 15:48, Peter Geerts wrote:


Perhaps this has been raised earlier but as a newbie I have a question
regarding Clamav capabilities in this area.

We currently already run a 99.2 version on Red Hat which does a lot of
virus checking already but malicious (script) code is not detected.

If this is at all possible I would like to receive pointers on how to
configure this , if not we will have to look at another product most
likely


there is no single yes/no answer because it all depends on your use case -
an inbound mailserver using clamd for scoring combined with SpamAssassin has
different filters than an unconditional clamav-milter or clamav running on a
workstation

in any case without http://sanesecurity.com/ clamav has poor rates at all
but you need to consider wisely which signatures match your use case



Re: [clamav-users] Clamav capabilities detecting malicious scripts (javascript, sql injection)

2017-11-20 Thread Peter Geerts
As far as I understand : files that are uploaded to a website/CMS system
are offered/delegated to clamav for checking.
Can you elaborate on the sanesecurity link because I have been at their
site but didn't find anything that could help me for this specific
scenario.

Thanks

Peter

2017-11-20 15:56 GMT+01:00 Reindl Harald :

>
>
> On 20.11.2017 at 15:48, Peter Geerts wrote:
>
>> Perhaps this has been raised earlier but as a newbie I have a question
>> regarding Clamav capabilities in this area.
>>
>> We currently already run a 99.2 version on Red Hat which does a lot of
>> virus checking already but malicious (script) code is not detected.
>>
>> If this is at all possible I would like to receive pointers on how to
>> configure this , if not we will have to look at another product most
>> likely
>>
>
> there is no single yes/no answer because it all depends on your use case -
> an inbound mailserver using clamd for scoring combined with SpamAssassin has
> different filters than an unconditional clamav-milter or clamav running on a
> workstation
>
> in any case without http://sanesecurity.com/ clamav has poor rates at all
> but you need to consider wisely which signatures match your use case


Re: [clamav-users] Clamav capabilities detecting malicious scripts (javascript, sql injection)

2017-11-20 Thread Reindl Harald



On 20.11.2017 at 15:48, Peter Geerts wrote:

Perhaps this has been raised earlier but as a newbie I have a question
regarding Clamav capabilities in this area.

We currently already run a 99.2 version on Red Hat which does a lot of
virus checking already but malicious (script) code is not detected.

If this is at all possible I would like to receive pointers on how to
configure this , if not we will have to look at another product most likely


there is no single yes/no answer because it all depends on your use case
- an inbound mailserver using clamd for scoring combined with
SpamAssassin has different filters than an unconditional clamav-milter or
clamav running on a workstation


in any case without http://sanesecurity.com/ clamav has poor rates at
all but you need to consider wisely which signatures match your use case



[clamav-users] Clamav capabilities detecting malicious scripts (javascript, sql injection)

2017-11-20 Thread Peter Geerts
Hi All,

Perhaps this has been raised earlier but as a newbie I have a question
regarding Clamav capabilities in this area.

We currently already run a 99.2 version on Red Hat which does a lot of
virus checking already but malicious (script) code is not detected.

If this is at all possible I would like to receive pointers on how to
configure this , if not we will have to look at another product most likely



Thanks for your time


Kind regards


Peter Geerts