Re: [clamav-users] freshclam vs sudo freshclam

2018-08-21 Thread Micah Snyder (micasnyd)
Whoa, I need to proof-read my emails better.  I meant to say, "You shouldn't 
need 'sudo' if your user can write to the directory."


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Aug 21, 2018, at 12:45 PM, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:

Hi Mike,

It depends on what your clamav database directory's user permissions 
are set to.  You shouldn't need freshclam if your user can write to the 
directory.

At this time, ClamAV relies on the installer (or sys admin) to configure the 
permissions.
If you install from source, the default install path places the database in 
/usr/local/share/clamav.  On my mac, it doesn't require 'sudo' to write to that 
directory.  If you installed from MacPorts or Homebrew, the installation path 
is different.

For homebrew it seems to use the Cellar location and also install symlinks in 
the default system locations (/usr/local/...):
/usr/local/Cellar/clamav//share/clamav
I guess MacPorts went with:
/opt/local/share/clamav

On some systems, I believe they install to /usr/..., with the database then 
being in:
/usr/share/clamav.

I'm really not certain on the default permissions settings for each OS.  I 
guess the TL;DR is that it isn't consistent across every OS.  Sorry about the 
confusion.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Aug 20, 2018, at 9:31 PM, Michael Newman <mgnew...@mac.com> wrote:



Al Varnell wrote:

It appears to me from your other thread that you are using a Homebrew compiled 
installation. If that is the case, then you need to contact the package 
distributor (Homebrew) about any issues with their compilation.


Actually, it’s MacPorts, but, point taken. I’ve posted this inquiry on their 
mailing list.

But I really don't understand why you want to use sudo if everything is working 
for you. I personally never use sudo and never have seen a need to.


I "want" to use sudo because everything I’ve read says that’s what to do. For 
example, this in the GitHub FAQ:

After ClamAV is installed, then what? How do I update / refresh the virus 
database?

You will need to edit the freshclam.conf.example file located in 
/usr/local/etc. Once that is done, you will need to run a 'sudo freshclam' to 
download the signatures. You will need to run the command to update signatures 
often so that ClamAV has the most up to date signatures.

But, since you say that sudo is not necessary and because it doesn’t work, I 
won’t use it anymore.

Thanks for your advice.

Mike


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] freshclam vs sudo freshclam

2018-08-21 Thread Micah Snyder (micasnyd)
Hi Mike,

It depends on what your clamav database directory's user permissions 
are set to.  You shouldn't need freshclam if your user can write to the 
directory.

At this time, ClamAV relies on the installer (or sys admin) to configure the 
permissions.
If you install from source, the default install path places the database in 
/usr/local/share/clamav.  On my mac, it doesn't require 'sudo' to write to that 
directory.  If you installed from MacPorts or Homebrew, the installation path 
is different.

For homebrew it seems to use the Cellar location and also install symlinks in 
the default system locations (/usr/local/...):
/usr/local/Cellar/clamav//share/clamav
I guess MacPorts went with:
/opt/local/share/clamav

On some systems, I believe they install to /usr/..., with the database then 
being in:
/usr/share/clamav.

I'm really not certain on the default permissions settings for each OS.  I 
guess the TL;DR is that it isn't consistent across every OS.  Sorry about the 
confusion.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Aug 20, 2018, at 9:31 PM, Michael Newman <mgnew...@mac.com> wrote:



Al Varnell wrote:

It appears to me from your other thread that you are using a Homebrew compiled 
installation. If that is the case, then you need to contact the package 
distributor (Homebrew) about any issues with their compilation.


Actually, it’s MacPorts, but, point taken. I’ve posted this inquiry on their 
mailing list.

But I really don't understand why you want to use sudo if everything is working 
for you. I personally never use sudo and never have seen a need to.


I "want" to use sudo because everything I’ve read says that’s what to do. For 
example, this in the GitHub FAQ:

After ClamAV is installed, then what? How do I update / refresh the virus 
database?

You will need to edit the freshclam.conf.example file located in 
/usr/local/etc. Once that is done, you will need to run a 'sudo freshclam' to 
download the signatures. You will need to run the command to update signatures 
often so that ClamAV has the most up to date signatures.

But, since you say that sudo is not necessary and because it doesn’t work, I 
won’t use it anymore.

Thanks for your advice.

Mike


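A quick way to settle the sudo question on a given host, added here as an example and not part of ClamAV or of anything posted in the thread: read DatabaseDirectory out of freshclam.conf and test whether the invoking user can write it. The conf path is an argument, the fallback directory is the source-install default mentioned above, and the function names are mine.

```shell
#!/bin/sh
# Added example, not ClamAV code: decide whether this user needs 'sudo' to run
# freshclam by checking write access to the configured DatabaseDirectory.
# The conf path is passed in; /usr/local/share/clamav (the source-install
# default) is only used when the conf sets nothing.

# db_dir_from_conf CONF: print the DatabaseDirectory from a freshclam.conf
# (last uncommented setting wins), or the source-install default.
db_dir_from_conf() {
    dir=$(sed -n 's/^[[:space:]]*DatabaseDirectory[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$dir" ] || dir=/usr/local/share/clamav
    printf '%s\n' "$dir"
}

# dir_owner DIR: owner name of DIR; ls -ld puts it in column 3 on both
# Linux and macOS, unlike stat(1) whose flags differ between the two.
dir_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# needs_sudo DIR: 0 (true) if the caller cannot write DIR, 1 if a plain
# 'freshclam' will do. A missing directory counts as "cannot write".
needs_sudo() {
    if [ -d "$1" ] && [ -w "$1" ]; then
        return 1
    fi
    return 0
}

# verdict CONF: one line saying what to do on this host, and why.
verdict() {
    dir=$(db_dir_from_conf "$1")
    me=$(id -un)
    if needs_sudo "$dir"; then
        owner=$(dir_owner "$dir")
        printf '%s is not writable by %s (owner: %s): run freshclam as that owner or fix the ownership; a root run would leave root-owned files behind\n' \
            "$dir" "$me" "${owner:-none, directory missing}"
    else
        printf '%s is writable by %s: plain "freshclam" is enough, no sudo\n' "$dir" "$me"
    fi
}

# Usage: verdict /usr/local/etc/freshclam.conf
```

If the verdict is "not writable", the least-privilege fix is to run freshclam as the directory's owner (or chown the directory to the account that will run it), not to reach for sudo: a single root run leaves root-owned database files behind, after which every unprivileged run fails on the next update. freshclam's own DatabaseOwner setting only takes effect when it starts as root and drops privileges.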
Re: [clamav-users] ClamAV signature update sync errors have gotten worse

2018-08-21 Thread Joel Esler (jesler)


On Aug 21, 2018, at 12:32 PM, G.W. Haywood <cla...@jubileegroup.co.uk> wrote:

Hi there,

On Tue, 21 Aug 2018, Joel Esler wrote:

The amount of people using ClamAV version 0.90 and below is
surprising as well.

That's not really surprising to me.  Most of them probably don't even
know that they're running it, and those who do could easily be lying
as it's trivial to forge a User-Agent string.

Especially given what's happened in the past to users of old versions,
if there is any surprise it's that you're still serving files to them.
In my view it would be perfectly reasonable to block them.  It might
even save you some money.


We have blocked people that are 0.80 and below, to see if anyone brings it up 
(to which, I think this list would violently react with something akin to "You 
are running 13 year old AV?").  No one has, publicly or privately.  We'll 
probably proceed with a blog post stating that we're blocking everyone below 
the version that introduced diff'ing (0.93.3).  Also rate limiting people that 
are attempting to download the main.cvd every 1 minute has helped.

The good news is, the top ten successful download versions (by User-Agent) are 
within the last 4 or 5 releases.

(0.99.4 is our largest deployed version, followed by 0.100.1, for those of you 
that are curious)

--
Joel Esler
Sr. Manager
Community, Branding, and Open Source
Talos Group
http://www.talosintelligence.com



Re: [clamav-users] ClamAV signature update sync errors have gotten worse

2018-08-21 Thread G.W. Haywood

Hi there,

On Tue, 21 Aug 2018, Joel Esler wrote:


The amount of people using ClamAV version 0.90 and below is
surprising as well.


That's not really surprising to me.  Most of them probably don't even
know that they're running it, and those who do could easily be lying
as it's trivial to forge a User-Agent string.

Especially given what's happened in the past to users of old versions,
if there is any surprise it's that you're still serving files to them.
In my view it would be perfectly reasonable to block them.  It might
even save you some money.

--

73,
Ged.


Re: [clamav-users] ClamAV signature update sync errors have gotten worse

2018-08-21 Thread Joel Esler (jesler)
CC'ing your comments over to Micah.  We have a heavy freshclam rewrite in the 
pipeline.

The amount of people using ClamAV version 0.90 and below is surprising as well. 
None of those versions support .diff files on the daily file.  So, those 
versions are downloading the whole daily.cvd (sometimes hundreds of times a 
day) even though those versions of ClamAV won't work with the current options 
in daily.cvd, so they can't even start up. But Freshclam is still updating!



> On Aug 20, 2018, at 10:25 PM, Paul Kosinski wrote:
> 
> It's good to save so much (5 PB) Internet traffic.
> 
> What we were seeing from our end was that there were a lot of full-size
> downloads of daily.cvd that were useless because they were the old
> version rather than the new version advertised by the DNS TXT record.
> 
> Besides being annoying because of lots of extra logging by freshclam,
> it kept killing off the mirror IP addresses due to the update failures,
> and thus eventually blocked all downloads.
> 
> Since we already had a wrapper around freshclam to do some extra stuff
> in our environment, I decided to write the extra code to only invoke
> freshclam if the prefix of the cvd file(s) showed the correct version.
> After that, it was easy to log the delay to separate file.
> 
> I guess my question at this point is: how many other users of freshclam
> are seeing the problem we had? The behavior we were seeing not only
> wasted bandwidth, it also caused semi-permanent blockage of future
> updates. Users who don't monitor their logs (like many desktop users?)
> could be far out of date with their ClamAV signatures.
> 
> P.S. It shouldn't be too hard to modify freshclam itself to deal with
> this problem in a similar fashion. But I didn't want to fork a fairly
> complicated program which mainly does stuff that has nothing to do with
> this particular problem.
> 
> 
> 
> On Mon, 20 Aug 2018 15:43:14 +
> "Joel Esler (jesler)" wrote:
> 
>> Thank you.  We have to make adjustments very slowly to not disrupt
>> anyone.
>> 
>> Cloudflare has helped us save 2 PB in the last month, delivering
>> updates an average of 39% faster.  We are seeing excellent results.  
>> 
>>> On Aug 18, 2018, at 1:09 AM, Paul Kosinski wrote:
>>> 
>>> Joel,
>>> 
>>> Still lots of delays since "2018-08-11 13:18:02  No delay", but none
>>> quite as long as the previous batch:
>>> 
>>> 2018-08-11 21:33:02  00:15:00 delay
>>> 2018-08-12 05:48:02  01:00:00 delay
>>> 2018-08-12 14:33:01  01:15:00 delay
>>> 2018-08-12 22:48:02  01:00:00 delay
>>> 2018-08-13 05:18:01  No delay
>>> 2018-08-13 13:18:02  No delay
>>> 2018-08-13 21:33:01  00:14:59 delay
>>> 2018-08-14 05:18:01  No delay
>>> 2018-08-14 13:18:02  No delay
>>> 2018-08-14 21:33:02  00:30:01 delay
>>> 2018-08-15 05:03:02  No delay
>>> 2018-08-15 13:48:01  00:45:00 delay
>>> 2018-08-15 22:03:01  No delay
>>> 2018-08-16 05:03:02  No delay
>>> 2018-08-16 14:03:02  01:00:01 delay
>>> 2018-08-16 21:18:01  00:14:59 delay
>>> 2018-08-17 06:03:01  No delay
>>> 2018-08-17 13:33:02  00:30:01 delay
>>> 2018-08-17 21:03:02  No delay
>>> 
>>> 
>>> On Thu, 16 Aug 2018 22:13:48 +
>>> "Joel Esler (jesler)" wrote:
>>> 
>>>> Paul, how are things looking from your side?
> 
>> 

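The pre-flight check Paul describes, written out as an added example (it is not his wrapper and not ClamAV code): compare the database version advertised in the current.cvd.clamav.net TXT record with the version stamped in the 512-byte header of the CVD a mirror is actually serving, and only invoke freshclam when the two agree, so a stale mirror is skipped rather than counted as a failed update. The TXT field positions used (main in field 2, daily in field 3, bytecode in field 8) are the ones freshclam itself reads; the sample record and CVD headers in the usage are constructed. In production the record would come from a TXT lookup such as "dig +short TXT current.cvd.clamav.net" and the header from the first 512 bytes of the mirror's daily.cvd, which is the same prefix freshclam fetches with an HTTP Range request.

```shell
#!/bin/sh
# Added example, not ClamAV code and not Paul's wrapper: skip a freshclam run
# when the mirror is not yet serving the version the DNS TXT record advertises.

# cvd_version FILE: the version stamped in a CVD. The first 512 bytes are a
# colon-separated text header, ClamAV-VDB:<build date>:<version>:<sigs>:...,
# so the version is field 3.
cvd_version() {
    dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\000' | head -n 1 | cut -d: -f3
}

# txt_version RECORD DB: version of DB ("main", "daily" or "bytecode") from
# the current.cvd.clamav.net TXT record. Field 1 is the newest ClamAV release;
# main, daily and bytecode versions are fields 2, 3 and 8.
txt_version() {
    case "$2" in
        main)     field=2 ;;
        daily)    field=3 ;;
        bytecode) field=8 ;;
        *) echo "txt_version: unknown database '$2'" >&2; return 2 ;;
    esac
    printf '%s\n' "$1" | cut -d: -f"$field"
}

# mirror_in_sync RECORD DB FILE: 0 when the CVD header in FILE carries the
# version RECORD advertises for DB, 1 when the mirror is stale (or ahead).
mirror_in_sync() {
    want=$(txt_version "$1" "$2") || return 2
    have=$(cvd_version "$3")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# run_freshclam_if_synced RECORD DB FILE: the wrapper decision. RECORD is the
# TXT record text and FILE holds the first 512 bytes of the mirror's DB.cvd;
# both are passed in so the logic can be exercised offline with constructed data.
run_freshclam_if_synced() {
    have=$(cvd_version "$3")
    if mirror_in_sync "$1" "$2" "$3"; then
        echo "mirror serves $2 $have, as advertised: running freshclam"
        # freshclam          # the real call goes here
        return 0
    fi
    echo "mirror serves $2 $have but TXT advertises $(txt_version "$1" "$2"): skipping this run" >&2
    return 1
}

# Constructed sample (not a real record or header):
#   rec='0.100.1:58:24883:1534852800:60:63:48725:324'
#   run_freshclam_if_synced "$rec" daily /path/to/daily.cvd.head
```

Logging the skip separately, as Paul did, gives a record of how long each mirror lagged without freshclam ever marking that mirror as failed.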

Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Alex
On Tue, Aug 21, 2018 at 9:02 AM Steve Basford wrote:
> On Tue, August 21, 2018 12:27 pm, Dave McMurtrie wrote:
> >
> > I'm beginning to get the feeling they don't have any type of review
> > process in place.
>
> I whitelisted the sig on the Sanesecurity mirrors this morning UK time:
>
> 21/08/2018 @ 11:37
>
> It's usually quicker to do that, if not ideal.

Thank you, as always. I should also add that I submitted this to
malwarepatrol prior to posting here - it was important enough that all
clamav users should be made aware so people can whitelist the rule
quickly.

I also believe they don't have any type of quality control. They're
also intermittently responsive to support requests and have frequent
database download problems.


>
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>


Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Steve Basford


On Tue, August 21, 2018 12:27 pm, Dave McMurtrie wrote:
>
> I'm beginning to get the feeling they don't have any type of review
> process in place.

I whitelisted the sig on the Sanesecurity mirrors this morning UK time:

21/08/2018 @ 11:37

It's usually quicker to do that, if not ideal.


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Arnaud Jacques

Hello,

Do it yourself:
https://www.securiteinfo.com/services/anti-spam-anti-virus/whitelisting_clamav_signatures.shtml

Btw, users/customers of 
https://www.securiteinfo.com/services/anti-spam-anti-virus/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml 
have no problem because the signature has been included in 
securiteinfo.ign2.


On 21/08/2018 at 13:31, Al Varnell wrote:
OK, I don't think there is anything that ClamAV can do about it since 
it's an UNOFFICIAL.


Maybe Steve Basford from SaneSecurity can put some pressure on them. He 
usually reads what's posted here.


-Al-

On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
They did this in April, 2017 also.  When I reported it as a false 
positive at that time, they responded with:


"Thank you for contacting us.  There is a file hosted there with a vague
AV classification.  After further reviewing it, we've decided to remove
the URL from our block lists and data feeds."

I'm beginning to get the feeling they don't have any type of review 
process in place.



On Mon, 20 Aug 2018, Al Varnell wrote:


Submit to fp (at) malwarepatrol.net .

-Al-

On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:

Hi, fyi

# sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
VIRUS NAME: MBL_12952716
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://drive.google.com





--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois

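What "do it yourself" whitelisting looks like in practice, as an added example (not ClamAV, Sanesecurity or Malwarepatrol code): put the signature name in a .ign2 file in the database directory, which clamd and clamscan load alongside the signature databases and use to skip the named signatures. The ign2 path is an argument and the default is the source-install database directory (an assumption); the bare-hostname heuristic is my own rule of thumb for spotting this class of false positive, not anything ClamAV does.

```shell
#!/bin/sh
# Added example, not ClamAV/Sanesecurity/Malwarepatrol code: maintain a
# local.ign2 whitelist for a signature that should not fire, e.g. the
# MBL_12952716 entry above whose decoded body is just "https://drive.google.com".
# The default path below is the source-install database directory (assumed).

# ign2_add NAME [IGN2]: add NAME to the whitelist exactly once. An .ign2 file
# holds one signature name per line; every *.ign2 in the database directory
# is loaded and the named signatures are skipped at scan time.
ign2_add() {
    name="$1"
    file="${2:-/usr/local/share/clamav/local.ign2}"
    [ -n "$name" ] || { echo "ign2_add: empty signature name" >&2; return 2; }
    case "$name" in
        *[!A-Za-z0-9_.-]*)   # ':' and whitespace are field separators in ClamAV's formats
            echo "ign2_add: '$name' is not a plain signature name" >&2
            return 2 ;;
    esac
    if ign2_has "$name" "$file"; then
        return 0
    fi
    printf '%s\n' "$name" >> "$file"
}

# ign2_has NAME IGN2: 0 if NAME is already whitelisted in IGN2.
ign2_has() {
    [ -f "$2" ] && grep -qxF -- "$1" "$2"
}

# decoded_sig_is_bare_host BODY: my heuristic for triaging a decoded
# signature (the text "sigtool --decode-sigs" prints): 0 when the whole body
# is scheme://host with nothing after the host, which matches any file that
# merely mentions that host and so is a false-positive generator.
decoded_sig_is_bare_host() {
    case "$1" in
        http://*/?*|https://*/?*) return 1 ;;   # something follows the host
        http://?*|https://?*)     return 0 ;;   # scheme://host or scheme://host/
        *)                        return 1 ;;
    esac
}

# Typical use, after "sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs"
# has shown the body:
#   decoded_sig_is_bare_host 'https://drive.google.com' && ign2_add MBL_12952716
```

After the file changes, clamd needs a reload (clamdscan --reload, or its next SelfCheck) before the entry takes effect. An .ign2 entry suppresses exactly one signature name and tells the publisher nothing, so the report to fp (at) malwarepatrol.net is still needed, and the entry should be dropped once the upstream database is fixed so it does not mask a future signature reusing the name.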

Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Al Varnell
OK, I don't think there is anything that ClamAV can do about it since it's an 
UNOFFICIAL. 

Maybe Steve Basford from SaneSecurity can put some pressure on them. He usually 
reads what's posted here.

-Al-

On Tue, Aug 21, 2018 at 04:27 AM, Dave McMurtrie wrote:
> They did this in April, 2017 also.  When I reported it as a false positive at 
> that time, they responded with:
> 
> "Thank you for contacting us.  There is a file hosted there with a vague
> AV classification.  After further reviewing it, we've decided to remove
> the URL from our block lists and data feeds."
> 
> I'm beginning to get the feeling they don't have any type of review process 
> in place.
> 
> 
> On Mon, 20 Aug 2018, Al Varnell wrote:
> 
>> Submit to fp (at) malwarepatrol.net .
>> 
>> -Al-
>> 
>> On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:
>>> Hi, fyi
>>> 
>>> # sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
>>> VIRUS NAME: MBL_12952716
>>> TARGET TYPE: ANY FILE
>>> OFFSET: *
>>> DECODED SIGNATURE:
>>> https://drive.google.com 



Re: [clamav-users] Malwarepatrol false positive

2018-08-21 Thread Dave McMurtrie
They did this in April, 2017 also.  When I reported it as a false positive 
at that time, they responded with:


"Thank you for contacting us.  There is a file hosted there with a vague
AV classification.  After further reviewing it, we've decided to remove
the URL from our block lists and data feeds."

I'm beginning to get the feeling they don't have any type of review 
process in place.



On Mon, 20 Aug 2018, Al Varnell wrote:


Submit to fp (at) malwarepatrol.net.

-Al-

On Mon, Aug 20, 2018 at 08:34 PM, Alex wrote:

Hi, fyi

# sigtool --find-sigs MBL_12952716 | sigtool --decode-sigs
VIRUS NAME: MBL_12952716
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://drive.google.com


