Re: [clamav-users] Secure download/verification of clamav database?

2018-10-24 Thread Luke Massa
Ah I see it now!

For those following along, in libclamav/dsig.c, there is an implementation of 
RSA inspired by http://www.erikyyy.de/yyyRSA/, and the public parameters of an 
RSA key are hard-coded in that file.

Thanks again!
- Luke

> On Oct 24, 2018, at 2:01 PM, Noel Jones wrote:
> 
> Baked in.
> 
> On 10/24/2018 12:10 PM, Luke Massa wrote:
>> But what are they signed *by*? If it’s using a public/private keypair, where is 
>> the public key? Is it baked into freshclam/clamd/clamscan somewhere?
>> 
>> - Luke
>> 
>>> On Oct 24, 2018, at 11:59 AM, Noel Jones wrote:
>>> 
>>> On 10/23/2018 2:17 PM, Luke Massa wrote:
>>>> 
>>>> In short, is there any way I can setup clamav/freshclam and be
>>>> confident that a malicious user isn’t adding/removing signatures
>>>> from the upstream mirrors?
>>> 
>>> The .cvd files have an internal cryptographic signature that's
>>> checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
>>> accepts the files, you can be assured they are official and
>>> unmodified.  This is built into clam; no external tools are called.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Secure download/verification of clamav database?

2018-10-24 Thread Noel Jones
Baked in.



On 10/24/2018 12:10 PM, Luke Massa wrote:
> But what are they signed *by*? If it’s using a public/private keypair, where 
> is the public key? Is it baked into freshclam/clamd/clamscan somewhere?
> 
> - Luke
> 
>> On Oct 24, 2018, at 11:59 AM, Noel Jones wrote:
>>
>> On 10/23/2018 2:17 PM, Luke Massa wrote:
>>>
>>> In short, is there any way I can setup clamav/freshclam and be
>>> confident that a malicious user isn’t adding/removing signatures
>>> from the upstream mirrors?
>>
>> The .cvd files have an internal cryptographic signature that's
>> checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
>> accepts the files, you can be assured they are official and
>> unmodified.  This is built into clam; no external tools are called.
>>



Re: [clamav-users] Secure download/verification of clamav database?

2018-10-24 Thread Luke Massa
But what are they signed *by*? If it’s using a public/private keypair, where is 
the public key? Is it baked into freshclam/clamd/clamscan somewhere?

- Luke

> On Oct 24, 2018, at 11:59 AM, Noel Jones wrote:
> 
> On 10/23/2018 2:17 PM, Luke Massa wrote:
>> 
>> In short, is there any way I can setup clamav/freshclam and be
>> confident that a malicious user isn’t adding/removing signatures
>> from the upstream mirrors?
> 
> The .cvd files have an internal cryptographic signature that's
> checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
> accepts the files, you can be assured they are official and
> unmodified.  This is built into clam; no external tools are called.



Re: [clamav-users] Secure download/verification of clamav database?

2018-10-24 Thread Noel Jones
On 10/23/2018 2:17 PM, Luke Massa wrote:
> 
> In short, is there any way I can setup clamav/freshclam and be
> confident that a malicious user isn’t adding/removing signatures
> from the upstream mirrors?

The .cvd files have an internal cryptographic signature that's
checked by freshclam and clamd/clamscan.  If freshclam and/or clamd
accepts the files, you can be assured they are official and
unmodified.  This is built into clam; no external tools are called.



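Noel's reply above and Luke's later follow-up describe the mechanism: the CVD header carries an MD5 of the database body and an RSA signature over that MD5, and the public key the signature is checked against is hard-coded in libclamav/dsig.c. The following is an added example, not ClamAV's code. It builds a toy CVD with the same header layout (magic, build time, version, signature count, functionality level, MD5 of the body, digital signature, builder, timestamp) and runs the two checks a verifier performs. The key pair, the space padding, the standard-base64 signature encoding and the header timestamps are all constructed for the example; ClamAV's real modulus and its own signature alphabet live in dsig.c and are not reproduced here.

```python
import base64
import hashlib

HEADER_LEN = 512  # a CVD is a 512-byte colon-separated text header followed by the tar.gz body

# Constructed example key pair. This is NOT ClamAV's key: the real public
# parameters are hard-coded in libclamav/dsig.c and are deliberately not
# reproduced here. Two Mersenne primes give a ~216-bit modulus, enough to
# carry a 128-bit MD5 value as a single RSA block.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: only the database publisher holds this

HEADER_FIELDS = ["magic", "time", "version", "sigs", "flevel", "md5", "dsig", "builder", "stime"]


def sign_digest(md5_hex: str) -> str:
    """Publisher side: textbook RSA over the digest value (no padding), which is
    the construction the thread attributes to dsig.c. Standard base64 is an
    assumption made here; ClamAV uses its own signature alphabet."""
    m = int(md5_hex, 16)
    s = pow(m, D, N)
    return base64.b64encode(s.to_bytes((N.bit_length() + 7) // 8, "big")).decode()


def recover_digest(dsig: str) -> str:
    """Verifier side: undo the signature with the baked-in public key (E, N)."""
    c = int.from_bytes(base64.b64decode(dsig), "big")
    return format(pow(c, E, N), "032x")


def build_cvd(body: bytes, version: int, sigs: int, flevel: int, builder: str = "example") -> bytes:
    """Assemble a CVD: header fields in order, space-padded to 512 bytes (padding is an assumption)."""
    md5_hex = hashlib.md5(body).hexdigest()
    fields = ["ClamAV-VDB", "24 Oct 2018 12-00 +0000", str(version), str(sigs),
              str(flevel), md5_hex, sign_digest(md5_hex), builder, "1540382400"]
    header = ":".join(fields).encode()
    if len(header) > HEADER_LEN:
        raise ValueError("header too long")
    return header.ljust(HEADER_LEN, b" ") + body


def parse_header(data: bytes) -> dict:
    fields = data[:HEADER_LEN].rstrip(b" \x00").decode().split(":")
    if len(fields) != len(HEADER_FIELDS) or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    return dict(zip(HEADER_FIELDS, fields))


def verify_cvd(data: bytes) -> str:
    """The two checks a verifier applies: body integrity (MD5 in the header)
    and header authenticity (RSA signature over that MD5)."""
    hdr = parse_header(data)
    body_md5 = hashlib.md5(data[HEADER_LEN:]).hexdigest()
    if body_md5 != hdr["md5"].lower():
        return "md5-mismatch"
    if recover_digest(hdr["dsig"]) != body_md5:
        return "bad-signature"
    return "ok"


def forge_with_fixed_md5(data: bytes, extra: bytes) -> bytes:
    """What a malicious mirror can do: alter the body and rewrite the MD5 field.
    Without D it cannot produce a matching dsig, so verify_cvd rejects it."""
    hdr = parse_header(data)
    new_body = data[HEADER_LEN:] + extra
    hdr["md5"] = hashlib.md5(new_body).hexdigest()
    header = ":".join(hdr[k] for k in HEADER_FIELDS).encode()
    return header.ljust(HEADER_LEN, b" ") + new_body


if __name__ == "__main__":
    # Constructed body standing in for the real tar.gz of signatures.
    cvd = build_cvd(b"constructed signature database body\n", 25000, 3, 90)
    print(verify_cvd(cvd))                                  # ok
    print(verify_cvd(cvd + b"\nEvil"))                      # md5-mismatch
    print(verify_cvd(forge_with_fixed_md5(cvd, b"\nEvil")))  # bad-signature
```

The third case is the one Luke asked about: a mirror that rewrites the body and fixes up the MD5 still fails, because the signature over the MD5 can only be produced with the private exponent, and the public half used to check it ships inside libclamav rather than being downloaded alongside the database.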


Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Alex
> As a follow-up, in response to a question as to why they just block

I meant "don't just block", of course ...


Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Alex
Hi,

> * Alex :
> > Another malwarepatrol fp for docs.google.com
> >
> > # sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
> > VIRUS NAME: MBL_17713260
> > TARGET TYPE: ANY FILE
> > OFFSET: *
> > DECODED SIGNATURE:
> > https://docs.google.com
> >
> > I don't even know what to do anymore. Is it worth it to keep malwarepatrol?
>
> I'm wondering this as well. That stuff pops up every other day.

As a follow-up, in response to a question as to why they just block
the specific URL and payload that triggered their detection, they
insisted it wasn't a false-positive because the malware was detected
by 12 other virus vendors. "Unfortunately, the file that serves the
malware in question is in the root directory of that domain.  That is
the reason why the entire docs[.]google[.]com website is blocked."

I love how they even had to obscure docs.google.com so their own
software doesn't block receipt of their own email.

It's not just bad experiences with them like this, it's also constant
download issues, zero-length files, malformed files, and failure to
reach their system at least every third day.


Re: [clamav-users] Latest report on update "delays"

2018-10-24 Thread Joel Esler (jesler)
If you are testing connectivity, please state what version of ClamAV you are 
using. 

If you are not using the most up-to-date version, please try that.

> On Oct 24, 2018, at 04:00, Michael Da Cova  wrote:
> 
> Hi
> 
>> On 24/10/2018 04:09, Dave Warren wrote:
>>> On Tue, Oct 23, 2018, at 11:50, Paul Kosinski wrote:
>>> "...it works smoothly for a very large number of people, myself
>>> included."
>>> 
>>> It would be interesting to know what percentage have experienced our
>>> original problem of all mirrors ending up blacklisted.
> 
> I still get the issue now and again; today's report is below. If I notice it,
> I remove the mirror.dat file.
> 
> Retrieving http://database.clamav.net/daily.cvd
> Ignoring mirror 104.16.187.138 (due to previous errors)
> Ignoring mirror 104.16.188.138 (due to previous errors)
> Ignoring mirror 104.16.185.138 (due to previous errors)
> Ignoring mirror 104.16.186.138 (due to previous errors)
> Ignoring mirror 104.16.189.138 (due to previous errors)
> Trying host database.clamav.net (2400:cb00:2048:1::6810:ba8a)...
> nonblock_connect: connect(): fd=4 errno=101: Network is unreachable
> 
> ~michael


Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Steve Basford


On Wed, October 24, 2018 9:05 am, Al Varnell wrote:
> I cannot argue that malware does not show up in Google Docs which is wide
> open to anybody that wants to post there, as I know it has occurred. Not
> sure how big a problem it has become for Google to police. I think it
> would be better if malwarepatrol were to list the specific site where the
> malware was reportedly found, rather than condemning the entire
> sub-domain.

Agreed

Plus as the signature name changes for the blocked domain... you'd have to
do something like:

grep "68747470733a2f2f646f63732e676f6f676c652e636f6d"| cut -d "=" -f1 >
mbl.ign2

... each time you download... and re-generate the whitelist name.



-- 
Cheers,

Steve
Twitter: @sanesecurity

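Steve's grep above keys the whitelist on the hex-encoded URL rather than on the signature name, so it keeps working when MalwarePatrol renames the signature. As an added example (not Steve's, Sane Security's or MalwarePatrol's code), here is the same idea in Python: it reproduces what `sigtool --decode-sigs` showed for MBL_17713260 earlier in the thread, then scans an .ndb-format file for every signature whose body contains the hex of the URL and renders the matching names in .ign2 format (one signature name per line). The sample database is constructed: the MBL entry is rebuilt from the decoded signature quoted in the thread, the second entry is made up. It assumes the feed is delivered as .ndb (Name:TargetType:Offset:HexSignature) and decodes only plain-hex bodies; bodies using wildcards are left undecoded.

```python
# Added example: regenerate an .ign2 whitelist from the URL a database blocks,
# independent of the signature name. Not ClamAV's or MalwarePatrol's code.

# Rebuilt from the sigtool output quoted in the thread: name, target type 0
# (any file), offset *, and the hex body that decodes to https://docs.google.com
NDB_MBL_LINE = "MBL_17713260:0:*:68747470733a2f2f646f63732e676f6f676c652e636f6d"


def hex_body(text: str) -> str:
    """Encode a string the way an .ndb body encodes literal bytes: lowercase hex."""
    return text.encode("utf-8").hex()


def decode_body(hexsig: str):
    """Inverse of hex_body for plain-hex bodies (what sigtool --decode-sigs prints).
    Returns None for bodies that use wildcards such as ?? or * and so are not pure hex."""
    try:
        return bytes.fromhex(hexsig).decode("latin-1")
    except ValueError:
        return None


def parse_ndb(text: str) -> list:
    """Parse .ndb lines: Name:TargetType:Offset:HexSignature. Comments and blanks are skipped."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, body = line.split(":", 3)
        sigs.append({"name": name, "target": target, "offset": offset, "body": body})
    return sigs


def body_contains(hexsig: str, needle_hex: str) -> bool:
    """True if the needle occurs in the body at an even nibble offset, i.e. as whole bytes.
    A plain substring search (or grep) also matches at odd offsets, which is a
    different byte sequence and would whitelist an unrelated signature."""
    h, n = hexsig.lower(), needle_hex.lower()
    i = h.find(n)
    while i != -1:
        if i % 2 == 0:
            return True
        i = h.find(n, i + 1)
    return False


def whitelist_names(ndb_text: str, url: str) -> list:
    """Names of every signature whose body carries the URL, in file order, deduplicated."""
    needle = hex_body(url)
    names = []
    for sig in parse_ndb(ndb_text):
        if body_contains(sig["body"], needle) and sig["name"] not in names:
            names.append(sig["name"])
    return names


def render_ign2(names: list) -> str:
    """.ign2 format: one signature name per line."""
    return "".join(name + "\n" for name in names)


# Constructed sample database: the MBL entry above plus a made-up entry that
# must not be whitelisted for docs.google.com.
NDB_SAMPLE = NDB_MBL_LINE + "\n" + "Example.Constructed-1:0:*:" + hex_body("https://example.org") + "\n"

if __name__ == "__main__":
    print(decode_body(parse_ndb(NDB_MBL_LINE)[0]["body"]))  # https://docs.google.com
    # Write this to mbl.ign2 in the database directory after each download.
    print(render_ign2(whitelist_names(NDB_SAMPLE, "https://docs.google.com")), end="")
```

The even-offset check in body_contains is the one thing a bare grep on the hex string does not give you: the same hex digits at an odd nibble position encode different bytes, so a raw substring match can pull an unrelated signature into the whitelist.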


Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
* Al Varnell :

> I cannot argue that malware does not show up in Google Docs which is
> wide open to anybody that wants to post there,

Amen to that!

> as I know it has occurred. Not sure how big a problem it has become for
> Google to police. I think it would be better if malwarepatrol were to
> list the specific site where the malware was reportedly found, rather
> than condemning the entire sub-domain.

-- 
Ralf Hildebrandt                     Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de          Campus Benjamin Franklin
https://www.charite.de               Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk   fon: +49-30-450.570.155



Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Al Varnell
I cannot argue that malware does not show up in Google Docs which is wide open 
to anybody that wants to post there, as I know it has occurred. Not sure how 
big a problem it has become for Google to police. I think it would be better if 
malwarepatrol were to list the specific site where the malware was reportedly 
found, rather than condemning the entire sub-domain.

-Al-

On Wed, Oct 24, 2018 at 01:00 AM, Ralf Hildebrandt wrote:
> * Alex:
>> Another malwarepatrol fp for docs.google.com 
>> 
>> # sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
>> VIRUS NAME: MBL_17713260
>> TARGET TYPE: ANY FILE
>> OFFSET: *
>> DECODED SIGNATURE:
>> https://docs.google.com 
>> 
>> I don't even know what to do anymore. Is it worth it to keep malwarepatrol?
> 
> I'm wondering this as well. That stuff pops up every other day.




Re: [clamav-users] [ext] Re: MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
* Alex :
> Hi,
> 
> Thought I'd follow up with the response from Malwarepatrol:
> 
> "The classification of a sample hosted on that domain, according to
> MBL# 17713260 (MD5: 88a1265b2f954a1fb06b6a67f198645e9617007e), is
> backed by 12 anti-virus products. Therefore, this is not a false
> positive.
> 
> There is no reason to believe that the Google infrastructure doesn't
> host malware. In case you still don't want or can't block such domain,
> we advise you to whitelist it before applying our block lists."

Fucking idiots.



Re: [clamav-users] [ext] MBL_17713260 false positive!

2018-10-24 Thread Ralf Hildebrandt
* Alex :
> Another malwarepatrol fp for docs.google.com
> 
> # sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
> VIRUS NAME: MBL_17713260
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://docs.google.com
> 
> I don't even know what to do anymore. Is it worth it to keep malwarepatrol?

I'm wondering this as well. That stuff pops up every other day.




Re: [clamav-users] Latest report on update "delays"

2018-10-24 Thread Michael Da Cova
Hi

On 24/10/2018 04:09, Dave Warren wrote:
> On Tue, Oct 23, 2018, at 11:50, Paul Kosinski wrote:
>> "...it works smoothly for a very large number of people, myself
>> included."
>>
>> It would be interesting to know what percentage have experienced our
>> original problem of all mirrors ending up blacklisted.

I still get the issue now and again; today's report is below. If I notice it,
I remove the mirror.dat file.

Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 104.16.187.138 (due to previous errors)
Ignoring mirror 104.16.188.138 (due to previous errors)
Ignoring mirror 104.16.185.138 (due to previous errors)
Ignoring mirror 104.16.186.138 (due to previous errors)
Ignoring mirror 104.16.189.138 (due to previous errors)
Trying host database.clamav.net (2400:cb00:2048:1::6810:ba8a)...
nonblock_connect: connect(): fd=4 errno=101: Network is unreachable

~michael