Re: [clamav-users] Updates from ClamAV blocked by Cloudflare

2018-11-06 Thread Gary R. Schmidt

On 2018-11-07 13:57, twee...@secmail.pro wrote:

https://notabug.org/themusicgod1/cloudflare-tor/issues/32
http://forums.clamwin.com/viewtopic.php?t=4915

What now? How can I update my computer?

What you should do is find out *why* cloudflare has banned your IP 
address, and get that fixed, because if you are on a ban list then you 
will find that more and more sites will refuse to accept connections.


Short term - use a machine that is not on a blocked IP address to 
download items, and transfer them manually.


Cheers,
GaryB-)
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Updates from ClamAV blocked by Cloudflare

2018-11-06 Thread Al Varnell
Look under “Virus Definitions” here. Download 
daily.cvd and replace the daily.cld file with it.

Sent from my iPad

-Al-
ClamXAV user

> On Nov 6, 2018, at 18:57, twee...@secmail.pro wrote:
> 
> https://notabug.org/themusicgod1/cloudflare-tor/issues/32
> http://forums.clamwin.com/viewtopic.php?t=4915
> 
> What now? How can I update my computer?
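Gary's workaround (download on an unblocked machine and carry the file over) and Al's tip (replace daily.cld with a downloaded daily.cvd) both end with a file copied into the database directory by hand. The added shell example below, which is not from the thread or the ClamAV project, checks such a file's 512-byte CVD header before it replaces the installed one; the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a daily.cvd fetched on an
# unblocked machine before it replaces daily.cld. Every .cvd/.cld starts with
# a 512-byte, colon-separated header:
#   ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>
# Only the header is parsed here; clamd checks the digital signature itself
# when it loads the file (sigtool --info prints the same fields).

# Print header field $2 (1-based) of database file $1, without padding.
cvd_field() {
    dd if="$1" bs=512 count=1 2>/dev/null | cut -d: -f"$2" | tr -d ' \n'
}

# A plausible database: readable, right magic, numeric version number.
cvd_is_valid() {
    [ -r "$1" ] || return 1
    [ "$(cvd_field "$1" 1)" = "ClamAV-VDB" ] || return 1
    case "$(cvd_field "$1" 3)" in ''|*[!0-9]*) return 1 ;; esac
}

# Succeed only if $1 is a valid database and not older than the installed
# file $2 (a missing $2 is fine: first install). Reasons go to stderr.
cvd_ok_to_install() {
    new="$1"; cur="$2"
    cvd_is_valid "$new" || { echo "$new: not a ClamAV database" >&2; return 1; }
    if cvd_is_valid "$cur"; then
        newver=$(cvd_field "$new" 3); curver=$(cvd_field "$cur" 3)
        if [ "$newver" -lt "$curver" ]; then
            echo "$new is version $newver, older than installed $curver" >&2
            return 1
        fi
    fi
    echo "$new: version $(cvd_field "$new" 3), $(cvd_field "$new" 4) sigs, f-level $(cvd_field "$new" 5)"
}

# Usage (assumed paths): sh check-cvd.sh /tmp/daily.cvd /var/lib/clamav/daily.cld
if [ $# -ge 2 ]; then cvd_ok_to_install "$1" "$2"; fi
```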


[clamav-users] Updates from ClamAV blocked by Cloudflare

2018-11-06 Thread tweeter
https://notabug.org/themusicgod1/cloudflare-tor/issues/32
http://forums.clamwin.com/viewtopic.php?t=4915

What now? How can I update my computer?



Re: [clamav-users] Clam user has read permissions, but I still get "lstat() failed: Permission denied"

2018-11-06 Thread Doug Ingham
Sorry for the delay in replying, and many thanks to those who did.

On Tue, 30 Oct 2018 at 19:08, Scott Kitterman wrote:

> Did you explicitly remove Apparmor?  It's shipped by default in Ubuntu and the
> Ubuntu clamav has an Apparmor profile included.
>

That was exactly it! I was unaware of Apparmor now coming enabled by
default. It's the first time it's ever caused me any issues.

For anyone looking for a fix in the future, do the following:
1. Uncomment the local config include at the bottom of
"/etc/apparmor.d/usr.sbin.clamd"
2. Add the system paths clamd should have access to in
"/etc/apparmor.d/local/usr.sbin.clamd"
3. Reload the apparmor service

Many thanks for your help all!
-- 
Doug
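The three steps above as a script, added here as an example and not taken from the thread or the Ubuntu/ClamAV packages. It assumes the stock profile carries the local include commented out with an extra "#" (in AppArmor syntax "#include <...>" is the active directive); point PROFILE_DIR at a scratch copy to dry-run without touching /etc/apparmor.d.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the three-step AppArmor fix for
# Ubuntu's clamd profile. The exact commented-out form of the include line in
# the stock profile is an assumption; the sed below turns both
# "##include <local/...>" and "# #include <local/...>" back into the active
# "#include" directive.
PROFILE_DIR="${PROFILE_DIR:-/etc/apparmor.d}"   # scratch copy here to dry-run

# Step 1: uncomment the local include at the bottom of usr.sbin.clamd and
# confirm it is now active (fails if the profile has no such line at all).
enable_local_include() {
    profile="$1/usr.sbin.clamd"
    sed -i 's|^\([[:space:]]*\)#[[:space:]]*\(#include <local/usr\.sbin\.clamd>\)|\1\2|' "$profile"
    grep -q '^[[:space:]]*#include <local/usr\.sbin\.clamd>' "$profile" \
        || { echo "$profile: no local include line found" >&2; return 1; }
}

# Step 2: grant clamd read access to a directory tree through the local
# override file, leaving the packaged profile untouched for future upgrades.
allow_clamd_read() {
    dir="$1"; tree="${2%/}"
    case "$tree" in /?*) ;; *) echo "need an absolute path, got '$2'" >&2; return 1 ;; esac
    mkdir -p "$dir/local"
    for rule in "$tree/ r," "$tree/** r,"; do
        # Idempotent: append a rule only if that exact line is not there yet.
        grep -qxF "$rule" "$dir/local/usr.sbin.clamd" 2>/dev/null \
            || printf '%s\n' "$rule" >> "$dir/local/usr.sbin.clamd"
    done
}

# Step 3: reload the apparmor service so the profile change takes effect.
# Only done against the live directory; a scratch copy just reports.
reload_apparmor() {
    if [ "$1" = /etc/apparmor.d ]; then
        systemctl reload apparmor
    else
        echo "dry-run against $1: would run 'systemctl reload apparmor'"
    fi
}

apply_fix() {
    enable_local_include "$1" && allow_clamd_read "$1" "$2" && reload_apparmor "$1"
}

# Usage: sudo sh clamd-apparmor-fix.sh /srv/www
#   or:  PROFILE_DIR=/tmp/apparmor-copy sh clamd-apparmor-fix.sh /srv/www
if [ $# -gt 0 ]; then apply_fix "$PROFILE_DIR" "$1"; fi
```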


Re: [clamav-users] Specify more servers for clamdscan to pass for scanning

2018-11-06 Thread Micah Snyder (micasnyd)
Very interesting Kris!


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Nov 5, 2018, at 12:37 PM, Kris Deugau <kdeu...@vianet.ca> wrote:

Brent Clark wrote:
Good day guys,
I have set up two clamd servers.
On my webservers, I need to stream a file to clamd for scanning.
I would like to ask, how would I specify two TCPAddr?
If I specify just one server, everything works OK.
I've tried various options and Google does not appear to be of assistance.
How does one specify more than one server for scanning?
I would like to use this as a poor man's "fail over", so that if one server is 
down, clamscan will move on to the next server.

We use Linux LVM load balancing to group "many" processing nodes (currently 
two, although we've had more on older hardware in the past) into one logical 
service.  You can then point your clamdscan (or clamav-milter) callers to the 
load-balanced IP.

-kgd


Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Micah Snyder (micasnyd)
Thanks Luca for investigating the false negative reports and submitting them to 
our malware research team.  These reports really help, even if you don't 
necessarily get feedback on the reports.

Kind regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Nov 6, 2018, at 11:10 AM, Luca Moscato <l...@funambol.com> wrote:


Thanks to everyone, by adding some extra signatures the found rate has 
increased, only a little, but it has increased and this is good news.

Luca

On 06/11/18 15:27, Joel Esler (jesler) wrote:


On Nov 6, 2018, at 4:46 AM, Luca Moscato <l...@funambol.com> wrote:

Question 1 - Is this process correct to send samples?


Please update the version of clamsubmit you are using.  You are several 
versions behind.





Re: [clamav-users] About clamav's requirements for system resources

2018-11-06 Thread Micah Snyder (micasnyd)

Thanks Graeme,

That is helpful.  I'm definitely not familiar with how to use Exim with ClamAV. 
 I had been hoping to set up a page on how to integrate ClamAV with other 
applications.  Putting details from this at the top of a guide for Exim would 
be useful.  If you have the time to do a short write-up on the setup for Exim 
that'd be pretty sweet.

The same applies to anyone else using ClamAV with other applications.  We'd 
really love your help documenting how to get new users started.

-Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Nov 5, 2018, at 12:12 PM, Graeme Fowler <g.e.fow...@lboro.ac.uk> wrote:

Not milter, but Exim calls ClamAV using the SCAN command when using a UNIX 
socket, or zINSTREAM for TCP sockets.

I've got 3 'clusters' (loosely coupled groups, more accurately) of VMs of 
differing roles with slightly differing setups here at Loughborough Uni.


  *   CentOS 6 MX servers with a small number of custom sig files - consuming 
around 2GB RAM per clamd instance, scanning around 25-100k messages each per 
day. ClamAV MaxThreads set to greater than the max permitted number of inbound 
simultaneous SMTP connections, with a short pending queue.

  *   CentOS 7 MX servers with stock ClamAV sigs - consuming around 1.5GB RAM 
per clamd instance, scanning around 15-75k messages each per day. ClamAV 
MaxThreads set to greater than the max permitted number of inbound connections 
with a small, but a short pending queue.

  *   CentOS 6 MTA (outbound) servers with stock ClamAV sigs - consuming around 
2GB RAM per clamd instance, scanning around 25-100k messages each per day. 
ClamAV MaxThreads set to less than the max permitted number of inbound 
simultaneous SMTP connections, with a long pending queue where (pending + 
active) = max inbound SMTP connections.

Each of these groups is the same in 'hardware' terms - 4 cores, 8GB RAM. They 
normally don't break a sweat.

From memory, we had a single instance in the last 12 months where the kernel 
OOM killer was invoked and killed off clamd after an external 3rd party 
attempted to exploit a web form on one of our websites; the form sent several 
hundred thousand messages via one of the MTA servers which got a touch upset. 
We never did work out why.

Is that helpful in any way?

Graeme



From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of "Micah Snyder (micasnyd)" <micas...@cisco.com>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Monday, 5 November 2018 at 15:14
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] About clamav's requirements for system resources

At this time, we don't have recommendations for those using clamav-milter in 
conjunction with a mail server under any amount of load.  I'd be interested to 
hear from the community what your experience has been with real-world milter 
applications.




Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Luca Moscato
Thanks to everyone, by adding some extra signatures the found rate has 
increased, only a little, but it has increased and this is good news.


Luca

On 06/11/18 15:27, Joel Esler (jesler) wrote:



On Nov 6, 2018, at 4:46 AM, Luca Moscato wrote:


Question 1 - Is this process correct to send samples?



Please update the version of clamsubmit you are using.  You are 
several versions behind.




Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Joel Esler (jesler)


On Nov 6, 2018, at 4:46 AM, Luca Moscato <l...@funambol.com> wrote:

Question 1 - Is this process correct to send samples?


Please update the version of clamsubmit you are using.  You are several 
versions behind.


Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Al Varnell
Luca

It's possible that some of the failure to detect is due to your using an 
outdated version of ClamAV. Some signatures only work with more recent versions. 
You should probably focus on upgrading before submitting any undetected samples.

-Al-
ClamXAV User

On Tue, Nov 06, 2018 at 01:46 AM, Luca Moscato wrote:
> Hi everyone, one of our customers notified us that the AV we use (clamav of 
> course) does not detect some of the malware downloadable from das malwerk used 
> for testing.
> 
> Pretty strange situation, so we decided to download all the malware from that 
> site and send it as samples using the command line interface
> 
> [luca@amazon-ami:~]$ clamsubmit -n 
> /home/luca/malware/d77aca7d-f9f1-11e7-b482-80e65024849a.file -N luca -e 
> l...@funambol.com 
> 
> 
> 302 Found
> 
> Found
> The document has moved http://www.clamav.net/sendmalware.cgi 
> ">here.
> 
> [luca@amazon-ami:~]$
> 
> Question 1 - Is this process correct to send samples?
> 
> Question 2 - How much time is required to validate a sample and get the A/V 
> db updated? Days? Months?
> 
> Some notes:
> 
> - I'm using Amazon linux and clamav version available in amz linux repo, db 
> should be updated with freshclam
> 
> [luca@amazon-ami:~]$ sudo freshclam
> ClamAV update process started at Tue Nov  6 09:36:41 2018
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99.4 Recommended version: 0.100.2
> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav 
> 
> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: 
> sigmgr)
> daily.cld is up to date (version: 25095, sigs: 2143057, f-level: 63, builder: 
> neo)
> bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
> 
> - I have all the links and a script (see attachment) to quickly download all 
> the stuff from das_malwerk
> 
> - Actually a scan of all the stuff retrieved from that website has these 
> results, while I expect to have 100%
> 
> --- SCAN SUMMARY ---
> Known viruses: 6702413
> Engine version: 0.99.4
> Scanned directories: 1
> Scanned files: 1488
> Infected files: 964
> Data scanned: 1125.26 MB
> Data read: 1195.11 MB (ratio 0.94:1)
> Time: 361.283 sec (6 m 1 s)
> 
> 
> Thanks and have a nice day
> 
> Luca


Re: [clamav-users] Question about sending sample process

2018-11-06 Thread Arnaud Jacques

Hello Luca,

If I remember correctly, clamsubmit only works since versions 0.100.x of 
ClamAV. It seems you are still using version 0.99.4.



> Question 1 - Is this process correct to send samples?

Yes it is.

> Question 2 - How much time is required to validate a sample and get 
> the A/V db updated? Days? Months?

Depending on many things on the ClamAV team's side, it can take just a few 
hours, or days, or ... never.

> - Actually a scan of all the stuff retrieved from that website has 
> these results while I expect to have 100%

If you expect 100% detection, please use at least the latest version of 
ClamAV.

And some 3rd party signatures can help to get full detection:
https://sanesecurity.com
http://ow.ly/LqfdL

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Telephone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois



[clamav-users] Question about sending sample process

2018-11-06 Thread Luca Moscato
Hi everyone, one of our customers notified us that the AV we use (clamav 
of course) does not detect some of the malware downloadable from das malwerk 
used for testing.


Pretty strange situation, so we decided to download all the malware from 
that site and send it as samples using the command line interface


[luca@amazon-ami:~]$ clamsubmit -n 
/home/luca/malware/d77aca7d-f9f1-11e7-b482-80e65024849a.file -N luca -e 
l...@funambol.com



302 Found

Found
The document has moved href="http://www.clamav.net/sendmalware.cgi";>here.


[luca@amazon-ami:~]$

Question 1 - Is this process correct to send samples?

Question 2 - How much time is required to validate a sample and get the 
A/V db updated? Days? Months?


Some notes:

- I'm using Amazon Linux and the clamav version available in the amz linux repo, 
the db should be updated with freshclam


[luca@amazon-ami:~]$ sudo freshclam
ClamAV update process started at Tue Nov  6 09:36:41 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.99.4 Recommended version: 0.100.2
DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, 
builder: sigmgr)
daily.cld is up to date (version: 25095, sigs: 2143057, f-level: 63, 
builder: neo)
bytecode.cld is up to date (version: 327, sigs: 91, f-level: 63, 
builder: neo)


- I have all the links and a script (see attachment) to quickly download all 
the stuff from das_malwerk


- Actually a scan of all the stuff retrieved from that website has these 
results, while I expect to have 100%


--- SCAN SUMMARY ---
Known viruses: 6702413
Engine version: 0.99.4
Scanned directories: 1
Scanned files: 1488
Infected files: 964
Data scanned: 1125.26 MB
Data read: 1195.11 MB (ratio 0.94:1)
Time: 361.283 sec (6 m 1 s)


Thanks and have a nice day

Luca
