Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 22 Aug 2021, Mark Pizzolato via clamav-users wrote:

> ... Previous portable zip files included a README.md, a NEWS.md and
> UserManual.html (in addition to what’s in the now html directory
> which previously was called UserManual).
>
> I never worried about what’s in these files or directories ...


:):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):)

--

73,
Ged.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread Zvi Kave via clamav-users

  
  
Hi Ged,

Sorry. I hope you have some hair yet.

I understand that I have to be patient.

Thank you,

Zvi


On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
>
>> I found that yara strings like this: $re = /[0-9]{9}/
>>
>> find only first 9-digit match in file.
>>
>> This spoils my logic ...
>
> After tearing out most of what remains of my hair over Yara rules in
> ClamAV, my advice is not to try anything fancy until the Yara engine
> is completely replaced.  My list of the faults in it keeps on growing,
> and AFAICT there's no prospect of any attention being paid to them in
> the foreseeable future.  As you have seen there are reports going back
> years.  If I had time I'd do it myself, but I don't.  I've reached the
> point where I code Yara rules in as simple a way as I possibly can and
> every time I add a new rule or modify an existing one I hope not to
> find another fault in the engine.  Sometimes I've spent hours trying
> to get it to do a single match correctly and finally given up.  It's a
> terrible shame, because (here at least) Yara rules by a very long way
> find more spam and malicious mail content than anything else:
>
> $ grep FOUND /var/log/mail.debug | wc -l
> 60072
> $ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
> 11530
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
> 2876
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)' | wc -l
> 20
> $
>
> This is a single mail server, approximately 19 days of August 2021.
> I'd consider it a low-volume site.  For whatever reasons we see very
> little malicious mail, rarely more than two or three items of malware
> in a typical day, but quite a lot of spam.  I don't know how this
> compares with the experience of other people here on the list.
  




Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Joel Esler (jesler) via clamav-users
I’m a fan of the thought of removing the user manual completely from the 
downloaded packages and including a link to docs.ClamAV.net.   Since that’s 
more dynamic. 

—
Sent from my iPhone

> On Aug 22, 2021, at 04:22, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
>> On Sun, 22 Aug 2021, Mark Pizzolato via clamav-users wrote:
>> 
>> ... Previous portable zip files included a README.md, a NEWS.md and
>> UserManual.html (in addition to what’s in the now html directory
>> which previously was called UserManual).
>> I never worried about what’s in these files or directories ...
> 
> :):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):):)
> 
> -- 
> 
> 73,
> Ged.
> 



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:

> I’m a fan of the thought of removing the user manual completely from
> the downloaded packages and including a link to docs.ClamAV.net.
> Since that’s more dynamic.

But not so easy to pipe through 'grep'.

--

73,
Ged.



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Arjen de Korte via clamav-users

Quoting "G.W. Haywood via clamav-users":

> Hi there,
>
> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>
>> I’m a fan of the thought of removing the user manual completely from
>> the downloaded packages and including a link to docs.ClamAV.net.
>> Since that’s more dynamic.
>
> But not so easy to pipe through 'grep'.

There is a search button on the website...






Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Arjen de Korte via clamav-users
Quoting "Joel Esler (jesler) via clamav-users":

> I’m a fan of the thought of removing the user manual completely from
> the downloaded packages and including a link to docs.ClamAV.net.
> Since that’s more dynamic.

I wouldn't be too heartbroken if that happened. For the 0.104.0
release, we will package the HTML documentation in a separate
subpackage anyway.





Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Arjen de Korte via clamav-users

Quoting "Micah Snyder (micasnyd)":

> I've run into this issue with the fixed port # on our test systems
> occasionally as well.  I think I can identify an open port in the
> python code to make it more reliable, but haven't had time to try it.

I'm not sure if it is worth the effort. It seems to happen infrequently
enough not to be a serious problem. The openSUSE build service will
retry building after failures automatically anyway, so this is
certainly not a blocking issue for me.





Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 22 Aug 2021, Arjen de Korte via clamav-users wrote:

> Quoting "G.W. Haywood via clamav-users":
>
>> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>>
>>> I’m a fan of the thought of removing the user manual completely from
>>> the downloaded packages and including a link to docs.ClamAV.net.
>>> Since that’s more dynamic.
>>
>> But not so easy to pipe through 'grep'.
>
> There is a search button on the website...

And if the site is inaccessible?

--

73,
Ged.



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Joel Esler (jesler) via clamav-users
I could work about the .0001% or the time that github is inaccessible in a 
given time, or I could save maintaining the docs in two places.  

—
Sent from my iPhone

> On Aug 22, 2021, at 10:55, G.W. Haywood via clamav-users 
>  wrote:
> 
> Hi there,
> 
> On Sun, 22 Aug 2021, Arjen de Korte via clamav-users wrote:
>> Quoting "G.W. Haywood via clamav-users":
>>> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>>>> I’m a fan of the thought of removing the user manual completely from
>>>> the downloaded packages and including a link to docs.ClamAV.net.
>>>> Since that’s more dynamic.
>>> But not so easy to pipe through 'grep'.
>> 
>> There is a search button on the website...
> 
> And if the site is inaccessible?
> 
> -- 
> 
> 73,
> Ged.
> 



Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread Richard Graham via clamav-users
Hi,

I'm wondering if the --allmatch option/switch is useful here.

Regards,
R

On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi Ged,
>
>
> Sorry. I hope you have some hair yet.
>
> I understand that I have to be patient.
>
>
> Thank you,
>
>
> Zvi
>
>
> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
>
> Hi there,
>
> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
>
> I found that yara strings like this: $re = /[0-9]{9}/
>
> find only first 9-digit match in file.
>
> This spoils my logic ...
>
>
> After tearing out most of what remains of my hair over Yara rules in
> ClamAV, my advice is not to try anything fancy until the Yara engine
> is completely replaced.  My list of the faults in it keeps on growing,
> and AFAICT there's no prospect of any attention being paid to them in
> the foreseeable future.  As you have seen there are reports going back
> years.  If I had time I'd do it myself, but I don't.  I've reached the
> point where I code Yara rules in as simple a way as I possibly can and
> every time I add a new rule or modify an existing one I hope not to
> find another fault in the engine.  Sometimes I've spent hours trying
> to get it to do a single match correctly and finally given up.  It's a
> terrible shame, because (here at least) Yara rules by a very long way
> find more spam and malicious mail content than anything else:
>
> $ grep FOUND /var/log/mail.debug | wc -l
> 60072
> $ grep FOUND /var/log/mail.debug | grep -v YARA | wc -l
> 11530
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\)' | wc -l
> 2876
> $ grep FOUND /var/log/mail.debug | grep -v '\(YARA\|MANUAL\|UNOFFICIAL\)'
> | wc -l
> 20
> $
>
> This is a single mail server, approximately 19 days of August 2021.
> I'd consider it a low-volume site.  For whatever reasons we see very
> little malicious mail, rarely more than two or three items of malware
> in a typical day, but quite a lot of spam.  I don't know how this
> compares with the experience of other people here on the list.
>
>
>



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Joel Esler (jesler) via clamav-users
I could worry about the .0001% of the time*

—
Sent from my iPhone

> On Aug 22, 2021, at 13:48, Joel Esler (jesler)  wrote:
> 
> I could work about the .0001% or the time that github is inaccessible in 
> a given time, or I could save maintaining the docs in two places.  
> 
> — 
> Sent from my  iPhone
> 
>> On Aug 22, 2021, at 10:55, G.W. Haywood via clamav-users 
>>  wrote:
>> 
>> Hi there,
>> 
>> On Sun, 22 Aug 2021, Arjen de Korte via clamav-users wrote:
>>> Quoting "G.W. Haywood via clamav-users":
>>>> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>>>>> I’m a fan of the thought of removing the user manual completely from
>>>>> the downloaded packages and including a link to docs.ClamAV.net.
>>>>> Since that’s more dynamic.
>>>> But not so easy to pipe through 'grep'.
>>> 
>>> There is a search button on the website...
>> 
>> And if the site is inaccessible?
>> 
>> -- 
>> 
>> 73,
>> Ged.
>> 



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:

> On Aug 22, 2021, at 10:55, G.W. Haywood via clamav-users wrote:
>
>> On Sun, 22 Aug 2021, Arjen de Korte via clamav-users wrote:
>>
>>> Quoting "G.W. Haywood via clamav-users":
>>>
>>>> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>>>>
>>>>> I’m a fan of the thought of removing the user manual completely from
>>>>> the downloaded packages and including a link to docs.ClamAV.net.
>>>>> Since that’s more dynamic.
>>>>
>>>> But not so easy to pipe through 'grep'.
>>>
>>> There is a search button on the website...
>>
>> And if the site is inaccessible?
>
> I could worry about the .0001% of the time that github is inaccessible ...


Good job you're not a coder.  What about when the Internet connection
at the client's end is down?  Here, in the English midlands, the heart
of British industry, that's like five times a day for anywhere between
ten minutes and half an hour.

--

73,
Ged.



Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 22 Aug 2021, Richard Graham via clamav-users wrote:

> On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave wrote:
>
>> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
>>
>>> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
>>>
>>>> I found that yara strings like this: $re = /[0-9]{9}/
>>>> find only first 9-digit match in file.
>>>> This spoils my logic ...
>>>
>>> ... my advice is not to try anything fancy ...
>>
>> I understand that I have to be patient.
>
> I'm wondering if the --allmatch option/switch is useful here.

Unfortunately I'm afraid it's a different issue.  Yara rules don't
necessarily produce a match (one which ClamAV would report as FOUND)
even if there are strings in the Yara rules which _do_ in fact match.
The point is that you can (or should be able to) tell Yara things like
"count the number of times the string is found in the text, and report
if there are more than 23 of them".  This sort of thing will sometimes
work with the Yara engine in ClamAV, but my experience is that it's at
the fancy end of the scale and I've spent hours trying to get things
to work which would seem to be trivial exercises in regexes and logic.

--

73,
Ged.

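As an added illustration (not code from the thread, from ClamAV or from YARA), the following Python script models the difference Ged describes: a constructed rule in the shape he mentions, `#re > 23`, is evaluated both under standard YARA counting (every occurrence of `$re` counts) and under the first-match-only behaviour Zvi reports, over a constructed sample of 30 nine-digit numbers. The rule text, the threshold and the sample are assumptions for the demonstration; nothing here invokes clamscan or yara.

```python
import re

# Constructed example rule in the shape Ged describes: fire only when a
# nine-digit string occurs more than 23 times.  This rule text is assumed
# for illustration and is not from the thread.  Standard YARA evaluates
# "#re" as the total number of occurrences of $re in the scanned data.
RULE = r"""
rule many_nine_digit_numbers
{
    strings:
        $re = /[0-9]{9}/
    condition:
        #re > 23
}
"""

THRESHOLD = 23
NINE_DIGITS = re.compile(rb"[0-9]{9}")


def count_all_matches(data: bytes) -> int:
    """Standard YARA semantics for #re: every occurrence is counted.

    Matches are taken left to right without overlap; the sample below keeps
    each number separated by non-digit bytes so overlap never arises.
    """
    return sum(1 for _ in NINE_DIGITS.finditer(data))


def count_first_match_only(data: bytes) -> int:
    """Models the behaviour Zvi reports: the engine stops at the first hit."""
    return 1 if NINE_DIGITS.search(data) else 0


def rule_fires(count: int, threshold: int = THRESHOLD) -> bool:
    """The condition '#re > 23' applied to whichever count the engine produced."""
    return count > threshold


def evaluate(data: bytes) -> dict:
    """Return what each model of the engine would conclude for the same input."""
    full = count_all_matches(data)
    first = count_first_match_only(data)
    return {
        "standard_count": full,
        "standard_fires": rule_fires(full),
        "first_only_count": first,
        "first_only_fires": rule_fires(first),
    }


# Constructed sample: 30 distinct nine-digit numbers, one per line, each
# separated from its neighbours by non-digit bytes.
SAMPLE = b"".join(b"ref %09d;\n" % n for n in range(100000000, 100000030))

if __name__ == "__main__":
    # Standard counting fires the rule (30 > 23); first-match-only never
    # can, because its count is capped at 1 regardless of the file.
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value}")
```

A rule whose condition depends on `#re` therefore cannot be debugged by looking at whether a single string matches; the count itself has to be checked.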


Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread Richard Graham via clamav-users
Hi,

Very interesting!  Thanks!

R

On Sun, Aug 22, 2021 at 9:10 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Sun, 22 Aug 2021, Richard Graham via clamav-users wrote:
> > On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave wrote:
> >> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:
> >>> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:
> 
> >>>> I found that yara strings like this: $re = /[0-9]{9}/
> >>>> find only first 9-digit match in file.
> >>>> This spoils my logic ...
> >>>
> >>> ... my advice is not to try anything fancy ...
> >>
> >> I understand that I have to be patient.
> >
> > I'm wondering if the --allmatch option/switch is useful here.
>
> Unfortunately I'm afraid it's a different issue.  Yara rules don't
> necessarily produce a match (one which ClamAV would report as FOUND)
> even if there are strings in the Yara rules which _do_ in fact match.
> The point is that you can (or should be able to) tell Yara things like
> "count the number of times the string is found in the text, and report
> if there are more than 23 of them".  This sort of thing will sometimes
> work with the Yara engine in ClamAV, but my experience is that it's at
> the fancy end of the scale and I've spent hours trying to get things
> to work which would seem to be trivial exercises in regexes and logic.
>
> --
>
> 73,
> Ged.
>
>



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Mark Pizzolato - Clamav-Win32 via clamav-users
On Sunday, August 22, 2021 at 11:48 AM, G.W. Haywood via clamav-users wrote:
> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>
>> On Aug 22, 2021, at 10:55, G.W. Haywood via clamav-users wrote:
>>
>>> On Sun, 22 Aug 2021, Arjen de Korte via clamav-users wrote:
>>>
>>>> Quoting "G.W. Haywood via clamav-users":
>>>>
>>>>> On Sun, 22 Aug 2021, Joel Esler (jesler) via clamav-users wrote:
>>>>>
>>>>>> I’m a fan of the thought of removing the user manual completely
>>>>>> from the downloaded packages and including a link to
>>>>>> docs.ClamAV.net.
>>>>>> Since that’s more dynamic.
>>>>>
>>>>> But not so easy to pipe through 'grep'.
>>>>
>>>> There is a search button on the website...
>>>
>>> And if the site is inaccessible?
>>
>> I could worry about the .0001% of the time that github is inaccessible
>> ...
>
> Good job you're not a coder.  What about when the Internet connection at
> the client's end is down?  Here, in the English midlands, the heart of British
> industry, that's like five times a day for anywhere between ten minutes and
> half an hour.

It seems to me that these zip or other specifically prebuilt packages on the 
ClamAV website's download pages serve the needs of those folks doing a 
manual version update.  In general, this means that you're merely replacing 
the useful binary files and hardly ever changing the configuration of either 
clamd or freshclam.  

Someone doing an initial installation has various other things to think about 
relating to configuration setup which MAY find total documentation 
useful.  The web site serves that purpose very well.  Meanwhile, the 
conf_examples directory contains a very useful starting point for anyone who
may actually start from that container (zip or otherwise) if they're actually 
doing an initial install and configuration without the benefit of immediate 
proximate Internet access.

- Mark Pizzolato



[clamav-users] Regarding Clam AV latest Signature on Ubuntu 18.04 OS

2021-08-22 Thread Amey Lele via clamav-users
Hi Team,

We have installed the Clam AV on Ubuntu 18.04 OS, however it is showing "An
update is available". We are trying to update the signature however it is
not updating, I think it is updated to the latest one but showing this
message .

Please advise how to check the latest signature version on Ubuntu 18.04
version and how to update the same if it is not updated.

Awaiting your response.





-- 
Regards,
Amey Lele
mobile: 9850093736



Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!

2021-08-22 Thread Paul Kosinski via clamav-users
On Sun, 22 Aug 2021 14:42:06 +
"Joel Esler (jesler) via clamav-users" wrote:

> I’m a fan of the thought of removing the user manual completely from the 
> downloaded packages and including a link to docs.ClamAV.net.   Since that’s 
> more dynamic. 


I think that's a bad idea for three reasons:

First, the Website might be (temporarily) inaccessible.

Second, the machine running ClamAV may be blocked from accessing the Internet 
in general. E.g., our mail server runs ClamAV, but is explicitly blocked from 
general outbound Internet access by IPtables (except for the few anycast IP 
addresses needed for DB updates). It's an application of the "principle of 
least privilege".

Finally, if the documentation is "dynamic", it presumably is for the latest 
release, probably the latest "official" release. If that is the case, how can 
somebody use those docs to diagnose a problem with a slightly older release 
that's still supposed to be usable? Aren't most problems due to 
misunderstanding, bad configuration or other user caused issues that won't be 
solved by simply upgrading? In other words, aren't the docs really specific to 
a particular release? (This is especially important for beta releases like 
0.104.)



Re: [clamav-users] Yara regular expression finds only first match in ClamAV ?

2021-08-22 Thread Paul Kosinski via clamav-users
On Sun, 22 Aug 2021 20:10:00 +0100 (BST)
"G.W. Haywood via clamav-users" wrote:

> Hi there,
> 
> On Sun, 22 Aug 2021, Richard Graham via clamav-users wrote:
> > On Sun, Aug 22, 2021 at 10:41 AM Zvi Kave wrote:  
> >> On 8/19/2021 9:33 PM, G.W. Haywood via clamav-users wrote:  
> >>> On Thu, 19 Aug 2021, Zvi Kave via clamav-users wrote:  
> 
> >>>> I found that yara strings like this: $re = /[0-9]{9}/
> >>>> find only first 9-digit match in file.
> >>>> This spoils my logic ...
> >>>
> >>> ... my advice is not to try anything fancy ...  
> >>
> >> I understand that I have to be patient.  
> >
> > I'm wondering if the --allmatch option/switch is useful here.  
> 
> Unfortunately I'm afraid it's a different issue.  Yara rules don't
> necessarily produce a match (one which ClamAV would report as FOUND)
> even if there are strings in the Yara rules which _do_ in fact match.
> The point is that you can (or should be able to) tell Yara things like
> "count the number of times the string is found in the text, and report
> if there are more than 23 of them".  This sort of thing will sometimes
> work with the Yara engine in ClamAV, but my experience is that it's at
> the fancy end of the scale and I've spent hours trying to get things
> to work which would seem to be trivial exercises in regexes and logic.



Maybe ClamAV should support plugins, rather than being constrained to what's 
compiled in. (There are, of course, various plugins that invoke ClamAV, but 
that's not what I mean.)
