[clamav-users] freshclam downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd

2021-12-20 Thread Gene Goykhman
ClamAV: 0.102.4 .. latest stable package in Debian 9 (stretch)

Due to (what I suspect to be) a bunch of repeated, failed attempts to download 
virus definitions a few months ago, I think our IP has been blocked by the 
patch server. I've dialed down the refresh frequency and number of failed 
attempts before aborting ... could we get unblocked? Our IP is 192.241.136.229.

Or if the server logs show something else that we need to change at our end 
please let me know.

Thank you!

Current output from freshclam:

$ freshclam
Tue Dec 21 01:09:28 2021 -> ClamAV update process started at Tue Dec 21 
01:09:28 2021
Tue Dec 21 01:09:28 2021 -> ^Your ClamAV installation is OUTDATED!
Tue Dec 21 01:09:28 2021 -> ^Local version: 0.102.4 Recommended version: 0.103.4
Tue Dec 21 01:09:28 2021 -> DON'T PANIC! Read 
https://www.clamav.net/documents/upgrading-clamav
Tue Dec 21 01:09:28 2021 -> daily database available for update (local version: 
26231, remote version: 26394)
Current database is 163 versions behind.
Downloading database patch # 26232...
Tue Dec 21 01:09:32 2021 -> ^downloadFile: file not found: 
https://database.clamav.net/daily-26232.cdiff
Tue Dec 21 01:09:32 2021 -> ^getpatch: Can't download daily-26232.cdiff from 
https://database.clamav.net/daily-26232.cdiff
Downloading database patch # 26232...
Tue Dec 21 01:09:32 2021 -> ^downloadFile: file not found: 
https://database.clamav.net/daily-26232.cdiff
Tue Dec 21 01:09:32 2021 -> ^getpatch: Can't download daily-26232.cdiff from 
https://database.clamav.net/daily-26232.cdiff
Tue Dec 21 01:09:32 2021 -> ^Incremental update failed, trying to download 
daily.cvd
Time: 0.0s, ETA: 0.0s [=>] 16B/16B 
Tue Dec 21 01:09:32 2021 -> ^downloadFile: Unexpected response (403) from 
https://database.clamav.net/daily.cvd
Tue Dec 21 01:09:32 2021 -> ^getcvd: Can't download daily.cvd from 
https://database.clamav.net/daily.cvd
Tue Dec 21 01:09:32 2021 -> Trying again in 5 secs...

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
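freshclam avoids exactly this kind of repeated download by first reading the TXT record of current.cvd.clamav.net (the source of the "remote version" and "Recommended version" lines in the log above) and only contacting database.clamav.net when that record is newer than the local file. The example below is added here and is not freshclam's code or anything from the thread; it reproduces that pre-check in Python so a cron wrapper can back off instead of retrying into the 403. The TXT record and CVD header are constructed samples; only their layout (TXT fields 0, 1, 2 and 7 = recommended ClamAV version, main, daily and bytecode version; CVD header field 2 = database version) is taken from the real formats.

```python
from dataclasses import dataclass

# Constructed sample of the current.cvd.clamav.net TXT record. Fields used:
# 0 = recommended ClamAV version, 1 = main.cvd, 2 = daily.cvd, 7 = bytecode.cvd
# version; the remaining fields are not interpreted here.
SAMPLE_TXT = "0.103.4:62:26394:1640048400:1:90:49191:333"

# Constructed sample of the 512-byte header that starts every .cvd/.cld file:
# "ClamAV-VDB:<build date>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<time>"
SAMPLE_CVD_HEADER = (
    b"ClamAV-VDB:17 Nov 2021 08-13 -0500:26231:3934578:63:"
    b"0123456789abcdef0123456789abcdef:DSIG-PLACEHOLDER:builder:1637154800"
).ljust(512, b"\x00")


@dataclass
class RemoteVersions:
    clamav: str
    main: int
    daily: int
    bytecode: int


def parse_dns_txt(txt: str) -> RemoteVersions:
    """Pull the version numbers out of the colon-separated TXT record."""
    f = txt.split(":")
    if len(f) < 8:
        raise ValueError("unexpected TXT record layout")
    return RemoteVersions(f[0], int(f[1]), int(f[2]), int(f[7]))


def local_cvd_version(header: bytes) -> int:
    """Read the database version from the first 512 bytes of a .cvd/.cld."""
    fields = header[:512].rstrip(b"\x00").decode("ascii").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 3:
        raise ValueError("not a ClamAV database header")
    return int(fields[2])


def versions_behind(local: int, remote: RemoteVersions) -> int:
    """Daily versions the local file lags behind; the log above reports 163."""
    return max(remote.daily - local, 0)


def should_download(local: int, remote: RemoteVersions) -> bool:
    """Contact database.clamav.net only when DNS already says a newer daily exists."""
    return versions_behind(local, remote) > 0
```

In a wrapper, feed parse_dns_txt the output of `dig +short TXT current.cvd.clamav.net` with the surrounding quotes stripped, and local_cvd_version the first 512 bytes of daily.cld or daily.cvd.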


Re: [clamav-users] [EXT] Re: clamscan tar archive

2021-12-20 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 20 Dec 2021, Hart, Steven A. via clamav-users wrote:


...
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 333.34 MB (ratio 0.00:1)
...


Perhaps you should let us have the output of

clamconf -n

or whatever passes for that on RHEL.

--

73,
Ged.



Re: [clamav-users] [EXT] Re: clamscan tar archive

2021-12-20 Thread Hart, Steven A. via clamav-users
I retract my retraction.


Original scan of test directory:

$ clamscan -ir test/
test/eicar.com: Eicar-Signature FOUND

--- SCAN SUMMARY ---
Known viruses: 8584449
Engine version: 0.103.4
Scanned directories: 1
Scanned files: 6
Infected files: 1
Data scanned: 0.63 MB
Data read: 333.32 MB (ratio 0.00:1)
Time: 10.682 sec (0 m 10 s)
Start Date: 2021:12:20 16:29:39
End Date:   2021:12:20 16:29:50

$ tar -cvf test.tar test/


$ tar -tvf test.tar | grep eicar
-rw-rw-r-- X/X69 2021-12-06 10:18 test/eicar.com

$ clamscan -ir test.tar

--- SCAN SUMMARY ---
Known viruses: 8584449
Engine version: 0.103.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 333.34 MB (ratio 0.00:1)
Time: 10.408 sec (0 m 10 s)
Start Date: 2021:12:20 16:32:07
End Date:   2021:12:20 16:32:17

This is on RHEL8.  If I do a simple tar of just the eicar.com file into a tar 
archive it detects on scanning the tar file.  The above sample test directory 
has 5 other simple files including the eicar.com file.

Thanks!



From: clamav-users  on behalf of Hart, 
Steven A. via clamav-users 
Sent: Monday, December 20, 2021 4:17:28 PM
To: ClamAV users ML
Cc: Hart, Steven A.
Subject: Re: [clamav-users] [EXT] Re: clamscan tar archive




And now it's working for me too.  Nice magic you have there!


Problem solved. I guess... so weird.


Thanks


From: clamav-users  on behalf of Kris 
Deugau 
Sent: Monday, December 20, 2021 4:09:26 PM
To: ClamAV users ML
Subject: [EXT] Re: [clamav-users] clamscan tar archive


Hart, Steven A. via clamav-users wrote:
> Hello all,
>
>
> ClamAV documentation states that tar archives are supported.   I've
> created a small sample tar archive that includes an eicar sample.
> Clamscan seems to only look at the tar archive as a single file and does
> not hit on the eicar sample within.   I've tried using the "-a" and
> "--scan-archive=yes" flags with no improvements.  I would appreciate
> advice as to if clamscan can actively scan tar archives directly.

WorksForMe(TM):

kdeugau@ele:~/$ tar -c ~kdeugau/dev/eicar >testeicar.tar
tar: Removing leading `/' from member names
kdeugau@ele:~/$ clamscan
/home/kdeugau/testeicar.tar: Eicar-Signature FOUND
[...]

kdeugau@ele:~/$ clamscan -V
ClamAV 0.103.3/26393/Mon Dec 20 04:19:51 2021

(Debian package;  only Debian testing and unstable have 0.103.4 so far,
no sign of 0.104.)

-kgd



Re: [clamav-users] [EXT] Re: clamscan tar archive

2021-12-20 Thread Hart, Steven A. via clamav-users
And now it's working for me too.  Nice magic you have there!


Problem solved. I guess... so weird.


Thanks


From: clamav-users  on behalf of Kris 
Deugau 
Sent: Monday, December 20, 2021 4:09:26 PM
To: ClamAV users ML
Subject: [EXT] Re: [clamav-users] clamscan tar archive


Hart, Steven A. via clamav-users wrote:
> Hello all,
>
>
> ClamAV documentation states that tar archives are supported.   I've
> created a small sample tar archive that includes an eicar sample.
> Clamscan seems to only look at the tar archive as a single file and does
> not hit on the eicar sample within.   I've tried using the "-a" and
> "--scan-archive=yes" flags with no improvements.  I would appreciate
> advice as to if clamscan can actively scan tar archives directly.

WorksForMe(TM):

kdeugau@ele:~/$ tar -c ~kdeugau/dev/eicar >testeicar.tar
tar: Removing leading `/' from member names
kdeugau@ele:~/$ clamscan
/home/kdeugau/testeicar.tar: Eicar-Signature FOUND
[...]

kdeugau@ele:~/$ clamscan -V
ClamAV 0.103.3/26393/Mon Dec 20 04:19:51 2021

(Debian package;  only Debian testing and unstable have 0.103.4 so far,
no sign of 0.104.)

-kgd



Re: [clamav-users] clamscan tar archive

2021-12-20 Thread Kris Deugau

Hart, Steven A. via clamav-users wrote:

Hello all,


ClamAV documentation states that tar archives are supported.   I've 
created a small sample tar archive that includes an eicar sample.  
Clamscan seems to only look at the tar archive as a single file and does 
not hit on the eicar sample within.   I've tried using the "-a" and 
"--scan-archive=yes" flags with no improvements.  I would appreciate 
advice as to if clamscan can actively scan tar archives directly.


WorksForMe(TM):

kdeugau@ele:~/$ tar -c ~kdeugau/dev/eicar >testeicar.tar
tar: Removing leading `/' from member names
kdeugau@ele:~/$ clamscan
/home/kdeugau/testeicar.tar: Eicar-Signature FOUND
[...]

kdeugau@ele:~/$ clamscan -V
ClamAV 0.103.3/26393/Mon Dec 20 04:19:51 2021

(Debian package;  only Debian testing and unstable have 0.103.4 so far, 
no sign of 0.104.)


-kgd



[clamav-users] clamscan tar archive

2021-12-20 Thread Hart, Steven A. via clamav-users
Hello all,


ClamAV documentation states that tar archives are supported.   I've created a 
small sample tar archive that includes an eicar sample.  Clamscan seems to only 
look at the tar archive as a single file and does not hit on the eicar sample 
within.   I've tried using the "-a" and "--scan-archive=yes" flags with no 
improvements.  I would appreciate advice as to if clamscan can actively scan 
tar archives directly.


Thanks


Steve



Re: [clamav-users] Lot of false positives detected from signature Java.Malware.CVE_2021_44228-9915814-0

2021-12-20 Thread Christopher Marczewski
Hi Puneet,

Java.Malware.CVE_2021_44228-9915814-0 has been revised to
Java.Malware.CVE_2021_44228-9915814-2 (revision 2). Please ensure you're
using the latest daily CVD.

Signatures are targeting malware leveraging CVE-2021-44228, in addition to
targeting resulting payload Java classes.

On Mon, Dec 20, 2021 at 12:38 PM Puneet Bhootra via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi
>
> Is there any update on whether this has been resolved? I see many
> signatures related to this CVE.
> Also, since this is an exploit/vulnerability, is ClamAV supposed to detect
> this, considering it's a malware/virus detection tool?
>
> Regards
> Puneet
>
> On Fri, Dec 17, 2021 at 3:30 AM Micah Snyder (micasnyd) <
> micas...@cisco.com> wrote:
>
>> Hi Puneet,
>>
>> Thank you for submitting the FP reports through our web form.
>> Our malware research team is actively working on improving the signatures
>> related to CVE-2021-44228.
>>
>> Regards,
>> Micah
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>> --
>> *From:* clamav-users  on behalf
>> of Puneet Bhootra via clamav-users 
>> *Sent:* Thursday, December 16, 2021 11:32 AM
>> *To:* clamav-users@lists.clamav.net 
>> *Cc:* Puneet Bhootra ; Himanshu Kumar <
>> himanshuku...@salesforce.com>
>> *Subject:* Re: [clamav-users] Lot of false positives detected from
>> signature Java.Malware.CVE_2021_44228-9915814-0
>>
>>
>> Hi
>>
>> We are seeing a lot of false positives being generated from this signature.
>> Java.Malware.CVE_2021_44228-9915814-0
>> which has resulted in the quarantine of a lot of java applications
>> running in our environments.
>>
>> It seems for this CVE there are other signatures as well which detect
>> this - Exploit.CVE_2021_44228-9914600 and Exploit.CVE_2021_44228-9914601
>>
>> So, this one Java.Malware.CVE_2021_44228-9915814-0 is kind of redundant
>> and since it is generating a lot of false positives also, please remove
>> this from the daily.cld.
>>
>> I have also submitted a false positive report for the same.
>> Can someone please check and take appropriate action on this?
>>
>>
>


-- 
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975



Re: [clamav-users] Lot of false positives detected from signature Java.Malware.CVE_2021_44228-9915814-0

2021-12-20 Thread Puneet Bhootra via clamav-users
Hi

Is there any update on whether this has been resolved? I see many
signatures related to this CVE.
Also, since this is an exploit/vulnerability, is ClamAV supposed to detect
this, considering it's a malware/virus detection tool?

Regards
Puneet

On Fri, Dec 17, 2021 at 3:30 AM Micah Snyder (micasnyd) 
wrote:

> Hi Puneet,
>
> Thank you for submitting the FP reports through our web form.
> Our malware research team is actively working on improving the signatures
> related to CVE-2021-44228.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> --
> *From:* clamav-users  on behalf of
> Puneet Bhootra via clamav-users 
> *Sent:* Thursday, December 16, 2021 11:32 AM
> *To:* clamav-users@lists.clamav.net 
> *Cc:* Puneet Bhootra ; Himanshu Kumar <
> himanshuku...@salesforce.com>
> *Subject:* Re: [clamav-users] Lot of false positives detected from
> signature Java.Malware.CVE_2021_44228-9915814-0
>
>
> Hi
>
> We are seeing a lot of false positives being generated from this signature.
> Java.Malware.CVE_2021_44228-9915814-0
> which has resulted in the quarantine of a lot of java applications running
> in our environments.
>
> It seems for this CVE there are other signatures as well which detect
> this - Exploit.CVE_2021_44228-9914600 and Exploit.CVE_2021_44228-9914601
>
> So, this one Java.Malware.CVE_2021_44228-9915814-0 is kind of redundant
> and since it is generating a lot of false positives also, please remove
> this from the daily.cld.
>
> I have also submitted a false positive report for the same.
> Can someone please check and take appropriate action on this?
>
>

