Re: [clamav-users] ClamAV on RHEL9 with FIPS enabled

2023-07-11 Thread Micah Snyder (micasnyd) via clamav-users
Apologies for the delayed response.

We are only just starting to discuss a possibility of a new CVD (signed 
signature database archive) format internally.  Sorry I cannot promise anything 
in terms of timeline.

-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Vu, 
Hong-Duc V. via clamav-users 
Sent: Friday, July 7, 2023 2:33 PM
To: clamav-users@lists.clamav.net 
Cc: Vu, Hong-Duc V. 
Subject: [clamav-users] ClamAV on RHEL9 with FIPS enabled


Hello Everyone,

Looks like there’s some discussion on the clamav GitHub about this issue.

https://github.com/Cisco-Talos/clamav/issues/564

Micah, do you have an anticipated roadmap of when you plan on implementing the 
new SHA256 signatures?

Hong-Duc Vu

Phone: 240-592-3072 Email: hong-duc...@jhuapl.edu


___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
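What FIPS mode actually breaks in the thread above, as an added worked example (my code, not ClamAV's or Talos's): the current CVD container is a 512-byte, space-padded ASCII header of colon-separated fields (ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:<MD5 of the archive>:<RSA signature>:<builder>:<stime>) followed by the gzipped tarball of signature files. The integrity digest in that header is MD5, and the RSA signature that freshclam checks is computed over that MD5, so on a host whose OpenSSL runs in FIPS mode and refuses MD5 the database cannot be verified; that is the limitation a SHA-256-based format would remove. The script parses such a header and recomputes the body MD5 through hashlib's usedforsecurity=False escape hatch (the only way to obtain MD5 from a FIPS-mode OpenSSL in Python), over a constructed archive body that is not a real database. The RSA signature check over the digest is deliberately not reproduced; the version, signature count, builder name and placeholder signature are made up.

```python
"""Parse and integrity-check a ClamAV CVD (signed signature database) header.

Added example, not ClamAV's own code. Header layout: 512 bytes, space padded,
  ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<MD5>:<RSA dsig>:<builder>:<stime>
followed by the gzipped tarball whose MD5 sits in field 6. The RSA check that
libclamav performs over that MD5 is not reproduced here.
"""
import hashlib
import hmac
from dataclasses import dataclass

HEADER_LEN = 512
MAGIC = "ClamAV-VDB:"


@dataclass
class CvdHeader:
    build_time: str
    version: int
    sigs: int
    flevel: int
    md5: str
    dsig: str
    builder: str
    stime: int


def md5_hex(data: bytes) -> str:
    """MD5 of the archive body.

    On a FIPS-enabled host (RHEL 9 with fips=1) OpenSSL refuses MD5 for
    security purposes and hashlib.md5(data) raises ValueError. Python 3.9+
    exposes usedforsecurity=False, which requests the non-approved digest
    anyway; libclamav's C code has no equivalent knob, hence the breakage.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except TypeError:  # Python < 3.9: keyword not available, plain call
        return hashlib.md5(data).hexdigest()


def build_header(body: bytes, version: int, sigs: int, flevel: int, builder: str,
                 build_time: str = "11 Jul 2023 14-00 +0000",
                 stime: int = 1689084000, dsig: str = "<unsigned>") -> bytes:
    """Assemble a 512-byte header over `body`.

    Real headers write the time as HH-MM (dash, not colon) so the field split
    below stays unambiguous. The dsig field is a placeholder in this sample.
    """
    fields = [build_time, str(version), str(sigs), str(flevel),
              md5_hex(body), dsig, builder, str(stime)]
    if any(":" in f for f in fields):
        raise ValueError("CVD header fields must not contain ':'")
    line = MAGIC + ":".join(fields)
    if len(line) > HEADER_LEN:
        raise ValueError("header too long")
    return line.ljust(HEADER_LEN).encode("ascii")


def parse_header(raw: bytes) -> CvdHeader:
    """Split the fixed-size header into its eight fields, rejecting junk."""
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated CVD header")
    text = raw[:HEADER_LEN].decode("ascii").rstrip()
    if not text.startswith(MAGIC):
        raise ValueError("not a CVD header")
    parts = text[len(MAGIC):].split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 header fields, got {len(parts)}")
    return CvdHeader(parts[0], int(parts[1]), int(parts[2]), int(parts[3]),
                     parts[4], parts[5], parts[6], int(parts[7]))


def verify_body_md5(cvd: bytes) -> bool:
    """Recompute the body digest and compare it to the header field."""
    hdr = parse_header(cvd)
    return hmac.compare_digest(hdr.md5, md5_hex(cvd[HEADER_LEN:]))


def tampered(cvd: bytes) -> bytes:
    """Flip one bit of the body; the digest check must then fail."""
    body = bytearray(cvd[HEADER_LEN:])
    body[0] ^= 0x01
    return cvd[:HEADER_LEN] + bytes(body)


# Constructed stand-in for the gzipped tarball; not a real database.
SAMPLE_BODY = b"constructed-cvd-body: main.ndb\ndaily.hdb\n" * 16
# Version, count and flevel are made up for the example.
SAMPLE_CVD = build_header(SAMPLE_BODY, version=26960, sigs=4, flevel=90,
                          builder="example") + SAMPLE_BODY

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_CVD)
    print(f"version={hdr.version} sigs={hdr.sigs} flevel={hdr.flevel} md5={hdr.md5}")
    print("body digest ok:    ", verify_body_md5(SAMPLE_CVD))
    print("tampered digest ok:", verify_body_md5(tampered(SAMPLE_CVD)))
```

On a RHEL 9 host with fips=1, compare hashlib.md5(b"x") (raises ValueError) with hashlib.md5(b"x", usedforsecurity=False) to see the exact behaviour libclamav runs into; the usedforsecurity flag only tells OpenSSL the digest is not used for security, which is not true of a signature check, so it is a diagnostic aid here, not a fix.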


Re: [clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0

2023-07-11 Thread Eric Tykwinski via clamav-users
Taken care of… I think it only uploaded the one sample, but I think all three 
were just test emails sent by the MS customer.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jul 11, 2023, at 5:30 PM, Micah Snyder (micasnyd)  
> wrote:
> 
> You can submit FP reports through https://www.clamav.net/reports/fp 
> 
> 
> Our threat research team has automation in place behind this submission 
> portal to investigate and resolve FP's. 
> 
> Regards,
> Micah
> 
> 
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> From: clamav-users  on behalf of Eric 
> Tykwinski via clamav-users 
> Sent: Tuesday, July 11, 2023 1:04 PM
> To: 'ClamAV users ML' 
> Cc: Eric Tykwinski 
> Subject: [clamav-users] Needed to whitelist 
> Email.Phishing.RPMSG_Downloader-10004958-0
>  
> Just a heads up, we had a legitimate customer receiving Office 365 secure 
> emails get hit with this filter.
> I’m not sure what the original rule was for, but I’m assuming it was for 
> phishing emails, but it seems to be a bit too loose on the rules to not get 
> false positives.
>  
> Clam team, if you need headers or anything let me know.
>  
> Sincerely,
>  
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300


Re: [clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0

2023-07-11 Thread Micah Snyder (micasnyd) via clamav-users
You can submit FP reports through https://www.clamav.net/reports/fp

Our threat research team has automation in place behind this submission portal 
to investigate and resolve FP's.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Eric 
Tykwinski via clamav-users 
Sent: Tuesday, July 11, 2023 1:04 PM
To: 'ClamAV users ML' 
Cc: Eric Tykwinski 
Subject: [clamav-users] Needed to whitelist 
Email.Phishing.RPMSG_Downloader-10004958-0


Just a heads up, we had a legitimate customer receiving Office 365 secure 
emails get hit with this filter.

I’m not sure what the original rule was for, but I’m assuming it was for 
phishing emails, but it seems to be a bit too loose on the rules to not get false 
positives.

Clam team, if you need headers or anything let me know.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300



[clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0

2023-07-11 Thread Eric Tykwinski via clamav-users
Just a heads up, we had a legitimate customer receiving Office 365 secure
emails get hit with this filter.

I'm not sure what the original rule was for, but I'm assuming it was for
phishing emails, but it seems to be a bit too loose on the rules to not get
false positives.

Clam team, if you need headers or anything let me know.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Grant Taylor via clamav-users

On 7/11/23 11:52 AM, Brian Morrison wrote:

You're right, I was not thinking clearly enough.


That's why we're better together than individually.

I'm trusting that you'll help me next time.  :-D

Of course it would really help if numerical error codes like these had 
consistent meanings but I imagine that ship is 30+ years over the 
horizon now.


Agreed.



Grant. . . .


Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Brian Morrison
On Tue, 11 Jul 2023 11:22:43 -0500
Grant Taylor via clamav-users  wrote:

> On 7/11/23 8:44 AM, Brian Morrison wrote:
> > 403 is a temporary error, if it was permanent (which might be due to
> > a ban) it would be a 5xx error.  
> I may need more coffee, but I don't think that's correct.
> 
> Yes, in email, 4xy is temporary and 5xy is permanent.
> 
> However in HTTP, 4xy and 5xy mean significantly different things than 
> they do in SMTP.
> 
> Per Mozilla's HTTP response status code page (link below), 400-499
> (4xy) is "client (made an) error" response.
> 
> 403 specifically is "The client does not have access rights to the 
> content; that is, it is unauthorized, so the server is refusing to
> give the requested resource."
> 
> Link - HTTP response status codes
>   - https://developer.mozilla.org/en-US/docs/Web/HTTP/Status

You're right, I was not thinking clearly enough.

Of course it would really help if numerical error codes like these had
consistent meanings but I imagine that ship is 30+ years over the
horizon now.

-- 

Brian Morrison


Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Joel Esler via clamav-users
403 is a specific ban.  Maybe by country or an IP specifically.  

— 
Sent from my iPhone

> On Jul 11, 2023, at 02:50, Łukasz Baniecki via clamav-users 
>  wrote:
> 
> Today I did a clean cvd update, meaning I removed everything in
> /var/lib/clamav, I flushed my fw rules, so it won't block anything, I
> have clamav version 0.103.8 which is LTS, so it shouldn't be banned.
> Here is the full log of freshclam: https://pastebin.com/RbSNnM5C
> It specifically says I get 403 from Cloudflare. I must be banned,
> otherwise I don't know where to look.
> 
>> -- Forwarded message --
>> From: newcomer01 
>> To: "Łukasz Baniecki via clamav-users" 
>> Cc:
>> Bcc:
>> Date: Wed,  5 Jul 2023 08:42:15 +
>> Subject: Re: [clamav-users] Cloudflare ban?
>> Hi,
>> 
>> please check the freshclam.log for more detailed information on what's going on.
>> 
>> kind greetings
>> Marc
>> 
>> From: Clamav User Mailinglist 
>> To: Newcomer01 
>> CC: Łukasz Baniecki 
>> Sent: Wednesday, July 5, 2023 at 10:21 AM +0200
>> Subject: [clamav-users] Cloudflare ban?
>>> Hi,
>>> I already wrote in this topic earlier this year, about my ip
>>> (95.215.234.142) being blocked, so cvdupdate doesn't work. You helped
>>> me, so you are not blocking my ip and suggested that maybe I'm blocked
>>> on cloudflare. I have made more tests and I think that must be it, so
>>> I just did freshclam --verbose and here is my Cloudflare Ray ID:
>>> 7e1e292a4fe60046-WAW. Please check if at some level I am blocked and
>>> if so, why? Note: I'm not from Russia, I am from Poland.
> 
> 
> 
> 
> --
> regards,
> Łukasz Baniecki

Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Grant Taylor via clamav-users

On 7/11/23 8:44 AM, Brian Morrison wrote:
403 is a temporary error, if it was permanent (which might be due to a 
ban) it would be a 5xx error.

I may need more coffee, but I don't think that's correct.

Yes, in email, 4xy is temporary and 5xy is permanent.

However in HTTP, 4xy and 5xy mean significantly different things than 
they do in SMTP.


Per Mozilla's HTTP response status code page (link below), 400-499 (4xy) 
is "client (made an) error" response.


403 specifically is "The client does not have access rights to the 
content; that is, it is unauthorized, so the server is refusing to give 
the requested resource."


Link - HTTP response status codes
 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Status



Grant. . . .

Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Brian Morrison
On Tue, 11 Jul 2023 08:49:55 +0200
Łukasz Baniecki via clamav-users  wrote:

> It specifically says I get 403 from Cloudflare. I must be banned,

403 is a temporary error, if it was permanent (which might be due to a
ban) it would be a 5xx error.

-- 

Brian Morrison


Re: [clamav-users] Cloudflare ban?

2023-07-11 Thread Marc
> 
> Today I did a clean cvd update, meaning I removed everything in
> /var/lib/clamav, I flushed my fw rules, so it won't block anything, I
> have clamav version 0.103.8 which is LTS, so it shouldn't be banned.
> Here is the full log of freshclam: https://pastebin.com/RbSNnM5C
> It specifically says I get 403 from Cloudflare. I must be banned,
> otherwise I don't know where to look.

Cloudflare sucks, I constantly have such pages telling me that it is not 
Cloudflare's error but the server's, which statistically is very unlikely.