Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread A K Varnell
On Aug 14, 2013, at 1:54 PM, Joel Esler  wrote:
> On Aug 14, 2013, at 2:34 PM, Steve Basford  
> wrote:
> 
>>> We'll also review if code changes are appropriate, but given how the tree
>>> operates, I don't immediately expect that to be the case.
>> 
>> Out of interest are there any "roadmaps"/future improvements for ClamAV
>> that are being discussed, as the last changelog update was May (before the
>> takeover)?
> 
> Steve,
> 
> Just to clarify, at this time we’ve just announced Cisco acquiring 
> Sourcefire.  It takes time for the deal to be approved and go through.
> 
> I’ll let Matt speak to the specifics of the roadmap.

So I gather the 0.98 release that was announced back in February is in a 
holding pattern pending final approval once the Cisco acquisition has been 
approved and their processes put into place?


-Al-
-- 
Al Varnell
Mountain View, CA




___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] clamd socket permissions

2013-07-31 Thread A K Varnell
On Jul 31, 2013, at 1:22 PM, Bob Miller  wrote:
> 
> I realize seeing this that the list rules are not to top post, yet my
> very first reply to this list that is exactly what I did.

What list rules would that be?


-Al-
-- 
Al Varnell
Mountain View, CA



Re: [clamav-users] Janicab Definitions

2013-07-26 Thread A K Varnell
Thanks, I'm seeing them at this time.

-Al-

On Jul 25, 2013, at 7:25 AM, Alain Zidouemba  wrote:
> Updated signatures with the coverage you are looking for will be released
> shortly.
> 
> Thanks,
> 
> - Alain
> 
> 
> On Thu, Jul 25, 2013 at 2:50 AM, A K Varnell  wrote:
> 
>> A definition was added today (Wednesday) for Win.Trojan.Janicab which I
>> assume is based on the malware described by F-Secure on Tuesday <
>> http://www.f-secure.com/weblog/archives/2581.html>.
>> 
>> The OS X version of Janicab was announced by F-Secure over a week before
>> on July 15
>> <http://www.f-secure.com/weblog/archives/2576.html> based on a
>> posting found on VirusTotal first submitted on 2013-07-12 05:03:36 UTC
>> <
>> https://www.virustotal.com/en/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/
>>> .
>> 
>> Where is the definition for OSX.Trojan.Janicab which was made available on
>> VT almost two weeks ago.  22 of 47 A-V scanners are currently able to
>> detect it.
>> 
>> I realize that Apple eventually took action to disable this Malware for
>> the current version of OS X, but still….
>> 
>> 
>> -Al-


[clamav-users] Janicab Definitions

2013-07-24 Thread A K Varnell
A definition was added today (Wednesday) for Win.Trojan.Janicab which I assume 
is based on the malware described by F-Secure on Tuesday 
.

The OS X version of Janicab was announced by F-Secure over a week before on 
July 15 
 based on a posting 
found on VirusTotal first submitted on 2013-07-12 05:03:36 UTC
.

Where is the definition for OSX.Trojan.Janicab which was made available on VT 
almost two weeks ago.  22 of 47 A-V scanners are currently able to detect it.

I realize that Apple eventually took action to disable this Malware for the 
current version of OS X, but still….


-Al-
-- 
Al Varnell
Mountain View, CA



[clamav-users] Fwd: clamav-mirror.sonic.net

2013-07-08 Thread A K Varnell
Ryan,

A couple of us have been dealing with the 69.12.162.28 mirror. It doesn't seem 
to be included on the mirror status page and it often fails and appears to be 
off-line. Joel once said that it was not in the rotation, but it keeps showing 
up in mine.  The OP I referred to has posted a link to his log including some 
recent verbose results today on the ClamXav Forum 
, if that will help.




-Al-
-- 
Al Varnell
Mountain View, CA


Re: [clamav-users] clamav-mirror.sonic.net

2013-07-02 Thread A K Varnell
On Oct 12, 2012, at 7:49 AM, Joel Esler  wrote:
> On Oct 11, 2012, at 3:45 AM, Al Varnell  wrote:
>> I think it may be time to decommission this US Mirror, which is located only
>> a few miles away from my location and has been a problem for years.  It
>> doesn't seem to be listed any more on the status page
>> , but it is listed on
>> db.us.big.clamav.net and still comes up every few days.
>> 
>> Mirror #5
>> IP: 69.12.162.28
>> Successes: 0
>> Failures: 21
>> Last access: Mon Apr  2 07:45:04 2012
>> Ignore: No

> We actually don't have this IP in the rotation at all.  
> 
> --
> Joel Esler

Sorry to have to bring this up again after all this time, but it seems to be a 
small issue again.

As you can see it's back in the rotation again:

> $ host database.clamav.net
> database.clamav.net is an alias for db.local.clamav.net.
> db.local.clamav.net is an alias for db.us.rr.clamav.net.
> db.us.rr.clamav.net has address 64.22.33.90
> db.us.rr.clamav.net has address 69.12.162.28
> db.us.rr.clamav.net has address 150.214.142.197
> db.us.rr.clamav.net has address 194.186.47.19
> db.us.rr.clamav.net has address 207.57.106.31

then:

> $ /usr/local/clamXav/bin/freshclam --list-mirrors
> Mirror #3
> IP: 69.12.162.28
> Successes: 23
> Failures: 0
> Last access: Tue Jun 25 07:45:21 2013
> Ignore: No
> -

From my freshclam.log there have been four attempts to use that mirror since 
Apr 25, three successes and only this failure:

> ClamAV update process started at Sat Jun 22 13:47:35 2013
> main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: 
> sven)
> connect_error: getsockopt(SO_ERROR): fd=6 error=61: Connection refused
> Can't connect to port 80 of host database.clamav.net (IP: 69.12.162.28)

That mirror is not included on your mirror status site 


Another user notified me that he had a failure with this mirror yesterday, so 
I've been trying to do a trace route on it over the last 24 hours and it times 
out after hitting "mirrors.200p-sf.sonic.net (69.12.162.27)" so it's apparently 
down.

So here are a few questions:

- Is clamav-mirror.sonic.net still in the rotation?

- Is it reliable enough to retain it and if so can it be added back to the 
mirror status page?

- What's the current rule on when an error is counted as a failure in 
mirrors.dat?


-Al-
-- 
Al Varnell
Mountain View, CA

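The checks run by hand in this post (compare what `host database.clamav.net` returns against `freshclam --list-mirrors` and the `Can't connect` lines in freshclam.log) as one small script. This is an added example, not code from the ClamAV project or from the thread. The three inputs are constructed in the shapes quoted above, the IPs and counters in them are made up, and the flagging rule (failure ratio above 20 per cent in mirrors.dat, or two or more recent connection failures in the log) is an assumption, since the thread leaves open how freshclam itself decides to count a failure.

```python
import re

# Constructed sample inputs for this example, shaped like the `host`,
# `freshclam --list-mirrors` and freshclam.log excerpts quoted in the post
# above. The addresses and counters are made up, not real mirror data.
HOST_OUTPUT = """\
database.clamav.net is an alias for db.local.clamav.net.
db.local.clamav.net is an alias for db.us.rr.clamav.net.
db.us.rr.clamav.net has address 64.22.33.90
db.us.rr.clamav.net has address 69.12.162.28
db.us.rr.clamav.net has address 150.214.142.197
"""

LIST_MIRRORS = """\
Mirror #1
IP: 64.22.33.90
Successes: 40
Failures: 1
Last access: Tue Jun 25 07:45:21 2013
Ignore: No
-
Mirror #2
IP: 69.12.162.28
Successes: 23
Failures: 4
Last access: Tue Jun 25 07:45:21 2013
Ignore: No
-
Mirror #3
IP: 207.57.106.31
Successes: 0
Failures: 5
Last access: Mon Jun 24 07:45:04 2013
Ignore: No
-
"""

FRESHCLAM_LOG = """\
ClamAV update process started at Sat Jun 22 13:47:35 2013
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
connect_error: getsockopt(SO_ERROR): fd=6 error=61: Connection refused
Can't connect to port 80 of host database.clamav.net (IP: 69.12.162.28)
ClamAV update process started at Sun Jun 23 13:47:35 2013
Can't connect to port 80 of host database.clamav.net (IP: 207.57.106.31)
ClamAV update process started at Mon Jun 24 13:47:35 2013
Can't connect to port 80 of host database.clamav.net (IP: 69.12.162.28)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "<name> has address <ip>" lines from `host`; alias lines are ignored.
ADDR_RE = re.compile(r"^\S+ has address " + IPV4 + r"\s*$", re.M)
# The freshclam failure line exactly as it appears in the log quoted above.
FAIL_RE = re.compile(r"^Can't connect to port \d+ of host \S+ \(IP: " + IPV4 + r"\)", re.M)
# Fields of one `--list-mirrors` record that we care about.
FIELD_RE = re.compile(r"^(IP|Successes|Failures|Ignore): (.+)$")


def rotation_ips(host_output):
    """Addresses currently returned for the database name, i.e. what freshclam will try."""
    return set(ADDR_RE.findall(host_output))


def parse_list_mirrors(text):
    """Parse `freshclam --list-mirrors` output into {ip: {successes, failures, ignore}}."""
    mirrors, cur = {}, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, val = m.groups()
        if key == "IP":
            cur = mirrors.setdefault(val, {"successes": 0, "failures": 0, "ignore": False})
        elif key == "Ignore":
            cur["ignore"] = val.strip().lower() == "yes"
        else:
            cur[key.lower()] = int(val)
    return mirrors


def log_failures(log_text):
    """Count 'Can't connect' lines per mirror address in a freshclam.log excerpt."""
    counts = {}
    for ip in FAIL_RE.findall(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def mirror_report(host_output, list_mirrors_text, log_text, max_failure_ratio=0.2):
    """Mirrors worth asking about: a high failure ratio in mirrors.dat or repeated
    recent failures in the log, each marked with whether DNS still hands it out.
    The thresholds are assumptions for this example, not freshclam's own rule."""
    rotation = rotation_ips(host_output)
    mirrors = parse_list_mirrors(list_mirrors_text)
    recent = log_failures(log_text)
    flagged = {}
    for ip, st in mirrors.items():
        total = st["successes"] + st["failures"]
        ratio = st["failures"] / total if total else 0.0
        if ratio > max_failure_ratio or recent.get(ip, 0) >= 2:
            flagged[ip] = dict(st, in_rotation=ip in rotation,
                               recent_log_failures=recent.get(ip, 0))
    return flagged


if __name__ == "__main__":
    for ip, info in sorted(mirror_report(HOST_OUTPUT, LIST_MIRRORS, FRESHCLAM_LOG).items()):
        print(ip, info)
```

Feed it the real output of the two commands and the tail of freshclam.log. An entry that is flagged but no longer in the rotation is a stale record left in mirrors.dat; one that is flagged and still in the rotation, as 69.12.162.28 is in the `host` output above, is the case to raise with the mirror admins.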


Re: [clamav-users] Is ClamAV free for commercial use

2013-06-11 Thread A K Varnell

On Jun 11, 2013, at 4:32 PM, david oberti  wrote:

> Hi everyone, I just want to know if it's free to use in a company. Thanks!

>> ClamAV User Manual, © 2007 - 2013 Sourcefire, Inc. Authors: Tomasz Kojm
>> This document is distributed under the terms of the GNU General Public 
>> License v2.
>> 
>> Clam AntiVirus is free software; you can redistribute it and/or modify it 
>> under the terms of the GNU General Public License as published by the Free 
>> Software Foundation; either version 2 of the License, or (at your option) 
>> any later version.
>> 
>> This program is distributed in the hope that it will be useful, but WITHOUT 
>> ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
>> FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 
>> more details.
>> 
>> You should have received a copy of the GNU General Public License along with 
>> this program; if not, write to the Free Software Foundation, Inc., 51 
>> Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.


-Al-
-- 
Al Varnell
Mountain View, CA


[clamav-users] OSX.Trojan.KitM

2013-05-23 Thread A K Varnell
Subject definition appeared in an update a day or two ago, but I could not 
find any announcement of it on the ClamAV VirusDB list. Now it seems to have 
disappeared, despite this article in today's SANS Newsletter:

> Title: Mac spyware found at Oslo freedom forum
> Description: During a demonstration of how to secure personal devices
> against government monitoring, respected independent researcher Jacob
> Appelbaum discovered a brand new piece of targeted Mac malware on an
> African activist's system - one signed with an Apple developer ID, no
> less. The discovery is a reminder that targeted attacks abound on Mac
> systems, and that users of that platform should be as diligent in their
> patching as their PC counterparts. Further research by Norwegian company
> Norman indicates that this particular piece of malware can be traced to
> a professional organization inside of India, for example (details
> above).
> Reference:
> http://www.f-secure.com/weblog/archives/2554.html
> http://www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/
> Snort SID: 26670, 26671
> ClamAV: OSX.Trojan.KitM

Any idea what's going on with that?


-Al-
-- 
Al Varnell
Mountain View, CA



Re: [clamav-users] Investigating false positive

2013-05-13 Thread A K Varnell

On May 13, 2013, at 9:47 AM, Lee Graber  wrote:

> I am investigating a document which seems to be getting flagged by clamav
> as having a virus but I am not sure this is accurate. It is actually a
> document about a virus and I am wondering if there is something in it that
> perhaps describes the virus and so is getting flagged.

It wouldn't be the first time this has happened.

Here are some details on what's being found:

> VIRUS NAME: Exploit.IFrame.Gen (Clam)
> DECODED SIGNATURE:
> iframe src={WILDCARD_ANY_STRING(LENGTH<=4096)}cid:{WILDCARD_ANY_STRING(LENGTH<=8192)}height={WILDCARD_ANY_STRING(LENGTH<=4096)} width={WILDCARD_ANY_STRING(LENGTH<=1024)}/iframe{WILDCARD_ANY_STRING(LENGTH<=4096)}/BODY>{WILDCARD_ANY_STRING(LENGTH<=512)}Content-{WILDCARD_IGNORE}ype: a

which I see on page 5.

The definition has been in the database since 2003.


-Al-
-- 
Al Varnell
Mountain View, CA

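To check whether a document really contains the byte pattern above, rather than just prose about it, the decoded signature can be turned into a regular expression and run over the file. The block below is an added example, not ClamAV's own matcher and not part of the thread: it converts sigtool's decoded notation ({WILDCARD_ANY_STRING(LENGTH<=n)} to "up to n bytes", {WILDCARD_IGNORE} to "exactly one byte") and runs the result over two constructed snippets, one that reproduces the iframe markup and one that only describes it. It ignores the signature's target type, offset and ClamAV's input normalization, so a hit here is a triage result, not proof that clamscan would flag the file.

```python
import re

# Decoded form of the signature quoted in the reply above, joined onto one line.
DECODED = (
    "iframe src={WILDCARD_ANY_STRING(LENGTH<=4096)}cid:{WILDCARD_ANY_STRING(LENGTH<=8192)}"
    "height={WILDCARD_ANY_STRING(LENGTH<=4096)} width={WILDCARD_ANY_STRING(LENGTH<=1024)}"
    "/iframe{WILDCARD_ANY_STRING(LENGTH<=4096)}/BODY>{WILDCARD_ANY_STRING(LENGTH<=512)}"
    "Content-{WILDCARD_IGNORE}ype: a"
)

# Constructed samples (not files from the thread): a write-up that reproduces
# the malicious markup verbatim, and one that only talks about it.
QUOTES_THE_MARKUP = (
    "The phishing mail embedded the image by reference:\n"
    '<iframe src="cid:part1.0001@example.invalid" height="1" width="1"></iframe>\n'
    "</BODY>\n"
    "--boundary\n"
    "Content-Type: application/octet-stream\n"
)
TALKS_ABOUT_IT = (
    "The report notes that an iframe src attribute pointing at a cid: URL "
    "was the lure; no height or width was given.\n"
)

# The three wildcard forms sigtool's decoder emits; everything else is literal.
TOKEN_RE = re.compile(
    r"\{WILDCARD_ANY_STRING\(LENGTH<=(\d+)\)\}|\{WILDCARD_ANY_STRING\}|\{WILDCARD_IGNORE\}"
)


def decoded_to_regex(decoded):
    """Translate the decoded notation into a Python regex.

    Approximation of the engine's semantics: a bounded any-string becomes
    .{0,n}, {WILDCARD_IGNORE} (a single ?? byte) becomes ., an unbounded
    any-string becomes .*; literal text is escaped. DOTALL so newlines count
    as bytes, as they do for ClamAV."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(decoded):
        parts.append(re.escape(decoded[pos:m.start()]))
        if m.group(1) is not None:
            parts.append(".{0,%s}" % m.group(1))
        elif m.group(0) == "{WILDCARD_IGNORE}":
            parts.append(".")
        else:
            parts.append(".*")
        pos = m.end()
    parts.append(re.escape(decoded[pos:]))
    return re.compile("".join(parts), re.S)


def first_hit(decoded, text):
    """Offset of the first match of the decoded signature in text, or None."""
    m = decoded_to_regex(decoded).search(text)
    return None if m is None else m.start()


if __name__ == "__main__":
    print("quotes the markup:", first_hit(DECODED, QUOTES_THE_MARKUP))
    print("only describes it:", first_hit(DECODED, TALKS_ABOUT_IT))
```

The decoded form is what `sigtool --find-sigs=Exploit.IFrame.Gen | sigtool --decode-sigs` prints. A document that quotes the original exploit markup verbatim, which is what the pattern seen on page 5 of the file in question suggests, matches; one that merely discusses iframes and cid: URLs does not. Either way the file still goes through the false-positive submission process, since only the engine's verdict counts.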


Re: [clamav-users] Many virus/malware samples for ClamAV

2013-04-17 Thread A K Varnell
On Apr 17, 2013, at 1:56 AM, Stanislav Petr  wrote:

> Hello,
> 
> We are a web hosting company and we are using clamav to detect malware on
> customers websites (PHP trojans, remote shells, …). Now we try to manually
> scan all domains (over 20 000) with other antivirus software (AVG, F-PROT)
> and we found many files containing malware (Trojans, PHP Backdoors,  JS
> malware, …). So my question is how to submit a large set of files detected by
> other antivirus engines and not detected by ClamAV?

Instructions on the File Submission site are:

"If you plan to submit a large number of samples contact Alain Zidouemba first."

I show his e-mail to be Alain Zidouemba .


-Al-
-- 
Al Varnell
Mountain View, CA


Re: [clamav-users] Help with clamscan 0.97.7 and mbox files

2013-04-10 Thread A K Varnell

On Apr 10, 2013, at 4:59 PM, A K Varnell  wrote:

> On Apr 10, 2013, at 4:41 PM, Scott Ehrlich  wrote:
> 
>> You may be correct, though recalling my command-line options, including
>> verbose mode, the mbox file is very large, yet the scan took just a few
>> seconds.
> 
> Then you'll need to change:
> 
> --max-filesize=#n
>  Extract and scan at most #n kilobytes from each archive. You may
>  pass the value in megabytes in format xM or xm,  where  x  is  a
>  number.  This  option  protects  your system against DoS attacks
>  (default: 25 MB, max: <4 GB)

Sorry, wrong reference:

--max-scansize=#n
  Extract and scan at most #n kilobytes from  each  scanned  file.
  You  may pass the value in megabytes in format xM or xm, where x
  is a number.  This  option  protects  your  system  against  DoS
  attacks (default: 100 MB, max: <4 GB)

-Al-

>> ...
>> Scott
>> 
>> 
>> On Wed, Apr 10, 2013 at 5:41 PM, Steven Morgan wrote:
>> 
>>> Scott,
>>> 
>>> Looking at the code, I think the option is 'scan-mail'. It defaults as yes,
>>> so you shouldn't need to do anything special, just clamscan /path/to/mbox/.
>>> 
>>> Let us know if that is not working.
>>> 
>>> Steve
>>> 
>>> On Wed, Apr 10, 2013 at 4:46 PM, Scott Ehrlich >>> wrote:
>>> 
>>>> I just compiled clamav 0.97.7 on SANS SIFT Linux.
>>>> 
>>>> Reviewing the README file and google, it appears that clamscan should be
>>>> able to review/scan mbox files, but any attempt at using --mbox, such as
>>>> clamscan --mbox or clamscan -d /tmp/virdir --mbox /path/to/mboxfile,
>>>> reports an error with the --mbox switch.
>>>> 
>>>> I reviewed the configuration file, and there was nothing for mbox
>>> support.
>>>> 
>>>> Am I missing something?
>>>> 
>>>> Thanks.
>>>> 
>>>> Scott

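The correction above is the crux: clamscan extracts and scans at most --max-scansize of each scanned file and --max-filesize of each extracted part, so an mbox that exceeds the defaults is scanned only up to the limit, which fits a very large mbox finishing in seconds. The following added example (not ClamAV's code and not from the thread) builds a constructed two-message mbox, measures the mbox size and the largest decoded attachment, and returns the clamscan options needed so that neither limit truncates the scan. The default values are the 100 MB and 25 MB quoted from the man page above; the sample addresses and sizes are made up.

```python
import mailbox
import os
import tempfile
from base64 import b64encode

MB = 1024 * 1024


def build_sample_mbox(path):
    """Write a constructed two-message mbox: one plain message and one multipart
    message carrying a 6000-byte base64-encoded attachment. Not real mail."""
    attachment = b64encode(b"A" * 6000).decode()
    msgs = [
        "From alice@example.invalid Wed Apr 10 16:41:00 2013\n"
        "From: alice@example.invalid\nTo: bob@example.invalid\nSubject: hello\n\n"
        "short text body\n",
        "From carol@example.invalid Wed Apr 10 16:42:00 2013\n"
        "From: carol@example.invalid\nTo: bob@example.invalid\nSubject: report\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nsee attached\n"
        '--b1\nContent-Type: application/octet-stream; name="blob.bin"\n'
        "Content-Transfer-Encoding: base64\n\n" + attachment + "\n--b1--\n",
    ]
    with open(path, "w") as f:
        f.write("\n".join(msgs))


def ceil_mb(nbytes):
    """Round a byte count up to whole megabytes for the xM option syntax."""
    return -(-nbytes // MB)


def scan_limits(path, default_scansize=100 * MB, default_filesize=25 * MB):
    """Return (mbox size, largest decoded part, clamscan options to add).

    --max-scansize caps how much of the mbox itself is scanned, so it must
    cover the whole file; --max-filesize caps each extracted part, so it must
    cover the largest decoded attachment. Defaults are the 0.97 man-page values."""
    total = os.path.getsize(path)
    largest = 0
    box = mailbox.mbox(path, create=False)
    try:
        for msg in box:
            for part in msg.walk():
                if part.is_multipart():
                    continue
                payload = part.get_payload(decode=True) or b""
                largest = max(largest, len(payload))
    finally:
        box.close()
    flags = []
    if total > default_scansize:
        flags.append("--max-scansize=%dM" % ceil_mb(total))
    if largest > default_filesize:
        flags.append("--max-filesize=%dM" % ceil_mb(largest))
    return total, largest, flags


def demo():
    """Measure the constructed mbox against the real defaults and against
    deliberately tiny limits (4 KB) to show the options being emitted."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.mbox")
        build_sample_mbox(path)
        with_defaults = scan_limits(path)
        with_tiny_limits = scan_limits(path, default_scansize=4096, default_filesize=4096)
    return with_defaults, with_tiny_limits


if __name__ == "__main__":
    for total, largest, flags in demo():
        print("mbox %d bytes, largest part %d bytes -> %s" % (total, largest, flags or "defaults suffice"))
```

Put the returned options in front of the path, e.g. `clamscan --max-scansize=... --max-filesize=... /path/to/mbox`. The largest decoded attachment, not the mbox size, is what --max-filesize has to cover, and --max-scansize should stay at least as large as --max-filesize since it is the overall cap.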


Re: [clamav-users] Help with clamscan 0.97.7 and mbox files

2013-04-10 Thread A K Varnell
On Apr 10, 2013, at 4:41 PM, Scott Ehrlich  wrote:

> You may be correct, though recalling my command-line options, including
> verbose mode, the mbox file is very large, yet the scan took just a few
> seconds.

Then you'll need to change:

--max-filesize=#n
  Extract and scan at most #n kilobytes from each archive. You may
  pass the value in megabytes in format xM or xm,  where  x  is  a
  number.  This  option  protects  your system against DoS attacks
  (default: 25 MB, max: <4 GB)

-Al-

> ...
> Scott
> 
> 
> On Wed, Apr 10, 2013 at 5:41 PM, Steven Morgan wrote:
> 
>> Scott,
>> 
>> Looking at the code, I think the option is 'scan-mail'. It defaults as yes,
>> so you shouldn't need to do anything special, just clamscan /path/to/mbox/.
>> 
>> Let us know if that is not working.
>> 
>> Steve
>> 
>> On Wed, Apr 10, 2013 at 4:46 PM, Scott Ehrlich >> wrote:
>> 
>>> I just compiled clamav 0.97.7 on SANS SIFT Linux.
>>> 
>>> Reviewing the README file and google, it appears that clamscan should be
>>> able to review/scan mbox files, but any attempt at using --mbox, such as
>>> clamscan --mbox or clamscan -d /tmp/virdir --mbox /path/to/mboxfile,
>>> reports an error with the --mbox switch.
>>> 
>>> I reviewed the configuration file, and there was nothing for mbox
>> support.
>>> 
>>> Am I missing something?
>>> 
>>> Thanks.
>>> 
>>> Scott



[clamav-users] Mirror Issues

2013-04-10 Thread A K Varnell
In the past I've addressed most of my ClamAV® Database mirror issues directly 
with Luca. 

Is there someone else I should be working with or post to the list?

And speaking of Luca, he's still listed as administrator at the bottom of all 
the ClamAV Mailing Lists .


-Al-
-- 
Al Varnell
Mountain View, CA





Re: [clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?

2013-04-08 Thread A K Varnell
I'm sure it would help the team if you could provide the file name and MD5 hash 
of what you submitted.


-Al-
-- 
Al Varnell
Mountain View, CA

On Apr 8, 2013, at 1:45 AM, Zvi Kave  wrote:

> 
> Hi,
> 
> I cannot understand why the dangerous virus called W32/Autorun.worm.aaeh by 
> McAfee
> can not be detected by ClamAV.
> http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456
> 
> I tried to scan it also from free Immunet 3.0 but without detection.
> I submitted this virus to ClamAV a month ago!
> Am I doing something wrong?
> 
> Regards,
> 
> Zvi