Re: [clamav-users] What is OpenSSL used for in ClamAV?

2019-08-08 Thread Andreas Schulze via clamav-users
On 07.08.19 at 19:52, Micah Snyder (micasnyd) via clamav-users wrote:
> If anyone is interested in reviewing/auditing correct usage of OpenSSL in 
> ClamAV we always appreciate the help!

I'm compiling clamav and use openssl-1.1.1x since last year or so - no trouble.
But that's not a review/audit. I simply say: works ...

Andreas


-- 
A. Schulze
DATEV eG

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] OnAccessScan doesn't prevent Access

2018-11-08 Thread Andreas Schulze
On 08.11.18 at 10:25, vamp898 wrote:
> This is how the logs look when I do this
> 
> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: notifying only for access attempts.
> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Protecting 
> '/var/www/localhost/htdocs/nextcloud/data' and rest of mount.
> Thu Nov  8 10:13:51 2018 -> ScanOnAccess: Max file size limited to 52428800 
> bytes
> Thu Nov  8 10:15:09 2018 -> ScanOnAccess: 
> /var/www/localhost/htdocs/nextcloud-14.0.3/data/administrator/files/eicar.com:
>  Eicar-Test-Signature FOUND
> 
> Any help highly appreciated =)

looks like a bug: 
https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/clamd/onaccess_fan.c#L155

the second condition should not be negated for my feeling.

-- 
A. Schulze
DATEV eG


Re: [clamav-users] Client disconnected (FD 82)

2018-09-27 Thread Andreas Schulze
On 21.09.2018 at 13:21, Reindl Harald wrote:
> 
> 
> On 21.09.18 at 07:07, ZEMEN Dragana wrote:
>> I'd like to know what does this clamav's log message mean: "Client 
>> disconnected (FD 82)". I suppose the client broke the connection, but what 
>> is the meaning of "FD 82"?
> 
> https://en.wikipedia.org/wiki/File_descriptor

Hello,

A log entry like "Client disconnected (FD 82)" is without information for an 
admin.
ClamAV should change the loglevel to debug or change the code to log more 
operational information.

Did the client have an IP address + port + reverse DNS name? (or was the client 
connected via Unix socket?)
What was the client's last action before that error occurred?
*These* are answers that may help...

I know, implementing helpful logging is a challenge but every programmer should 
at least try it :-)

-- 
A. Schulze
DATEV eG


Re: [clamav-users] Syncing only CustomDatabaseURLs with freshclam

2018-09-10 Thread Andreas Schulze
On 07.09.2018 at 16:42, Sven Bartscher wrote:
> I would like to change this setup, so it only uses the third-party
> database and not the original ClamAV database, but I see no way to tell
> freshclam not to download the standard main.cvd and friends.

"freshclam --update-db=custom" updates only the signature files configured as 
DatabaseCustomURL



-- 
A. Schulze
DATEV eG


Re: [clamav-users] Freshclam 0.100.0 returning 1 on up-to-date

2018-04-10 Thread Andreas Schulze
On 10.04.2018 at 10:32, Pertti Karppinen wrote:
> Freshclam seems to be returning 1 on up-to-date situation, but man page
> says it should return 0:
> 0 : Database is up-to-date or successfully updated.
> 
I think I had a similar (same?) problem some time ago and fixed it with 
this patch:

Description: freshclam should return 0 if only custom databases
 are updated and all are up to date
Author: A. Schulze
URL: https://bugzilla.clamav.net/show_bug.cgi?id=11812
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: clamav-0.100.0~beta/freshclam/manager.c
===
--- clamav-0.100.0~beta.orig/freshclam/manager.c
+++ clamav-0.100.0~beta/freshclam/manager.c
@@ -2612,6 +2612,7 @@ downloadmanager (const struct optstruct
  updatecustomdb (opt->strarg, , opts, localip,
  logerr)) == 0)
 updated = 1;
+if (custret == 1) { /* not updated but up to date */ custret = 0; }
 opt = opt->nextarg;
 }
 }
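
Review bot: the added `if (custret == 1)` line compares against a bare literal, and the only explanation is the inline comment. Another message in this archive quotes `#define FC_UPTODATE 1` from freshclamcodes.h; comparing against that name instead of `1` would make it clear which return code is being remapped to 0. Since the line sits inside the loop that advances `opt = opt->nextarg`, the remap happens once per custom database, and a short comment saying so (and why the "up to date" code must not reach the caller) would help the next reader.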


-- 
A. Schulze
DATEV eG


Re: [clamav-users] [ext] Re: Question regarding SIGUSR2 and clamd

2018-03-22 Thread Andreas Schulze
On 22.03.2018 at 13:40, Ralf Hildebrandt wrote:
> * Maarten Broekman :
>> You might be able to open the socket that clamd is listening on and attempt
>> to ping it. I forget if it replies with PONG while it's in the middle of
>> reloading. It's been a while since I tried to do that.
> 
> Thanks:
> 
> # echo PING | socat - /var/run/clamav/clamd.ctl 
> PONG
> # echo RELOAD | socat - /var/run/clamav/clamd.ctl 
> RELOADING
> # echo PING | socat - /var/run/clamav/clamd.ctl 
> 
> # echo PING | socat - /var/run/clamav/clamd.ctl 
> PONG
> 
> Yeah!

Just yesterday I opened a feature request to have "clamdscan --ping" :-)
(https://bugzilla.clamav.net/show_bug.cgi?id=12062)

-- 
A. Schulze
DATEV eG
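
The PING / RELOAD exchange quoted in this message, written as a readiness poll (an added example, not code from the thread or from the ClamAV project). `fake_clamd` is a constructed stand-in whose silence after RELOAD imitates the empty reply in the quoted session; all function names are invented here.

```python
import os
import socket
import tempfile
import threading
import time


def clamd_command(sock_path, command, timeout=2.0):
    """Send one command as `echo CMD | socat - SOCKET` does and return the reply text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command.encode("ascii") + b"\n")
        s.shutdown(socket.SHUT_WR)  # half-close, as socat does when stdin reaches EOF
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply.decode("ascii", "replace").strip()


def wait_until_ready(sock_path, attempts=20, delay=0.5):
    """Poll PING until the answer is PONG.

    Returns the number of PINGs that were needed, or 0 if clamd never answered.
    """
    for n in range(1, attempts + 1):
        try:
            if clamd_command(sock_path, "PING") == "PONG":
                return n
        except OSError:
            # Socket missing, connection refused or timeout: treat as "not ready".
            pass
        time.sleep(delay)
    return 0


def fake_clamd(sock_path, silent_pings, listening):
    """Constructed stand-in for clamd (assumption, for the demo only).

    After RELOAD it leaves the next `silent_pings` PINGs unanswered, like the
    empty reply in the quoted session. STOP is a demo-only command.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    listening.set()
    silent = 0
    while True:
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(64)
                if not chunk:
                    break
                buf += chunk
            cmd = buf.strip()
            if cmd == b"STOP":
                break
            if cmd == b"RELOAD":
                silent = silent_pings
                conn.sendall(b"RELOADING\n")
            elif cmd == b"PING" and silent > 0:
                silent -= 1          # busy reloading: close without answering
            elif cmd == b"PING":
                conn.sendall(b"PONG\n")
    srv.close()


def demo():
    """PING, RELOAD, then poll until PONG comes back, against the fake daemon."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "clamd.ctl")
        listening = threading.Event()
        worker = threading.Thread(target=fake_clamd, args=(path, 2, listening), daemon=True)
        worker.start()
        listening.wait(5)
        before = clamd_command(path, "PING")
        reload_reply = clamd_command(path, "RELOAD")
        pings_needed = wait_until_ready(path, attempts=5, delay=0.01)
        clamd_command(path, "STOP")
        worker.join(2)
    return before, reload_reply, pings_needed


if __name__ == "__main__":
    print(demo())
```

Against a real daemon, call `wait_until_ready("/var/run/clamav/clamd.ctl")` after sending RELOAD and treat a return value of 0 as a monitoring alert.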


Re: [clamav-users] 0.99.3 upgrade

2018-02-01 Thread Andreas Schulze
On 01.02.2018 at 14:35, Eric Broch wrote:
> Hello list,
> 
> I have user who has upgraded clamav to the most recent version (0.99.3) but 
> is still getting the warning when doing 'freshclam' as below:
> 
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99.1 Recommended version: 0.99.3
> 
> There are no other version of clamav on the computer that I know of. Is there 
> a configuration setting somewhere that was missed perhaps?
> Help appreciated!
> 
the used freshclam binary has version 0.99.1

-> there *are* other versions of clamav on the computer that you *do not* know 
of :-)

-- 
A. Schulze
DATEV eG


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Andreas Schulze

On 26.01.2018 at 16:06, Tobi wrote:

> As far as I understand the release notes of 99.3 it's a security fix which has 
> nothing to do with former 99.3 beta.
> The former beta now is 0.100 
> (http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
> So at least for me it makes sense that you have to remove the beta first to 
> apply fixed 99.3 version
> I compared 0.99.2 and 0.99.3 and found most of the diffs be present in 
> 0.99.3beta2


now, as the links to bugzilla.clamav.net are public, we see, the issues 
were known to the developers since October/November 2017!
They published these changes silently as part of "beta2". They discussed 
CVEs at this time!

This is *not* amazing.

Andreas




Re: [clamav-users] Announcement without access to linked information

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 14:22, Andreas Schulze wrote:
> On 26.01.2018 at 14:09, Tobi wrote:
>> Do you mean this one ? 
>> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
> 
> @Cisco: is it so hard to use 
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce
> 

what is the intention of sending an announcement with links to bugzilla.clamav.net
that are not publicly accessible?

Looks like structured incident management is completely new stuff for cisco.


-- 
A. Schulze
DATEV eG


[clamav-users] Announcement missing

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 14:09, Tobi wrote:
> Do you mean this one ? 
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

@Cisco: is it so hard to use 
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce



-- 
A. Schulze
DATEV eG


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 13:50, Ralf Hildebrandt wrote:
> If I had to guess: they used the beta for testing, but the release
> versions (both 0.99.2 and 0.99.3!) fail to operate properly...
yes, it's the explanation that matches best to the observed fallout :-/

usually there is an "official" announcement about a new version with references to 
fixed CVEs
did only I miss that?


-- 
A. Schulze
DATEV eG


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 11:48, Ralf Hildebrandt wrote:
>> Arguably if a bug in the signatures can lead to such massive problems
>> then that is in itself a bug in the software, which might be (but
>> apparently so far isn't) fixed in a later version.
> 
> Amen to that.

the former 0.99.3beta2 doesn't crash with latest daily.cvd
I could use that version, but what's with the CVEs?
assume, they are still unfixed in the beta code...


-- 
A. Schulze
DATEV eG


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 10:01, Ralf Hildebrandt wrote:
> * Reindl Harald :
> 
>> sounds like an issue with the official signatures given that you are not the
>> first reporter and that we don't use them and have no problems
> 
> Thought so. Must be a recent signature in daily.cvd.

just updated to 0.99.3 ( which is a 0.99.2 + Security fixes ) but still clamav 
doesn't work as expected.

Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afwkdfLS/parts/p006: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afpEpkat/parts/p004: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afpEpkat/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afpEpkat/parts/p002: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p005: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p002: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p003: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afVaWWDm/parts/p007: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afVaWWDm/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afVaWWDm/parts/p002: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afruM9hl/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:11 2018 -> /opt/amavis/tmp/afruM9hl/parts/p004: Can't 
create temporary file ERROR
Fri Jan 26 11:23:11 2018 -> /opt/amavis/tmp/afruM9hl/parts/p005: Can't 
create temporary file ERROR

looks like we have to disable official sigs or clamav at all...

-- 
A. Schulze
DATEV eG


Re: [clamav-users] Detected duplicate databases

2018-01-22 Thread Andreas Schulze
On 22.01.2018 at 10:46, Hugo Deprez wrote:
> I reported a bug : https://bugzilla.clamav.net/show_bug.cgi?id=12009

@admins:
even as registered user I can't access 
https://bugzilla.clamav.net/show_bug.cgi?id=12009

any reasons against "bugs are readable for registered users (or public)" by 
default?



-- 
A. Schulze
DATEV eG


Re: [clamav-users] Using a file to list exclusions for on-demand search?

2018-01-05 Thread Andreas Schulze

On 04.01.2018 at 19:37, Paul B. wrote:

> Hi,
> I just installed ClamAv on a desktop Linux machine. I would like to
> set it up using aliases in the bashrc file, so I can do various kinds
> of file and directory scans from the command line. Rather than an
> unwieldy string of exclusions in the alias' command line, I would like
> to have a file that lists exclusions, which Clam would reference. I've
> seen mention of this ability, but not enough info to get me started. I
> do not have the daemon installed, just ClamAv, and FreshClam for
> updates.


Hello Paul,

you're not alone. see https://bugzilla.clamav.net/show_bug.cgi?id=12001
If others also think it's a useful feature, please document the use 
cases in that ticket.


Andreas


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 beta2 has been released!

2017-12-19 Thread Andreas Schulze
On 18.12.2017 at 18:06, Joel Esler (jesler) wrote:
>> ClamAV 0.99.3 beta2 has been released!

hello,

I upgraded some lab servers from beta1 to beta2.
Now I receive messages from cron containing the text "debug enabled"
That happens on reloads where yara rules are active.

I found the string in "libclamav/yara_lexer.c" and "libclamav/yara_lexer.l".

what's going on there?


-- 
A. Schulze
DATEV eG


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 beta2 has been released!

2017-12-19 Thread Andreas Schulze
On 18.12.2017 at 18:06, Joel Esler (jesler) wrote:
>> ClamAV 0.99.3 beta2 has been released!

hello,

I upgraded some lab servers from beta1 to beta2.
Now I receive messages from cron containing the text "degug enabled"
That happens on reloads where yara rules are active.

I found the string in "libclamav/yara_lexer.c" and "libclamav/yara_lexer.l".

what's going on there?


-- 
A. Schulze
DATEV eG


Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-27 Thread Andreas Schulze

On 25.08.2017 at 22:44, Joel Esler (jesler) wrote:

> We are working on ways to not only fix the ongoing mirror issues, but prevent them 
> in the future, as well as bring back the Mirror page on 
> ClamAV.net at some point soon.

Joel,

expect a mirror monitoring would make visible that many mirrors are no 
longer up to date.

I could imagine, some db.XY.clamav.net don't have current mirrors at all.

Andreas


Re: [clamav-users] ClamAV® blog: ClamAV will be publishing a new Main.cvd on Wednesday, June 7th, 2017

2017-06-07 Thread Andreas Schulze
On 17.05.2017 at 16:56, Joel Esler (jesler) wrote:
> We are currently planning on cutting a new Main.cvd on Wednesday, June 7th, 
> 2017.
> We will post an estimated size in an updated post.

Is the release canceled?

-- 
A. Schulze
DATEV eG


Re: [clamav-users] New Main.cvd coming

2017-05-17 Thread Andreas Schulze
On 17.05.2017 at 11:45, Mark Allan wrote:
> I spotted this yesterday on the ClamAV blog and was waiting for Joel (or 
> someone else) to mention it here, but that may or may not happen, so...
>   
> http://blog.clamav.net/2017/05/clamav-will-be-publishing-new-maincvd.html

Mark, thanks for the hint!

@Cisco: It would be helpful if new BLOG entries would also be announced on this 
mailing list.
maybe the blog admin could subscribe this list at "Subscribe to the ClamAV Blog 
by Email"

Andreas

-- 
A. Schulze
DATEV eG


Re: [clamav-users] freshclam exit codes

2017-04-05 Thread Andreas Schulze
On 05.04.2017 at 12:52, Benny Pedersen wrote:
> I get Access denied, can login OK, but can't see any problems at all, is there 
> a point with open source on closed bugzillas?

maybe you simply have to create an account?

-- 
A. Schulze
DATEV eG


Re: [clamav-users] freshclam exit codes

2017-04-04 Thread Andreas Schulze
On 16.02.2017 at 17:29, Steven Morgan wrote:

> It looks like return code 1 means the virus database is up to date (#define
> FC_UPTODATE 1 from freshclamcodes.h). Please advise if this is incorrect or
> inconsistent. The man page needs to be updated.

I wrote a one line patch to let freshclam behave like documented:
return 0 on updated or up to date custom databases.

https://bugzilla.clamav.net/show_bug.cgi?id=11812


-- 
A. Schulze
DATEV eG


[clamav-users] freshclam exit codes

2017-02-16 Thread Andreas Schulze
Hello,

consider this setup. the goal is to run a separate clamav instance using *only* 
our database files
to speedup clamav reload times.

# cat custom-freshclam.conf 
DatabaseCustomURL http://our.clamav.mirror/local_foo.ndb
DatabaseDirectory /path/to/custom_clamdir/
# required but not relevant here
DatabaseMirror our.clamav.mirror

# freshclam --config-file=/path/to/custom-freshclam.conf --update-db=custom
...

# echo $?
1

unfortunately the exit code is *always* 1 ("man freshclam" doesn't describe 1 
as exit code at all ...)
normally freshclam returns 0 if some files were updated or if all files are 
up to date.
Am I using freshclam wrongly or should I consider this as a bug ?
( version 0.99.2 )

-- 
A. Schulze
DATEV eG


[clamav-users] another outdated link on freshclams ExtraDatabase option

2016-11-23 Thread Andreas Schulze

man 5 freshclam.conf:

ExtraDatabase STRING
  Download  an additional 3rd party signature database distributed
  through the ClamAV mirrors. This option  can  be  used  multiple
  times.  Here  you  can  find  a  list  of  available  databases:
  http://www.clamav.net/download/cvd/3rdparty
  Default: disabled


$ curl -I http://www.clamav.net/download/cvd/3rdparty
HTTP/1.1 404 Not Found 


Btw:
could one explain the difference between ExtraDatabase and DatabaseCustomURL ?

-- 
A. Schulze
DATEV eG


Re: [clamav-users] clamav users break dkim signed mails

2016-05-30 Thread Andreas Schulze
Dennis Peterson:
> I'm not aware of a way to send a signed message to a list then have the list 
> resend it to all members while preserving the dkim signature.

Yes, but exactly this is the way to go:

add 3 lines in mm_cfg.py
  DEFAULT_SUBJECT_PREFIX  = ""
  DEFAULT_MSG_HEADER = ""
  DEFAULT_MSG_FOOTER = ""

It's simply a matter of doing it.
Doesn't hurt: see http://dovecot.org/list/dovecot/2014-June/096547.html

-- 
A. Schulze
DATEV eG


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-05-18 Thread Andreas Schulze
On 18.05.2016 at 06:27, Helmut Hullen wrote:
> LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 
> uses PCREs but support is disabled, skipping
> LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 
> uses PCREs but support is disabled, skipping
> LibClamAV Warning: cli_loadldb: logical signature for 
> Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping

your clamav was built without pcre support. You have to compile a new binary


-- 
A. Schulze
DATEV eG


Re: [clamav-users] freshclam --show-progress

2016-03-03 Thread Andreas Schulze
On 03.03.2016 at 11:53, Mark Allan wrote:
> There was a change in 0.99 which meant if the freshclam tool was called from 
> something other than a terminal (tty),
> the progress percentage wouldn't be shown. The intended usage with the new 
> --show-progress flag is to force the progress percentage to be shown even if 
> freshclam is not called from a tty - e.g. being called from third party 
> software.

Mark,
thanks for clarification.


-- 
A. Schulze
DATEV eG


[clamav-users] freshclam --show-progress

2016-03-03 Thread Andreas Schulze
Hello,

the parameter seems to be new in freshclam Version 0.99.1
but download progress percentage is shown here in earlier versions too.

what's the intended usage?

-- 
A. Schulze
DATEV eG


Re: [clamav-users] clamav-milter reject and quarantine?

2016-02-21 Thread Andreas Schulze
On 18.02.2016 at 14:14, Michael Grant wrote:
> Using clamav-milter, is there anyway to reject virus infected messages AND
> put them into a quarantine directory?
> 
> The reason I want to do this is that I want to reject virus messages while
> the smtp connection is still alive, but after the fact, if there was a
> false positive, I'd like to be able to send the message on through anyway
> after the fact.

+1 for this feature request (if not already implemented)

Andreas


Re: [clamav-users] clamav ignoring HTTPProxyServer/HTTPProxyPort in freshclam.conf?

2016-02-17 Thread Andreas Schulze
On 17.02.2016 at 19:34, Kevin Kretz wrote:
> I posted earlier this month, but maybe my subject wasn't informative enough.
> 
> We use ClamAV as part of Zimbra.  In freshclam.conf I have HTTPProxyServer 
> and HTTPProxyPort set.  But I still see DNS lookups to hostnames like
> 
> daily.21375.77.1.0.AC122E0A.ping.clamav.net
> daily.21375.77.1.0.AC122E0A.ping.clamav.net
> daily.21375.77.1.0.AC122E0A.ping.clamav.net
> daily.21375.77.1.0.AC122E0A.ping.clamav.net
> daily.21375.77.1.0.AC122E0A.ping.clamav.net

freshclam general mode of operation:

1. try to determine the current published CVD version *via DNS* (dig 
current.cvd.clamav.net. txt +short)
2. fetch a new CVD version from a mirror *via HTTP* ( and respect local proxy 
settings )

-- 
A. Schulze
DATEV eG


Re: [clamav-users] clamscan: exludes and includes

2015-11-30 Thread Andreas Schulze
On 27.11.2015 at 14:15, Matus UHLAR - fantomas wrote:
> run clam(d)scan on the "included" again

well... simple idea!
thanks!


-- 
A. Schulze
DATEV eG


[clamav-users] clamscan: exludes and includes

2015-11-27 Thread Andreas Schulze
Hello,

I like to scan directories recursively. Of course I have to exclude some subdirs.
But somewhere deeper one special dir should be included again...

$ find /foo -type d
/foo
/foo/bar
/foo/bar/buzz
/foo/bar/mumble
/foo/bar/random
/foo/bar/special
/foo/other_dir

Everything under /foo should be scanned. But everything under /foo/bar should 
/not/ be scanned.
Except one special /foo/bar/special which should be scanned again.

I tried
  clamscan --include=/foo/bar/special --exclude=/foo/bar
and also
  clamscan --exclude=/foo/bar --include=/foo/bar/special

But it looks like paths once excluded could not be included again.
Any suggestions?

Thanks
Andreas



-- 
A. Schulze
DATEV eG


Re: [clamav-users] DB update and clamav-milter delay

2015-09-29 Thread Andreas Schulze
On 29.09.2015 at 09:31, Marco wrote:
> With this installation, after every freshclam update session, clamd is
> forced to read the DB:

I had a similar issue. I call freshclam once a minute and the db reload 
generates a significant load.
I fixed it with the attached patch.

-- 
Andreas Schulze
Internet Services | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-mail i...@datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg 
No. 70

Executive Board
Prof. Dieter Kempf (Chairman)
Dr. Robert Mayr (Deputy Chairman)
Eckhard Schwarzer (Deputy Chairman)
Dr. Peter Krug
Jörg Rabe von Pappenheim

Chairman of the Supervisory Board: Dirk Schmale

Description: freshclam should reload the db only on update
Author: A. Schulze
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: clamav-0.98.7/freshclam/manager.c
===
--- clamav-0.98.7.orig/freshclam/manager.c
+++ clamav-0.98.7/freshclam/manager.c
@@ -2861,7 +2861,7 @@ downloadmanager (const struct optstruct
 
 cli_rmdirs (updtmpdir);
 
-if (checkdbdir () < 0)
+if (updated && checkdbdir () < 0)
 {
 if (newver)
 free (newver);
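
Review bot: in `if (updated && checkdbdir () < 0)` the short-circuit means checkdbdir() is not called at all when `updated` is 0, so whatever it verifies about the database directory is skipped on every run that downloads nothing, together with the error branch that frees `newver`. The description says the goal is to reload the db only on update, but the call being guarded is a check by name; a comment explaining why skipping it is safe, or guarding only the reload step if that is separate from the check, would make the intent reviewable.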

Re: [clamav-users] DB update and clamav-milter delay

2015-09-29 Thread Andreas Schulze
On 29.09.2015 at 12:41, Joel Esler (jesler) wrote:
> Once a minute?  That’s fairly excessive.
> Once an hour is appropriate…  Overdoing it, but more appropriate.  Keep in 
> mind that the mirrors are donated to ClamAV and the bandwidth you are 
> consuming is probably fairly heavy.
I see it relaxed because I *do run* one of these mirrors
and I make sure to not bother other mirrors that way...

-- 
A. Schulze DATEV eG

Re: [clamav-users] format of current.cvd.clamav.net

2015-03-05 Thread Andreas Schulze
On 24.02.2015 at 02:03, Al Varnell wrote:
> I’m not sure why you want to know, but I’ll tell you as best I can recall.  
> Some of the answers are in the archives, but I don’t have time to look them 
> up for you at the moment.
> 
> Field 2 is the main.cvd version number
> Field 3 is the daily.cvd version number
> Field 4 is the time of last update? (guess)
> Field 5 is a flag indicating that a warning should be issued if the engine is 
> out-of-date
> Field 6 is the engine functional level required to read the most advanced 
> database (currently daily  bytecode)
> Field 7 ?
> Field 8 is the bytecode.cvd version number


Field 7 looks like the safebrowsing.cvd version number ...

-- 
Andreas Schulze

[clamav-users] format of current.cvd.clamav.net

2015-02-24 Thread Andreas Schulze
Hello,

could somebody explain the meaning of the fields in the mentioned TXT record ?

$ dig current.cvd.clamav.net txt +short
0.98.6:55:20101:1424766540:1:63:43056:246

Field1: 0.98.6 - current software version
Field2: 55 - ?
Field3: 20101  - current pattern number
Field4: 1424766540 - timestamp for what ?
...

Thanks
Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


[clamav-users] clamav-milter logrotation

2014-11-17 Thread Andreas Schulze
Hello,

I run clamd. Logs are written without syslog and rotated using logrotate:
 - move old logfile away
 - touch new logfile
 - send clamd a SIGHUP

that works without service interruption.

Now I installed clamav-milter and did not find SIGHUP working the same way.
looks like I have to *restart* clamav-milter on logrotation.

Did I miss something?
Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] clamav-milter logrotation

2014-11-17 Thread Andreas Schulze
On 17.11.2014 16:03, Benny Pedersen wrote:
> Use logrotate in clamav-milter, not external logrotate, then you don't need to 
> restart

Benny,

the suggestion sounds good but could you be more precise?
I only found these options in clamav-milter.conf:

LogFile
 - enable
LogFileMaxSize (The logger will be automatically disabled if the file is 
greater)
 - disabled
LogSyslog
 - disabled

But nothing for rotation.

Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] ClamAV®: The new ClamAV.net is here!

2014-09-05 Thread Andreas Schulze
On 05.09.2014 09:22, Joel Esler wrote:
> I just tested the whole site with elinks and it worked fine.  Which parts are 
> you referring to?

OK, my fault too. The site *is* usable without javascript.
Exception I'm currently aware of: http://www.clamav.net/download.html#otherversions

Anyway: good job!

Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] ClamAV®: The new ClamAV.net is here!

2014-09-03 Thread Andreas Schulze
On 26.08.2014 20:56, Joel Esler (jesler) wrote:
>   *   Simple Navigation
>
Thanks for the next site only usable with mainstream browsers and
JavaScript enabled :-/

>   *   Elimination of dead links and pages
>
I was told the old website contained the current pattern version
somewhere. That function is also gone away.
It's handy to point a user to the official Website to prove that he's
running an outdated virus scanner.

Andreas



Re: [clamav-users] libclamunrar_iface.so

2014-06-03 Thread Andreas Schulze
On 30.05.2014 23:15, Shawn Webb wrote:
> This will be resolved in the upcoming 0.98.4 release.
is a release date known?

Andreas

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml


[clamav-users] build a CVD file using sigtool

2014-06-02 Thread Andreas Schulze
Hello,

we are creating signatures mostly using procedures described in 
~clamav-src/docs/signatures.pdf
The resulting files *.hdb, *ign2, *db are copied to a clamav datadir and used 
by clamav.
That's fine.

As far as I understand I could combine these files to a custom CVD.
For that reason I tried this procedure:

$ install -d /tmp/testing && cd /tmp/testing
$ echo testing > COPYING

$ sigtool --md5 /etc/issue > issue.hdb

$ cat issue.hdb
174fd67875b42f41746ea8ae50f9b4b7:28:issue

$ install -d out

$ SIGNDUSER=me sigtool --unsigned --datadir=. --build out/db.cud --max-bad-sigs 0 --cvd-version 1
WARNING: build: Signatures in out/db db files: 0, loaded by libclamav: 1
LibClamAV Error: cl_cvdhead: Can't open file ./out/db.cud
Version number: Total sigs: 1
New sigs: 1
Created out/db.cud

$ sigtool --unsigned --info out/db.cud
File: out/db.cud
Build time: 02 Jun 2014 13:20 +0200
Version: 1
Signatures: 1
Functionality level: 77
Builder: me
Verification: Unsigned container

... looks good, but I cannot use the file:

$ clamscan --database=out/ /etc/issue
LibClamAV Error: cli_tgzload: Slash separators are not allowed in CVD
LibClamAV Error: Can't load out/db.cud: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database out/db.cud
ERROR: Malformed database

--- SCAN SUMMARY ---
Known viruses: 0
Engine version: 0.98.4-rc1
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.002 sec (0 m 0 s)


what's wrong here?

Btw: could someone explain the difference between cvd, cld and cud ?

Thanks,
Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg 
Nr.70
Executive Board
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen


Re: [clamav-users] libclamunrar_iface.so

2014-05-31 Thread Andreas Schulze
On 30.05.2014 17:15, Shawn Webb wrote:
> This will be resolved in the upcoming 0.98.4 release.

thanks, that's fine.
I tried to include the link in the packages I create
and lintian told me my package would be broken really badly:

don't include developer files in non -devel package
and other errors clearly say including the missing link is wrong


-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] ClamAV®: ClamAV 0.98.4rc1 is now available!

2014-05-30 Thread Andreas Schulze
On 16.05.2014 16:08, Martin Preen wrote:
> The compilation with Solaris OpenSSL 0.9.7 stops with
> 
> crypto.c, line 834: undefined symbol: X509_VERIFY_PARAM
> crypto.c, line 834: undefined symbol: param
> crypto.c, line 834: syntax error before or at: =
> crypto.c, line 860: warning: implicit function declaration: 
> X509_VERIFY_PARAM_new

same here: SLES9, openssl 0.9.7d

crypto.c: In function `cl_validate_certificate_chain':
crypto.c:834: error: `X509_VERIFY_PARAM' undeclared (first use in this function)
crypto.c:834: error: (Each undeclared identifier is reported only once
crypto.c:834: error: for each function it appears in.)
crypto.c:834: error: `param' undeclared (first use in this function)

Is there a chance the codepath could be disabled?

Yes, I know the target is old, yes. But that's not the point here.
I would like to update too but it's simply no option.

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] ClamAV®: ClamAV 0.98.4rc1 is now available!

2014-05-30 Thread Andreas Schulze
On 30.05.2014 10:02, Charles Swiger wrote:
> > Is there a chance the codepath could be disabled?
> 
> Of course.  Source code is available; and anyone is welcome to create a patch.

Charles,

thanks for response. I'm not unfamiliar in creating patches but here I need a 
hint to a starting point. That's why I ask...

> A second point to note is that openssl-0.9.7d not only has a bunch of known 
> security issues, it's obsolete and will not be getting fixes.  It should be 
> easier to update your OpenSSL to something secure than it would be to create 
> a patch ClamAV to have it work with obsolete versions of OpenSSL.

normally the server in question don't use ssl at all. for that reason they still 
run.
But now clamav uses parts of openssl and I run into that problem.

Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


[clamav-users] libclamunrar_iface.so

2014-05-30 Thread Andreas Schulze
Hello,

after packaging 0.98.4-rc1 I noticed  a message after starting clamav:
LibClamAV Warning: Cannot dlopen: file not found – unrar support unavailable

solution:
ln -s /usr/lib/libclamunrar_iface.so.6 /usr/lib/libclamunrar_iface.so


I wonder why this link is now needed while 0.98.1 and many lower versions run 
fine without that link.

( I had only /usr/lib/libclamunrar_iface.so.6 and 
/usr/lib/libclamunrar_iface.so.6.1.* )

Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG

Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV

2014-03-12 Thread Andreas Schulze
On 03.03.2014 08:38, Paul Kosinski wrote:
> There are only a few of reasons I can imagine that SSL (OpenSSL)
> would be a *required* addition to ClamAV:

Hello,

I think that's the key question. *Which* problem should SSL solve.
Focus the problem, not one possible solution ...

Btw.
my clamav binary and libraries depend on libz and libbz2 and I never
worry about that...

Andreas


Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Andreas Schulze
On 11.11.2013 21:15, Benny Pedersen wrote:
> report them to sanesecurity maillist, not clamav maillist since its
> unofficial sigs :)

Benny,

that's not the point here.
In fact a feature does not work as expected. This must be discussed here.

Funny, I just have the same issue here!

We get messages with attachments created by our own software.
The attachments have the same name but different hashes and fingerprints.
But all are zip files and all are found as Worm.Bagle.H-zippwd-1 by clamav.

Reporting them as false positive is not an option because I can't send 1 
samples...
So we tried to whitelist the virusname for a fast solution.

$ freshclam --version
ClamAV 0.98/18100/Tue Nov 12 06:40:40 2013

$ clamscan /tmp/falsepositive
/tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND

--- SCAN SUMMARY ---
Known viruses: 2424441
Engine version: 0.98
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 2.72 MB
Data read: 1.56 MB (ratio 1.75:1)
Time: 7.733 sec (0 m 7 s)

We added a file local.ign2 containing one line: Worm.Bagle.H-zippwd-1
clamscan called again and - nothing changed. Still marked as virus...

I added a second line: Eicar-Test-Signature
$ cat ~clamav/local.ign2
Eicar-Test-Signature
Worm.Bagle.H-zippwd-1

Now the EICAR file is no longer marked as virus:
$ clamscan /tmp/EICAR.COM
/tmp/EICAR.COM: OK
...

But it looks like clamav does not load/use/recognize all entries:

$ clamscan --debug /tmp/falsepositive 2>&1 | grep -e 'local.ign2' -e 'Ignoring signature'
LibClamAV debug: /var/lib/clamav/local.ign2 loaded
LibClamAV debug: Ignoring signature Eicar-Test-Signature

Any hints/ideas?
Thanks

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg 
Nr.70
Executive Board
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen


Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Andreas Schulze
On 12.11.2013 10:06, Steve Basford wrote:
> 
> > We added a file local.ign2 containing one line: Worm.Bagle.H-zippwd-1
> > clamscan called again and - nothing changed. Still marked as virus...
> > Any hints/ideas?
> 
> Hi Andreas,
> 
> Make sure you don't have a space at the end of the sig name in the .ign2
> file:
> 
> Sanesecurity.Malware.22454.ZipHeur works
> Sanesecurity.Malware.22454.ZipHeur  fails
yes, we double-checked that and there is no space.

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
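
The two checks made by hand in this thread (looking for stray whitespace in the .ign2 file, and grepping the `--debug` output for `Ignoring signature`), as an added example that is not part of the original posts. It assumes one signature name per line, as in the `local.ign2` shown above; the function names are hypothetical, and the sample file and output are constructed from lines quoted in the thread.

```python
import re

# Constructed sample: the two entries from the thread plus one entry with the
# trailing space that the reply above warns about.
SAMPLE_IGN2 = (
    "Eicar-Test-Signature\n"
    "Worm.Bagle.H-zippwd-1\n"
    "Sanesecurity.Malware.22454.ZipHeur \n"
)

# Constructed from lines quoted in the thread (clamscan --debug ... 2>&1).
SAMPLE_OUTPUT = """\
LibClamAV debug: /var/lib/clamav/local.ign2 loaded
LibClamAV debug: Ignoring signature Eicar-Test-Signature
/tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND
"""

IGNORED_RE = re.compile(r"^LibClamAV debug: Ignoring signature (.+?)[ \t\r]*$", re.M)
FOUND_RE = re.compile(r"^.+: (\S+) FOUND[ \t\r]*$", re.M)


def ign2_lines(text):
    """Split on LF only, so that a stray CR stays visible to the linter."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return lines


def lint_ign2(text):
    """Return (line number, problem) pairs for entries that may not match."""
    problems = []
    for lineno, raw in enumerate(ign2_lines(text), start=1):
        body = raw[:-1] if raw.endswith("\r") else raw
        if raw.endswith("\r"):
            problems.append((lineno, "CRLF line ending"))
        if not body.strip():
            problems.append((lineno, "blank line"))
        elif body != body.strip():
            problems.append((lineno, "leading or trailing whitespace"))
    return problems


def audit(ign2_text, scan_output):
    """Classify every listed name by what the scan output says about it."""
    ignored = set(IGNORED_RE.findall(scan_output))
    found = set(FOUND_RE.findall(scan_output))
    result = {}
    for raw in ign2_lines(ign2_text):
        name = raw.strip()
        if not name:
            continue
        if name in ignored:
            result[name] = "ignored"
        elif name in found:
            result[name] = "listed but still FOUND"
        else:
            result[name] = "not matched in this scan"
    return result


if __name__ == "__main__":
    for lineno, problem in lint_ign2(SAMPLE_IGN2):
        print(f"local.ign2:{lineno}: {problem}")
    for name, status in audit(SAMPLE_IGN2, SAMPLE_OUTPUT).items():
        print(f"{name}: {status}")
```

An entry reported as "listed but still FOUND" reproduces the observation in the thread; the script shows that the entry was not applied, not why.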


[clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread Andreas Schulze
On 12.11.2013 12:39, Andreas Schulze wrote:
> > > We added a file local.ign2 containing one line: Worm.Bagle.H-zippwd-1
> > > clamscan called again and - nothing changed. Still marked as virus...
> > > Any hints/ideas?
I found a fantastic fact!

For testing I have the message as flat file in /tmp.

The messages marked as virus here contain an Authentication-Results header.
If I remove these AR headers or simply change dkim=pass to dkim=none
Or simply change characters to uppercase
in the message file it is no longer classified as Bagle virus!

$ md5sum falsepositive falsepositive.ok
17bb34d840e1266b09954021a4175e51  falsepositive
997a68e9ed616c61e56d3b5154159441  falsepositive.ok

$ ls -la falsepositive falsepositive.ok
-rw-r--r-- 1 sca sca 13167933 12. Nov 12:50 falsepositive
-rw-r--r-- 1 sca sca 13167933 12. Nov 12:52 falsepositive.ok

$ clamscan falsepositive falsepositive.ok
falsepositive: Worm.Bagle.H-zippwd-1 FOUND
falsepositive.ok: OK

--- SCAN SUMMARY ---
Known viruses: 2903796
Engine version: 0.98
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 34.58 MB
Data read: 25.11 MB (ratio 1.38:1)
Time: 11.345 sec (0 m 11 s)

and now: what's different?
$ diff falsepositive falsepositive.ok
27c27
<   dkim=pass (1024-bit key; unprotected)
---
>   dkim=pasS (1024-bit key; unprotected)

May it be the signature for Worm.Bagle test also for a valid dkim signed 
message?
Bagle was active in 2004 and dkim signed messages were not as common as today.

Anyway: a working whitelisting option would still be nice :-)

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread Andreas Schulze
On 12.11.2013 12:59, Andreas Schulze wrote:
> I found a fantastic fact!
+1

other samplemessage:
$ clamdscan falsepositive falsepositive.ok 
/tmp/falsepositive: Worm.Bagle.H-zippwd-1 FOUND
/tmp/falsepositive.ok: OK

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.061 sec (0 m 0 s)

$ diff falsepositive falsepositive.ok
49c49
< X-Spam-Note: SpamAssassin run bypassed due to message size
---
> X-Spam-Note: SpamAssassin run bypAssed due to message size

looks like a simple pass in lower case triggers the file as 
Worm.Bagle.H-zippwd-1

Anyway: a working whitelisting option would still be nice :-)

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


[clamav-users] virusnames .UNOFFICIAL

2013-11-05 Thread Andreas Schulze
Hello,

we use clamav with local created pattern.
Detected content is marked with virusname.UNOFFICIAL.
That confuses some people here.

I think about a local patch to clamav to change the string UNOFFICIAL.
Would it make sense to make the extension string configurable via clamd.conf?
Did someone already implement such a feature?

Thanks
Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


[clamav-users] SOLVED: freshclam checks database every time

2013-11-05 Thread Andreas Schulze
On 21.06.2013 13:28, Andreas Schulze wrote:
> On 10.04.2013 15:05, Andreas Schulze wrote:
> 
> > symptom: freshclam needs 3..4 seconds to finish also in the case where *no* 
> > updates are available.
> That's worse because freshclam still steals cputime here :-(

I finally found the relevant piece of code. Using the attached patch freshclam
checks the db only if there was really an update available.
Maybe it could be an option in freshclam.conf

Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
Index: clamav-0.98/freshclam/manager.c
===
--- clamav-0.98.orig/freshclam/manager.c	2013-09-25 08:19:10.0 +0200
+++ clamav-0.98/freshclam/manager.c	2013-09-25 08:19:13.0 +0200
@@ -3087,7 +3087,7 @@
 
 cli_rmdirs (updtmpdir);
 
-if (checkdbdir ()  0)
+if (updated  checkdbdir ()  0)
 {
 if (newver)
 free (newver);
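Review bot: The `updated` term added to the `if` that follows `cli_rmdirs (updtmpdir);` means the db check described in the message no longer runs on any invocation that downloaded nothing, so damage to the database files on disk between two updates would go unnoticed by freshclam. I would keep the unconditional check as the default and put the shortcut behind a freshclam.conf option, as the message itself proposes. The hunk does not show where `updated` is declared or set, and the operators in the removed and added lines did not survive in this archived copy, so the condition should be verified against the original attachment before applying.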

Re: [clamav-users] freshclam checks database every time

2013-06-21 Thread Andreas Schulze
On 10.04.2013 15:05, Andreas Schulze wrote:

> symptom: freshclam needs 3..4 seconds to finish also in the case where *no* 
> updates are available.
No comments on this topic anymore...
That's worse because freshclam still steals cputime here :-(

To dive into the problem I describe the problem again: keep an eye on the 
timestamps!

# echo 'DatabaseMirror clamav.datev.de' > /tmp/freshclam.conf
# (/usr/bin/freshclam --config-file=/tmp/freshclam.conf --verbose --debug --no-dns; echo $?) 2>&1 | tai64n | tai64nlocal

2013-04-10 14:49:25.241597500 Current working dir is /var/lib/clamav
 - starting freshclam
...
2013-04-10 14:49:25.253432500 bytecode.cvd is up to date (version: 214, sigs: 
41, f-level: 63, builder: neo)
 - after 12ms freshclam detects, that no updates are available

2013-04-10 14:49:25.253533500 LibClamAV debug: Initialized 0.97.7 engine
2013-04-10 14:49:25.253533500 LibClamAV debug: in cli_cvdload()
- now freshclam load the entire db
...
2013-04-10 14:49:28.147515500 LibClamAV debug: Phishcheck cleaned up
- and after ~3s freshclam finished

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4940 clamav    20   0 13212 3256 2588 R  100  0.0   0:01.35 freshclam
- 3 seconds of 100% cpu usage for nothing!

I agree if freshclam load a *new* db in case of a *new* pattern version
to verify the data are valid. But if no update was available, that's totally 
unnecessary!

Is there any clamav developer who could point me into the code or explain the 
logic?

Thanks!
Any feedback is welcome:-)

> I looked in the source but did not find a relevant place to disable that 
> behaviour.
> A patch or a pointer into the source would be nice :-)
That's still my intention ...

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] freshclam checks database every time

2013-04-24 Thread Andreas Schulze
On 12.04.2013 20:27, Matus UHLAR - fantomas wrote:
> On 12.04.13 19:58, Andreas Schulze wrote:
>> But back to my main problem. clamscan wastes 3 seconds time
>> loading the complete engine every time it is called.
> 
> loading virus database to memory and parsing it is really CPU-intensive
> process. That's why we recommend running clamd daemon and using clamdscan.

Sorry, my fault: s/clamscan/freshclam/
for clamscan you are right.
But I mean the updater...

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] freshclam checks database every time

2013-04-24 Thread Andreas Schulze
On 12.04.2013 11:19, Chuck Swiger wrote:
> The data available to me suggests that ClamAV has seen ~736 database updates 
> since the beginning of the year, for an average update frequency of ~3.5 
> hours between updates.
that's fine. I could update not once a minute but every three hours.
But in the worst case I use old pattern while new pattern are available since 3 
hours.
That's what I like to avoid. For that reason I update so often.

> Frankly, trying to update more often than once an hour is just a waste of 
> resources.
Do you have better ideas to minimize the time between
 - new pattern is available on $my_local_update_mirror
 - new pattern is used on $my_local_clamd
??

Thanks
Andreas

-- 
Andreas Schulze
Internetdienste | P252

DATEV eG


Re: [clamav-users] freshclam checks database every time

2013-04-12 Thread Andreas Schulze

On 11.04.2013 15:50, Greg Folkert wrote:

> Is that checking your *OWN* mirror? If not, you are being throttled.

sure, I ask my own server of course.

But back to my main problem. clamscan wastes 3 seconds time loading the 
complete engine every time it is called.

Notice the timestamps!

# echo 'DatabaseMirror clamav.datev.de' > /tmp/freshclam.conf
# (/usr/bin/freshclam --config-file=/tmp/freshclam.conf --verbose --debug --no-dns; echo $?) 2>&1 | tai64n | tai64nlocal
2013-04-10 14:49:25.241597500 Current working dir is /var/lib/clamav
2013-04-10 14:49:25.241655500 Max retries == 3
2013-04-10 14:49:25.241840500 ClamAV update process started at Wed Apr 10 
14:49:25 2013
2013-04-10 14:49:25.241841500 Using IPv6 aware code
2013-04-10 14:49:25.241935500 If-Modified-Since: Tue, 11 Oct 2011 14:34:20 GMT
2013-04-10 14:49:25.244810500 Connected to clamav.datev.de (IP: 193.27.49.165).
2013-04-10 14:49:25.244812500 Trying to retrieve CVD header 
of http://clamav.datev.de/main.cvd
2013-04-10 14:49:25.246660500 OK
2013-04-10 14:49:25.246665500 main.cvd is up to date (version: 54, sigs: 
1044387, f-level: 60, builder: sven)
2013-04-10 14:49:25.246758500 If-Modified-Since: Wed, 10 Apr 2013 02:36:19 GMT
2013-04-10 14:49:25.246759500 Reading CVD header (daily.cvd): Connected to 
clamav.datev.de (IP: 193.27.49.165).
2013-04-10 14:49:25.248873500 Trying to retrieve CVD header 
of http://clamav.datev.de/daily.cvd
2013-04-10 14:49:25.250376500 OK
2013-04-10 14:49:25.250380500 daily.cvd is up to date (version: 16985, sigs: 
1079403, f-level: 63, builder: guitar)
2013-04-10 14:49:25.250449500 If-Modified-Since: Wed, 13 Feb 2013 15:29:15 GMT
2013-04-10 14:49:25.250449500 Reading CVD header (bytecode.cvd): Connected to 
clamav.datev.de (IP: 193.27.49.165).
2013-04-10 14:49:25.252128500 Trying to retrieve CVD header 
of http://clamav.datev.de/bytecode.cvd
2013-04-10 14:49:25.253427500 OK
2013-04-10 14:49:25.253432500 bytecode.cvd is up to date (version: 214, sigs: 
41, f-level: 63, builder: neo)
2013-04-10 14:49:25.253533500 LibClamAV debug: Initialized 0.97.7 engine
2013-04-10 14:49:25.253533500 LibClamAV debug: in cli_cvdload()
2013-04-10 14:49:25.253744500 LibClamAV debug: MD5(.tar.gz) = 
ff0c9c4e86dee9e705840537bd13ee71
2013-04-10 14:49:25.254423500 LibClamAV debug: cli_versig: Decoded signature: 
ff0c9c4e86dee9e705840537bd13ee71
2013-04-10 14:49:25.254424500 LibClamAV debug: cli_versig: Digital signature is 
correct.
2013-04-10 14:49:25.254435500 LibClamAV debug: in cli_tgzload()
2013-04-10 14:49:25.259901500 LibClamAV debug: bytecode.info loaded
2013-04-10 14:49:25.259913500 LibClamAV debug: in cli_tgzload()
2013-04-10 14:49:25.264665500 LibClamAV debug: Cleaning up phishcheck
2013-04-10 14:49:25.264666500 LibClamAV debug: Phishcheck cleaned up
2013-04-10 14:49:25.264699500 LibClamAV debug: Initialized 0.97.7 engine
2013-04-10 14:49:25.264699500 LibClamAV debug: in cli_cvdload()
2013-04-10 14:49:25.339354500 LibClamAV debug: MD5(.tar.gz) = 
ef015484e18b983ddf08425e2dad6a3f
2013-04-10 14:49:25.339964500 LibClamAV debug: cli_versig: Decoded signature: 
ef015484e18b983ddf08425e2dad6a3f
2013-04-10 14:49:25.339964500 LibClamAV debug: cli_versig: Digital signature is 
correct.
2013-04-10 14:49:25.339975500 LibClamAV debug: in cli_tgzload()
2013-04-10 14:49:25.345214500 LibClamAV debug: main.info loaded
2013-04-10 14:49:25.345219500 LibClamAV debug: in cli_tgzload()
2013-04-10 14:49:26.804849500 LibClamAV debug: Cleaning up phishcheck
2013-04-10 14:49:26.804850500 LibClamAV debug: Phishcheck cleaned up
2013-04-10 14:49:26.804873500 LibClamAV debug: Initialized 0.97.7 engine
2013-04-10 14:49:26.804874500 LibClamAV debug: in cli_cvdload()
2013-04-10 14:49:26.869060500 LibClamAV debug: MD5(.tar.gz) = 
da5da571c1a0369904550994d15dcc99
2013-04-10 14:49:26.869653500 LibClamAV debug: cli_versig: Decoded signature: 
da5da571c1a0369904550994d15dcc99
2013-04-10 14:49:26.869654500 LibClamAV debug: cli_versig: Digital signature is 
correct.
2013-04-10 14:49:26.869658500 LibClamAV debug: in cli_tgzload()
2013-04-10 14:49:26.875003500 LibClamAV debug: daily.info loaded
2013-04-10 14:49:26.875004500 LibClamAV debug: in cli_tgzload()
2013-04-10 14:49:28.147514500 LibClamAV debug: Cleaning up phishcheck
2013-04-10 14:49:28.147515500 LibClamAV debug: Phishcheck cleaned up
2013-04-10 14:49:28.147994500 0

Andreas
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] freshclam checks database every time

2013-04-11 Thread Andreas Schulze
On 10.04.2013 17:39, Al Varnell wrote:
> I thought the limit was four times an hour.  Is that only for mirror servers?
cat /etc/cron.d/clamav
* * * * * root freshclam

:-)


[clamav-users] freshclam checks database every time

2013-04-10 Thread Andreas Schulze
: 282 total,   2 running, 280 sleeping,   0 stopped,   0 zombie
Cpu0  :  1.0%us,  2.9%sy,  0.0%ni, 96.1%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu1  :  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu2  :  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu3  :  0.0%us,  0.0%sy,  0.0%ni, 98.0%id,  2.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu4  :  0.9%us,  0.9%sy,  0.0%ni, 98.1%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu5  :100.0%us,  0.0%sy,  0.0%ni,  0.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu6  :  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu7  :  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   8242704k total,  3989076k used,  4253628k free,   634104k buffers
Swap:  1951736k total,0k used,  1951736k free,  2644668k cached

  PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEMTIME+  COMMAND   
 4940 clamav20   0 13212 3256 2588 R  100  0.0   0:01.35 freshclam


As you see freshclam uses 13 MB memory and 100% cpu ...

I looked in the source but did not find a relevant place to disable that 
behaviour.
A patch or a pointer into the source would be nice :-)

Thanks
Andreas

-- 
Andreas Schulze
Internet Services | P252

DATEV eG
90329 Nürnberg | Phone +49 911 319-0 | Fax +49 911 319-3196
E-mail info @datev.de | Internet www.datev.de
Registered office: 90429 Nürnberg, Paumgartnerstr. 6-14 | Register court Nürnberg, GenReg 
Nr.70
Executive Board
Prof. Dieter Kempf (Chairman)
Dipl.-Kfm. Wolfgang Stegmann (Deputy Chairman)
Dipl.-Kfm. Michael Leistenschneider
Dipl.-Kfm. Dr. Robert Mayr
Jörg Rabe v. Pappenheim
Dipl.-Vw. Eckhard Schwarzer
Chairman of the Supervisory Board: Reinhard Verholen


[clamav-users] ClamAV 0.97.4 - 2 notices

2012-03-16 Thread Andreas Schulze
Hello,

1.
I just compiled the new version in my autobuild system for
multiple versions of SuSE Linux Enterprise Servers.

I noticed this RPMLINT report which I like to forward to you for information:

RPMLINT report:
===
clamav.i586: W: shared-lib-calls-exit /usr/lib/libclamav.so.6.1.13 
exit@GLIBC_2.0
This library package calls exit() or _exit(), probably in a non-fork()
context. Doing so from a library is strongly discouraged - when a library
function calls exit(), it prevents the calling program from handling the
error, reporting it to the user, closing files properly, and cleaning up any
state that the program has. It is preferred for the library to return an
actual error code and let the calling program decide how to handle the
situation.

Could it be possible that the _exit() is intentionally correct?
Then I would like to add an exception for my rpmlint...

2.
Avira, a German antivirus vendor, may(*) classify the source code tarball as 
malicious:

clamav-0.97.4/test/.split/split.clam-pespin.exeaa  PCK/PESpin ; packer ; 
File has been compressed with an unusual runtime compression tool (PCK/PESpin). 
Please verify the origin of the file

I informed Avira and got the response that their AV engine finds an unusual 
runtime compression tool commonly used by
malware :-(


Andreas




(*) depends how aggressive the scanner is configured

-- 
Andreas Schulze
Internetdienste | P252



[Clamav-users] handling encrypted pdf

2010-12-02 Thread Andreas Schulze
Hello,

I use ClamAV's option to mark encrypted archives as virus.
For policy reasons I like to handle password-protected pdf
in the same way as password-protected zip archives.

The intention is to categorize content which is known to be password-protected
and therefore is known to be unscannable for virus scanners.
In this context it shouldn't matter if it's a password-protected archive
or pdf.

That's why I wrote a little patch:

Index: dv-clamav-0.96.5/libclamav/pdf.c
===
--- dv-clamav-0.96.5.orig/libclamav/pdf.c   2010-12-02 13:21:02.0 
+0100
+++ dv-clamav-0.96.5/libclamav/pdf.c2010-12-02 13:47:56.0 +0100
@@ -1087,6 +1087,12 @@
 }
 size -= offset;

+if ((pdf.flags  (1  ENCRYPTED_PDF))  DETECT_ENCRYPTED) {
+cli_dbgmsg(cli_pdf: Encrypted PDF found.\n);
+*ctx-virname = Encrypted.Pdf;
+return CL_VIRUS;
+}
+
 pdf.size = size;
 pdf.map = fmap_need_off(map, offset, size);
 pdf.startoff = offset;
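Review bot: the added branch tests pdf.flags before the context lines below it assign pdf.size, pdf.map and pdf.startoff, so it can only fire if the ENCRYPTED_PDF bit was already set earlier in the function; if the flag is populated while the objects are parsed later, this branch is dead code. Please confirm the ordering or move the check to after the point where the flag is set. The virname assignment in the same branch is unconditional, so also confirm that ctx->virname cannot be NULL on this path.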
--- snap

This lets clamav mark any pdf containing an /Encrypt
with a virusname Encrypted.Pdf.

But this patch is not perfect. A PDF may be protected only against copy/paste 
or printing.
These documents are also marked as Encrypted.Pdf, which is false.

A detailed but outdated documentation about allowed operations I found in pdf.c 
itself.
http://www.cs.cmu.edu/~dst/Adobe/Gallery/anon21jul01-pdf-encryption.txt

Is any programmer able to implement a more correct Encryption detection?
Thanks.

-- 
Andreas Schulze
Internetdienste | P532


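One way to make the distinction the message above asks for, as an added example that is not part of the original post and not ClamAV code: a document that only restricts printing or copying still validates the empty user password, while a truly password-protected one does not. The function names, the already-parsed `/Encrypt` dictionary and the sample values are assumptions made for illustration, and only standard security handler revisions 2 and 3 (RC4) are covered.

```python
import hashlib
import struct

# 32-byte password padding string defined by the PDF specification.
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa0108"
                    "2e2e00b6d0683e802f0ca9fe6453697a")
SAMPLE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed file ID


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the cipher used by handler revisions 2 and 3."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def expected_u(password, o, p, doc_id, rev, key_bits=40):
    """Derive the file key from a user password and return the matching /U."""
    n = 5 if rev == 2 else key_bits // 8
    seed = (password + PAD)[:32] + o + struct.pack("<I", p & 0xFFFFFFFF) + doc_id
    digest = hashlib.md5(seed).digest()
    if rev == 3:
        for _ in range(50):
            digest = hashlib.md5(digest[:n]).digest()
    key = digest[:n]
    if rev == 2:
        return rc4(key, PAD)
    u = rc4(key, hashlib.md5(PAD + doc_id).digest())
    for i in range(1, 20):
        u = rc4(bytes(b ^ i for b in key), u)
    return u  # 16 bytes; writers append 16 arbitrary bytes


def opens_without_password(enc: dict, doc_id: bytes) -> bool:
    """True if the empty user password validates, i.e. restrictions only."""
    if enc.get("Filter") != "Standard" or enc.get("R") not in (2, 3):
        raise ValueError("only standard handler revisions 2 and 3 are covered")
    u = expected_u(b"", enc["O"], enc["P"], doc_id, enc["R"], enc.get("Length", 40))
    size = 32 if enc["R"] == 2 else 16
    return u[:size] == enc["U"][:size]


def constructed_dict(user_password: bytes, rev: int) -> dict:
    """Constructed sample /Encrypt dictionary; /O is arbitrary test data."""
    enc = {"Filter": "Standard", "R": rev, "Length": 40 if rev == 2 else 128,
           "O": bytes(range(32)), "P": -3904}  # -3904: print/copy/modify denied
    u = expected_u(user_password, enc["O"], enc["P"], SAMPLE_ID, rev, enc["Length"])
    enc["U"] = u.ljust(32, b"\x00")
    return enc


if __name__ == "__main__":
    for pw in (b"", b"secret"):
        enc = constructed_dict(pw, 3)
        print(repr(pw), "->", opens_without_password(enc, SAMPLE_ID))
```

A scanner policy built on this would report only the files for which `opens_without_password` is false, since the others can be decrypted and scanned.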

Re: [Clamav-users] 0.96rc2 failed to compile

2010-03-26 Thread Andreas Schulze
Hello Edwin,

I put all information you asked for at 
http://postmaster.datev.de/clamav-0.96rc2/
hope that helps ...

Andreas

-- 
Andreas Schulze
Internetdienste | P532


[Clamav-users] HTTPUserAgent must be disabled for SubmitDetectionStats

2010-03-26 Thread Andreas Schulze
Hello,

I notice that clamav 0.96 provides some kind of personalized detection 
statistics.
This data is transferred by freshclam.

In our network we are forced to set up a special http useragent to make 
freshclam work.
Unfortunately this will make it impossible to send detection statistics.

I suggest to transfer the hostid into an X-Subisstion-HostID header as part of 
the http-request and *not* as part of the useragent header.

-- 
Andreas Schulze
Internetdienste | P532


[Clamav-users] 0.96rc2 failed to compile

2010-03-25 Thread Andreas Schulze
Hello,

I have sles9, sles10 and debian lenny

# ./configure \
--prefix=/usr/ \
--libdir=/usr/lib \
--mandir=/usr/share/man \
--sysconfdir=/etc/clamav \
--disable-check \
--disable-zlib-vcheck \
--enable-ipv6 \
--disable-clamuko \
--disable-milter \
--enable-bigstack \
--enable-readdir_r \
--enable-clamdtop \
--with-dbdir=/var/lib/clamav

sles9 and debian compile fine.
make fails only on sles10:
...
make[2]: Entering directory `/usr/src/packages/BUILD/clamav-0.96rc2/clamscan'
  CC output.o
  CC getopt.o
  CC optparser.o
  CC actions.o
  CC misc.o
  CC clamscan.o
  CC others.o
  CC manager.o
  CCLD   clamscan
../libclamav/.libs/libclamav.so: undefined reference to 
`__sync_val_compare_and_swap_4'
../libclamav/.libs/libclamav.so: undefined reference to `__sync_add_and_fetch_4'
../libclamav/.libs/libclamav.so: undefined reference to `__sync_sub_and_fetch_4'
collect2: ld returned 1 exit status
make[2]: *** [clamscan] Fehler 1
make[2]: Leaving directory `/usr/src/packages/BUILD/clamav-0.96rc2/clamscan'
make[1]: *** [all-recursive] Fehler 1
make[1]: Leaving directory `/usr/src/packages/BUILD/clamav-0.96rc2'
make: *** [all] Fehler 2
error: Bad exit status from /var/tmp/rpm-tmp.28193 (%build)

This problem is new in 0.96rc2. rc1 does compile and run with these settings.

Any Hints !?


-- 
Andreas Schulze
Internetdienste | P532


[Clamav-users] clamav-0.96rc1 classified as Trojan horse TR/Crypt.XPACK.Gen

2010-03-17 Thread Andreas Schulze
Hello,

in the Clamav Source clamav-0.96rc1.tar.gz the Avira Scanner
( a German AntiVirus company / www.avira.com )
finds a Trojan horse TR/Crypt.XPACK.Gen

I informed avira about the false positive.

The point: the detection is done by some generics and is a 100% hit !
But in this special case a false positive.

# antivir --allfiles -s -z /tmp/clamav-0.96rc1.tar.gz 
AntiVir / Linux Version 2.1.12-260
Copyright (c) 2008 by Avira GmbH.
All rights reserved.

VDF version: 7.10.5.109 created 16 Mar 2010

AntiVir license: 08154711 for DATEV eG

auto excluding /sys/ from scans (is a special fs)
auto excluding /proc from scans (is a special fs)
auto excluding /var/lib/ntp/proc from scans (is a special fs)
archive: /tmp/clamav-0.96rc1.tar.gz -- clamav-0.96rc1.tar -- 
clamav-0.96rc1/test/.split/split.clam.cabaa -- clam.exe extract error (Error 
file read.)
archive: /tmp/clamav-0.96rc1.tar.gz -- clamav-0.96rc1.tar -- 
clamav-0.96rc1/test/.split/split.clam.chmaa -- /#SYSTEM extract error (Header 
of archive is bad.)
archive: /tmp/clamav-0.96rc1.tar.gz -- clamav-0.96rc1.tar -- 
clamav-0.96rc1/test/.split/split.clam.chmaa -- /clam.exe.txt extract error 
(Header of archive is malformed.)
archive: /tmp/clamav-0.96rc1.tar.gz -- clamav-0.96rc1.tar -- 
clamav-0.96rc1/test/.split/split.clam.exe.binhexaa -- clam.exe extract error 
(Unexpected end of file.)
archive: /tmp/clamav-0.96rc1.tar.gz -- clamav-0.96rc1.tar -- 
clamav-0.96rc1/test/.split/split.clam.exe.bz2aa -- unkwn.tar extract error 
(Unexpected end of file.)
archive: /tmp/clamav-0.96rc1.tar.gz -- clamav-0.96rc1.tar -- 
clamav-0.96rc1/test/.split/split.clam.newc.cpioaa -- clam.exe extract error 
(Error incomplete block read.)

/tmp/clamav-0.96rc1.tar.gz
 Date: 17.03.2010  Time: 08:39:38  Size: 37966412
 WARNING: archive not completely scanned: contents exceed 1073741824 bytes
 WARNING: archive not completely scanned: processing error
 ALERT: [TR/Crypt.XPACK.Gen] /tmp/clamav-0.96rc1.tar.gz -- clamav-0.96rc1.tar 
-- clamav-0.96rc1/test/.split/split.clam_IScab_ext.exeaa  Is the Trojan 
horse TR/Crypt.XPACK.Gen


-- scan results --
   directories:0
 scanned files: 4864
alerts:1
suspicious:0
  repaired:0
   deleted:0
   renamed:0
   quarantined:0
  warnings:2
 scan time: 00:00:17
--
Thank you for using AntiVir.



-- 
Andreas Schulze
Internetdienste | P532


[Clamav-users] patch to detect encrypted pdf

2009-09-29 Thread Andreas Schulze
Hello,

clamav has the option --block-encrypted / ArchiveBlockEncrypted

this enables clamav to classify password-protected zip and rar files as virus.

this simple patch to libclamav/pdf.c classifies password-protected pdf in the same 
way:

---  snip
158,159c158,165
   cli_dbgmsg(cli_pdf: Encrypted PDF files not yet supported\n);
   return CL_CLEAN;
---
   if(DETECT_ENCRYPTED) {
   cli_dbgmsg(cli_pdf: Encrypted PDF found.\n);
   *ctx-virname = Encrypted.Pdf;
   return CL_VIRUS;
   } else {
   cli_dbgmsg(cli_pdf: Encrypted PDF files not yet 
 supported\n);
   return CL_CLEAN;
   }
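Review bot: the change header 158,159c158,165 is a context-free normal diff, so it applies only to the exact revision of libclamav/pdf.c it was made from, and the message does not say which revision that is; please resend it as a unified diff (diff -u) against a named ClamAV version so it can be checked and applied. In the added DETECT_ENCRYPTED branch the virname assignment is unconditional, so also confirm that ctx->virname cannot be NULL on this path.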
--- snap

may there be a fault inside ?


-- 
Andreas Schulze
Internetdienste | P532


Re: [Clamav-users] NodalCore cards in use ?

2008-09-10 Thread Andreas Schulze
Hello,

really nobody has used a ClamAV-Accelerator ?
So the sourcecode contains code which nobody uses ?

what about http://sensorynetworks.com/Partners/Application/ 

who wrote this piece of source ?


Andreas


On Mon, Sep 08, 2008 at 01:23:07PM +0200, Andreas Schulze wrote:
> anybody on the list uses NodalCore cards to accelerate ClamAV ?
>
> I tried to get a sample card from sensorynetworks via a german distributor.
> But this failed because sensorynetworks expected too much support :-(
>

-- 
Andreas Schulze
Internet-/Security-Dienste

DATEV eG  | 90329 Nürnberg
Telefon +49(911)276-0 | Telefax +49(911)276-3196
E-Mail info @datev.de | www.datev.de
Paumgartnerstr. 6-14  | Nürnberg



[Clamav-users] NodalCore cards in use ?

2008-09-08 Thread Andreas Schulze
hello,

anybody on the list uses NodalCore cards to accelerate ClamAV ?

I tried to get a sample card from sensorynetworks via a German distributor.
But this failed because sensorynetworks expected too much support :-(

Any experiences ?

-- 
Andreas Schulze
Internet-/Security-Dienste

DATEV eG  | 90329 Nürnberg
Telefon +49(911)276-0 | Telefax +49(911)276-3196
E-Mail info @datev.de | www.datev.de
Paumgartnerstr. 6-14  | Nürnberg



[Clamav-users] ClamAV acceleration with NodalCore

2007-06-12 Thread Andreas Schulze

Hi,

does anyone use Sensorynetworks AcceleratorCards with ClamAV ?
(http://sensorynetworks.com/Products/Acceleration/)

I tried to buy _ONE_ Card as evaluation sample,
but the German reseller said, that SensoryNetworks does not sell
_only one_ Card. ( too much support expected )

Any experiences 

-- 
Andreas Schulze
DATEV eG | Internet-/Security-Dienste | +49(911)276-2648
