Re: [clamav-users] Hi, I have a question
> Due to my university project in my lab, I want to utilize the unpacking function of clamav. So, is there any way to only unpack binary files without any other analysis? Because performance of my project is very important, other unnecessary analysis steps degrade performance.

I've done this. Start by initializing:

    cl_init(CL_INIT_DEFAULT);

Create a new engine:

    engine = cl_engine_new();

Set the directory you want it to be parsed into, and tell it to keep the temp files:

    cl_engine_set_str(engine, CL_ENGINE_TMPDIR, tmpdir);
    cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1);

Create a dummy database of only one line and load it:

    cl_load(dummy_db_file, engine, sigs, CL_DB_STDOPT);

Compile the engine:

    cl_engine_compile(engine);

Finally scan the file you want to parse:

    cl_scanfile(filename, matchname, NULL, engine, CL_SCAN_STDOPT);

The file's components will be in the tmp dir you specified and you can check them at your leisure. When you're done, make sure to call cl_engine_free() to free the engine, and then you need to remove the files in the tmp dir. Check the ClamAV docs for the arguments in the routines called, and add your own error checking.
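The call sequence the reply lays out, written up as one complete C program. This is an added example, not the poster's code and not part of libclamav's own examples. It assumes the libclamav 0.9x/0.100 API the reply uses (cl_scanfile taking an unsigned int options argument and CL_SCAN_STDOPT; from 0.101 the options argument is a struct cl_scan_options instead). The libclamav calls are compiled only where <clamav.h> is present, checked with __has_include; the dummy-database writer and the temp-directory cleanup that the reply says you must do yourself are plain POSIX C. The one-line .ndb signature, the /tmp directory template and the file name in the build comment are constructed values.

```c
/* Added example (not from the thread or libclamav): the reply's unpack-only
 * workflow as one program, with error checking and cleanup.  Assumes the
 * libclamav 0.9x/0.100 API (cl_scanfile with unsigned int options, as the
 * reply shows); 0.101+ takes a struct cl_scan_options instead.
 * Build with:  cc unpack_only.c -lclamav   (file name is hypothetical) */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#if defined(__has_include)
#  if __has_include(<clamav.h>)
#    include <clamav.h>
#    define HAVE_CLAMAV_H 1
#  endif
#endif

/* The one-line dummy database.  .ndb line: Name:TargetType:Offset:HexSig
 * (target 0 = any file, '*' = any offset); the hex pattern is a constructed
 * value.  Returns 0 on success. */
int write_dummy_db(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fputs("Dummy.UnpackOnly:0:*:0123456789abcdef0123456789abcdef\n", f) < 0 ? -1 : 0;
    return fclose(f) == 0 ? rc : -1;
}

/* Delete dir and everything under it: CL_ENGINE_KEEPTMP leaves the extracted
 * pieces behind and the caller must remove them.  Symlinks are unlinked, not
 * followed.  Returns 0 on success, -1 if anything could not be removed. */
int remove_tree(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    int rc = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        if (!strcmp(ent->d_name, ".") || !strcmp(ent->d_name, "..")) continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path
            || lstat(path, &st) != 0) { rc = -1; continue; }
        if (S_ISDIR(st.st_mode) ? remove_tree(path) != 0 : unlink(path) != 0) rc = -1;
    }
    closedir(d);
    return rmdir(dir) == 0 ? rc : -1;
}

/* The reply's sequence: init, new engine, tmpdir + keeptmp, load dummy db,
 * compile, scan.  Extracted pieces are left under tmpdir.  Returns 0 when
 * the scan ran, -1 on a libclamav error, -2 if built without libclamav. */
int unpack_only(const char *target, const char *tmpdir, const char *dummy_db)
{
#ifdef HAVE_CLAMAV_H
    int ret = cl_init(CL_INIT_DEFAULT);
    if (ret != CL_SUCCESS) { fprintf(stderr, "cl_init: %s\n", cl_strerror(ret)); return -1; }
    struct cl_engine *engine = cl_engine_new();
    if (!engine) { fputs("cl_engine_new failed\n", stderr); return -1; }
    unsigned int sigs = 0;
    const char *virname = NULL;
    if ((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, tmpdir)) != CL_SUCCESS
        || (ret = cl_engine_set_num(engine, CL_ENGINE_KEEPTMP, 1)) != CL_SUCCESS
        || (ret = cl_load(dummy_db, engine, &sigs, CL_DB_STDOPT)) != CL_SUCCESS
        || (ret = cl_engine_compile(engine)) != CL_SUCCESS) {
        fprintf(stderr, "engine setup: %s\n", cl_strerror(ret));
        cl_engine_free(engine);
        return -1;
    }
    /* CL_CLEAN is the expected outcome with a dummy db; CL_VIRUS would mean
     * the dummy pattern itself matched.  Either way the pieces were extracted. */
    ret = cl_scanfile(target, &virname, NULL, engine, CL_SCAN_STDOPT);
    cl_engine_free(engine);
    if (ret != CL_CLEAN && ret != CL_VIRUS) { fprintf(stderr, "cl_scanfile: %s\n", cl_strerror(ret)); return -1; }
    return 0;
#else
    (void)target; (void)tmpdir; (void)dummy_db;
    fputs("built without <clamav.h>: unpack step unavailable\n", stderr);
    return -2;
#endif
}

int main(int argc, char **argv)
{
    char tmpdir[] = "/tmp/unpackXXXXXX";   /* constructed template */
    char db[4096];
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    if (!mkdtemp(tmpdir)) { perror("mkdtemp"); return 1; }
    snprintf(db, sizeof db, "%s/dummy.ndb", tmpdir);
    if (write_dummy_db(db) != 0 || unpack_only(argv[1], tmpdir, db) != 0) {
        remove_tree(tmpdir);                /* nothing useful was left behind */
        return 1;
    }
    printf("extracted pieces are under %s; inspect them, then remove_tree()\n", tmpdir);
    return 0;
}
```

On success the program deliberately leaves the directory in place so the extracted pieces can be examined; remove_tree() is what the reply's "remove the files in the tmp dir" step becomes, and it is the one piece a caller most often forgets, since the dummy database ends up in the same directory as the extracted components.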
Re: [Clamav-users] Excel file being expanded enormously
We have a customer who sent an email through us that was a short text body with an Excel spreadsheet attachment. The attachment is about 988K and the entire email is about 1.3M. For some reason, when ClamAV parses the Excel file, it winds up creating about 2300 files and taking up about 1.3 *gig* of space.

What is your MaxScanSize setting? If it is the default, or below 1.3G, then it is a bug. It should stop extracting as soon as it reaches that limit.

The MaxScanSize setting is the default, which I see is 100M. As a test, I ran it with --max-scansize=50M and it only took half the space, so I think it did stop when it hit the limit.

Running debug, it says it thinks it Matched signature for file type CAB-SFX at 35233. Why would it think an Excel file is a cab file?

Because it matched the CAB-SFX signature (MSCF):

    1:*:4d534346:CAB-SFX:CL_TYPE_ANY:CL_TYPE_CABSFX

However, if this is a false match and not a real CAB, it should detect that and extract nothing. Please open a bug and attach the file.

I'll do so as soon as we get permission from the customer.

Best regards,
--Edwin
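The explanation above says two things: the CAB-SFX file-type rule fires on the four bytes 4d534346 ("MSCF") at any offset, and a match that is not a real cabinet should then be recognised as such so that nothing is extracted. The following C program is an added worked example of that second step (it is not code from the thread or from libclamav): it finds every "MSCF" occurrence in a buffer and checks whether a plausible CFHEADER follows. The header layout is the Microsoft Cabinet format's; the plausibility rules (zero reserved fields, version 1.3, declared size within the available data, at least one folder and one file) are this example's own, not libclamav's, and the sample buffer with a stray "MSCF" inside ordinary text is constructed.

```c
/* Added example (not from the thread or libclamav): tell a stray "MSCF" match
 * apart from a real cabinet header.  CFHEADER layout per the Microsoft CAB
 * specification; the plausibility rules below are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFHEADER_SIZE 36u

struct cab_candidate {
    size_t   offset;      /* where "MSCF" was found */
    int      plausible;   /* 1 if a believable CFHEADER follows */
    uint32_t cb_cabinet;  /* declared cabinet size, 0 if not plausible */
};

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }

/* Return 1 if the bytes at p (avail bytes remaining) look like a CFHEADER. */
static int cfheader_plausible(const unsigned char *p, size_t avail, uint32_t *cb_out)
{
    if (avail < CFHEADER_SIZE) return 0;
    uint32_t reserved1 = rd32(p + 4),  cb_cabinet = rd32(p + 8);
    uint32_t reserved2 = rd32(p + 12), coff_files = rd32(p + 16);
    uint32_t reserved3 = rd32(p + 20);
    uint8_t  ver_minor = p[24], ver_major = p[25];
    uint16_t c_folders = rd16(p + 26), c_files = rd16(p + 28);
    if (reserved1 || reserved2 || reserved3) return 0;   /* must be zero */
    if (ver_major != 1 || ver_minor != 3) return 0;      /* only defined version */
    if (cb_cabinet < CFHEADER_SIZE || cb_cabinet > avail) return 0;
    if (coff_files < CFHEADER_SIZE || coff_files >= cb_cabinet) return 0;
    if (c_folders == 0 || c_files == 0) return 0;
    *cb_out = cb_cabinet;
    return 1;
}

/* Scan buf for "MSCF" at any offset (the rule's '*' offset), filling out[]
 * with up to max_out candidates.  Returns the number of candidates found. */
size_t find_cab_candidates(const unsigned char *buf, size_t len,
                           struct cab_candidate *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len && n < max_out; i++) {
        if (memcmp(buf + i, "MSCF", 4) != 0) continue;
        out[n].offset = i;
        out[n].cb_cabinet = 0;
        out[n].plausible = cfheader_plausible(buf + i, len - i, &out[n].cb_cabinet);
        n++;
    }
    return n;
}

/* Constructed sample: spreadsheet-like text containing a stray "MSCF" (the
 * kind of coincidence that fires the file-type rule), followed by a minimal
 * 60-byte cabinet with a well-formed header.  Returns the sample length. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    const char *text = "Sheet1 cell data; text that happens to contain MSCF in the middle; "
                       "more sheet data ... ";
    size_t n = strlen(text);
    unsigned char hdr[60] = {0};
    if (cap < n + sizeof hdr) return 0;
    memcpy(buf, text, n);
    memcpy(hdr, "MSCF", 4);
    wr32(hdr + 8, 60);               /* cbCabinet: whole cabinet is 60 bytes */
    wr32(hdr + 16, CFHEADER_SIZE);   /* coffFiles: first CFFILE right after header */
    hdr[24] = 3; hdr[25] = 1;        /* versionMinor, versionMajor */
    wr16(hdr + 26, 1); wr16(hdr + 28, 1);   /* cFolders, cFiles */
    memcpy(buf + n, hdr, sizeof hdr);
    return n + sizeof hdr;
}

int main(void)
{
    unsigned char buf[512];
    struct cab_candidate c[8];
    size_t len = build_sample(buf, sizeof buf);
    size_t n = find_cab_candidates(buf, len, c, 8);
    for (size_t i = 0; i < n; i++)
        printf("Matched CAB-SFX magic at %zu: %s\n", c[i].offset,
               c[i].plausible ? "plausible cabinet header" : "stray match, not a cabinet");
    return 0;
}
```

The stray match fails on the very first check, because the bytes where reserved1 should be zero are ordinary text; only the real header passes every rule. Any extractor that keys off a four-byte magic at an arbitrary offset needs a validation step of this kind before it starts allocating temp files, which is exactly the behaviour the reply says a false match should trigger.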
[Clamav-users] Excel file being expanded enormously
We have a customer who sent an email through us that was a short text body with an Excel spreadsheet attachment. The attachment is about 988K and the entire email is about 1.3M. For some reason, when ClamAV parses the Excel file, it winds up creating about 2300 files and taking up about 1.3 *gig* of space. Because there are multiple copies, it's running the tmp out of space, causing the message to fail.

Running debug, it says it thinks it Matched signature for file type CAB-SFX at 35233. Why would it think an Excel file is a cab file? I've opened it to check, and it really is just a spreadsheet of 12 pages. I've tried various options, but it doesn't seem to make any difference. It started happening in production on 0.95.3, but it does the same thing on 0.96.

I have about 800k lines of debug output I can try to cut down if that will help. We can also contact the customer to see if they'll let us submit the file if you'd like to check it. Any ideas on how to get this properly scanned would be appreciated.

-- 
Brian Bebeau
bbeb...@trustwave.com
[Clamav-users] Email.Trojan FPs
So TPTB at work here would like some insight into how text is extracted from a submission for a signature. Specifically, the Email.Trojan-xx signatures. Of the handful of viruses I submitted, two are causing false positives.

Email.Trojan-48 is the text of a legal disclaimer belonging to our customer who reported it to us as spam. It is not a part of the original virus email, which was attached and contained a Trojan.Downloader.Agent-1297 virus. Likewise, Email.Trojan-36 is a quote from a customer's .sig, not a part of the virus email. Email.Trojan-37 is the text of the viral email, along with Trojan.Autorun-287 to cover the executable part of the email.

Two questions then:

1) Is there an automated process for generating text signatures or does a human look at it (if you'd rather not reveal that, I can understand, I just need to tell them that)? It would seem fairly evident that a .sig or disclaimer that occurs before the viral email that's an attachment should not be treated as virus material.

2) Can you remove the Email.Trojan-36 and Email.Trojan-48 signatures?

Thanks. I'll strip out customer stuff from now on before submitting, just so there's no misunderstanding.

-- 
Brian Bebeau
Trustwave
http://www.trustwave.com
Re: [Clamav-users] Upgraded freshclam not updating
Jim Preston wrote:

Brian Bebeau wrote:

We have a test box that is a local update server (that our other boxes get the dbs from) that I just upgraded to 0.93. The upgrade works well on my personal workstation, but fails on this box. Any pointers on getting this updating will be appreciated. It was updating ok before the upgrade. Trying to retrieve the daily db via wget resolves the host but hangs before returning any data.

    Trying to download http://db.us.clamav.net/main.cvd (IP: 64.142.100.50)

Hi Brian,

What happens if you put http://db.us.clamav.net/main.cvd into the browser address bar? It should download the file. Are you running Freshclam? As daemon or from cron? If from cron, what time are you checking?

This box doesn't have a browser, it's a server. That's why I was trying to use wget. If I do that, I get:

    # wget http://db.us.clamav.net/main.cvd
    --16:52:08--  http://db.us.clamav.net/main.cvd
               => `main.cvd.2'
    Resolving db.us.clamav.net... 64.142.100.50, 64.246.44.108, 128.121.60.235, ...
    Connecting to db.us.clamav.net|64.142.100.50|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 13,050,207 (12M) [text/plain]

     0% [                                        ] 0             --.--K/s

and it hangs there, never downloading anything.

-- 
Brian Bebeau
Trustwave
http://www.trustwave.com
[Clamav-users] Upgraded freshclam not updating
We have a test box that is a local update server (that our other boxes get the dbs from) that I just upgraded to 0.93. The upgrade works well on my personal workstation, but fails on this box. Any pointers on getting this updating will be appreciated. It was updating ok before the upgrade. Trying to retrieve the daily db via wget resolves the host but hangs before returning any data.

Running freshclam -v, I get the following:

    # freshclam -v
    Current working dir is /var/lib/clamav
    Max retries == 3
    ClamAV update process started at Wed May 7 15:20:29 2008
    Querying current.cvd.clamav.net
    TTL: 300
    Software version from DNS: 0.93
    Retrieving http://db.us.clamav.net/main.cvd
    Trying to download http://db.us.clamav.net/main.cvd (IP: 64.246.44.108)
    WARNING: getfile: main.cvd not found on remote server (IP: 64.246.44.108)
    WARNING: Can't download main.cvd from db.us.clamav.net
    Trying again in 5 secs...
    ClamAV update process started at Wed May 7 15:20:35 2008
    Querying current.cvd.clamav.net
    TTL: 295
    Software version from DNS: 0.93
    Retrieving http://db.us.clamav.net/main.cvd
    Trying to download http://db.us.clamav.net/main.cvd (IP: 128.121.60.235)
    nonblock_recv: recv timing out (30 secs)
    WARNING: getfile: Error while reading database from db.us.clamav.net (IP: 128.121.60.235)
    WARNING: Can't download main.cvd from db.us.clamav.net
    Trying again in 5 secs...
    ClamAV update process started at Wed May 7 15:21:10 2008
    Querying current.cvd.clamav.net
    TTL: 260
    Software version from DNS: 0.93
    Retrieving http://db.us.clamav.net/main.cvd
    nonblock_connect: connect timing out (30 secs)
    Can't connect to port 80 of host db.us.clamav.net (IP: 209.170.150.7)
    Trying host db.us.clamav.net (64.142.100.50)...
    Trying to download http://db.us.clamav.net/main.cvd (IP: 64.142.100.50)
    nonblock_recv: recv timing out (30 secs)
    Downloading main.cvd [0%]
    LibClamAV Error: cli_cvdverify: Can't read CVD header
    ERROR: Verification: Broken or not a CVD file
    Giving up on db.us.clamav.net...
    Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.

I had blown away all files in /var/lib/clamav prior to running freshclam. It doesn't seem like a DNS problem, since I can do:

    # host db.us.clamav.net
    db.us.clamav.net is an alias for db.us.rr.clamav.net.
    db.us.rr.clamav.net has address 209.170.150.7
    db.us.rr.clamav.net has address 64.142.100.50
    db.us.rr.clamav.net has address 64.246.44.108
    db.us.rr.clamav.net has address 128.121.60.235
    db.us.rr.clamav.net has address 194.47.250.218

Running clamconf gives me:

    # clamconf
    /etc/freshclam.conf: freshclam directives
    --
    LogFileMaxSize = 1048576
    LogTime = no
    LogVerbose = no
    LogSyslog = no
    LogFacility = LOG_LOCAL6
    PidFile = /var/run/clamav/freshclam.pid
    DatabaseDirectory = /var/lib/clamav
    Foreground = no
    Debug = no
    AllowSupplementaryGroups = no
    DatabaseOwner = clamav
    Checks = 12
    UpdateLogFile not set
    DNSDatabaseInfo = current.cvd.clamav.net
    DatabaseMirror = db.us.clamav.net
    MaxAttempts = 3
    ScriptedUpdates = yes
    CompressLocalDatabase = no
    HTTPProxyServer not set
    HTTPProxyPort not set
    HTTPProxyUsername not set
    HTTPProxyPassword not set
    HTTPUserAgent not set
    NotifyClamd not set
    OnUpdateExecute not set
    OnErrorExecute not set
    OnOutdatedExecute not set
    LocalIPAddress not set
    ConnectTimeout = 30
    ReceiveTimeout = 30

    Engine and signature databases
    --
    Engine version: 0.93
    Database directory: /var/lib/clamav
    main db: Not found
    daily db: Not found

BTW, on my box that's working okay, clamconf returns the last line as saying daily db is also not found, when it really is there. Does clamconf need to be updated to recognize .cld files?

-- 
Brian Bebeau
Trustwave
http://www.trustwave.com
Re: [Clamav-users] libclamav segfaulting when scanning infected files
Ben Lull wrote:

Hello,

I recently wrote a program which uses libclamav. However, whenever I scan an infected file (archive, plain file, etc.) the call to cl_scanfile() segfaults. When I scan a clean file, there is no problem. I'm guessing this has something to do with how I'm init'ing the virus database, but that's just a guess. You can take a look at my code at http://blull.storagefreak.com/main.c The program segfaults on line 242. I'm pretty stuck here, I've spent the last 12 hours working on this and have exhausted the mailing archives, irc, and google.

Thanks,
Ben

Good guess. You've declared struct cl_node **root = NULL;, but it should be struct cl_node *root = NULL; instead. Also, I believe cl_buildtrie() is deprecated, you should use cl_build() now. See the API. The only other flag you need is CL_SCAN_BLOCKMAX, CL_SCAN_STDOPT already includes the rest.

-- 
Brian Bebeau
SecurePipe, Inc.
[EMAIL PROTECTED]
RE: [Clamav-users] How to use clamd?
This is an OpenBSD 3.4 system, and configured using:

    ./configure --disable-pthreads
    make
    make check
    make install

Notable errors: (on ./configure --disable-pthreads)

    checking for __gmpz_init in -lgmp... no
    checking for mpz_init in -lgmp... no
    configure: WARNING: ** GNU MP 2 or newer NOT FOUND - digital signature support will be disabled !

(However I know I installed version 3 with no errors before this compile. I obviously would like to get signatures working too ;-)

I just had this problem the other day on a new AMD64 box. Check the directory where libgmp is installed. I found it had the library and a libgmp.so.3 symlink to it, but I needed to make a libgmp.so symlink to it also. Everything compiled fine after that.

Brian Bebeau
Mycom Group, Inc.
[EMAIL PROTECTED]
RE: [Clamav-users] How to use clamd?
Suggestions?

I would do:

    $ ln -s /usr/local/lib/libgmp.so.6.3 /usr/local/lib/libgmp.so

Maybe even do:

    $ ln -s /usr/local/lib/libgmp.so.6.3 /usr/local/lib/libgmp.so.3

just to be sure. You could link to the one in /usr/lib instead. It looks like you didn't need to install it, it was already there, it just couldn't find the name it was looking for.

Gah! Still no luck :-(

Do you have /usr/local/lib in the /etc/ld.so.conf file? If not, add it, then run ldconfig, and try compiling again. If that still doesn't work, make sure you have gmp.h somewhere in your include path. I also had to add the gmp-devel RPM to get it. I don't know what the BSD equivalent would be.

Brian Bebeau
Mycom Group, Inc.
[EMAIL PROTECTED]