Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Joel Esler (jesler)
Thanks Steve.  

We’re keeping an eye on it.  Yesterday we pushed just over 200 TB of updates 
through Cloudflare.  It looks like a large amount of them were from people who 
haven’t been able to get updates in a long time.  I may write a blog post about 
it.  Kind of interesting. 

Sent from my iPhone

> On Jun 27, 2018, at 06:40, Steve Basford wrote:
> 
> 
>> On Wed, June 27, 2018 11:32 am, Joel Esler (jesler) wrote:
>> Just fixed it.
>> 
>> 
> Thanks Joel... all working now...
> 
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> Downloading daily-24686.cdiff [100%]
> Downloading daily-24687.cdiff [100%]
> Downloading daily-24688.cdiff [100%]
> Downloading daily-24689.cdiff [100%]
> Downloading daily-24690.cdiff [100%]
> Downloading daily-24691.cdiff [100%]
> Downloading daily-24692.cdiff [100%]
> Downloading daily-24693.cdiff [100%]
> Downloading daily-24694.cdiff [100%]
> Downloading daily-24695.cdiff [100%]
> Downloading daily-24696.cdiff [100%]
> Downloading daily-24697.cdiff [100%]
> Downloading daily-24698.cdiff [100%]
> Downloading daily-24699.cdiff [100%]
> Downloading daily-24700.cdiff [100%]
> daily.cld updated (version: 24700, sigs: 1995321, f-level: 63, builder: neo)
> Downloading bytecode-322.cdiff [100%]
> bytecode.cld updated (version: 322, sigs: 90, f-level: 63, builder: neo)
> Database updated (6561660 signatures) from db.gb.clamav.net (IP:
> 104.16.185.138)
> 
> -- 
> Cheers,
> 
> Steve
> Twitter: @sanesecurity
> 
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml


Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Joel Esler (jesler)
Just fixed it. 

Sent from my iPhone

> On Jun 27, 2018, at 04:54, Michael Da Cova  wrote:
> 
> same here getting errors with the gb sites
> 
> 
>> On 27/06/18 09:45, Steve Basford wrote:
>>> On Wed, June 27, 2018 2:42 am, Joel Esler (jesler) wrote:
>>> Db.us should be good on both now.
>>> 
>>> Worked perfectly from California, but with .cdiff updates, not the entire
>> 
>> Just checked and gb doesn't work
>> 
>> 
>> ClamAV update process started at Wed Jun 27 09:37:20 2018
>> WARNING: Your ClamAV installation is OUTDATED!
>> WARNING: Local version: clamav-0.99.4 Recommended version: 0.100.0
>> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
>> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
>> WARNING: Can't get information about db.gb.clamav.net: Unknown error
>> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
>> WARNING: Can't get information about db.gb.clamav.net: Unknown error
>> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
>> WARNING: Can't get information about db.gb.clamav.net: Unknown error
>> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
>> WARNING: Can't get information about db.gb.clamav.net: Unknown error
>> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
>> WARNING: Can't get information about db.gb.clamav.net: Unknown error
>> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
>> WARNING: Incremental update failed, trying to download daily.cvd
>> WARNING: Can't get information about db.gb.clamav.net: Unknown error
>> WARNING: Can't download daily.cvd from db.gb.clamav.net
>> 
>> I then checked...
>> 
>> ping db.gb.clamav.net
>> 
>> 
>> Which fails to ping
>> 
>> Where as us works
>> 
>> ping db.us.clamav.net
>> 
>> Pinging db.us.clamav.net.cdn.cloudflare.net [104.16.187.138] with 32 bytes
>> of data:
>> 
>> Reply from 104.16.187.138: bytes=32 time=22ms TTL=60
>> Reply from 104.16.187.138: bytes=32 time=25ms TTL=60
>> 
>> uk works
>> 
>> ping db.uk.clamav.net
>> 
>> Pinging db.uk.clamav.net.cdn.cloudflare.net [104.16.188.138] with 32 bytes
>> of data:
>> 
>> Reply from 104.16.188.138: bytes=32 time=29ms TTL=60
>> 
>> 
>> So, db.gb.clamav.net needs fixing
> 
> -- 
> NetPilot Support
> Tel: 01173 357335
> Web: http://www.netpilot.com/netpilot/support/
> 


Re: [clamav-users] VirusDB Updates Broken?

2018-06-27 Thread Joel Esler (jesler)
Okay, that should be fixed.  

Sent from my iPhone

> On Jun 27, 2018, at 04:46, Steve Basford  
> wrote:
> 
> 
>> On Wed, June 27, 2018 2:42 am, Joel Esler (jesler) wrote:
>> Db.us should be good on both now.
>> 
> 
>> Worked perfectly from California, but with .cdiff updates, not the entire
> 
> 
> Just checked and gb doesn't work
> 
> 
> ClamAV update process started at Wed Jun 27 09:37:20 2018
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: clamav-0.99.4 Recommended version: 0.100.0
> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> WARNING: Can't get information about db.gb.clamav.net: Unknown error
> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
> WARNING: Can't get information about db.gb.clamav.net: Unknown error
> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
> WARNING: Can't get information about db.gb.clamav.net: Unknown error
> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
> WARNING: Can't get information about db.gb.clamav.net: Unknown error
> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
> WARNING: Can't get information about db.gb.clamav.net: Unknown error
> WARNING: getpatch: Can't download daily-24686.cdiff from db.gb.clamav.net
> WARNING: Incremental update failed, trying to download daily.cvd
> WARNING: Can't get information about db.gb.clamav.net: Unknown error
> WARNING: Can't download daily.cvd from db.gb.clamav.net
> 
> I then checked...
> 
> ping db.gb.clamav.net
> 
> 
> Which fails to ping
> 
> Where as us works
> 
> ping db.us.clamav.net
> 
> Pinging db.us.clamav.net.cdn.cloudflare.net [104.16.187.138] with 32 bytes
> of data:
> 
> Reply from 104.16.187.138: bytes=32 time=22ms TTL=60
> Reply from 104.16.187.138: bytes=32 time=25ms TTL=60
> 
> uk works
> 
> ping db.uk.clamav.net
> 
> Pinging db.uk.clamav.net.cdn.cloudflare.net [104.16.188.138] with 32 bytes
> of data:
> 
> Reply from 104.16.188.138: bytes=32 time=29ms TTL=60
> 
> 
> So, db.gb.clamav.net needs fixing
> -- 
> Cheers,
> 
> Steve
> Twitter: @sanesecurity
> 


Re: [clamav-users] VirusDB Updates Broken?

2018-06-26 Thread Joel Esler (jesler)
Db.us should be good on both now.

Sent from my iPhone

On Jun 26, 2018, at 21:15, Al Varnell wrote:

Worked perfectly from California, but with .cdiff updates, not the entire .cvd.

Let me know if I need to check the .cvd.

-Al-

On Tue, Jun 26, 2018 at 05:40 PM, Joel Esler (jesler) wrote:
I just purged db.us’s cache.  Can you try?

Sent from my iPhone

On Jun 26, 2018, at 20:24, Paul Kosinski wrote:

Joel,

Sorry to have been somewhat cryptic: I assumed the context of the
posting I was nominally replying to.

By "broken", I meant that freshclam cannot retrieve daily.cvd files
from the new CloudFlare IPs. In fact, I just now removed mirrors.dat,
and all(?) the new CloudFlare IPs report "not synchronized", probably
due to the ping.clamav.net failures (see below):

WARNING: Mirror 104.16.185.138 is not synchronized.
WARNING: Mirror 104.16.186.138 is not synchronized.
WARNING: Mirror 104.16.187.138 is not synchronized.
WARNING: Mirror 104.16.188.138 is not synchronized.
WARNING: Mirror 104.16.189.138 is not synchronized.

The command "host -t txt current.cvd.clamav.net" reports as follows:

current.cvd.clamav.net descriptive text "0.100.0:58:24699:1530048540:1:63:47550:322"

But the freshclam log reports some variant of:

Querying daily.0.85.0.0.6810BD8A.ping.clamav.net
Can't query daily.0.85.0.0.6810BD8A.ping.clamav.net
Giving up on db.us.clamav.net...

None of my local recursive DNS, my off-site Web server (in another
state), or (apparently) 8.8.8.8 or 8.8.4.4 can resolve
daily.0.85.0.0.6810BD8A.ping.clamav.net, but 
mxtoolbox.com resolves it,
(via ns4.clamav.net) to:

5.9.14.57 at Hetzner Online AG (AS24940)

Weird.

However, it seems I *can* get at the daily.cvd file by means of direct HTTP
access to "http://db.us.clamav.net/daily.cvd", which accesses the same
CloudFlare IPs that are allegedly "not synchronized".

The result of all this confusion is that the last time I got a
daily.cvd via freshclam was before CloudFlare:

Monday 25 June 2018 at 09:06:26
Database updated (6556585 signatures) from 
db.us.clamav.net (IP: 200.236.31.1)

I am going to have to use the direct HTTP until [whenever]?




On Tue, 26 Jun 2018 20:01:09 +
"Joel Esler (jesler)" wrote:

Define broken in your context?  Doesn't have the file?  (Humor me, so
I understand from your parlance)



On Jun 26, 2018, at 2:59 PM, Paul Kosinski wrote:

ALL of the db.xx.clamav.net (plus database.clamav.net) apparently
point to CloudFlare, and they are ALL broken. (And have been for
many hours.)


On Tue, 26 Jun 2018 11:09:08 -0700
Dave Warren wrote:

As that is a Cloudflare IP, I believe it possibly could represent
one or more backend mirrors as it may return different content
depending on the hostname provided.

On Tue, Jun 26, 2018, at 06:41, Robin Bourne wrote:
Joel,

I'm now getting "WARNING: Mirror 104.16.188.138 is not
synchronized." when using the CDN. Could it be related to the
changes made to fix this as my definitions are 3 revisions out?
Thanks,

On 25 June 2018 at 04:28, Joel Esler (jesler) wrote:

Al,


Thanks. We are aware.  Looking into it.

Sent from my iPhone


On Jun 24, 2018, at 23:12, Al Varnell wrote:

Yes, but all but one was empty.

Sent from my iPad

-Al-

On Jun 24, 2018, at 19:42, Paul Kosinski wrote:

I've gotten several daily.cvd updates in that period. They came from
several IP addresses associated with http://db.us.clamav.net/.


On Sun, 24 Jun 2018 18:08:59 -0700
Al Varnell wrote:

Just wanted to point out that there has only been one signature added
to the VirusDB by daily updates in the last 32 hours.


-Al-


Re: [clamav-users] VirusDB Updates Broken?

2018-06-26 Thread Joel Esler (jesler)
I just purged db.us’s cache.  Can you try?

Sent from my iPhone

> On Jun 26, 2018, at 20:24, Paul Kosinski  wrote:
> 
> Joel,
> 
> Sorry to have been somewhat cryptic: I assumed the context of the
> posting I was nominally replying to.
> 
> By "broken", I meant that freshclam cannot retrieve daily.cvd files
> from the new CloudFlare IPs. In fact, I just now removed mirrors.dat,
> and all(?) the new CloudFlare IPs report "not synchronized", probably
> due to the ping.clamav.net failures (see below):
> 
>  WARNING: Mirror 104.16.185.138 is not synchronized.
>  WARNING: Mirror 104.16.186.138 is not synchronized.
>  WARNING: Mirror 104.16.187.138 is not synchronized.
>  WARNING: Mirror 104.16.188.138 is not synchronized.
>  WARNING: Mirror 104.16.189.138 is not synchronized.
> 
> The command "host -t txt current.cvd.clamav.net" reports as follows:
> 
>  current.cvd.clamav.net descriptive text 
> "0.100.0:58:24699:1530048540:1:63:47550:322"
> 
> But the freshclam log reports some variant of:
> 
>  Querying daily.0.85.0.0.6810BD8A.ping.clamav.net
>  Can't query daily.0.85.0.0.6810BD8A.ping.clamav.net
>  Giving up on db.us.clamav.net...
> 
> None of my local recursive DNS, my off-site Web server (in another
> state), or (apparently) 8.8.8.8 or 8.8.4.4 can resolve
> daily.0.85.0.0.6810BD8A.ping.clamav.net, but mxtoolbox.com resolves it,
> (via ns4.clamav.net) to:
> 
>  5.9.14.57 at Hetzner Online AG (AS24940)
> 
> Weird.
> 
> However, it seems I *can* get at the daily.cvd file by means of direct HTTP
> access to "http://db.us.clamav.net/daily.cvd", which accesses the same
> CloudFlare IPs that are allegedly "not synchronized".
> 
> The result of all this confusion is that the last time I got a
> daily.cvd via freshclam was before CloudFlare:
> 
>  Monday 25 June 2018 at 09:06:26
>  Database updated (6556585 signatures) from db.us.clamav.net (IP: 
> 200.236.31.1)
> 
> I am going to have to use the direct HTTP until [whenever]?
> 
> 
> 
> 
> On Tue, 26 Jun 2018 20:01:09 +
> "Joel Esler (jesler)"  wrote:
> 
>> Define broken in your context?  Doesn't have the file?  (Humor me, so
>> I understand from your parlance)
>> 
>> 
>> 
>>> On Jun 26, 2018, at 2:59 PM, Paul Kosinski 
>>> wrote:
>>> 
>>> ALL of the db.xx.clamav.net (plus database.clamav.net) apparently
>>> point to CloudFlare, and they are ALL broken. (And have been for
>>> many hours.)
>>> 
>>> 
>>> On Tue, 26 Jun 2018 11:09:08 -0700
>>> Dave Warren  wrote:
>>> 
>>>> As that is a Cloudflare IP, I believe it possibly could represent
>>>> one or more backend mirrors as it may return different content
>>>> depending on the hostname provided.
>>>> 
>>>>> On Tue, Jun 26, 2018, at 06:41, Robin Bourne wrote:
>>>>> Joel, 
>>>>> 
>>>>> I'm now getting "WARNING: Mirror 104.16.188.138 is not
>>>>> synchronized." when using the CDN. Could it be related to the
>>>>> changes made to fix this as my definitions are 3 revisions out?
>>>>> Thanks, 
>>>>> 
>>>>> On 25 June 2018 at 04:28, Joel Esler (jesler) wrote:
>>>>>> Al,
>>>>>> 
>>>>>> 
>>>>>> Thanks. We are aware.  Looking into it.  
>>>>>> 
>>>>>> Sent from my iPhone
>>>>>> 
>>>>>> 
>>>>>>> On Jun 24, 2018, at 23:12, Al Varnell  wrote:
>>>>>>> 
>>>>>>> Yes, but all but one was empty.
>>>>>>> 
>>>>>>> Sent from my iPad
>>>>>>> 
>>>>>>> -Al-
>>>>>>> 
>>>>>>>> On Jun 24, 2018, at 19:42, Paul Kosinski wrote:
>>>>>>>> 
>>>>>>>> I've gotten several daily.cvd updates in that period. They came from
>>>>>>>> several IP addresses associated with http://db.us.clamav.net/.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Sun, 24 Jun 2018 18:08:59 -0700
>>>>>>>> Al Varnell  wrote:
>>>>>>>> 
>>>>>>>>> Just wanted to point out that there has only been one signature added
>>>>>>>>> to the VirusDB by daily updates in the last 32 hours.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> -Al-
> 
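As an added example (not code from this thread or from the ClamAV project), the version check Paul's message describes, done offline: it parses the current.cvd.clamav.net TXT record quoted above, compares it with a constructed daily.cld header the way freshclam does, and decodes the mirror IP hidden in the ping.clamav.net query name. The CVD header layout is taken from the file format, not from the thread; the "flag" and "safebrowsing" TXT field names, PING_RE and the sample header are assumptions made here.

```python
import re

# TXT record exactly as quoted in the thread ("host -t txt current.cvd.clamav.net").
TXT_RECORD = "0.100.0:58:24699:1530048540:1:63:47550:322"

# Field positions. Engine version, main, daily, f-level and bytecode are
# confirmed by values elsewhere in the thread (0.100.0 recommended, main 58,
# f-level 63, bytecode 322); "flag" and "safebrowsing" are assumptions.
TXT_FIELDS = ("version", "main", "daily", "timestamp", "flag",
              "flevel", "safebrowsing", "bytecode")

# A .cvd/.cld file begins with a 512-byte, space-padded, colon-separated header:
# ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
HEADER_FIELDS = ("magic", "build_time", "version", "sigs", "flevel",
                 "md5", "dsig", "builder", "stime")

# The query name freshclam logs ends in 8 hex digits that encode the mirror IP
# (6810BD8A -> 104.16.189.138, one of the Cloudflare addresses in the thread).
# The four numeric labels before it are not interpreted here (assumption: opaque).
PING_RE = re.compile(r"^(?P<db>[a-z]+)\.(?P<extra>(?:\d+\.){4})"
                     r"(?P<hexip>[0-9A-Fa-f]{8})\.ping\.clamav\.net\.?$")

# Constructed sample header (hash fields are placeholders, not real values) for a
# daily.cld sitting at revision 24685, i.e. behind the 24699 in the TXT record.
SAMPLE_DAILY_HEADER = (
    "ClamAV-VDB:25 Jun 2018 09-02 -0400:24685:1994000:63:"
    "00000000000000000000000000000000:PLACEHOLDER-DSIG:neo:1529931720"
).ljust(512).encode("ascii")


def parse_txt_record(record):
    """Split the current.cvd.clamav.net TXT record into named fields."""
    parts = record.strip().strip('"').split(":")
    if len(parts) != len(TXT_FIELDS):
        raise ValueError("unexpected TXT record layout: %r" % record)
    rec = dict(zip(TXT_FIELDS, parts))
    for key in TXT_FIELDS[1:]:          # everything but the engine version is numeric
        rec[key] = int(rec[key])
    return rec


def parse_cvd_header(data):
    """Parse the 512-byte header at the start of a .cvd/.cld file (bytes)."""
    text = data[:512].decode("ascii", "replace").rstrip(" \x00")
    parts = text.split(":")
    if parts[0] != "ClamAV-VDB" or len(parts) < len(HEADER_FIELDS):
        raise ValueError("not a ClamAV database header")
    hdr = dict(zip(HEADER_FIELDS, parts))
    for key in ("version", "sigs", "flevel", "stime"):
        hdr[key] = int(hdr[key])
    return hdr


def version_tuple(version):
    return tuple(int(x) for x in version.split("."))


def engine_outdated(local_version, rec):
    """True when DNS recommends a newer engine than the installed one; freshclam
    prints 'Your ClamAV installation is OUTDATED!' in exactly that situation."""
    return version_tuple(local_version) < version_tuple(rec["version"])


def check_database(dbname, data, rec):
    """Compare a local database header with the DNS-advertised revision and
    report how many .cdiff files freshclam would have to fetch."""
    hdr = parse_cvd_header(data)
    remote = rec[dbname]
    return {
        "db": dbname,
        "local": hdr["version"],
        "remote": remote,
        "missing_cdiffs": max(0, remote - hdr["version"]),
        "builder": hdr["builder"],
    }


def decode_ping_name(name):
    """Recover database name and mirror IP from a *.ping.clamav.net query name."""
    m = PING_RE.match(name)
    if not m:
        raise ValueError("not a ping.clamav.net query name: %r" % name)
    h = m.group("hexip")
    ip = ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))
    return {"db": m.group("db"), "mirror_ip": ip,
            "extra": m.group("extra").rstrip(".")}


if __name__ == "__main__":
    rec = parse_txt_record(TXT_RECORD)
    print("DNS: daily=%d f-level=%d recommended engine=%s"
          % (rec["daily"], rec["flevel"], rec["version"]))
    if engine_outdated("0.99.4", rec):
        print("WARNING: local 0.99.4 is older than recommended %s" % rec["version"])
    print(check_database("daily", SAMPLE_DAILY_HEADER, rec))
    print(decode_ping_name("daily.0.85.0.0.6810BD8A.ping.clamav.net"))
```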


[clamav-users] Mirror Load + ClamAV Updates

2018-06-26 Thread Joel Esler (jesler)
Team --

Today we were able to add 100% of the mirror infrastructure to our CDN, 
Cloudflare.  We are currently measuring the load and evaluating the viability 
and problems (if any) with this solution.  We are currently pushing approx 12GB 
a second through their Tier 1 POP locations.

We are seeking feedback about the stability of this, or if any updates are 
failing.  (I have seen the thread that is currently on-going).


If you are having problems downloading from the ClamAV mirror infrastructure, 
please delete your mirrors.dat file and start over.

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


Re: [clamav-users] VirusDB Updates Broken?

2018-06-26 Thread Joel Esler (jesler)
Define broken in your context?  Doesn't have the file?  (Humor me, so I 
understand from your parlance)



> On Jun 26, 2018, at 2:59 PM, Paul Kosinski  wrote:
> 
> ALL of the db.xx.clamav.net (plus database.clamav.net) apparently point
> to CloudFlare, and they are ALL broken. (And have been for many hours.)
> 
> 
> On Tue, 26 Jun 2018 11:09:08 -0700
> Dave Warren  wrote:
> 
>> As that is a Cloudflare IP, I believe it possibly could represent one
>> or more backend mirrors as it may return different content depending
>> on the hostname provided.
>> 
>> On Tue, Jun 26, 2018, at 06:41, Robin Bourne wrote:
>>> Joel, 
>>> 
>>> I'm now getting "WARNING: Mirror 104.16.188.138 is not
>>> synchronized." when using the CDN. Could it be related to the
>>> changes made to fix this as my definitions are 3 revisions out?
>>> Thanks, 
>>> 
>>> On 25 June 2018 at 04:28, Joel Esler (jesler) wrote:
>>>> Al,
>>>> 
>>>> 
>>>> Thanks. We are aware.  Looking into it.  
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>> 
>>>>> On Jun 24, 2018, at 23:12, Al Varnell  wrote:
>>>>> 
>>>>> Yes, but all but one was empty.
>>>>> 
>>>>> Sent from my iPad
>>>>> 
>>>>> -Al-
>>>>> 
>>>>>> On Jun 24, 2018, at 19:42, Paul Kosinski wrote:
>>>>>> 
>>>>>> I've gotten several daily.cvd updates in that period. They came from
>>>>>> several IP addresses associated with http://db.us.clamav.net/.
>>>>>> 
>>>>>> 
>>>>>> On Sun, 24 Jun 2018 18:08:59 -0700
>>>>>> Al Varnell  wrote:
>>>>>> 
>>>>>>> Just wanted to point out that there has only been one signature added
>>>>>>> to the VirusDB by daily updates in the last 32 hours.
>>>>>>> 
>>>>>>> 
>>>>>>> -Al-
> 


Re: [clamav-users] VirusDB Updates Broken?

2018-06-24 Thread Joel Esler (jesler)
Al,


Thanks. We are aware.  Looking into it.  

Sent from my iPhone

> On Jun 24, 2018, at 23:12, Al Varnell  wrote:
> 
> Yes, but all but one was empty.
> 
> Sent from my iPad
> 
> -Al-
> 
>> On Jun 24, 2018, at 19:42, Paul Kosinski  wrote:
>> 
>> I've gotten several daily.cvd updates in that period. They came from
>> several IP addresses associated with http://db.us.clamav.net/.
>> 
>> 
>> On Sun, 24 Jun 2018 18:08:59 -0700
>> Al Varnell  wrote:
>> 
>>> Just wanted to point out that there has only been one signature added
>>> to the VirusDB by daily updates in the last 32 hours.
>>> 
>>> 
>>> -Al-


Re: [clamav-users] clamav list spf problem

2018-06-21 Thread Joel Esler (jesler)

> On Jun 21, 2018, at 3:54 AM, Tilman Schmidt  wrote:
> 
>> Am 20.06.2018 um 19:14 schrieb Andrew McGlashan:
>> 
>> This is an opportunity to fix things, such an opportunity should not
>> lost, especially if it helps more people to understand the problems with
>> having too liberal SPF rules (defeating the purpose of SPF).
> 
> I disagree. The purpose of clamav-users is to discuss ClamAV issues, not
> to educate people on SPF, so the primary objective of fixing the SPF
> record should be reliable delivery, not educational value.
> 

Generally I don’t mind if things get a little off topic, as long as it’s done in 
a civil manner and people aren’t yelling at each other.

But I do agree that it’s probably time to steer this back on course.  I am just 
returning from being out of the office for almost two weeks.  I’ll dig into 
this and see what’s up.

Sent from my iPad


Re: [clamav-users] Server inside DMZ - No internet access - Howto update definitions

2018-06-19 Thread Joel Esler (jesler)
Plus the diff files, if you are using freshclam.   We much prefer that you 
download using freshclam, so that diff Cvds are available.  Saves on bandwidth.

Sent from my iPhone

On Jun 19, 2018, at 07:45, SCOTT PACKARD  wrote:

>> Is there a way that I can copy the files from another server internal to the 
>> network out to the server in the DMZ? Without running freshclam to update? 
>> And just reload clamd?
> 
> Seem like you could copy the files from another server that can pull them.
> daily.cvd
> main.cvd
> bytecode.cvd (though probably not using that one)
> 
> Mine are in /var/lib/clamav.  That is set with "DatabaseDirectory".
> 
> Regards, Scott
> 
> 


Re: [clamav-users] Mirrors not responding?

2018-05-20 Thread Joel Esler (jesler)
Oh sorry, db.gb. Very interesting.  Thank you for the follow up 

Sent from my iPhone

> On May 20, 2018, at 11:06, Joel Esler (jesler) <jes...@cisco.com> wrote:
> 
> What zone?
> 
> Sent from my iPhone
> 
>> On May 20, 2018, at 08:34, Brian Morrison <b...@fenrir.org.uk> wrote:
>> 
>> On Sat, 19 May 2018 12:23:29 +0000
>> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
>> 
>>> Try removing your mirrors.dat. 
>> 
>> Fixed itself overnight before I did that, but thanks for the suggestion.
>> 
>>> 
>>> 
>>> Sent from my iPhone
>>> 
>>>> On May 19, 2018, at 05:45, Brian Morrison <b...@fenrir.org.uk> wrote:
>>>> 
>>>> On Fri, 18 May 2018 15:18:06 +0000
>>>> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
>>>> 
>>>>> db.gb was overlooked in the move of db.uk to our CDN
>>>>> for freshclam.  We just moved db.gb over to our CDN.  Problem should
>>>>> clear itself up shortly.  
>>>> 
>>>> Sorry Joel, no change here this morning so far.
>> 
>> 
>> 
>> 
>> -- 
>> 
>> Brian Morrison
>> 
>>   "I am not young enough to know everything"
>> Oscar Wilde


Re: [clamav-users] Mirrors not responding?

2018-05-20 Thread Joel Esler (jesler)
What zone?

Sent from my iPhone

> On May 20, 2018, at 08:34, Brian Morrison <b...@fenrir.org.uk> wrote:
> 
> On Sat, 19 May 2018 12:23:29 +0000
> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
> 
>> Try removing your mirrors.dat. 
> 
> Fixed itself overnight before I did that, but thanks for the suggestion.
> 
>> 
>> 
>> Sent from my iPhone
>> 
>>> On May 19, 2018, at 05:45, Brian Morrison <b...@fenrir.org.uk> wrote:
>>> 
>>> On Fri, 18 May 2018 15:18:06 +0000
>>> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
>>> 
>>>> db.gb was overlooked in the move of db.uk to our CDN
>>>> for freshclam.  We just moved db.gb over to our CDN.  Problem should
>>>> clear itself up shortly.  
>>> 
>>> Sorry Joel, no change here this morning so far.
> 
> 
> 
> 
> -- 
> 
> Brian Morrison
> 
>"I am not young enough to know everything"
>  Oscar Wilde


Re: [clamav-users] DNS entry of db.jp.clamav.net disappeared?

2018-05-20 Thread Joel Esler (jesler)
Sorry for my lack of response.   We went to fix it, and I didn’t acknowledge 
your email. 

Sent from my iPhone

> On May 20, 2018, at 03:06, Yasuhiro KIMURA  wrote:
> 
> From: Al Varnell 
> Subject: Re: [clamav-users] DNS entry of db.jp.clamav.net disappeared?
> Date: Sat, 19 May 2018 03:15:09 -0700
> 
>> Probably related to moving mirrors to a new CDN.
> 
> Thank you for reply. Now the problem is fixed.
> 
> yasu@rolling[2001]% dig db.jp.clamav.net  
> ~
> 
> ; <<>> DiG 9.11.2-P1 <<>> db.jp.clamav.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59490
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: a4af0d1a15bf7be1516e34815b011e1f13e04bb680c89489 (good)
> ;; QUESTION SECTION:
> ;db.jp.clamav.net.  IN  A
> 
> ;; ANSWER SECTION:
> db.jp.clamav.net.   60  IN  CNAME   
> db.jp.clamav.net.cdn.cloudflare.net.
> db.jp.clamav.net.cdn.cloudflare.net. 300 IN A   104.16.185.138
> db.jp.clamav.net.cdn.cloudflare.net. 300 IN A   104.16.186.138
> db.jp.clamav.net.cdn.cloudflare.net. 300 IN A   104.16.187.138
> db.jp.clamav.net.cdn.cloudflare.net. 300 IN A   104.16.188.138
> db.jp.clamav.net.cdn.cloudflare.net. 300 IN A   104.16.189.138
> 
> ;; Query time: 127 msec
> ;; SERVER: 192.168.174.1#53(192.168.174.1)
> ;; WHEN: 日 5月 20 16:05:05 JST 2018
> ;; MSG SIZE  rcvd: 202
> 
> yasu@rolling[2002]%
> 
> ---
> Yasuhiro KIMURA


[clamav-users] Db.cn was moved to CDN last night, and more CDN stuff

2018-05-19 Thread Joel Esler (jesler)
We are letting the traffic settle back down after the transfer of db.cn.   

What we have discovered is that there are a ton of ClamAV installations that have not 
been able to update in a long time or are pointed at a dead mirror in the zone.

When we transfer a zone to Cloudflare, (our CDN provider, please check them 
out!), within the hour, we immediately see a tremendous amount of traffic from 
installations that haven’t been able to update.  For instance, when we moved 
“cn” last night, we immediately saw 2TB worth of data transferred at once.  

We like to give new zones 12-24 hours for everyone’s crontabs to have a chance 
to pull from CDN before we move another big zone.  

We also have seen a couple errors in certain installations, (we are working on 
a blog post).  If you are having problems updating from CDN (you can tell if 
your zone has been moved to CDN by doing a nslookup on your zone, and the 
resulting DNS response ends with “cloudflare.net”), please delete your 
mirrors.dat, and try again.  

Thanks for your patience.   This will make things so much better for our users.

We are currently transferring about 20 TB a day in updates.   So we are seeing 
a tremendous amount of improvement.  

Sent from my iPhone


Re: [clamav-users] Mirrors not responding?

2018-05-19 Thread Joel Esler (jesler)
Try removing your mirrors.dat. 


Sent from my iPhone

> On May 19, 2018, at 05:45, Brian Morrison <b...@fenrir.org.uk> wrote:
> 
> On Fri, 18 May 2018 15:18:06 +0000
> "Joel Esler (jesler)" <jes...@cisco.com> wrote:
> 
>> db.gb was overlooked in the move of db.uk to our CDN
>> for freshclam.  We just moved db.gb over to our CDN.  Problem should
>> clear itself up shortly.
> 
> Sorry Joel, no change here this morning so far.
> 
> -- 
> 
> Brian Morrison
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml


Re: [clamav-users] Attachments

2018-05-18 Thread Joel Esler (jesler)
This should be fixed.


On May 15, 2018, at 8:13 AM, Groach via clamav-users wrote:

From: Groach
Subject: Re: [clamav-users] Attachments
Date: May 15, 2018 at 8:13:53 AM EDT
To: ClamAV users ML


Yes I  would like to know too. (Playing havoc with my mobile email client - 
they no longer show a preview of the message correctly. Or show the quoted 
message in reply as you can see with this).

[Entered by mobile. Excuse my spelling.]

On 15 May 2018 12:57:38 BST, Todd Aiken via clamav-users wrote:





Re: [clamav-users] Test Message

2018-05-18 Thread Joel Esler (jesler)
Ah ha!  I found the setting that caused it.  Not sure how it changed (maybe it 
was a change in a default setting from an upgrade or something?). Either way.  
Fixed now.



> On May 18, 2018, at 3:05 PM, Todd Aiken <todd.ai...@ubishops.ca> wrote:
> 
> Test 2 working for me as well.  :-)
> 
> Thanks Joel.
> 
> -Original Message-
> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of 
> "Thomas McCourt (tmccourt)" <tmcco...@cisco.com>
> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
> Date: Friday, May 18, 2018 at 3:04 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Subject: Re: [clamav-users] Test Message
> 
>Test 2 worked for me.
> 
>From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of 
> "Joel Esler (jesler)" <jes...@cisco.com>
>Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>Date: Friday, May 18, 2018 at 3:04 PM
>To: ClamAV users ML <clamav-users@lists.clamav.net>
>Subject: Re: [clamav-users] Test Message
> 
> 
> 
>Test number 2?
> 
> 
> 
> 
>On May 18, 2018, at 3:02 PM, Todd Aiken via clamav-users 
> <clamav-users@lists.clamav.net>
> wrote:
> 
> 
> 
>From:
>Todd Aiken <todd.ai...@ubishops.ca>
> 
>Subject: Re: [clamav-users] Test Message
> 
>Date:
>May 18, 2018 at 3:02:22 PM EDT
> 
>To:
>ClamAV users ML <clamav-users@lists.clamav.net>
> 
> 
> 
>Unfortunately messages are still appearing as attachments.
> 
> 
>Todd A. Aiken
>Systems Analyst & Administrator
>ITS Department
>BISHOP'S UNIVERSITY
>2600 College Street
>Sherbrooke, Quebec
>CANADA   J1M 1Z7
> 
>
> 
>"What's going on around here?" - RS
> 
>Having a technology issue?
> 
>Visit https://octopus.ubishops.ca to place a ticket directly
> into our ITS work order system.  This is the best way to get your 
> requests to ITS and provide more detailed information for our analysts and 
> technicians.
> 
> 
>-Original Message-
>    From: clamav-users <clamav-users-boun...@lists.clamav.net>
> on behalf of "Joel Esler (jesler) via clamav-users" 
> <clamav-users@lists.clamav.net>
>Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>Date: Friday, May 18, 2018 at 3:01 PM
>To: ClamAV users ML <clamav-users@lists.clamav.net>
>Cc: "Joel Esler (jesler)" <jes...@cisco.com>
>Subject: [clamav-users] Test Message
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 



Re: [clamav-users] Test Message

2018-05-18 Thread Joel Esler (jesler)
Test number 2?

On May 18, 2018, at 3:02 PM, Todd Aiken via clamav-users <clamav-users@lists.clamav.net> wrote:

From: Todd Aiken <todd.ai...@ubishops.ca>
Subject: Re: [clamav-users] Test Message
Date: May 18, 2018 at 3:02:22 PM EDT
To: ClamAV users ML <clamav-users@lists.clamav.net>


Unfortunately messages are still appearing as attachments.


Todd A. Aiken
Systems Analyst & Administrator
ITS Department
BISHOP'S UNIVERSITY
2600 College Street
Sherbrooke, Quebec
CANADA   J1M 1Z7



"What's going on around here?" - RS

Having a technology issue?

Visit https://octopus.ubishops.ca to place a ticket directly into our ITS work 
order system.  This is the best way to get your requests to ITS and provide 
more detailed information for our analysts and technicians.


-Original Message-
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of "Joel Esler (jesler) via clamav-users" <clamav-users@lists.clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Friday, May 18, 2018 at 3:01 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: "Joel Esler (jesler)" <jes...@cisco.com>
Subject: [clamav-users] Test Message








[clamav-users] Test Message

2018-05-18 Thread Joel Esler (jesler) via clamav-users
--- Begin Message ---
I made some alterations to this clamav-users list.  Hopefully that stops the 
errors that people seem to be having?

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com
--- End Message ---


Re: [clamav-users] Mirrors not responding?

2018-05-18 Thread Joel Esler (jesler) via clamav-users
--- Begin Message ---
db.gb was overlooked in the move of db.uk to our CDN for 
freshclam.  We just moved db.gb over to our CDN.  Problem should clear itself 
up shortly.

On May 18, 2018, at 10:45 AM, Brian Morrison via clamav-users wrote:

From: Brian Morrison
Subject: Mirrors not responding?
Date: May 18, 2018 at 10:45:38 AM EDT
To:


Lots of failures for db.gb.clamav.net and 
database.clamav.net

Pings succeed, telnet to port 80 connects then disconnects without
further traffic.

Happening since last night.

--

Brian




--- End Message ---


Re: [clamav-users] clamsubmit error code 500

2018-05-15 Thread Joel Esler (jesler) via clamav-users
--- Begin Message ---
One of the backend systems that handles the submissions was on the fritz.  I 
kicked it.  Should be okay now.

--
Joel Esler
Sr. Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com

On May 15, 2018, at 10:16 AM, Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net> wrote:

From: Arnaud Jacques <webmas...@securiteinfo.com>
Subject: Re: [clamav-users] clamsubmit error code 500
Date: May 15, 2018 at 10:16:00 AM EDT
To: ClamAV users ML <clamav-users@lists.clamav.net>


Hello Micah,

> Is there anything unusual about the file you were submitting when this occurred?

I don't think so. It happens on different files submitted.

I guess you will find the cause by viewing the logs of your webserver.

--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.44.39.76.46
E-mail : a...@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
La Sécurité Informatique - La Sécurité des Informations.
266, rue de Villers
60123 Bonneuil en Valois



--- End Message ---


Re: [clamav-users] clamsubmit error

2018-05-11 Thread Joel Esler (jesler) via clamav-users
--- Begin Message ---
We may be able to provide you a better way to do this, if you have a massive 
amount?

> On May 11, 2018, at 9:20 AM, Arnaud Jacques  
> wrote:
> 
> Hello Jesler,
> 
> 
>> Is that you sending us all those submissions?!  Fantastic amount!
> 
> Yes it is me.
> Are there too many samples for you?
> I got so many to upload...
> Time for Clamav to create generic signatures to detect all of these ;)
> 
> 
> -- 
> Cordialement / Best regards,
> 
> Arnaud Jacques
> Gérant de SecuriteInfo.com
> 
> Téléphone : +33-(0)3.44.39.76.46
> E-mail : a...@securiteinfo.com
> Site web : https://www.securiteinfo.com
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
> 
> Securiteinfo.com
> La Sécurité Informatique - La Sécurité des Informations.
> 266, rue de Villers
> 60123 Bonneuil en Valois

--- End Message ---


Re: [clamav-users] how long i will get up-to-date AV signatures for version 0.99.2

2018-05-11 Thread Joel Esler (jesler)
0.99.2 is still supported, and will remain supported officially until we ship 
0.101.0, according to our EOL guidelines.

But I will also tell you that we keep testing older versions for a while, right 
up until they break.  I think we test as far back as 0.97ish, I'd have to check 
to be sure.



> On May 10, 2018, at 9:22 AM, Colm O'Brien  wrote:
> 
> Hey,
> 
> Can you tell how long I will get up-to-date AV signatures for version 0.99.2 
> of this product?
> 
> I am already getting this when I update signatures:
> 
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.99.2 Recommended version: 0.100.0
> 
> Would ideally like to wait for the newer version to be available for 
> installation with yum via amazon repos before upgrading.
> 
> Thanks, Colm



Re: [clamav-users] clamsubmit error

2018-05-11 Thread Joel Esler (jesler)
Arnaud, 

Is that you sending us all those submissions?!  Fantastic amount!


> On May 9, 2018, at 10:07 AM, Arnaud Jacques  
> wrote:
> 
> Hello,
> 
>> clamsubmit with ClamAV 0.100.0 should work fine.  I am surprised to see that 
>> error. We fixed code in the near vicinity to that error statement shortly 
>> before the 0.100 release.
> 
> I dug deeper today: I listened to the HTTP flow when I use
> clamsubmit version 0.100.0:
> 
> GET /reports/malware HTTP/1.1
> Host: www.clamav.net
> Accept: */*
> 
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 09 May 2018 13:56:37 GMT
> Transfer-Encoding: chunked
> Connection: keep-alive
> Cache-Control: max-age=3600
> Expires: Wed, 09 May 2018 14:56:37 GMT
> Location: https://www.clamav.net/reports/malware
> Server: cloudflare
> CF-RAY: 4184aba783bb68ba-CDG
> 
> 
> It seems clamsubmit uses the wrong (old) URL.
> How is it possible in v0.100.0?
> 
> Bonus: it sends malware or false positives using HTTP, a non-encrypted 
> submission. So it could transfer sensitive information over the network in 
> clear text using clamsubmit.
> 
> -- 
> Cordialement / Best regards,
> 
> Arnaud Jacques
> Gérant de SecuriteInfo.com
> 
> Téléphone : +33-(0)3.44.39.76.46
> E-mail : a...@securiteinfo.com
> Site web : https://www.securiteinfo.com
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
> 
> Securiteinfo.com
> La Sécurité Informatique - La Sécurité des Informations.
> 266, rue de Villers
> 60123 Bonneuil en Valois

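Two defensive checks prompted by the exchange above, as an added example that is neither from the thread nor from ClamAV's clamsubmit: one refuses a submission URL whose scheme is not https, the other reads a captured response header block (the sample below is constructed, modelled on the 301 quoted above) and recognises a redirect to https, which is the tell-tale of a request that already crossed the network in clear text before the server bounced it to TLS. curl is assumed to be installed for the live probe.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV: two checks an
# operator can run before handing samples to a submission client.

# url_is_https URL: exit 0 only when the URL scheme is https (any case).
url_is_https() {
    case "$1" in
        [Hh][Tt][Tt][Pp][Ss]://*) return 0 ;;
        *) return 1 ;;
    esac
}

# redirect_to_https: read a captured HTTP response header block on stdin and
# exit 0 when it is a 301/302/307/308 whose Location is an https:// URL.
# Such an answer to a submission means the request body left the host over
# plaintext HTTP first; the redirect arrives only after the data was exposed.
redirect_to_https() {
    awk '
        NR == 1 && $2 ~ /^(301|302|307|308)$/ { redirect = 1 }
        tolower($1) == "location:" && tolower($2) ~ /^https:\/\// { loc = 1 }
        END { exit !(redirect && loc) }
    '
}

# Constructed header block, modelled on the exchange quoted in the thread.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Date: Wed, 09 May 2018 13:56:37 GMT
Cache-Control: max-age=3600
Location: https://www.clamav.net/reports/malware
Server: cloudflare'

# probe_url URL: accept an https URL; for a plaintext URL, send a HEAD request
# (assumes curl; HEAD carries no sample data) to show whether the server would
# have redirected a real submission to https, then refuse either way.
probe_url() {
    url="$1"
    if url_is_https "$url"; then
        echo "ok: $url uses TLS"
        return 0
    fi
    if curl -sS -I --max-time 10 "$url" | redirect_to_https; then
        echo "refusing: $url is plaintext and the server redirects to https; fix the configured URL"
    else
        echo "refusing: $url is plaintext"
    fi
    return 1
}
```

`probe_url` is the gate to put in front of any batch submission script: it only passes an https endpoint, and for an http endpoint it tells you whether the server is already redirecting, which is exactly the situation the 301 above shows.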


Re: [clamav-users] clamsubmit error

2018-05-11 Thread Joel Esler (jesler)


On May 9, 2018, at 3:43 PM, Benny Pedersen wrote:

Micah Snyder (micasnyd) skrev den 2018-05-09 19:39:

The web interface, however, can do both http and https.

if users can do 2 things, most will do it the incorrect way

turning off ssl is not a good option to any problem

We will adjust clamsubmit to work with https in an upcoming release.


Re: [clamav-users] Is it legal to use ClamAV on a Windows Server in a SMB environment?

2018-05-11 Thread Joel Esler (jesler)
ClamAV's license is GPLv2. I don't see why it wouldn't be legal to do so.

On May 9, 2018, at 2:11 PM, Allen Morrow wrote:

Is it legal to use ClamAV on a Windows Server in a SMB environment?



ALLEN MORROW
405.264.2264 [p] / 405.265.6707 [UPDATED MOBILE]
allen.mor...@withrossgroup.com / withrossgroup.com






Re: [clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-06 Thread Joel Esler (jesler)
Whoops, that’s an old link

https://www.clamav.net/reports/fp

Sent from my iPhone

On May 6, 2018, at 21:24, Joel Esler (jesler) <jes...@cisco.com> wrote:

Dear Benny,

You should submit a false positive report.

The false positive submission form can be found here:
http://www.clamav.net/lang/en/sendvirus/submit-fp/


Sent from my iPhone

On May 6, 2018, at 20:55, Benny Pedersen <m...@junc.eu> wrote:

https://www.virustotal.com/file/074fe51b41596a05f5c04ba14c578786fe2edb553659fe9c8bc1f3210ab0/analysis/1525623232/

it hits on android google apps


Re: [clamav-users] fp Img.Malware.Agent-6499558-0

2018-05-06 Thread Joel Esler (jesler)
Dear Benny,

You should submit a false positive report.

The false positive submission form can be found here:
http://www.clamav.net/lang/en/sendvirus/submit-fp/


Sent from my iPhone

> On May 6, 2018, at 20:55, Benny Pedersen  wrote:
> 
> https://www.virustotal.com/file/074fe51b41596a05f5c04ba14c578786fe2edb553659fe9c8bc1f3210ab0/analysis/1525623232/
> 
> it hits on android google apps


Re: [clamav-users] clamsubmit error

2018-05-05 Thread Joel Esler (jesler)
Files that come in via the website, for the most part, are processed 
automatically. There is a lot of automation going on with web submissions.

> On May 5, 2018, at 4:29 PM, Benny Pedersen <m...@junc.eu> wrote:
> 
> Joel Esler (jesler) skrev den 2018-05-05 19:56:
>> for I in `ls -l /tmp/files/malicious` do clamsubmit $I; done
> 
> +1
> 
> add option to clamav-milter.conf to extract file attachment from email, but 
> only from 3dr party signatures
> 
> that way more malware would soon be detected
> 
> not needed if its already detected
> 
> wish to see foxhole as std signature



Re: [clamav-users] clamsubmit error

2018-05-05 Thread Joel Esler (jesler)
Are you using a current version of clamsubmit?

> On May 5, 2018, at 3:21 PM, Walter H.  wrote:
> 
> On 05.05.2018 07:38, Arnaud Jacques wrote:
>> Hello,
>> 
>> Wanted to send some files to ClamAV using clamsubmit, got this error:
>> 
>> invalid cfduid and/or session id values provided by clamav.net/presigned. 
>> Unable to continue submission.
>> 
>> Seems to be an error on ClamAV side... Is there something wrong?
>> 
>> I did:
>> clamsubmit -e webmas...@securiteinfo.com -N Arnaud Jacques -n myfile
>> 
> I get this error
> 
> 
> 
> 404 Not Found
> 
> Not Found
> The requested URL /sendmalware.cgi was not found on this server.
> 
> 
> I did
> 
> clamsubmit -e EMAIL -n FILE -N NAME
> 
> 





Re: [clamav-users] clamsubmit error

2018-05-05 Thread Joel Esler (jesler)
# one submission per file; glob the directory rather than parsing ls output
for f in /tmp/files/malicious/*; do clamsubmit -e EMAIL -N NAME -n "$f"; done

> On May 5, 2018, at 8:30 AM, Benny Pedersen  wrote:
> 
> Arnaud Jacques skrev den 2018-05-05 07:38:
> 
>> I did :
>> clamsubmit -e webmas...@securiteinfo.com -N Arnaud Jacques -n myfile
> 
> space is a new arg?
> 
> clamsubmit -e webmas...@securiteinfo.com -N "Arnaud Jacques" -n myfile
> 
> untested
> 
> imho creating clamsubmit.conf as a ticket for new releases of clamav would be 
> helpful
> 
> so it could be just clamsubmit 



Re: [clamav-users] clamsubmit error

2018-05-05 Thread Joel Esler (jesler)
I like this idea.

> On May 5, 2018, at 8:30 AM, Benny Pedersen  wrote:
> 
> Arnaud Jacques skrev den 2018-05-05 07:38:
> 
>> I did :
>> clamsubmit -e webmas...@securiteinfo.com -N Arnaud Jacques -n myfile
> 
> space is a new arg?
> 
> clamsubmit -e webmas...@securiteinfo.com -N "Arnaud Jacques" -n myfile
> 
> untested
> 
> imho creating clamsubmit.conf as a ticket for new releases of clamav would be 
> helpful
> 
> so it could be just clamsubmit 



Re: [clamav-users] Malwarepatrol false positives

2018-04-28 Thread Joel Esler (jesler)
That shouldn’t be part of the official ruleset.  

Sent from my iPhone

> On Apr 28, 2018, at 17:32, Alex  wrote:
> 
> Hi,
> 
> So I decided to check which MBL hits there were today, and it seems
> they're now blocking https://bit.ly
> 
> $ sigtool --find-sigs MBL_6913896 |sigtool --decode-sigs
> VIRUS NAME: MBL_6913896
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://bit.ly
> 
> I'm beginning to think I've made a mistake with this vendor...
> 
> 
>> On Sat, Apr 28, 2018 at 2:26 AM, Gene Heskett  wrote:
>>> On Saturday 28 April 2018 01:06:38 Steve Basford wrote:
>>> 
>>> Hi Alex...
>>> 
>>> I've whitelisted the two sigs... until they fix them.. so that might
>>> help a little.
>>> 
>>> Cheers,
>>> 
>>> Steve
>>> Twitter: @sanesecurity
>>> On 28 April 2018 04:23:51 Alex  wrote:
>>> 
>>> Hi,
>>> 
>>> I can't imagine outright blocking https://goo.gl is not a mistake.
>>> 
>>> MBL_6882958 and MBL_6888621 both hit on https://goo.gl.
>>> 
>> 
>> it's affecting my incoming traffic, mail traffic is down about 80% since
>> yesterday sometime. And it's not being blocked here according to my
>> clamav logs. Nor apparently at shentel.net either, my isp.
>> 
>> --
>> Cheers, Gene Heskett
>> --
>> "There are four boxes to be used in defense of liberty:
>> soap, ballot, jury, and ammo. Please use in that order."
>> -Ed Howdershelt (Author)
>> Genes Web page 
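An audit for the kind of signature Alex found, as an added example that is not part of the thread or of sigtool: it reads `sigtool --decode-sigs` output and lists signatures whose decoded body is nothing more than a scheme plus a host, since such a signature fires on every message that merely links to that site. The sample decode is constructed, modelled on the one quoted above; the `audit_db` wrapper assumes sigtool is installed and the databases are in their default location.

```shell
#!/bin/sh
# Added example, not from the thread or from ClamAV: scan the output of
# `sigtool --decode-sigs` and report signatures whose decoded body is a bare
# scheme://host, i.e. a pattern that matches any link to that host.

# bare_host_sigs: read decoded signature records on stdin and print one
# "NAME<TAB>BODY" line for every signature whose decoded body (first line
# after "DECODED SIGNATURE:") is scheme://host with no further path.
bare_host_sigs() {
    awk '
        /^VIRUS NAME:/        { name = $3; next }
        /^DECODED SIGNATURE:/ { grab = 1; next }
        grab == 1 {
            grab = 0
            if ($0 ~ /^https?:\/\/[A-Za-z0-9.-]+\/?$/) print name "\t" $0
        }
    '
}

# Constructed sample, modelled on the decode shown in the thread. The second
# record is a made-up signature with a full path, which should not be reported.
SAMPLE_DECODE='VIRUS NAME: MBL_6913896
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://bit.ly
VIRUS NAME: MBL_example_ok
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
https://example.com/downloads/invoice.exe'

# audit_db PREFIX: decode every signature whose name matches PREFIX (a regex,
# e.g. "MBL_" for the whole third-party set) and list the bare-host ones.
# Assumes sigtool is installed and finds the databases in its default location.
audit_db() {
    sigtool --find-sigs "$1" | sigtool --decode-sigs | bare_host_sigs
}

# Dry run on the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DECODE" | bare_host_sigs
fi
```

Run `audit_db MBL_` after each update of a third-party set and whitelist or drop what it lists before the signatures reach production mail flow.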


[clamav-users] ClamAV® blog: ClamAV 0.100.0 has been released!

2018-04-09 Thread Joel Esler (jesler)


https://blog.clamav.net/2018/04/clamav-01000-has-been-released.html

ClamAV 0.100.0 has been released!
Join us as we welcome ClamAV 0.100.0 to the family officially.  You can grab 
it, as always, from the downloads page on 
ClamAV.net.

ClamAV 0.100.0 is a feature release which includes many code submissions from 
the ClamAV community.  Some of the more prominent submissions include:



  *   Interfaces to the Prelude SIEM open source package for collecting ClamAV 
virus events.
  *   Support for Visual Studio 2015 for Windows builds.  Please note that we 
have deprecated support for Windows XP, and while Vista may still work, we no 
longer test ClamAV on Windows XP or Vista.
  *   Support libmspack internal code or as a shared object library. The 
internal library is the default and includes modifications to enable parsing of 
CAB files that do not entirely adhere to the CAB file format.
  *   Linking with OpenSSL 1.1.0.
  *   Deprecation of the AllowSupplementaryGroups parameter statement in clamd, 
clamav-milter, and freshclam. Use of supplementary is now in effect by default.
  *   Numerous bug fixes, typo corrections, and compiler warning fixes.


Additionally, we have introduced important changes and new features in ClamAV 
0.100, including but not limited to:



  *   Deprecating internal LLVM code support. The configure script has changed 
to search the system for an installed instance of the LLVM development 
libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode 
signatures. To use the LLVM Just-In-Time compiler for executing bytecode 
signatures, please ensure that the LLVM development package at version 3.6 or 
lower is installed. Using the deprecated LLVM code is possible with the 
command: ./configure --with-system-llvm=no, but it no longer compiles on all 
platforms.
  *   Compute and check PE import table hash (a.k.a. "imphash") signatures.
  *   Support file property collection and analysis for MHTML files.
  *   Raw scanning of PostScript files.
  *   Fix clamsubmit to use the new virus and false positive submission web 
interface.
  *   Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when 
size limitations are exceeded.
  *   Improved decoders for PDF files.
  *   Reduced number of compile time warnings.
  *   Improved support for C++11.
  *   Improved detection of system installed libraries.
  *   Fixes to ClamAV's Container system and the introduction of Intermediates 
for more descriptive signatures.
  *   Improvements to clamd's On-Access scanning capabilities for Linux.


Acknowledgements

The ClamAV team thanks the following individuals for their code submissions:



  *   Andreas Schulze
  *   Anthony Chan
  *   Bill Parker
  *   Chris Miserva
  *   Daniel J. Luke
  *   Georgy Salnikov
  *   James Ralston
  *   Jonas Zaddach
  *   Keith Jones
  *   Marc Deslauriers
  *   Mark Allan
  *   Matthew Boedicker
  *   Michael Pelletier
  *   Ningirsu
  *   Sebastian Andrzej Siewior
  *   Stephen Welker
  *   Tuomo Soini


Known Issues

ClamAV has an active issue queue and enjoys continual improvement but, as sad as 
I am to say it, we couldn't address every bug in this release.  I want to draw 
your attention to a couple of bugs in particular so as not to frustrate users 
setting up ClamAV:

  *   Platform: macOS:
 *   Bug:  If you attempt to build ClamAV with a system installed LLVM you 
may receive a linker error.  We recently changed default linking behavior to 
prefer dynamic linking over static linking.  As a result, we've uncovered a bug 
in building on macOS where dynamic linking against the LLVM libraries fails.  
To work around this bug, please add the --with-llvm-linking=static option to 
your ./configure call.

  *   Platform: CentOS 6 32bit, older versions of AIX:
 *   Bug:  On CentOS 6 32bit we observed that specific versions of zlib 
fail to correctly decompress the CVD signature databases.  If you are on an 
older system such as CentOS 6 32bit and observe failures loading the signature 
database, please consider upgrading to a newer version of zlib.

  *   Platform: Miscellaneous
 *   Bug:  When cross compiling on certain legacy systems (Solaris, AIX, 
OSX) against older system libraries that do not support strn functions, linking 
may fail during compile time. While automatic checking is done during configure 
time to check for unsupported libs, this problem can be manually avoided using 
the --enable-strni configure flag if it is encountered.


[clamav-users] ClamAV® blog: ClamAV Mirror improvements

2018-04-06 Thread Joel Esler (jesler)
https://blog.clamav.net/2018/04/clamav-mirror-improvements.html


ClamAV Mirror improvements

Community -- Over the next several weeks, you are going to see some changes
made to our ClamAV mirror infrastructure.  This shouldn't result in any outages
or issues, but will improve the reliability of downloads. You may see mirrors
fall out of rotation, and new ones inserted.  This is intentional.  If there
are any questions, or issues, please address them on the ClamAV-Mirrors list.
Thank you for your patience.

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


Re: [clamav-users] [clamav-virusdb] Signatures Published daily - 24446

2018-04-03 Thread Joel Esler (jesler)
It was replaced with better detection.

On Apr 3, 2018, at 8:26 AM, Al Varnell wrote:

  * Osx.Malware.Agent-6453877-0

Not sure why you would drop this as it's clearly part of the OSX.Coldroot RAT

VT: 



Re: [clamav-users] Errors connecting to mirrors

2018-03-28 Thread Joel Esler (jesler)
Inline’

Sent from my iPad

> On Mar 28, 2018, at 5:34 PM, Alex  wrote:
> 
> Is there a known current problem?

Not that I am aware of. Please file a mirror error ticket at 
bugzilla.clamav.net and I’ll get someone to investigate it?

> Is there a site where we can go to
> check mirror status?

Not yet, we are working on that, as we speak. 


Re: [clamav-users] Errors connecting to mirrors

2018-03-23 Thread Joel Esler (jesler)
Please file errors here:

https://bugzilla.clamav.net/enter_bug.cgi?product=Mirror%20Issues

With Mirrors?

Thanks.

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


On Mar 23, 2018, at 1:41 PM, G.W. Haywood <cla...@jubileegroup.co.uk> wrote:

Hi there,

On Fri, 23 Mar 2018, Orion Poplawski wrote:

It seems like in the last month or so I'm seeing more timeouts connecting to
the clamav DB mirrors.  Is anyone else seeing this?  I have a bit of a strange
mirror setup so it might just be my configuration.

Yes, I'm seeing some in the UK recently, but more like the last week
than the last month.  This is the last two months' logs:

/var/log/clamav# >>> grep connect freshclam.log.1 freshclam.log
freshclam.log:Fri Mar 16 19:44:27 2018 -> nonblock_connect: connect timing out (30 secs)
freshclam.log:Fri Mar 16 19:44:27 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)
freshclam.log:Sun Mar 18 21:45:24 2018 -> nonblock_connect: connect timing out (30 secs)
freshclam.log:Sun Mar 18 21:45:24 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)
freshclam.log:Wed Mar 21 04:48:02 2018 -> nonblock_connect: connect timing out (30 secs)
freshclam.log:Wed Mar 21 04:48:02 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)
freshclam.log:Wed Mar 21 12:51:05 2018 -> nonblock_connect: connect timing out (30 secs)
freshclam.log:Wed Mar 21 12:51:05 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)
freshclam.log:Wed Mar 21 22:52:13 2018 -> nonblock_connect: connect timing out (30 secs)
freshclam.log:Wed Mar 21 22:52:13 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)
freshclam.log:Thu Mar 22 04:52:53 2018 -> nonblock_connect: connect timing out (30 secs)
freshclam.log:Thu Mar 22 04:52:53 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)

I haven't investigated carefully, but I've no reason to believe that
the problem is within our network.  We run Smokeping continuously, and
there's no sign of anything in the graphs of packet loss and RTTs to
off-site servers which could explain something like this.

--

73,
Ged.


[clamav-users] ClamAV® blog: ClamAV 0.100.0-rc has been posted!

2018-03-22 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/03/clamav-01000-rc-has-been-posted.html

ClamAV 0.100.0-rc has been posted!
ClamAV 0.100.0 is a feature release (candidate) which includes many code 
submissions from the ClamAV community.  As always, it can be downloaded from 
our downloads site on clamav.net. Some of the 
more prominent submissions include:



  *   Interfaces to the Prelude SIEM open source package for collecting ClamAV
virus events.
  *   Support for Visual Studio 2015 for Windows builds.
  *   Support libmspack internal code or as a shared object library. The
internal library is the default and contains additional integrity checks.
  *   Linking with openssl 1.1.0.
  *   Deprecation of the AllowSupplementaryGroups parameter statement in
clamd, clamav-milter, and freshclam. Use of supplementary is now in effect by
default.
  *   Numerous bug fixes, typo corrections, and compiler warning fixes.


Additionally, we have introduced important changes and new features in ClamAV 
0.100, including but not limited to:



  *   Deprecating internal LLVM code support. The configure script has changed
to search the system for an installed instance of the LLVM development
libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode
signatures. To use the LLVM Just-In-Time compiler for executing bytecode
signatures, please ensure that the LLVM development package at version 3.6 or
lower is installed. Using the deprecated LLVM code is possible with the
command: `./configure --with-system-llvm=no`, but it no longer compiles on all
platforms.
  *   Compute and check PE import table hash (a.k.a. "imphash") signatures.
  *   Support file property collection and analysis for MHTML files.
  *   Raw scanning of PostScript files.
  *   Fix clamsubmit to use the new virus and false positive submission web
interface.
  *   Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when
size limitations are exceeded.
  *   Improved decoders for PDF files.
  *   Reduced number of compile time warnings.
  *   Improved support for C++11.
  *   Improved detection of system installed libraries.
  *   Fixes to ClamAV's Container system and the introduction of Intermediates
for more descriptive signatures.
  *   Improvements to clamd's On-Access scanning capabilities for Linux.


Acknowledgements

The ClamAV team thanks the following individuals for their code submissions:

Andreas Schulze
Anthony Chan
Bill Parker
Chris Miserva
Daniel J. Luke
Georgy Salnikov
James Ralston
Jonas Zaddach
Keith Jones
Marc Deslauriers
Mark Allan
Matthew Boedicker
Michael Pelletier
Ningirsu
Sebastian Andrzej Siewior
Stephen Welker
Tuomo Soini

Known Issues

ClamAV has an active issue queue and enjoys continual improvement, but as sad as
I am to say it, we couldn't address every bug in this release.  I want to draw
your attention to a couple of bugs in particular so as not to frustrate users
setting up ClamAV:

  *   Platform: macOS:
      *   Bug:  If you attempt to build ClamAV with a system installed LLVM you
may receive a linker error.  We recently changed default linking behavior to
prefer dynamic linking over static linking.  As a result, we've uncovered a bug
in building on macOS where dynamic linking against the LLVM libraries fails.
To work around this bug, please add the --with-llvm-linking=static option to
your ./configure call.
  *   Platform: CentOS 6 32bit, older versions of AIX:
      *   Bug:  On CentOS 6 32bit we observed that specific versions of zlib
fail to correctly decompress the CVD signature databases.  If you are on an
older system such as CentOS 6 32bit and observe failures loading the signature
database, please consider upgrading to a newer version of zlib.
  *   Platform: Miscellaneous
      *   Bug:  When cross compiling on certain legacy systems (Solaris, AIX,
OSX) against older system libraries that do not support strn functions, linking
may fail during compile time. While automatic checking is done during configure
time to check for unsupported libs, this problem can be manually avoided using
the --enable-strni configure flag if it is encountered.

Please check out 0.100.0-rc and provide us feedback on the ClamAV Mailing 
lists.  As always, a big thank you to the 
ClamAV Community!


Re: [clamav-users] Signatures once again 2 days old

2018-03-18 Thread Joel Esler (jesler)
We have a new cvd building now.  We do have an alert system, but the alert 
system, for some reason didn’t email us the alert.  We’re looking into that.  

Sent from my iPhone

> On Mar 18, 2018, at 12:07, Andy Schmidt  wrote:
> 
> This has become a regular occurrence - but since no one else has mentioned
> it... according to the automated alerts I am receiving for MY server, the
> signature updating seems to be stuck again.
> 
> The "up  to date daily.cld" is now 40 hours old.
> 
> Sun Mar 18 11:42:02 2018 -> ClamAV update process started at Sun Mar 18
> 11:42:02 2018
> Sun Mar 18 11:42:02 2018 -> main.cld is up to date (version: 58, sigs:
> 4566249, f-level: 60, builder: sigmgr)
> Sun Mar 18 11:42:02 2018 -> daily.cld is up to date (version: 24397, sigs:
> 1879834, f-level: 63, builder: neo)
> Sun Mar 18 11:42:02 2018 -> safebrowsing.cld is up to date (version: 47149,
> sigs: 2950093, f-level: 63, builder: google)
> Sun Mar 18 11:42:02 2018 -> bytecode.cld is up to date (version: 319, sigs:
> 75, f-level: 63, builder: neo)
> 
> It's trivial to have an automated script that reports when the file dates
> are older than the "expected" replacement periods and then alert the project
> owners to a potential problem.
> 
> 
> 

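Ged's grep of the mirror timeouts in the 2018-03-23 thread and Andy's remark above that a script can alert when a database has not been replaced within its expected period both come down to reading the freshclam log. The Python below is an added example, not code from either post or from the ClamAV project: it parses constructed freshclam lines in the format quoted in the threads, counts failed connects per mirror host and IP, and flags any database whose reported version has not changed for longer than a threshold. The MAX_AGE thresholds, the sample lines and the function names are this example's assumptions, not ClamAV's publishing schedule.

```python
"""Watch a freshclam log for mirror connection failures and stale databases.

Added example, not from the clamav-users threads or the ClamAV project.  The
log lines below are constructed in the format shown in the threads; the
maximum ages are this example's assumption, not ClamAV's release cadence.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one run on Mar 16 that fetched daily 24397, two failed
# connects to a mirror, then a run on Mar 18 still reporting the same daily.
SAMPLE_LOG = """\
Fri Mar 16 19:42:02 2018 -> ClamAV update process started at Fri Mar 16 19:42:02 2018
Fri Mar 16 19:42:02 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Fri Mar 16 19:42:02 2018 -> daily.cld updated (version: 24397, sigs: 1879834, f-level: 63, builder: neo)
Sat Mar 17 07:44:27 2018 -> nonblock_connect: connect timing out (30 secs)
Sat Mar 17 07:44:27 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)
Sun Mar 18 04:45:24 2018 -> nonblock_connect: connect timing out (30 secs)
Sun Mar 18 04:45:24 2018 -> Can't connect to port 80 of host db.uk.clamav.net (IP: 178.79.177.182)
Sun Mar 18 11:42:02 2018 -> ClamAV update process started at Sun Mar 18 11:42:02 2018
Sun Mar 18 11:42:02 2018 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sun Mar 18 11:42:02 2018 -> daily.cld is up to date (version: 24397, sigs: 1879834, f-level: 63, builder: neo)
Sun Mar 18 11:42:02 2018 -> bytecode.cld is up to date (version: 319, sigs: 75, f-level: 63, builder: neo)
"""

# "Sun Mar 18 11:42:02 2018 -> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> (?P<msg>.*)$")
CONNECT_RE = re.compile(
    r"Can't connect to port \d+ of host (?P<host>\S+) \(IP: (?P<ip>[^)]+)\)")
VERSION_RE = re.compile(
    r"(?P<db>\w+\.c[lv]d) (?:is up to date|updated) \(version: (?P<ver>\d+)")

# How long the same version may keep being reported before we alert.
# Assumed thresholds for the example, not ClamAV's own schedule.
MAX_AGE = {
    "daily.cld": timedelta(hours=24),
    "bytecode.cld": timedelta(days=30),
    "main.cld": timedelta(days=365),
}


def parse_line(line):
    """Split one freshclam log line into (timestamp, message); None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("msg")


def analyze(lines):
    """Summarise mirror failures and database staleness over the given log lines."""
    failures = Counter()   # (host, ip) -> number of failed connects
    versions = {}          # db file -> version currently reported
    since = {}             # db file -> first time that version was reported
    latest = None          # timestamp of the newest line seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        latest = ts if latest is None or ts > latest else latest
        m = CONNECT_RE.search(msg)
        if m:
            failures[(m.group("host"), m.group("ip"))] += 1
            continue
        m = VERSION_RE.search(msg)
        if m and versions.get(m.group("db")) != int(m.group("ver")):
            versions[m.group("db")] = int(m.group("ver"))
            since[m.group("db")] = ts
    stale = {}
    for db, first_seen in since.items():
        age = latest - first_seen
        if age > MAX_AGE.get(db, timedelta(hours=24)):
            stale[db] = age.total_seconds() / 3600   # hours spent on the same version
    return {"connect_failures": dict(failures), "versions": versions, "stale": stale}


def report(result):
    """Render the analysis as alert lines (an empty list means nothing to report)."""
    lines = []
    for (host, ip), n in sorted(result["connect_failures"].items()):
        lines.append("mirror %s (%s): %d failed connects" % (host, ip, n))
    for db, hours in sorted(result["stale"].items()):
        lines.append("%s has been at version %d for %.0f hours"
                     % (db, result["versions"][db], hours))
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against a real log the same way (`analyze(open("/var/log/clamav/freshclam.log").readlines())`); the version-change heuristic works purely from what freshclam writes, so it needs no access to the database files' mtimes.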

Re: [clamav-users] ClamAV® blog: ClamAV 0.99.4 has been released!

2018-03-08 Thread Joel Esler (jesler)
Okay, let's call an end to this thread, I'll handle it differently.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Mar 8, 2018, at 1:15 PM, G.W. Haywood <cla...@jubileegroup.co.uk> wrote:

Hi Joel,

On Thu, 8 Mar 2018, Joel Esler wrote:

Reindl, it is not productive, nor helpful on an Open Source product
to berate people ...

Don't waste your effort Joel.  To my knowledge people have been telling
him that for more than a decade and AFAICT it's never made the slightest
difference to his offensive style.

https://lists.gt.net/apache/dev/435169#435169

--

73,
Ged.


Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.4 has been released!

2018-03-08 Thread Joel Esler (jesler)
Tilman is correct.  Thank you.

Reindl, it is not productive, nor helpful on an Open Source product to berate
people like that.  That does not foster a sense of community, and helps no one.
We can't expect people to come here and ask for help and work out the problems
with our answers and suggestions unless this is a warm and welcoming community.
That's what it needs to be.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Mar 8, 2018, at 4:08 AM, Tilman Schmidt <tschm...@cardtech.de> wrote:

What definitely isn't fine is this endless griping about how people
should phrase their questions differently, know more than they do, have
read this and that (blindly assuming that they hadn't) and so on which
contributes exactly nothing to a solution.

What isn't fine either is rude language.

Joel's reaction was the appropriate one: neither jumping to conclusions
nor berating the person seeking help, but clearly and politely asking for
the missing information.

Sorry for contributing to the flamewar but I have observed this long
enough now to run out of patience.

Am 08.03.2018 um 01:08 schrieb Reindl Harald:


Am 07.03.2018 um 22:10 schrieb Joel Esler (jesler):
Which is perfectly fine.  The mailing lists are the correct place for
people to ask for help.  Should people read the archives?  Yes.
Should people read FAQs?  Yes.  But largely, they won't.  So we need
to help our community.

nothing is perfectly fine - they should quote the damned message they
are talking about in the initial post

"understanding the issue with the warning being logged by freshclam"
without mentioning said message is a joke

http://www.catb.org/esr/faqs/smart-questions.html#beprecise

On Mar 7, 2018, at 2:05 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
if only the OP would have taken time to mention the exact message
unasked in his original post - i love people starting with "I just
subscribed to the list in the hopes of understanding the issue with
the warning being logged by freshclam"


Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.4 has been released!

2018-03-07 Thread Joel Esler (jesler)
Which is perfectly fine.  The mailing lists are the correct place for people to
ask for help.  Should people read the archives?  Yes.  Should people read FAQs?
Yes.  But largely, they won't.  So we need to help our community.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Mar 7, 2018, at 2:05 PM, Reindl Harald <h.rei...@thelounge.net> wrote:



Am 07.03.2018 um 19:01 schrieb Freddie Cash:
If you would take the time to actually read the message

if only the OP would have taken time to mention the exact message unasked in 
his original post - i love people starting with "I just subscribed to the list 
in the hopes of understanding the issue with the warning being logged by 
freshclam"

On Mar 7, 2018 9:33 AM, "Reindl Harald" <h.rei...@thelounge.net> wrote:
Am 07.03.2018 um 18:29 schrieb Brian Fluet:
Here's the most recent freshclam log entry:

Wed Mar 07 12:19:08 2018 -> ClamAV update process started at Wed Mar 07
12:19:08 2018
Wed Mar 07 12:19:08 2018 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Mar 07 12:19:08 2018 -> WARNING: Local version: clamav-0.99.4
Recommended version: 0.99.4
Wed Mar 07 12:19:08 2018 -> DON'T PANIC! Read
http://www.clamav.net/documents/upgrading-clamav

and why don't you just read http://www.clamav.net/documents/upgrading-clamav
frankly even if it would say "clamav-0.99.3 Recommended version: 0.99.4"
the DON'T PANIC applies because when you use LTS distributions it's pretty
common that the version of many packages don't change but security related
and critical fixes are backported
the PHP 5.4 of RHEL/CentOS as example is not just a plain, never updated
PHP 5.4

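The OUTDATED warning quoted above is produced by comparing the local version string with the one freshclam reads from the DNS TXT record at current.cvd.clamav.net, which is why Al Varnell, in the 2018-03-02 thread on this page, says the fix is simply updating DNS. The Python below is an added example, not code from the thread or from the ClamAV project, that performs the same comparison on a constructed record. The colon-separated field layout it relies on (engine version, main, daily, then safebrowsing and bytecode in the last two positions) is this example's assumption about the record, and the sample record is constructed to agree with the versions quoted in the threads. It also shows Reindl's point: a distro build whose version string lags (fixes backported, number unchanged) trips the engine check even though its databases are current.

```python
"""Reproduce freshclam's "OUTDATED" decision against the DNS TXT record.

Added example, not from the threads or the ClamAV project.  The field layout
assumed for the current.cvd.clamav.net TXT record is an assumption of this
example, and SAMPLE_TXT_RECORD is constructed, not the result of a lookup.
"""
import re

# Constructed record, consistent with the versions quoted in the threads:
# engine 0.99.4, main 58, daily 24397, safebrowsing 47149, bytecode 319.
SAMPLE_TXT_RECORD = "0.99.4:58:24397:1521196800:1:90:47149:319"

# Assumed positions of the fields this example uses.
FIELD_INDEX = {"clamav": 0, "main": 1, "daily": 2, "safebrowsing": 6, "bytecode": 7}


def parse_txt_record(record):
    """Return {'clamav': '0.99.4', 'main': 58, 'daily': 24397, ...} from the record text."""
    fields = record.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError("unexpected TXT record layout: %r" % record)
    out = {"clamav": fields[FIELD_INDEX["clamav"]]}
    for name in ("main", "daily", "safebrowsing", "bytecode"):
        out[name] = int(fields[FIELD_INDEX[name]])
    return out


def version_tuple(version):
    """'clamav-0.99.4' or '0.99.3-1+deb9u1' -> (0, 99, 4); distro suffixes are ignored."""
    version = version.strip()
    if version.startswith("clamav-"):          # form used in the freshclam warning
        version = version[len("clamav-"):]
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def check_outdated(local_version, local_dbs, record=SAMPLE_TXT_RECORD):
    """Compare a local install with the published record.

    local_dbs maps a database name ('main', 'daily', 'bytecode', ...) to the
    locally loaded version.  An engine version lower than the published one is
    what yields "Your ClamAV installation is OUTDATED!"; databases behind the
    published versions are the part that actually affects detection.
    """
    published = parse_txt_record(record)
    result = {
        "engine_outdated": version_tuple(local_version) < version_tuple(published["clamav"]),
        "recommended_engine": published["clamav"],
        "databases_behind": {},
    }
    for name, local_ver in local_dbs.items():
        if name in published and local_ver < published[name]:
            result["databases_behind"][name] = (local_ver, published[name])
    return result


if __name__ == "__main__":
    # A patched LTS build whose version string still says 0.99.3: the engine
    # check fires although every database is current.
    print(check_outdated("0.99.3-1+deb9u1", {"main": 58, "daily": 24397, "bytecode": 319}))
```

On a live system the record comes from `dig +short TXT current.cvd.clamav.net`; the engine result is informational for distro-patched builds (the warning's own "DON'T PANIC" pointer says as much), while a non-empty `databases_behind` is the condition worth alerting on.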

Re: [clamav-users] ClamAV® blog: ClamAV 0.99.4 has been released!

2018-03-07 Thread Joel Esler (jesler)
Can you show us the warning you are receiving?


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Mar 7, 2018, at 12:05 PM, Brian Fluet-Denver Equip of Chlt <d...@dec-clt.com> wrote:

I just subscribed to the list in the hopes of understanding the issue with the 
warning being
logged by freshclam.  The discussion indicates that the issue is resolved but 
the warning is
still being logged here.  Is there something I need to do on this end?


Re: [clamav-users] Blank Signature Updates

2018-03-05 Thread Joel Esler (jesler)
Thank you Al.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Mar 4, 2018, at 12:51 AM, Al Varnell <alvarn...@mac.com> wrote:

Seems to be working again with 24361 this evening.

-Al-

On Sat, Mar 03, 2018 at 02:21 AM, Al Varnell wrote:
All three of the last three signature update 24357, 8 & 9 have been empty.

-Al-


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.4 has been released!

2018-03-02 Thread Joel Esler (jesler)
Understood.   

Sent from my iPhone

> On Mar 2, 2018, at 03:28, lukn  wrote:
> 
>> On 02.03.2018 09:21, Al Varnell wrote:
>> They just need to update DNS with updated version when they come in. Not a 
>> big deal. It only results in display of the warning. Should not impact 
>> operations in any way.
> 
> 
> this is correct, 0.99.4 is fully operational and getting signature
> updates. But the negligence to check whether all steps needed to publish
> a release have been completed leaves some smell.


[clamav-users] ClamAV® blog: ClamAV 0.99.4 has been released!

2018-03-01 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html

ClamAV 0.99.4 has been released!
Join us as we welcome ClamAV 0.99.4 to the family!


0.99.4 Release Notes

0.99.4 is a security patch release, quick on the heels of the 0.99.3 security 
patch release.  This is a renewal of our commitment to the ClamAV community for 
timely fixes to critical issues.

0.99.4 addresses a few outstanding vulnerability bugs.  It includes fixes for:


  *   CVE-2012-6706 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6706>
  *   CVE-2017-6419 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419>
  *   CVE-2017-11423 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11423>
  *   CVE-2018-185 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-185>

There are also a few bug fixes that were not assigned CVE’s, but were important 
enough to address while we had the chance.  One of these was the notorious file 
descriptor exhaustion bug that caused outages late last January.

In addition to the above, 0.99.4 fixes:


  *   CVE-2018-0202 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0202>
      *   Two newly reported vulnerabilities in the PDF parsing code.
  *   GCC 6, C++11 compatibility issues.


A big "thank you" to everyone out there contributing patches, bug reports, and
helping support the ClamAV community via our mailing
lists <https://www.clamav.net/contact#ml> and IRC channel.

Thank you to the following ClamAV community members for your code submissions 
and bug reports!

Alberto Garcia
Bernhard Vogel
Francisco Oca
Hanno Böck
Jeffrey Yasskin
Keith Jones
mtowalski
Suleman Ali
yongji.oy
xrym

Stay tuned for the upcoming 0.100.0 release candidate!


--
Joel Esler | Talos: Manager | jes...@cisco.com


[clamav-users] test

2018-02-16 Thread Joel Esler (jesler)
Feel free to ignore this.

--
Joel Esler | Talos: Manager | jes...@cisco.com


Re: [clamav-users] Possible FP on Doc.Dropper.Agent-6447876-0?

2018-02-16 Thread Joel Esler (jesler)
It is possible, using a service we have here:

https://talosintelligence.com/sha_searches

To look up some additional details about files, if interested.  SHA256 required.


--
Joel Esler | Talos: Manager | jes...@cisco.com

> On Feb 15, 2018, at 3:23 PM, Alain Zidouemba <azidoue...@sourcefire.com> 
> wrote:
> 
> The alert with the signature Doc.Dropper.Agent-6447876-0 is not a false
> positive. The signature alerted on a Microsoft Word document. The hash for
> that document is
> f614c9664f566becb3bdf5a52027088407a3a73d5de8f2a5ec1da2b47438d156.
> 
> The Word document has a macro that launches powershell, downloads an
> executable and runs it.
> 
> On Thu, Feb 15, 2018 at 2:05 PM, Kris Deugau <kdeu...@vianet.ca> wrote:
> 
>> I've had a customer reporting problems sending a supposedly all-text
>> (likely actually multipart text+html with no hand-added attachments)
>> triggering this signature.
>> 
>> Since it's a hash I'm baffled by what it might be misfiring on in a
>> legitimate more-or-less text-only message.
>> 
>> I don't yet have a copy of the message that actually triggered this
>> signature, and after finally getting a couple of empty test messages they
>> are of course scanning clean.
>> 
>> Can anyone give any more detail on what kind of file or file component
>> this is matching on?  All I can see is that it's in daily.hsb, so beyond
>> the fact that it is a hash of either the whole file or a component of a
>> Word document containing macros I have no idea what it is, and whether it's
>> really a FP or not.
>> 
>> -kgd

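Kris's question turns on what a daily.hsb entry is: a hash signature line of the form HashString:FileSize:MalwareName (MD5 in .hdb, SHA-1 or SHA-256 in .hsb, with FileSize allowed to be `*`). The Python below is an added example, not code from the thread or from ClamAV, that parses a constructed database in that format and matches constructed file bytes against it; the signature names, sample bytes and function names are made up for the illustration. It also shows the property Kris is reasoning about: because the signature is a hash of the whole file (or of an extracted component), a single changed byte no longer matches, so such a signature cannot fire on a "more-or-less text-only" message unless the exact hashed bytes are present.

```python
"""Match data against ClamAV-style hash signatures (.hdb/.hsb line format).

Added example, not code from the thread or the ClamAV project.  It models the
line format HashString:FileSize:MalwareName, choosing the algorithm from the
digest length (32 = MD5, 40 = SHA-1, 64 = SHA-256) and treating '*' as "any
size".  The sample bytes and database entries are constructed for the example.
"""
import hashlib

# Constructed "documents": not real Word files, just bytes we can hash.
SAMPLE_DOC = b"D0CF11E0" + b"constructed sample with a macro stub " * 8 + b"\x00" * 16
BENIGN_DOC = b"D0CF11E0" + b"constructed clean sample " * 8

# Constructed .hsb-style database.  Entry 1 is the SHA-256 of SAMPLE_DOC with
# its exact size, entry 2 uses the '*' size wildcard with SHA-1, entry 3 is the
# MD5 of empty input with size 0.
HASH_DB = "\n".join([
    "# constructed example database, format: hash:size:name",
    "%s:%d:Doc.Dropper.Agent-Example-0"
    % (hashlib.sha256(SAMPLE_DOC).hexdigest(), len(SAMPLE_DOC)),
    "%s:*:Doc.Dropper.Agent-Example-1" % hashlib.sha1(SAMPLE_DOC + b"!").hexdigest(),
    "d41d8cd98f00b204e9800998ecf8427e:0:Test.Empty-Example",
])

ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_hash_db(text):
    """Parse hash:size:name lines into (algo, hexdigest, size_or_None, name) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(":", 2)
        algo = ALGO_BY_LENGTH.get(len(digest))
        if algo is None:
            raise ValueError("unrecognised hash length in %r" % line)
        entries.append((algo, digest.lower(), None if size == "*" else int(size), name))
    return entries


def match_file(data, entries):
    """Return the name of the first signature whose size (unless '*') and hash match data."""
    digests = {}                      # algo -> hexdigest of data, computed lazily
    for algo, digest, size, name in entries:
        if size is not None and size != len(data):
            continue                  # cheap size pre-filter before hashing
        if algo not in digests:
            digests[algo] = hashlib.new(algo, data).hexdigest()
        if digests[algo] == digest:
            return name
    return None


if __name__ == "__main__":
    db = parse_hash_db(HASH_DB)
    print("sample:", match_file(SAMPLE_DOC, db))
    print("benign:", match_file(BENIGN_DOC, db))
    print("one byte changed:", match_file(SAMPLE_DOC[:-1] + b"\x01", db))
```

The size field is what makes hash lookups cheap at scan time: only files of the listed size are hashed at all, which is also why a `*` entry costs a hash computation for every scanned object.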

Re: [clamav-users] Commercial License

2018-02-14 Thread Joel Esler (jesler)
We've thought about doing something like this, but it's problematic on several
levels.  I'd want to be sensitive to how the community receives the database.
I don't think we'd have an "Early release" database.  But maybe an exclusive
database, that only covered certain things.  It's an idea.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Feb 14, 2018, at 10:25 AM, McRoy, Jeffrey (GE Healthcare) <jeffrey.mc...@ge.com> wrote:

Hi Everyone,



I’ve heard of some malware scanners that have commercial licensing or support 
agreements available where the end user gets access to an advance version of 
the database. Does something like that exist for ClamAV?



Thanks & Regards,

Jeff





Re: [clamav-users] Please guide me

2018-02-14 Thread Joel Esler (jesler)
As the community manager for both Immunet and ClamAV, Al is correct.  

Sent from my iPhone

> On Feb 14, 2018, at 02:11, Al Varnell  wrote:
> 
> Again, I'll point out that Immunet  comes from 
> the same developer as does ClamAV, so not 3rd party at all. 
> 
> I don't understand why you would think that one is OK and the other might be 
> full of malware.
> 
> -Al-
> 
>> On Tue, Feb 13, 2018 at 05:19 PM, teo peishen wrote:
>> 
>> Too many solution. I dun know which one works but I dun like install third 
>> party software, scared of malware or Trojan inside.


[clamav-users] Failing Mirrors (or other Mirror issues)

2018-02-13 Thread Joel Esler (jesler)
All --

We are looking for bugs for failing mirrors or any issues with mirrors, just to
get them all in one place, it would be fantastic if you see failing mirrors,
to throw us a ticket here:

https://bugzilla.clamav.net/enter_bug.cgi?product=Mirror%20Issues

Thank you.


--
Joel Esler | Talos: Manager | jes...@cisco.com


Re: [clamav-users] submitting phish samples - stripped

2018-02-12 Thread Joel Esler (jesler)
Generally speaking, it's better for us to have as much detail as possible.  
Samples that you submit through the website (either one) are not shared with 
partners (unless you check the "share with partners" checkbox)


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Feb 11, 2018, at 7:16 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

On Feb 8, 2018, at 3:52 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
when submitting phish samples, should I use the same form as for malware?
(https://www.clamav.net/reports/malware)
some time ago it contained selection list whether it's malware, phish, false
positive.
Now the page contains forms for malware and false positives - no phishes.

I hope phishes are still to be detected :)

side question: is it fine to strip sample of an e-mail of private data like
recipient mail address, Received: headers etc?

On 08.02.18 18:54, Joel Esler (jesler) wrote:
So, there's two things you can do here, I think.  Phish can be submitted to
ClamAV in the same way you submit malware.  Phish can also be sent in to
phishtank.com (also a project ran by my team) which
allows community voting on phish to produce a blacklist for users to use.

so, phish samples to clamav, URLs to phishtank.com.

what about stripping private information, like recipients and Received:
headers - it that fine?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ;
http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can turn on your computer without worry.


Re: [clamav-users] submitting phish samples - stripped

2018-02-08 Thread Joel Esler (jesler)
So, there's two things you can do here, I think.  Phish can be submitted to 
ClamAV in the same way you submit malware.  Phish can also be sent in to 
phishtank.com (also a project run by my team) which 
allows community voting on phish to produce a blacklist for users to use.


--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Feb 8, 2018, at 3:52 AM, Matus UHLAR - fantomas 
<uh...@fantomas.sk<mailto:uh...@fantomas.sk>> wrote:

Hello,

when submitting phish samples, should I use the same form as for malware?
(https://www.clamav.net/reports/malware)
some time ago it contained selection list whether it's malware, phish, false
positive.
Now the page contains forms for malware and false positives - no phishes.

I hope phishes are still to be detected :)

side question: is it fine to strip sample of an e-mail of private data like
recipient mail address, Received: headers etc?

--
Matus UHLAR - fantomas, uh...@fantomas.sk<mailto:uh...@fantomas.sk> ; 
http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


[clamav-users] ClamAV® blog: ClamAV 0.100.0 beta has been released!

2018-02-05 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/02/clamav-01000-beta-has-been-released.html

ClamAV 0.100.0 beta has been released!
ClamAV 0.100.0-beta is the successor to the previous 0.99.3-beta2.  The 0.99.3 
patch release on January 25th was required to address vulnerability fixes in a 
timely manner, so the features previously found in 0.99.3 betas have been 
bumped to this new version.  If you haven’t read it, please read the 
announcement regarding the version number change. 
<http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html>

The 0.100.0-beta includes all of the feature improvements and bug fixes that 
were in the previous 0.99.3-beta2, plus some additional bug fixes and requested 
improvements that were found by users of the previous beta.  These include:


  *   Eliminating warnings regarding with variables being used before being 
initialized.
  *   Correcting an issue for those using private mirrors where freshclam 
attempts to pull down the CVD file if the CLD is up-to-date.
  *   Fixed a bug in the filtering system that caused unexpected behavior for 
signatures that use the case insensitive signatures (:i).
  *   Increased the max stack size when building ClamAV for non-glibc Linux 
machines (i.e. musl).
  *   Deprecated the AllowSupplementaryGroups config option in a more graceful 
way.
  *   Bug fixes to on-access scanning.
  *   A few other bug fixes.


We could use community support testing these fixes, of course.  That said, our 
main goal of 0.100.0-beta is to get the community ready for the version string 
change.  Mirror maintainers have been asked to verify that ClamAV clients using 
the 0.100.0 version number in the HTTP user agent are not blacklisted by 
regexes intended to drop support for older versions of ClamAV.

As a disclaimer, 0.100.0-beta isn’t a release candidate because we have a few 
outstanding known issues that we must address prior to the 0.100.0 release, and 
because once the fixes are made we will have to complete regression testing.  
The known issues blocking release include the following:


  *   The libmspack library install location, name. 
Bug<https://bugzilla.clamav.net/show_bug.cgi?id=11994>
  *   BlockMax config option may differ slightly from —block-max command line 
option. Bug<https://bugzilla.clamav.net/show_bug.cgi?id=11970>
  *   Using the ./configure --disable-static will still require llvm-static. 
Bug<https://bugzilla.clamav.net/show_bug.cgi?id=11995>
  *   Improvements in PDF object parsing (in progress).
  *   Messages when clamscan skips a file due to max file size settings, along 
with corrections to the —help string. 
Bug<https://bugzilla.clamav.net/show_bug.cgi?id=11967>
  *   Warnings when building on macOS.  
Bugs<https://bugzilla.clamav.net/show_bug.cgi?id=11747>, 
Bugs<https://bugzilla.clamav.net/show_bug.cgi?id=11977>

Bugs should be brought to our attention via the clamav-devel mailing 
list<https://www.clamav.net/contact#ml> or via 
bugzilla<https://bugzilla.clamav.net/>


--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>








Re: [clamav-users] Daily version 24256

2018-01-30 Thread Joel Esler (jesler)
Understood the concern.  But managing the evil in between an old version of the 
cvd being used in perpetuity because someone found the link on a clamav-users 
archive, or working with freshclam to stay current...  it's a hard road.

--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Jan 30, 2018, at 11:57 AM, Reindl Harald 
<h.rei...@thelounge.net<mailto:h.rei...@thelounge.net>> wrote:



Am 30.01.2018 um 17:50 schrieb Joel Esler (jesler):
This shouldn't be necessary, we're way past that on Daily.cvd files now, and 
the issue has been corrected.

yes, *that* issue was corrected, but that doesn't mean that something similar 
won't happen tomorrow and hence he likes to code something which would alert in 
that case - and if it's only because mailing lists like this where you can find 
the reason don't work that much when clamd kills your inbound MX

On Jan 30, 2018, at 8:56 AM, Paul Kosinski 
<clamav-us...@iment.com<mailto:clamav-us...@iment.com><mailto:clamav-us...@iment.com>>
 wrote:
If anyone still wants 24256, I have made it available at
  http://iment.com/clamav/daily.cvd.24256
On Mon, 29 Jan 2018 13:24:45 +0100
Carlos García Gómez 
<carlos.gar...@f-integra.org<mailto:carlos.gar...@f-integra.org><mailto:carlos.gar...@f-integra.org>>
 wrote:
Hi,
I'm thinking about
http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
I would like to reproduce the problem again to force the error in
order to be able to establish system alarms or warnings with Nagios
scripting.
Does anybody know how I can get daily.cld version 24256? Any link to
download it?



Re: [clamav-users] Daily version 24256

2018-01-30 Thread Joel Esler (jesler)
This shouldn't be necessary, we're way past that on Daily.cvd files now, and 
the issue has been corrected.

--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Jan 30, 2018, at 8:56 AM, Paul Kosinski 
<clamav-us...@iment.com<mailto:clamav-us...@iment.com>> wrote:

If anyone still wants 24256, I have made it available at

  http://iment.com/clamav/daily.cvd.24256


On Mon, 29 Jan 2018 13:24:45 +0100
Carlos García Gómez 
<carlos.gar...@f-integra.org<mailto:carlos.gar...@f-integra.org>> wrote:

Hi,

I'm thinking about
http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

I would like to reproduce the problem again to force the error in
order to be able to establish system alarms or warnings with Nagios
scripting.

Does anybody know how I can get daily.cld version 24256? Any link to
download it?

Regards,

Carlos
Murcia
Spain





Re: [clamav-users] GPG key where? (was: Re: GPG signature problem with clamav-0.99.2.tar.gz)

2018-01-29 Thread Joel Esler (jesler)
That's the correct one, thank you Scott.

--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Jan 29, 2018, at 6:13 PM, SCOTT PACKARD 
<scott.pack...@raytheon.com<mailto:scott.pack...@raytheon.com>> wrote:

https://talosintelligence.com/about  click on box "Talos PGP Public Key".
Maybe that one works?  If it was its own URL I'd include it, but it looks like 
it's javascript, in the same page.

Regards, Scott

-Original Message-
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Tomasz Papszun
Sent: Monday, January 29, 2018 2:26 PM
To: clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>
Subject: [External] [clamav-users] GPG key where? (was: Re: GPG signature 
problem with clamav-0.99.2.tar.gz)

On Fri, 30 Jun 2017 at 20:12:11 +, Joel Esler (jesler) wrote:
Jim,

Thanks.  This look like the vulndev key.  The correct key is on the contact 
page of Talosintelligence.com<http://Talosintelligence.com>.

We'll take a look here.

Hi, Joel.

I went to http://www.clamav.net/downloads, got
http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz  and
http://www.clamav.net/downloads/production/clamav-0.99.3.tar.gz.sig
and wanted to verify the tarball and compile ASAP - there are bugs in
0.99.2 after all.

For half an hour or so I tried to find the public key at various places:

Talosintelligence.com, Cisco.com, http://labs.snort.org/contact.html
(linked at
https://github.com/Cisco-Talos/clamav-faq/blob/master/faq/faq-upgrade.md),
a keyserver - all to no avail.

Where is the key?



On Jun 30, 2017, at 13:46, Jim Michaud <jjmich...@constantcontact.com> wrote:

I just downloaded clamav-0.99.2.tar.gz from
https://www.clamav.net/downloads and tried to check the signature
using the "Talos PGP Public Key" on the same page.  It looks like it
was signed with a different public key.

$ gpg --import ../Talos-PGP-Public-Key
gpg: key 0B3BB3A7: public key "vuln...@cisco.com <vuln...@cisco.com>" imported
gpg: Total number processed: 1
gpg:   imported: 1  (RSA: 1)

$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Can't check signature: No public key

I was able to do some digging and did find the key using
https://pgp.key-server.io/
(https://pgp.key-server.io/search/Talos+GPG+Key).  However that key
expired in April 2017. I'm guessing someone needs to update the
signature file using the new public key.

$ gpg --verify clamav-0.99.2.tar.gz.sig clamav-0.99.2.tar.gz
gpg: Signature made Fri 22 Apr 2016 12:25:32 PM EDT using DSA key ID 260429A0
gpg: Good signature from "Talos (Talos GPG Key) <resea...@sourcefire.com>"
gpg: Note: This key has expired!
Primary key fingerprint: F79F B2D0 8751 574C 5D3F  DFFB B3D5 342C 2604 29A0


--
Tomasz Papszun  | And it's only
tomek at lodz.tpsa.pl linkedin.com/in/tomaszpapszun | ones and zeros.
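Jim's transcript in the thread above shows why grepping gpg's human-readable "Good signature" line is not enough: the signature was good, but the key had expired, and the only reliable place to see that is gpg's machine-readable `--status-fd` stream. The following is an added example, not ClamAV's code nor anything a poster supplied: it pins the expected signing-key fingerprint and accepts a tarball only when gpg reports GOODSIG together with a VALIDSIG whose fingerprint matches. The sample status lines are constructed for this example (modelled on the expired key 260429A0 and the fingerprint Jim quoted); `verify_tarball` assumes a gpg binary is on the PATH.

```shell
#!/bin/sh
# Added example: decide whether a detached signature is acceptable by parsing
# gpg's "[GNUPG:] ..." status lines instead of its human-readable output.

# verdict_from_status <pinned_fingerprint>
# Reads status lines on stdin, prints ACCEPT or REJECT:<reason>,
# and returns 0 only for ACCEPT. Spaces and case in the pinned
# fingerprint are normalised so the "F79F B2D0 ..." display form works.
verdict_from_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v pinned="$pinned" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature must not be trusted, whatever else is printed.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = $2 }
        # Good signature but expired/revoked key, or expired signature: still a reject.
        $2 == "EXPKEYSIG" || $2 == "EXPSIG" || $2 == "REVKEYSIG" { bad = $2 }
        $2 == "GOODSIG"  { good = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field
        # (on current gpg) is the primary key fingerprint.
        $2 == "VALIDSIG" { fpr = $3; primary = $NF }
        END {
            if (bad != "")   { print "REJECT:" bad; exit 1 }
            if (!good)       { print "REJECT:NO_GOODSIG"; exit 1 }
            if (fpr != pinned && primary != pinned) {
                print "REJECT:FINGERPRINT_MISMATCH"; exit 1
            }
            print "ACCEPT"
        }'
}

# verify_tarball <tarball> <detached.sig> <pinned_fingerprint>
# Runs gpg with the status stream on stdout and feeds it to the verdict.
# Assumes gpg is installed; the pipeline's status is the verdict's status.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | verdict_from_status "$3"
}

# Constructed sample status streams (not captured from a real run).
# 1) The situation in the thread: good signature, but the key has expired.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG B3D5342C260429A0 Talos (Talos GPG Key)
[GNUPG:] VALIDSIG F79FB2D08751574C5D3FDFFBB3D5342C260429A0 2016-04-22 1461342332 0 4 0 17 2 00 F79FB2D08751574C5D3FDFFBB3D5342C260429A0
[GNUPG:] KEYEXPIRED 1492000000'

# 2) The same signature as it would look while the key was still valid.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B3D5342C260429A0 Talos (Talos GPG Key)
[GNUPG:] VALIDSIG F79FB2D08751574C5D3FDFFBB3D5342C260429A0 2016-04-22 1461342332 0 4 0 17 2 00 F79FB2D08751574C5D3FDFFBB3D5342C260429A0'

# 3) Jim's first attempt: the signing key is not in the keyring at all.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG B3D5342C260429A0 17 2 00 1461342332 9
[GNUPG:] NO_PUBKEY B3D5342C260429A0'

# Fingerprint as shown in the thread (display form with spaces).
TALOS_FPR='F79F B2D0 8751 574C 5D3F  DFFB B3D5 342C 2604 29A0'

# Demonstration when run directly: each sample prints its verdict.
if [ "${0##*/}" = "verify_clamav_tarball.sh" ]; then
    for s in "$SAMPLE_EXPIRED" "$SAMPLE_GOOD" "$SAMPLE_NOKEY"; do
        printf '%s\n' "$s" | verdict_from_status "$TALOS_FPR" || true
    done
fi
```

Only `SAMPLE_GOOD` is accepted; the expired-key stream is rejected with `REJECT:EXPKEYSIG` even though gpg would also print "Good signature" for it.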


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)
There are outside issues that prevented us from announcing the CVEs at that 
time.  It's not because we were trying to hide something.


--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Jan 26, 2018, at 2:39 PM, Andreas Schulze 
<andreas.schu...@datev.de<mailto:andreas.schu...@datev.de>> wrote:

Am 26.01.2018 um 16:06 schrieb Tobi:
As far as I understand the release notes of 99.3, it's a security fix which has 
nothing to do with the former 99.3 beta.
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply the fixed 99.3 version
I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in 
0.99.3beta2

now, as the links to bugzilla.clamav.net are 
public, we see the issues were known to the developers since October/November 
2017!
They published these changes silently as part of "beta2". They discussed 
CVEs at this time!
This is *not* amazing.

Andreas




[clamav-users] ClamAV® blog: Update on the recent "File Descriptors" issue in ClamAV

2018-01-26 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

Update on the recent "File Descriptors" issue in ClamAV
A signature introduced in daily.cvd version 24256 triggered a bug that exists in 
all current stable releases of ClamAV.

The symptom on a Linux/Unix machine running clamd under heavy load is that the 
system runs out of file descriptors, because the file descriptors for 
deleted temp files were not being closed.  On Windows systems, a different 
error occurred wherein the system reported “permission denied” errors when 
closing (unlinking) the temp files.

The bug was reported as early as April 2016 here: 
https://bugzilla.clamav.net/show_bug.cgi?id=11549. A patch for this bug was 
applied towards the upcoming 0.100.0 feature release of ClamAV, but 
unfortunately the fix didn’t make it into the recent 0.99.3 security patch 
release.

For the time-being, the offending signature was pulled as of daily.cvd version 
24258, and changes to our backend processes have been implemented to prevent 
this from happening again.

We apologize for the inconvenience this has caused. Future releases of ClamAV 
will have a fix in place to prevent this issue from recurring.



--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






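Carlos's question in the "Daily version 24256" thread above was how to get a Nagios alarm for this failure mode. Here is an added example, not ClamAV's code nor anything a poster supplied: a POSIX shell check that reads clamd's descriptor usage from /proc and also counts descriptors still pointing at deleted files, the exact symptom the blog post describes. It assumes Linux with /proc, a clamd located with pidof, permission to read that process's fd table (normally root), and warning/critical thresholds given as percentages of the soft limit; the script name check_clamd_fds.sh is hypothetical.

```shell
#!/bin/sh
# Added example: Nagios-style plugin for the clamd file-descriptor leak.
# Exit codes follow the Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# fd_usage_pct <used> <soft_limit> -> integer percentage of the limit in use.
# An unknown, "unlimited" or zero limit yields 0 rather than a division error.
fd_usage_pct() {
    used=$1; limit=$2
    case $limit in
        ''|unlimited|0) echo 0; return 0 ;;
    esac
    echo $(( used * 100 / limit ))
}

# classify <pct> <warn> <crit> -> prints the state, returns the Nagios code.
classify() {
    pct=$1; warn=$2; crit=$3
    if [ "$pct" -ge "$crit" ]; then echo CRITICAL; return 2; fi
    if [ "$pct" -ge "$warn" ]; then echo WARNING;  return 1; fi
    echo OK; return 0
}

# count_deleted_fds <fd_dir> -> number of descriptors whose target was unlinked.
# In /proc/<pid>/fd every entry is a symlink; the kernel appends " (deleted)"
# to the target once the file is gone, which is what leaked temp files look like.
count_deleted_fds() {
    n=0
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        target=$(readlink "$f") || continue
        case $target in *" (deleted)") n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# soft_nofile_limit <pid> -> soft "Max open files" value from /proc/<pid>/limits
# (columns: Limit name, soft, hard, units; the soft value is field 4).
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits" 2>/dev/null
}

# check_clamd_fds [warn_pct] [crit_pct] -> one Nagios status line plus perfdata.
check_clamd_fds() {
    warn=${1:-70}; crit=${2:-90}
    pid=$(pidof clamd 2>/dev/null | awk '{ print $1 }')
    if [ -z "$pid" ]; then
        echo "UNKNOWN - clamd is not running"; return 3
    fi
    used=$(ls "/proc/$pid/fd" | wc -l | tr -d ' ')
    limit=$(soft_nofile_limit "$pid")
    pct=$(fd_usage_pct "$used" "$limit")
    deleted=$(count_deleted_fds "/proc/$pid/fd")
    state=$(classify "$pct" "$warn" "$crit"); rc=$?
    echo "$state - clamd[$pid] $used/$limit fds (${pct}%), $deleted on deleted files|fds=$used;;;0;$limit deleted=$deleted"
    return $rc
}

# Act as a plugin only when executed under the (hypothetical) script name,
# so the functions can also be sourced and unit-tested.
case ${0##*/} in
    check_clamd_fds.sh) check_clamd_fds "$@" ;;
esac
```

The "deleted" perfdata value is the earlier warning sign: it climbs as the leak progresses, well before the percentage reaches the configured thresholds.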


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Joel Esler (jesler)
Steve Morgan, a developer here at Cisco that worked on ClamAV for about the 
past five years or so, decided to retire.  Monday was his last day.  On top of 
that, one of our other developers (Micah) was out of the office today for a 
holiday, and so that only left, essentially, myself and a couple other people to 
see this action on the list.

So while we regret the issue that this signature caused (and we will fix, not 
only the signature, but the code itself in an upcoming release), I am super 
proud of the community that came together and solved the problem.



--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Jan 26, 2018, at 10:02 AM, Dianne Skoll 
<d...@roaringpenguin.com<mailto:d...@roaringpenguin.com>> wrote:

On Fri, 26 Jan 2018 06:44:30 -0800
"Jason J. W. Williams" 
<jasonjwwilli...@gmail.com<mailto:jasonjwwilli...@gmail.com>> wrote:

We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet
(as of 24257), or am I wrong?

Not only has it not been fixed, there hasn't been a peep out of the
developers.

This is NOT the way to deal with issues like this, especially in
security-sensitive software.

Regards,

Dianne.


Re: [clamav-users] Max Open File Descriptors issue found this morning

2018-01-26 Thread Joel Esler

On Fri, Jan 26, 2018 at 07:41:05AM -0800, Jason J. W. Williams wrote:

Hi Joel,

Appreciate you chiming in. For what it's worth, I can confirm David
Shrimpton's suggestion of adding Vbs.Downloader.Generic-6431223-0 to
local.ign2 stops the problem.



Yes.  We've dropped that sig from our side and are currently building a new 
daily

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com.


[clamav-users] Max Open File Descriptors issue found this morning

2018-01-26 Thread Joel Esler (jesler)
There are a bunch of threads going on, so I am going to try and address most of 
them with this email, sorry if I leave anything out.

There are reports of exploits against 0.99.2 in the wild. Heise reports
on that (in German, can't find an English source right now):
https://heise.de/-3951801

Not that I have seen.  Maybe I'm wrong and maybe one of my coworkers here at 
Cisco knows something that I don't, but all of the referenced CVE's in my blog 
post here: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html 
were disclosed to us responsibly by the folks from Offensive Research at 
Salesforce.com.  We appreciate their work, and it helps 
tremendously.

Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
24257), or am I wrong?


We are currently reviewing the issue to see if we can isolate the cause and 
work out a fix.  This is an "All Hands on Deck" situation 
(https://en.oxforddictionaries.com/definition/all_hands_on_deck) here.  We 
apologize for any issues, and we'll do a post mortem analysis once we fix it to 
figure out what went wrong and what we can do to remedy this in the future.

ClamAV QA team: In future, please run new signatures against a clamd
process a few thousand times to check for possible resource leakage.


Thank you for your suggestion.  We have had some transition in personnel in the 
last several months on the ClamAV team, as well as further augmenting our QA 
resources.  I'm not making excuses, I'm just trying to let you all know the 
reality we've faced.  We want to change the model of ClamAV to be even more 
open source and develop more in a "Bazaar" method.  More on this over time.

Re: Mail loops

which f**g idiot is responsible for that?

Unfortunately Reindl, from what you reported, and your eloquent description, 
I'm not sure what the issue is.  I'm not seeing that issue on my side.

Am 26.01.2018 um 15:40 schrieb Joel Esler (jesler):
As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences

when I read something like this in 2018 my brain ends with a bluescreen

This is something we debated for a couple weeks here internally and we found 
this to be the best solution.  We were stuck between a rock and a hard 
place.  Trust me, this is not the user experience I want for our users either, 
but we were faced with a tough choice, and replacing the 0.99.3 beta with a 
completely different codebase was the one we found to be the best path forward 
without upsetting even more people.





--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>








Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)


On Jan 26, 2018, at 9:49 AM, Reindl Harald 
<h.rei...@thelounge.net<mailto:h.rei...@thelounge.net>> wrote:

Am 26.01.2018 um 15:40 schrieb Joel Esler (jesler):
As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences

when I read something like this in 2018 my brain ends with a bluescreen

This is something we debated for a couple weeks here internally and we found 
this to be the best solution.  We were stuck between a rock and a hard 
place.  Trust me, this is not the user experience I want for our users either.

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


[clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)
tacker could exploit this vulnerability by sending a crafted email to the 
affected device. This action could cause a buffer overflow condition when 
ClamAV scans the malicious email, allowing the attacker to potentially cause a 
DoS condition or execute arbitrary code on an affected device.

https://bugzilla.clamav.net/show_bug.cgi?id=11944
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2017-12380
7. ClamAV Null Dereference Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition on an affected device.

The vulnerability is due to improper input validation checking mechanisms 
during certain mail parsing functions of the ClamAV software. An 
unauthenticated, remote attacker could exploit this vulnerability by sending a 
crafted email to the affected device. An exploit could trigger a NULL pointer 
dereference condition when ClamAV scans the malicious email, which may result 
in a DoS condition.

https://bugzilla.clamav.net/show_bug.cgi?id=11945
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Also included are 2 minor fixes to properly detect openssl install locations on 
FreeBSD 11, and prevent false warnings about zlib 1.2.1# version numbers.

Thank you to the following ClamAV community members for your code
submissions and bug reports!

Alberto Garcia
Daniel J. Luke
Francisco Oca
Sebastian A. Siewior
Suleman Ali

Special thanks to Offensive Research at Salesforce.com<http://Salesforce.com> 
for responsible disclosure.

As always you can download the latest copy of ClamAV from our website 
ClamAV.net/downloads<http://www.clamav.net/downloads>

Please continue the discussion on our mailing lists at 
http://www.clamav.net/contact#ml


--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>








Re: [clamav-users] Announcement missing

2018-01-26 Thread Joel Esler (jesler)
You're right.  That's my fault.  I'll correct that here in a second after I 
read through all the emails in my ClamAV folder.

--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Jan 26, 2018, at 8:22 AM, Andreas Schulze 
<andreas.schu...@datev.de<mailto:andreas.schu...@datev.de>> wrote:

Am 26.01.2018 um 14:09 schrieb Tobi:
Do you mean this one ?
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

@Cisco: is it so hard to use 
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce



--
A. Schulze
DATEV eG


[clamav-users] ClamAV® blog: ClamAV Version number adjustment

2018-01-24 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html?utm_source=dlvr.it_medium=twitter_campaign=Feed%3A+Clamav+%28ClamAV%C2%AE%29

ClamAV Version number adjustment
This is a heads-up to the ClamAV community: we are changing our version 
numbering scheme as follows. Our versions will follow x.y.z 
(major.minor.patch). Major releases will be reserved for major feature 
additions or changes that may be incompatible with previous releases. Minor 
releases will be for regular bug fixes and minor feature changes/additions. 
Patches will be reserved for security fixes to address CVE and other critical 
bug fixes.

This change was driven by our need to address a security vulnerability release 
to resolve a number of CVEs which will be published shortly. We internally 
discussed a number of options, and reviewed these options with a few key 
members of the community before making this decision.

What does this mean for our community members? We will shortly be releasing a 
0.99.3 release. This release will specifically target the aforementioned CVEs. 
The 0.99.3 betas we had previously shared will be renumbered to 0.100.0 instead.

We apologize for any confusion this change will cause, but we feel this will 
impact the least number of community members, while allowing us flexibility to 
quickly address critical bugs or security issues, without undue issues with 
other work underway.


--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>








Re: [clamav-users] Whither ClamAV 0.99.2.1 ?

2018-01-24 Thread Joel Esler (jesler)
Mark,

Yes.  I apologize for that.  I put out the blog post, but then we retracted it 
as we are looking into any issues caused by the version numbering we are 
planning on using.  We've been made aware of a couple issues, and are working 
through them now.


--
Joel Esler | Talos: Manager | jes...@cisco.com<mailto:jes...@cisco.com>






On Jan 24, 2018, at 5:56 AM, Mark Allan 
<markjal...@gmail.com<mailto:markjal...@gmail.com>> wrote:

Hi guys,

I saw the following blog post about an interim release (ClamAV 0.99.2.1) in my 
newsreader last week
http://blog.clamav.net/2018/01/heads-up-clamav-version-09921.html

The article said you planned to release 0.99.2.1 today (24th January), however, 
the post is no longer appearing on your blog.

Have plans changed, or is it still coming today?

Best regards
Mark



Re: [clamav-users] Unable to upload a false positive.

2018-01-17 Thread Joel Esler (jesler)
We know about this issue and are currently working on fixing the issue.  Please 
bear with us.  It’s a specific corner case that some people are running into.

For instance, are you uploading the file before you fill out the form?

Sent from my iPad

> On Jan 17, 2018, at 3:53 PM, Ramos Alexiou  wrote:
> 
> Hi,
> 
> I have been trying to upload a false positive file on the clamav site for 
> several days now and it keeps asking for the file even if the file has been 
> selected. The upload doesn't take place either. I have attempted the upload 
> with Chrome 63.0.3239.132 and Firefox 57 on Linux (Xubuntu 16.04 x64).


[clamav-users] ClamAV® blog: ClamAV List Server Upgrade

2018-01-10 Thread Joel Esler (jesler)

http://blog.clamav.net/2018/01/clamav-list-server-upgrade.html

Tomorrow (10/Jan/2018) at 9:00 EST, we will be upgrading the ClamAV Mailman 
list hosting server.

This will result in clamav-users, clamav-devel, community-sigs, 
clamav-virusdb, etc. being down during the outage.  We will send a 
notification via the lists, blog, Twitter, and Facebook when the server is back 
up.

Thanks for your patience during our maintenance!


--
Joel Esler | Talos: Manager | jes...@cisco.com


Re: [clamav-users] Recommended workstation usage?

2017-12-20 Thread Joel Esler (jesler)
You may want to add “ELF….” to your count.  Perhaps even “OSX….”
--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 20, 2017, at 7:02 AM, Maarten Broekman <maarten.broek...@gmail.com> wrote:

There are far more than 31 signatures that have the potential to impact
Linux systems. There are, in truth, over 23,000 signatures that are able to
detect malware on Linux and Unix systems. Most "Linux" signatures only
contain the word Unix, however. Additionally, keep in mind that these are
only from the ClamAV provided databases. Sanesecurity and the Linux Malware
Detect project add more as well.

Of the official databases, the signatures break down like this for Unix
signatures:
     1 [bytecode]
  7386 [daily.hdb]
 11640 [daily.hsb]
    67 [daily.ldb]
    11 [daily.ndb]
   141 [main.hdb]
  3445 [main.hsb]
     5 [main.mdb]
   426 [main.ndb]
     2 [daily.ldb] <== These are noted by Al in his previous message.

Aside from the Win.* signatures, these are the major grouping of the
non-hash signatures:
     1 Unix.Downloader
    28 Unix.Exploit
     1 Unix.Malware
     1 Unix.Packer
     6 Unix.Rootkit
   311 Unix.Tool
   144 Unix.Trojan
    11 Unix.Worm

Of the hashes, there are about 50 different 'families' of Unix/Linux
related malware of varying specificity:
     3 Unix.Adware.Bundlore
     1 Unix.Adware.Bundloreca
     9 Unix.Adware.Genieo
     1 Unix.Adware.Installmiez
     1 Unix.Adware.Macinst
     1 Unix.Adware.Spigot
     1 Unix.Adware.Xloader
     1 Unix.Downloader.Amcleaner
     1 Unix.Exploit.CVE_2016_8733
     1 Unix.Exploit.CVE_2016_9032
     1 Unix.Exploit.CVE_2016_9033
     1 Unix.Exploit.CVE_2017_1000253
     1 Unix.Exploit.Gingerbreak
     1 Unix.Exploit.Iosjailbreak
     1 Unix.Exploit.Lacksand
     4 Unix.Exploit.Lotoor
     1 Unix.Exploit.Powershell
     1 Unix.Exploit.Remotesync
     1 Unix.Exploit.Roothack
     1 Unix.Exploit.TALOS_2016_0257
 21777 Unix.Malware.Agent
     1 Unix.Malware.Generic
     1 Unix.Malware.Setag
     4 Unix.Malware.Tsunami
     1 Unix.Malware.Xorddos
     1 Unix.Spyware.Opinionspy
     1 Unix.Tool.Dnsamp
     6 Unix.Tool.Dofloo
   448 Unix.Tool.EQGRP
     5 Unix.Tool.FakeAV
     1 Unix.Tool.Flood
     1 Unix.Tool.Zusy
   137 Unix.Trojan.Agent
     6 Unix.Trojan.Cornelgen
     7 Unix.Trojan.Ddostf
    13 Unix.Trojan.Dofloo
     1 Unix.Trojan.Dogspectus
     1 Unix.Trojan.Elknot
     1 Unix.Trojan.Elzob
   127 Unix.Trojan.Gafgyt
     3 Unix.Trojan.Hanthie
     3 Unix.Trojan.Mayday
    24 Unix.Trojan.Mirai
     2 Unix.Trojan.Small
     7 Unix.Trojan.Tsunami
     1 Unix.Trojan.Webshell
     1 Unix.Trojan.Zonie
     1 Unix.Virus.Zusy
     1 Unix.Worm.Cheese
     1 Unix.Worm.Darlloz

My suggestion is, yes. Run ClamAV. But don't rely on just the official
databases.

--Maarten

On Wed, Dec 20, 2017 at 4:09 AM, Al Varnell <alvarn...@mac.com> wrote:

FYI, there are 31 ClamAV signatures that contain the word "Linux". There
are currently almost 6.4 million ClamAV signatures in the database.

All but two are in main.ndb or main.hdb, meaning they are relatively old.

All but five start with Win.Trojan or Win.Exploit or Win.Tool so I'm not
clear on their relationship to Linux.

The two most recent ones are:
- Unix.Trojan.Linux_DDoS_93-2
- Unix.Trojan.Linux_DDoS_93-5364119-0

-Al-

On Wed, Dec 20, 2017 at 12:47 AM, Matus UHLAR - fantomas wrote:
On 19.12.17 12:44, Dan Rawson wrote:
I'm working on running clamav on my Linux workstation - NOT a server
environment.  What is the recommended usage in that environment?  clamd +
OnAccess?  clamscan scheduled from cron?? clamdscan scheduled from cron??

I did search through the documentation but didn't see much addressing
"best practices" in a single machine environment.

I haven't seen a linux malware yet. Well, I've heard that it exists, but
haven't seen it (except hacking suite...)

what makes you think you need it?

-Al-
--
Al Varnell
Mountain View, CA






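The counts Maarten posted come from grouping signature names by their dotted prefixes: the first component gives the platform ("Unix", "Win", "Osx"), the first three give the family ("Unix.Trojan.Gafgyt"). As an added example, not code from the thread or from ClamAV, the Python below does that grouping over the plain-text databases that `sigtool --unpack main.cvd` / `sigtool --unpack daily.cvd` write out. It relies on the documented per-extension field layouts listed in its docstring; the sample database lines, hashes and names embedded in it are constructed for the example and are not real signatures.

```python
"""Tally ClamAV signature names by platform prefix and by family.

Added example for the "Recommended workstation usage?" thread; not ClamAV's
code and not the poster's script. It reads the text databases produced by
`sigtool --unpack <db>.cvd` and uses the documented field layout per file type:

  .hdb/.hsb   HashString:FileSize:MalwareName[:FuncLevel]
  .mdb/.msb   PESectionSize:PESectionHash:MalwareName
  .ndb        MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
  .ldb        SignatureName;TargetDescriptionBlock;LogicalExpression;Subsigs...
"""
from __future__ import annotations

import os
import sys
from collections import Counter

# (field separator, index of the field holding the malware name) per extension
_NAME_FIELD = {
    ".hdb": (":", 2), ".hsb": (":", 2),
    ".mdb": (":", 2), ".msb": (":", 2),
    ".ndb": (":", 0),
    ".ldb": (";", 0),
}


def signature_name(filename: str, line: str) -> str | None:
    """Malware name on one database line, or None for blanks, comments and
    file types that carry no names (.info, .cfg, .cdiff, ...)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ext = os.path.splitext(filename)[1].lower()
    if ext not in _NAME_FIELD:
        return None
    sep, index = _NAME_FIELD[ext]
    fields = line.split(sep)
    if len(fields) <= index:
        return None  # malformed line: skip it rather than abort the tally
    return fields[index]


def family(name: str, depth: int = 3) -> str:
    """Collapse "Unix.Trojan.Gafgyt-6000001-0" to its first `depth` dotted parts.
    The "-<id>-<revision>" suffix is dropped first, so counts are per family."""
    base = name.split("-", 1)[0]
    return ".".join(base.split(".")[:depth])


def tally(databases: dict[str, str], depth: int) -> Counter:
    """Count names across {filename: contents} by prefix of the given depth."""
    counts: Counter = Counter()
    for filename, text in databases.items():
        for line in text.splitlines():
            name = signature_name(filename, line)
            if name is not None:
                counts[family(name, depth)] += 1
    return counts


def per_file_platform(databases: dict[str, str], platform: str = "Unix") -> Counter:
    """How many signatures in each file belong to one platform (Maarten's first table)."""
    counts: Counter = Counter()
    for filename, text in databases.items():
        for line in text.splitlines():
            name = signature_name(filename, line)
            if name is not None and family(name, 1) == platform:
                counts[filename] += 1
    return counts


def load_directory(path: str) -> dict[str, str]:
    """Read every signature text file in a directory produced by sigtool --unpack."""
    out = {}
    for entry in sorted(os.listdir(path)):
        if os.path.splitext(entry)[1].lower() in _NAME_FIELD:
            with open(os.path.join(path, entry), encoding="utf-8", errors="replace") as fh:
                out[entry] = fh.read()
    return out


# Constructed sample databases: hashes and names are made up, not real signatures.
SAMPLE_DATABASES = {
    "daily.hdb": "\n".join([
        "00000000000000000000000000000000:1024:Unix.Trojan.Gafgyt-6000001-0",
        "00000000000000000000000000000001:2048:Unix.Trojan.Gafgyt-6000002-0",
        "00000000000000000000000000000002:4096:Win.Trojan.Agent-1-0",
    ]),
    "daily.ndb": "\n".join([
        "# comment lines are ignored",
        "Unix.Exploit.CVE_2016_8733-1:6:*:deadbeef",
        "Osx.Adware.Bundlore-2:9:*:cafebabe",
    ]),
    "daily.ldb": "Unix.Trojan.Mirai-3;Engine:51-255,Target:6;0&1;4142;4344",
    "main.mdb": "512:abcdefabcdefabcdefabcdefabcdefab:Win.Tool.Generic-4",
    "daily.info": "not a signature file, so it contributes nothing",
}

if __name__ == "__main__":
    dbs = load_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DATABASES
    for prefix, n in tally(dbs, 1).most_common():
        print(f"{n:7d} {prefix}")
    for filename, n in per_file_platform(dbs, "Unix").most_common():
        print(f"{n:7d} [{filename}]")
```

Run it with the directory that `sigtool --unpack` wrote into as its only argument, or with no argument to see the constructed sample. Joel's suggestion to also count "ELF" and "OSX" is a matter of calling `tally(dbs, 1)` and reading off those prefixes alongside "Unix"; the `family()` helper is the only place that assumes the name convention, so a database with differently shaped names only affects that function.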
Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 beta2 has been released!

2017-12-19 Thread Joel Esler (jesler)
Thanks Steve and Tom.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 19, 2017, at 11:33 AM, Steven Morgan <smor...@sourcefire.com> wrote:

https://bugzilla.clamav.net/show_bug.cgi?id=12000 is the ticket.

Steve

On Tue, Dec 19, 2017 at 10:59 AM, Joel Esler (jesler) <jes...@cisco.com> wrote:

Can you please open a ticket in bugzilla.clamav.net?

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 19, 2017, at 7:29 AM, Andreas Schulze <andreas.schu...@datev.de> wrote:

On 18.12.2017 at 18:06, Joel Esler (jesler) wrote:
ClamAV 0.99.3 beta2 has been released!

hello,

I upgraded some lab servers from beta1 to beta2.
Now I receive messages from cron containing the text "debug enabled".
That happens on reloads where yara rules are active.

I found the string in "libclamav/yara_lexer.c" and
"libclamav/yara_lexer.l".

what's going on there?


--
A. Schulze
DATEV eG


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 beta2 has been released!

2017-12-19 Thread Joel Esler (jesler)
Can you please open a ticket in bugzilla.clamav.net?

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 19, 2017, at 7:29 AM, Andreas Schulze <andreas.schu...@datev.de> wrote:

On 18.12.2017 at 18:06, Joel Esler (jesler) wrote:
ClamAV 0.99.3 beta2 has been released!

hello,

I upgraded some lab servers from beta1 to beta2.
Now I receive messages from cron containing the text "debug enabled".
That happens on reloads where yara rules are active.

I found the string in "libclamav/yara_lexer.c" and "libclamav/yara_lexer.l".

what's going on there?


--
A. Schulze
DATEV eG


[clamav-users] ClamAV® blog: ClamAV 0.99.3 beta2 has been released!

2017-12-18 Thread Joel Esler (jesler)
> ClamAV 0.99.3 beta2 has been released!
> 
> http://blog.clamav.net/2017/12/clamav-0993-beta2-has-been-released.html
> 
> Welcome to ClamAV 0.99.3's beta2 release. In this release, we have included 
> many code
> submissions from the ClamAV community:
> 
>   • Interfaces to the Prelude SIEM open source package for collecting 
> ClamAV virus events.
>   • Visual Studio 2015 for building Microsoft Windows binaries.
>   • Support libmspack internal code or as a shared object library. The 
> internal library is the default and contains additional integrity checks.
>   • Linking with openssl 1.1.0.
>   • Numerous code patches, typos, and compiler warning fixes.
> 
> Additionally, we have introduced important changes and new features in
> ClamAV 0.99.3, including:
> 
>   • Deprecating internal LLVM code support. The configure script has 
> changed to search the system for an installed instance of the LLVM development 
> libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode 
> signatures. To use the LLVM Just-In-Time compiler for executing bytecode 
> signatures, please ensure that the LLVM development package at version 3.6 or 
> lower is installed. Using the deprecated LLVM code is possible with the 
> command: './configure --with-system-llvm=no', but it no longer compiles on 
> all platforms.
>   • Compute and check PE import table hash (a.k.a. "imphash") signatures.
>   • Support file property collection and analysis for MHTML files.
>   • Raw scanning of PostScript files.
>   • Fix clamsubmit to use the new virus and false positive submission web 
> interface.
>   • Optionally, flag files with the virus "Heuristic.Limits.Exceeded" 
> when size limitations are exceeded.
>   • Improve decoders for PDF files.
> 
> 
> The ClamAV community thanks the following individuals for their ClamAV 0.99.3
> code submissions:
> 
> Sebastian Andrzej Siewior
> Keith Jones
> Bill Parker
> Chris Miserva
> Daniel J. Luke
> Matthew Boedicker
> Ningirsu
> Michael Pelletier
> Anthony Chan
> Stephen Welker
> Marc Deslauriers
> Mark Allan
> Andreas Schulze
> Jonas Zaddach
> Georgy Salnikov
> 
> We are releasing beta2 for further testing while we resolve our small list of 
> known issues in the background as we are prepping for "General Availability". 
>  If you have the ability to download and use beta2 on your network, please 
> do.  Thanks!  


--
Joel Esler | Talos: Manager | jes...@cisco.com







Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Joel Esler (jesler)
I’ve adjusted some settings. Please try again.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 11, 2017, at 9:02 AM, Matteo Italia <mat...@mitalia.net> wrote:

Hello Joel,

I receive a page containing this information:

   Sorry, you have been blocked

   You are unable to access clamav.net

   Why have I been blocked?

   This website is using a security service to protect itself from
   online attacks. The action you just performed triggered the security
   solution. There are several actions that could trigger this block
   including submitting a certain word or phrase, a SQL command or
   malformed data.

   Cloudflare Ray ID: 3cb8f72fcc300e5a • Your IP: 79.1.45.152

On 11/12/2017 14:58, Joel Esler (jesler) wrote:

What is the error you are receiving from Cloudflare?  I need some details.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 11, 2017, at 3:48 AM, Matteo Italia <mat...@mitalia.net> wrote:

Hello,

I'm trying to submit a virus sample through the web interface
(https://www.clamav.net/reports/malware), but it keeps getting refused
by CloudFlare. I tried several variations of the message text, putting
the virus sample in various archives (not archived, .tar.gz, .7z with
password), but CloudFlare keeps telling me I'm blocked. What should I do?

Matteo



Re: [clamav-users] Cannot send virus sample through https://www.clamav.net/reports/malware

2017-12-11 Thread Joel Esler (jesler)
What is the error you are receiving from Cloudflare?  I need some details.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Dec 11, 2017, at 3:48 AM, Matteo Italia <mat...@mitalia.net> wrote:

Hello,

I'm trying to submit a virus sample through the web interface
(https://www.clamav.net/reports/malware), but it keeps getting refused
by CloudFlare. I tried several variations of the message text, putting
the virus sample in various archives (not archived, .tar.gz, .7z with
password), but CloudFlare keeps telling me I'm blocked. What should I do?

Matteo




Re: [clamav-users] ClamAV - Open Source License

2017-11-29 Thread Joel Esler (jesler)
On Nov 29, 2017, at 1:21 PM, Peggy Anstett wrote:

Thanks Kevin! In the code itself there are about 10 different license files 
(Apache, BSD, etc) with no explanation as to whether they apply to certain 
parts of the library. Hence the confusion

The parts of ClamAV that are attributed to a different license are labeled as 
such in the header of the file.



Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Joel Esler (jesler)
Doc.Dropper.Agent is automated.  Sounds like someone submitted the file to 
Clamav.net or one of my other automated systems that produces detection.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 15, 2017, at 7:09 PM, Al Varnell <alvarn...@mac.com> wrote:

Yes, both those signatures were added in daily - 24045 last night (my time).

-Al-

On Wed, Nov 15, 2017 at 01:14 PM, Mark Foley wrote:

Actually, the clamscanner is now finding these files, so someone must have
updated something since yesterday (which is when these files came in):

/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S: Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml: Doc.Dropper.Agent-6374331-0 FOUND

I'll go ahead and submit my file anyway, in case this is something different.

--Mark

-Original Message-
From: Steven Morgan <smor...@sourcefire.com>
Date: Wed, 15 Nov 2017 15:50:31 -0500
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] Virus Malvare not detected

Mark,

Please open a bug report about this issue at bugzilla.clamav.net. Please
include your file and we can look into the issues.

Thanks,
Steve



On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley <mfo...@novatec-inc.com> wrote:

I'm going to continue piggybacking onto this thread as it deals with Clamav's
non-discovery of the malware attached to messages with the subject "Invoice
...". Although, I don't know if this is the same type of attachment.

The attachments I've been getting are .docx file named as .doc files. In
examining the contents of these archives I find:

$ unzip -l InvoiceZGC3020188.doc
Archive:  InvoiceZGC3020188.doc
  Length      Date    Time    Name
---------  ---------- -----   ----
     1510  01-01-1980 00:00   [Content_Types].xml
      590  01-01-1980 00:00   _rels/.rels
     1226  01-01-1980 00:00   word/_rels/document.xml.rels
     5097  01-01-1980 00:00   word/document.xml
     5424  01-01-1980 00:00   word/media/image1.emf
   132276  01-01-1980 00:00   word/media/image2.png
     6850  01-01-1980 00:00   word/theme/theme1.xml
     6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
     4809  01-01-1980 00:00   word/settings.xml
     1299  01-01-1980 00:00   word/fontTable.xml
      576  01-01-1980 00:00   word/webSettings.xml
      995  01-01-1980 00:00   docProps/app.xml
    29121  01-01-1980 00:00   word/styles.xml
      732  01-01-1980 00:00   docProps/core.xml
---------                     -------
   196649                     14 files

"Normal" .docx files do not have oleObject1.bin as an archive member. I do
have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
oleObject1.bin member?

(To where should I submit a sample of this attachment?)

--Mark

-Original Message-
From: Mark Foley <mfo...@novatec-inc.com>
Date: Wed, 15 Nov 2017 13:18:23 -0500
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net

I'm having this same issue. The problem as I see it is that the .doc attached to
these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
discussing this encrypted attachment issue in my thread, subject: "password
protected encrypted .docx files". I'm continuing to research this.

--Mark

On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel <emanuel.gonza...@donweb.com> wrote:

Other virus not detected

https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection


On 14/11/17 at 09:52, Emanuel wrote:
Scan the attachment, clamav not detect this file.


On 14/11/17 at 09:51, Al Varnell wrote:
You mentioned two attachments. Kaspersky and ClamXAV appear to catch
the first one, but neither catch the second one you showed us. The
SHA256 for a file is the same no matter what scanner is used.

-Al-

On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
the first scan is with kaspersky online


On 14/11/17 at 09:31, Al Varnell wrote:
That's not the same file you showed before. The SHA256 is different.

-Al-

On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
Please see

https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
<https://www.virusto

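Mark's manual check (unzip -l, look for word/embeddings/oleObject1.bin, and notice that the ".doc" is really a zip) is worth scripting as a first-pass triage before an attachment is handed to ClamAV or the submission form. The Python below is an added example, not ClamAV's code and not the poster's. The "attachment" it inspects is built in memory with member names taken from the listing above and filler contents; the extension tables, the embedding and VBA member paths, and the container magic numbers are assumptions made for this example rather than anything the thread states.

```python
"""Static triage of an Office attachment for the indicators in the thread.

Added example for the "Virus Malvare not detected" thread; not ClamAV's code
and not the poster's. It automates the two things Mark checked by hand:
whether a file called ".doc" is really an OOXML zip, and whether that zip
carries an embedded OLE object (word/embeddings/*.bin) that a plain .docx
does not. The sample attachment is constructed in memory.
"""
from __future__ import annotations

import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls (compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx/.pptx are zip archives

LEGACY_EXT = {".doc", ".xls", ".ppt"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def container_type(data: bytes) -> str:
    """Classify by magic bytes, not by extension: the extension is sender-chosen."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def zip_members(data: bytes) -> list[str]:
    """Member names of an OOXML container, or [] if the zip is unreadable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes) -> dict:
    """Return the indicators for one attachment plus the reasons it was flagged."""
    ext = os.path.splitext(filename)[1].lower()
    kind = container_type(data)
    members = zip_members(data) if kind == "ooxml" else []
    embedded = [m for m in members if m.startswith(EMBEDDING_DIRS)]
    has_vba = any(m in members for m in VBA_MEMBERS)
    mismatch = (ext in LEGACY_EXT and kind == "ooxml") or (ext in OOXML_EXT and kind == "ole2")
    reasons = []
    if mismatch:
        reasons.append(f"extension {ext} does not match container {kind}")
    if embedded:
        reasons.append("embedded OLE object(s): " + ", ".join(embedded))
    if has_vba and not ext.endswith("m"):  # .docm/.xlsm/.pptm are expected to carry VBA
        reasons.append("VBA project inside a non-macro extension")
    return {
        "container": kind,
        "extension_mismatch": mismatch,
        "embedded_ole": embedded,
        "has_vba": has_vba,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed OOXML container; member names follow the thread's unzip listing."""
    members = [
        "[Content_Types].xml", "_rels/.rels", "word/_rels/document.xml.rels",
        "word/document.xml", "word/media/image1.emf", "word/media/image2.png",
        "word/theme/theme1.xml", "word/settings.xml", "word/fontTable.xml",
        "word/webSettings.xml", "docProps/app.xml", "word/styles.xml", "docProps/core.xml",
    ]
    if with_ole:
        members.insert(7, "word/embeddings/oleObject1.bin")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in members:  # filler bytes: the member names are the point here
            zf.writestr(name, b"<filler/>" if name.endswith((".xml", ".rels")) else b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("InvoiceZGC3020188.doc", build_sample_docx(True)),
                       ("report.docx", build_sample_docx(False))]:
        result = triage(name, blob)
        print(name, "SUSPICIOUS" if result["suspicious"] else "clean", result["reasons"])
```

A password-protected OOXML document, the case Mark raises in his other thread, is wrapped in an OLE2 compound file rather than stored as a zip, so this script reports it as "ole2" and stops; looking inside requires an OLE parser and the password, which is also why a scanner without the password cannot see the content.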
Re: [clamav-users] Virus Malvare not detected

2017-11-14 Thread Joel Esler (jesler)
Please submit malware samples to ClamAV.net

Sent from my iPhone

On Nov 14, 2017, at 6:36 AM, Emanuel wrote:

Hello,

I received two doc files in an email with the subject "Invoice". The attachment 
is a malware virus; clamav did not detect it.

Scan with kaspersky


Scan result
File is infected
Detected threats
Trojan-Downloader.MSWord.Agent.bqx
File size
144.95 KB
File type
OOXML/DOCUMENT
Scan date
Nov 14 2017 08:15:42
Databases release date
Nov 14 2017 10:36:04 UTC
MD5
70bdc39f8f57e090bebc4616924cdadc
SHA1
ecf414f8523627a0d5d6637041f6e1e3bbcee62e
SHA256
142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf

Is it possible to add this virus manually to the clamav database?

--
envialosimple.com 
Emanuel Gonzalez
Deliverability Specialist
emanuel.gonza...@donweb.com 

www.envialosimple.com 

by donweb 

Confidentiality note: This message and its attachments are confidential and for the 
exclusive use of the addressee. Disclosure and/or use without authorisation from 
DonWeb.com is prohibited.
DonWeb.com is not responsible for the message if it has been falsified and/or altered.
If you are not the addressee and have received it by mistake, please notify the 
sender and delete it from your system.
Confidentiality Note: This message and any attachments (the message) are 
confidential and intended solely for the addressees. Any unauthorised use or 
dissemination is prohibited by DonWeb.com.
DonWeb.com shall not be liable for the message if altered 
or falsified.
If you are not the intended addressee of this message, please cancel it 
immediately and inform the sender.
Confidentiality Note: This message and any attachments may contain confidential 
or privileged data.
If you received them by mistake or are not one of the addressees to whom it was 
sent, please destroy it and all attachments or copies made, immediately.
Retention, distribution, disclosure or use of any information contained herein is 
prohibited.
Please inform us of the improper receipt of this message by returning it to the 
author.


Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-13 Thread Joel Esler (jesler)
Bill,

We have taken some recent steps to resolve these issues.  Please let us know if 
they persist.

Sent from my iPhone

On Nov 13, 2017, at 5:37 PM, Bill Maidment wrote:

I'm still getting a mixed bag of results on db.AU
Sometimes it works and other times I get the following:

Mon Nov 13 18:21:35 2017 -> ClamAV update process started at Mon Nov 13 18:21:35 2017
Mon Nov 13 18:21:35 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Mon Nov 13 18:22:12 2017 -> nonblock_recv: recv timing out (30 secs)
Mon Nov 13 18:22:12 2017 -> WARNING: getfile: Error while reading database from db.AU.clamav.net (IP: 128.199.133.36): Operation now in progress
Mon Nov 13 18:22:12 2017 -> WARNING: getpatch: Can't download daily-24039.cdiff from db.AU.clamav.net
Mon Nov 13 18:22:13 2017 -> WARNING: getfile: daily-24039.cdiff not found on db.AU.clamav.net (IP: 72.21.91.8)
Mon Nov 13 18:22:13 2017 -> WARNING: getpatch: Can't download daily-24039.cdiff from db.AU.clamav.net
Mon Nov 13 18:22:14 2017 -> Downloading daily-24039.cdiff [100%]
Mon Nov 13 18:22:16 2017 -> daily.cld updated (version: 24039, sigs: 1778849, f-level: 63, builder: neo)
Mon Nov 13 18:22:16 2017 -> bytecode.cld is up to date (version: 318, sigs: 75, f-level: 63, builder: raynman)
Mon Nov 13 18:22:22 2017 -> Database updated (6345173 signatures) from db.AU.clamav.net (IP: 198.148.78.4)
Mon Nov 13 21:21:34 2017 -> --
Mon Nov 13 21:21:34 2017 -> ClamAV update process started at Mon Nov 13 21:21:34 2017
Mon Nov 13 21:21:34 2017 -> WARNING: DNS record is older than 3 hours.
Mon Nov 13 21:21:34 2017 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
Mon Nov 13 21:21:34 2017 -> Reading CVD header (main.cvd): Mon Nov 13 21:21:35 2017 -> OK (IMS)
Mon Nov 13 21:21:35 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Mon Nov 13 21:21:35 2017 -> Reading CVD header (daily.cvd): Mon Nov 13 21:21:35 2017 -> OK
Mon Nov 13 21:21:35 2017 -> daily.cld is up to date (version: 24039, sigs: 1778849, f-level: 63, builder: neo)
Mon Nov 13 21:21:35 2017 -> Reading CVD header (bytecode.cvd): Mon Nov 13 21:21:36 2017 -> OK
Mon Nov 13 21:21:36 2017 -> bytecode.cld is up to date (version: 318, sigs: 75, f-level: 63, builder: raynman)



-Original message-
From: Groach
Sent: Tuesday 14th November 2017 6:56
To: clamav-users@lists.clamav.net
Subject: Re: [clamav-users] FreshClam - DNS issues since October 31st

On 08/11/2017 21:18, Jeff wrote:
The last three updates did not have the error. Below is the last error I got:

--
ClamAV update process started at Wed Nov 08 13:13:12 2017

It's ok for me too (not returning DNS errors).  (But it says something
about 'cdiff not found' / 'can't download from remote server' from one
server. But that's another thing).

ClamAV update process started at Tue Nov 07 21:58:00 2017
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60,
builder: sigmgr)
WARNING: getfile: daily-24020.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-24020.cdiff from database.clamav.net
Trying host database.clamav.net (129.67.1.218)...
Downloading daily-24020.cdiff [100%]
Downloading daily-24021.cdiff [100%]
Downloading daily-24022.cdiff [100%]
Downloading daily-24023.cdiff [100%]
daily.cld updated (version: 24023, sigs: 1774015, f-level: 63, builder: neo)
Downloading bytecode-317.cdiff [100%]
Downloading bytecode-318.cdiff [100%]
bytecode.cld updated (version: 318, sigs: 75, f-level: 63, builder: raynman)
Database updated (6340339 signatures) from database.clamav.net (IP: 129.67.1.218)



Re: [clamav-users] Freshclam Fails

2017-11-09 Thread Joel Esler (jesler)
Looks like your machine can’t contact database.clamav.net

Sent from my iPhone

On Nov 9, 2017, at 11:24 PM, Krishnakumar Nair wrote:

Hi Guys,
Any idea on this? clamav is running on an AIX box.

WARNING: Can't get information about database.clamav.net: Hostname and service name not provided or found
WARNING: getpatch: Can't download main-58.cdiff from database.clamav.net
ERROR: Can't get information about database.clamav.net: Hostname and service name not provided or found
ERROR: getpatch: Can't download main-58.cdiff from database.clamav.net
WARNING: Incremental update failed, trying to download main.cvd
ERROR: Can't get information about database.clamav.net: Hostname and service name not provided or found
ERROR: Can't download main.cvd from database.clamav.net
Giving up on database.clamav.net...


Thanks & Regards,
kk

Re: [clamav-users] FreshClam - DNS issues since October 31st

2017-11-08 Thread Joel Esler (jesler)
The team working on these issues is seeing these emails, so it’s good that you 
are writing in, if you are still experiencing issues.

Sent from my iPad

On Nov 8, 2017, at 9:05 AM, Simon Mousey Smith wrote:

Maybe not every day but every week maybe?

Has the issue been resolved yet?

Simon

On 8 Nov 2017, at 14:02, Reindl Harald wrote:



On 08.11.2017 at 14:43, Jeff wrote:
Since October 31st, I get the following DNS warnings every time freshclam
runs:
...
ClamAV update process started at Tue Nov 07 09:26:33 2017
+++WARNING: DNS record is older than 3 hours.+++
+++WARNING: Invalid DNS reply. Falling back to HTTP mode.+++

do we really need each day a new thread about it?

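Several of the freshclam threads above paste update output by hand and read the outcome off it: Bill's db.AU run with a mirror timeout followed by a run that fell back to HTTP after a stale DNS record, Groach's "not found on remote server" warnings, and Krishnakumar's resolver errors that ended in "Giving up", which Joel reads as the machine being unable to contact database.clamav.net. The Python below is an added example, not part of freshclam or ClamAV, that parses such output run by run and reports the outcome, the mirrors that failed and the DNS warnings. It recognises only the message texts that appear in those posts; its sample log is composed from them, with one constructed run header placed in front of Krishnakumar's excerpt because his paste started after it.

```python
"""Summarise freshclam output run by run (added example; not part of ClamAV).

Runs are delimited by "ClamAV update process started"; the timestamp prefix
that freshclam writes to its log file ("Mon Nov 13 18:21:35 2017 -> ") is
stripped when present. Only message texts quoted in the threads are recognised.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

_PREFIX = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} -> ")
_START = re.compile(r"^ClamAV update process started at (.+)$")
_UPDATED = re.compile(r"^Database updated \((\d+) signatures\) from (\S+)")
_GIVING_UP = re.compile(r"^Giving up on (\S+?)\.\.\.")
_RESOLVE_FAIL = re.compile(r"Can't get information about (\S+?):")
# getfile/getpatch warnings name the mirror after "from"/"on", or as "remote server (IP: x)"
_MIRROR_FAIL = re.compile(
    r"(?:getfile|getpatch): .*?\b(?:from|on)\b (?:remote server \(IP: ([\d.]+)\)|([\w.-]+))")


@dataclass
class UpdateRun:
    started: str
    outcome: str = "incomplete"      # updated | up-to-date | failed | incomplete
    signatures: int = 0              # from "Database updated (N signatures)"
    served_by: str = ""              # mirror that finally served the update
    stale_dns: bool = False          # "DNS record is older than 3 hours"
    dns_fallback: bool = False       # "Invalid DNS reply. Falling back to HTTP mode"
    resolution_failed: bool = False  # mirror hostname could not be resolved at all
    failed_mirrors: set = field(default_factory=set)
    errors: int = 0                  # lines starting with "ERROR:"
    up_to_date: int = 0              # "<db>.cld is up to date" lines


def parse_freshclam_log(text: str) -> list[UpdateRun]:
    runs: list[UpdateRun] = []
    run = None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.strip())
        m = _START.match(line)
        if m:
            run = UpdateRun(started=m.group(1))
            runs.append(run)
            continue
        if run is None:
            continue  # output before the first run header belongs to no run
        if line.startswith("ERROR:"):
            run.errors += 1
        run.stale_dns |= "DNS record is older than 3 hours" in line
        run.dns_fallback |= "Invalid DNS reply" in line
        if " is up to date " in line:
            run.up_to_date += 1
        m = _RESOLVE_FAIL.search(line)
        if m:
            run.resolution_failed = True
            run.failed_mirrors.add(m.group(1))
        m = _MIRROR_FAIL.search(line)
        if m:
            run.failed_mirrors.add(m.group(1) or m.group(2))
        m = _UPDATED.match(line)
        if m:
            run.outcome, run.signatures, run.served_by = "updated", int(m.group(1)), m.group(2)
        m = _GIVING_UP.match(line)
        if m:
            run.outcome = "failed"
            run.failed_mirrors.add(m.group(1))
    for run in runs:  # nothing downloaded and nothing failed: every database was current
        if run.outcome == "incomplete" and run.up_to_date and not run.errors:
            run.outcome = "up-to-date"
    return runs


# Sample composed from lines quoted in the threads above; the run header in front
# of Krishnakumar's excerpt is constructed, since his paste started after it.
SAMPLE_LOG = """\
Mon Nov 13 18:21:35 2017 -> ClamAV update process started at Mon Nov 13 18:21:35 2017
Mon Nov 13 18:21:35 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Mon Nov 13 18:22:12 2017 -> WARNING: getfile: Error while reading database from db.AU.clamav.net (IP: 128.199.133.36): Operation now in progress
Mon Nov 13 18:22:12 2017 -> WARNING: getpatch: Can't download daily-24039.cdiff from db.AU.clamav.net
Mon Nov 13 18:22:16 2017 -> daily.cld updated (version: 24039, sigs: 1778849, f-level: 63, builder: neo)
Mon Nov 13 18:22:22 2017 -> Database updated (6345173 signatures) from db.AU.clamav.net (IP: 198.148.78.4)
Mon Nov 13 21:21:34 2017 -> ClamAV update process started at Mon Nov 13 21:21:34 2017
Mon Nov 13 21:21:34 2017 -> WARNING: DNS record is older than 3 hours.
Mon Nov 13 21:21:34 2017 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
Mon Nov 13 21:21:35 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Mon Nov 13 21:21:35 2017 -> daily.cld is up to date (version: 24039, sigs: 1778849, f-level: 63, builder: neo)
ClamAV update process started at Thu Nov  9 23:00:00 2017
WARNING: Can't get information about database.clamav.net: Hostname and service name not provided or found
ERROR: getpatch: Can't download main-58.cdiff from database.clamav.net
ERROR: Can't download main.cvd from database.clamav.net
Giving up on database.clamav.net...
ClamAV update process started at Tue Nov 07 21:58:00 2017
WARNING: getfile: daily-24020.cdiff not found on remote server (IP: 193.1.193.64)
WARNING: getpatch: Can't download daily-24020.cdiff from database.clamav.net
Database updated (6340339 signatures) from database.clamav.net (IP: 129.67.1.218)
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for run in parse_freshclam_log(text):
        flags = [f for f in ("stale_dns", "dns_fallback", "resolution_failed") if getattr(run, f)]
        print(f"{run.started}: {run.outcome:10s} errors={run.errors} "
              f"failed_mirrors={sorted(run.failed_mirrors)} flags={flags}")
```

Point it at a freshclam log file as its only argument (the path depends on the distribution's UpdateLogFile setting), or run it without one to see the sample. The distinctions it draws are the ones the threads argue about: a run with dns_fallback and no errors (Bill's second run) is noisy but still ends with every database current, a run that names failed_mirrors but still reports "updated" (Bill's first, Groach's) is a mirror problem that freshclam worked around, and a run with resolution_failed and outcome "failed" (Krishnakumar's) means nothing was downloaded at all.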
Re: [clamav-users] fail updates

2017-11-06 Thread Joel Esler (jesler)
It would be helpful if, starting now, you deleted mirrors.dat and *then* told 
us about failing mirrors…. Cause…. We’ve made many changes in the past month, 
and it would be good to start from a clean slate.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 6, 2017, at 2:58 PM, Reindl Harald <h.rei...@thelounge.net> wrote:



Am 06.11.2017 um 20:26 schrieb Benny Pedersen:
Dennis Peterson skrev den 2017-11-06 19:43:
Come to think of it, 130.59.10.36 shouldn't even still be in
mirrors.dat and that is part of the systemic problems in the system.
Nothing cleans up stale entries in mirrors.dat except rm -f
mirrors.dat.
yep, its not working well, i see freshclam using ignore hosts from freshclam 
--list-mirrors
and now worse dns seems failing, freshclam says my internet is down, no its not

That's an error message you always get when things are failing, and have for 
many years, but to know that you would need to look regularly and not only when 
things are obviously broken. ClamAV updates are slightly broken most of the time.

Re: [clamav-users] update mirror trouble?

2017-11-06 Thread Joel Esler (jesler)
If you have a list of mirrors that are broken, it would be helpful to have that 
list, and what is broken about them.

About a month ago, we went through and removed a "ton"* of broken ones.




*ton means "a lot".


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 6, 2017, at 11:12 AM, Dennis Peterson <denni...@inetnw.com> wrote:

There are still a lot of broken mirrors out there aside from this problem.

dp

On 11/6/17 8:05 AM, Joel Esler (jesler) wrote:
This should be resolving itself as we speak.

--
Joel Esler | Talos: Manager | jes...@cisco.com








Re: [clamav-users] update mirror trouble?

2017-11-06 Thread Joel Esler (jesler)
This should be resolving itself as we speak.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 6, 2017, at 4:47 AM, Simon Mousey Smith <simonsmith5...@gmail.com> wrote:

Hi,

Same here, still having problems, but slightly different:

ClamAV update process started at Mon Nov  6 09:46:22 2017
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
junk.ndb is up to date (version: custom database)
jurlbl.ndb is up to date (version: custom database)
phish.ndb is up to date (version: custom database)
rogue.hdb is up to date (version: custom database)
sanesecurity.ftm is up to date (version: custom database)
scam.ndb is up to date (version: custom database)
spamimg.hdb is up to date (version: custom database)
winnow_malware.hdb is up to date (version: custom database)
winnow_malware_links.ndb is up to date (version: custom database)
sigwhitelist.ign2 is up to date (version: custom database)
spamattach.hdb is up to date (version: custom database)
spear.ndb is up to date (version: custom database)
spearl.ndb is up to date (version: custom database)
blurl.ndb is up to date (version: custom database)
winnow.attachments.hdb is up to date (version: custom database)
winnow_bad_cw.hdb is up to date (version: custom database)
winnow_extended_malware.hdb is up to date (version: custom database)
bofhland_cracked_URL.ndb is up to date (version: custom database)
bofhland_malware_URL.ndb is up to date (version: custom database)
bofhland_phishing_URL.ndb is up to date (version: custom database)
bofhland_malware_attach.hdb is up to date (version: custom database)
crdfam.clamav.hdb is up to date (version: custom database)
malwarehash.hsb is up to date (version: custom database)
porcupine.ndb is up to date (version: custom database)
phishtank.ndb is up to date (version: custom database)
porcupine.hsb is up to date (version: custom database)
hackingteam.hsb is up to date (version: custom database)
badmacro.ndb is up to date (version: custom database)
Sanesecurity_sigtest.yara is up to date (version: custom database)
Sanesecurity_spam.yara is up to date (version: custom database)
Reading CVD header (main.cvd): WARNING: Can't read main.cvd header from database.clamav.net (IP: )
Trying again in 5 secs…

Regards

Simon

On 6 Nov 2017, at 06:16, Tsutomu Oyamada <oyam...@promark-inc.com> wrote:

Hi,

It looks like the updating of the CVD on database.clamav.net is not working
(it has stopped).
Has some problem happened?

We are in Japan, and the CNAME for database.clamav.net is set to
db.jp.clamav.net.
db.jp.clamav.net has 4 IP addresses, and they are served in round-robin.
Every site is working, but the CVD version stops at 24010, as follows.

db.jp.clamav.net.   39  IN  A   218.44.253.75
db.jp.clamav.net.   39  IN  A   203.178.137.175
db.jp.clamav.net.   39  IN  A   27.96.54.66
db.jp.clamav.net.   39  IN  A   124.35.85.83



Re: [clamav-users] freshclam broken

2017-11-06 Thread Joel Esler (jesler)
This should be resolving itself as we speak.  We found a lingering error to 
some mirrors and it should be fixed.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 5, 2017, at 11:49 PM, Gene Heskett <ghesk...@shentel.net> wrote:

On Saturday 04 November 2017 13:31:59 Markus Egg wrote:

On 03/11/17 at 19:19, Joel Esler (jesler) wrote:
We are in the middle of replacing one of the servers that syncs the
updates from the system we make them in, down to the mirrors (and
the end users download from the mirrors), and we've run into a few
speed bumps.

We should have everything back up and running in the next hour or
so, so please bear with us.  I will provide another status update
later in the day, and again, I apologize for not sending out a note
to the users list.

Any news on this?
I am now getting:

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60,
builder: sigmgr) [...]

This is a variation on a theme that I've been looking at in my freshclam
logs for several days now, but the last 2 cycles look normal.

[...]

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Re: [clamav-users] freshclam broken

2017-11-03 Thread Joel Esler (jesler)
We are in the middle of replacing one of the servers that syncs the updates 
from the system we make them in, down to the mirrors (and the end users 
download from the mirrors), and we've run into a few speed bumps.

We should have everything back up and running in the next hour or so, so please 
bear with us.  I will provide another status update later in the day, and 
again, I apologize for not sending out a note to the users list.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 3, 2017, at 8:54 AM, Reindl Harald <h.rei...@thelounge.net> wrote:

Besides all the other issues over the last hours: what in the world creates a 
folder with 6xx instead of 7xx permissions?

Nov  3 13:04:47 buildserver bash[31944]: LibClamAV Error: cl_load(): Access denied for path: /var/lib/clamav-download/clamav-6e473739b7c712e5a95146c25011f57d.tmp/clamav-0cf41b9495059b1a044807adbbd04c8d.tmp
Nov  3 13:04:47 buildserver bash[31944]: ERROR: Can't get file status

[root@buildserver:~]$ stat /var/lib/clamav-download/clamav-6e473739b7c712e5a95146c25011f57d.tmp
  File: /var/lib/clamav-download/clamav-6e473739b7c712e5a95146c25011f57d.tmp
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: 811h/2065d  Inode: 74159       Links: 2
Access: (0644/drw-r--r--)  Uid: (  490/clamupdate)   Gid: (  486/clamupdate)
Access: 2017-11-03 13:04:37.146182497 +0100
Modify: 2017-11-03 13:04:47.178703922 +0100
Change: 2017-11-03 13:04:47.178703922 +0100
 Birth: -


Nov  3 12:55:16 buildserver freshclam[32101]: ClamAV update process started at Fri Nov  3 12:55:16 2017
Nov  3 12:55:17 buildserver freshclam[32101]: main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov  3 12:55:17 buildserver freshclam[32101]: daily.cld is up to date (version: 24010, sigs: 1769510, f-level: 63, builder: neo)
Nov  3 12:55:17 buildserver bash[31944]: WARNING: getfile: safebrowsing-46607.cdiff not found on db.at.clamav.net (IP: 5.9.253.237)
Nov  3 12:55:17 buildserver freshclam[32101]: getfile: safebrowsing-46607.cdiff not found on db.at.clamav.net (IP: 5.9.253.237)
Nov  3 12:55:17 buildserver bash[31944]: WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.at.clamav.net
Nov  3 12:55:17 buildserver freshclam[32101]: getpatch: Can't download safebrowsing-46607.cdiff from db.at.clamav.net
Nov  3 12:55:17 buildserver bash[31944]: WARNING: getfile: safebrowsing-46607.cdiff not found on db.at.clamav.net (IP: 94.136.28.246)
Nov  3 12:55:17 buildserver bash[31944]: WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.at.clamav.net
Nov  3 12:55:17 buildserver freshclam[32101]: getfile: safebrowsing-46607.cdiff not found on db.at.clamav.net (IP: 94.136.28.246)
Nov  3 12:55:17 buildserver freshclam[32101]: getpatch: Can't download safebrowsing-46607.cdiff from db.at.clamav.net
Nov  3 12:55:17 buildserver freshclam[32101]: Trying host db.at.clamav.net (82.195.224.39)...
Nov  3 12:55:17 buildserver bash[31944]: WARNING: getfile: safebrowsing-46607.cdiff not found on db.at.clamav.net (IP: 82.195.224.39)
Nov  3 12:55:17 buildserver bash[31944]: WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.at.clamav.net
Nov  3 12:55:17 buildserver freshclam[32101]: getfile: safebrowsing-46607.cdiff not found on db.at.clamav.net (IP: 82.195.224.39)
Nov  3 12:55:17 buildserver freshclam[32101]: getpatch: Can't download safebrowsing-46607.cdiff from db.at.clamav.net
Nov  3 12:55:17 buildserver bash[31944]: WARNING: Incremental update failed, trying to download safebrowsing.cvd
Nov  3 12:55:17 buildserver freshclam[32101]: Incremental update failed, trying to download safebrowsing.cvd
Nov  3 13:02:21 buildserver freshclam[32101]: Downloading safebrowsing.cvd [100%]
Nov  3 13:02:21 buildserver bash[31944]: ERROR: Verification: Can't verify database integrity
Nov  3 13:02:21 buildserver freshclam[32101]: Verification: Can't verify database integrity
Nov  3 13:02:21 buildserver freshclam[32101]: Trying again in 5 secs...
Nov  3 13:02:26 buildserver freshclam[32101]: ClamAV update process started at Fri Nov  3 13:02:26 2017
Nov  3 13:02:26 buildserver freshclam[32101]: main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Nov  3 13:02:26 buildserver freshclam[32101]: daily.cld is up to date (version: 24010, sigs: 1769510, f-level: 63, builder: neo)
Nov  3 13:02:27 buildserver bash[31944]: WARNING: getfile: safebrowsing-46607.cdiff not found on db.at.clamav.ne

Re: [clamav-users] FreshClam Mirrors - daily.cld stuck at version: 24010, safebrowsing cdiff missing.

2017-11-03 Thread Joel Esler (jesler)
Andy,

Thanks for writing in.  I put out an email to the mirrors, but not to the user 
base, and that’s my fault.


We are in the middle of replacing one of the servers that syncs the updates 
from the system we make them in, down to the mirrors (and the end users 
download from the mirrors), and we've run into a few speed bumps.

We should have everything back up and running in the next hour or so, so please 
bear with us.  I will provide another status update later in the day, and 
again, I apologize for not sending out a note to the users list.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Nov 3, 2017, at 12:13 PM, Andy Schmidt <andy_schm...@hm-software.com> wrote:

Daily.cld is > 24 hours old (11/2 @ 8:19 AM EDT), and
Safebrowsing.cld is almost a day old (11/2 @ 1:50 PM EDT).

Since then, Freshclam claims that daily.cld is "up to date" (sample log from
an hour ago), and neither the US nor the DE mirrors manage to download
safebrowsing-46607.cdiff.

Fri Nov 03 10:53:11 2017 -> ClamAV update process started at Fri Nov 03 10:53:11 2017
Fri Nov 03 10:53:11 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Fri Nov 03 10:53:11 2017 -> daily.cld is up to date (version: 24010, sigs: 1769510, f-level: 63, builder: neo)
Fri Nov 03 10:53:13 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.US.clamav.net (IP: 72.21.91.8)
Fri Nov 03 10:53:13 2017 -> WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.US.clamav.net
Can't query safebrowsing.46607.82.0.1.48155B08.ping.clamav.net
Fri Nov 03 10:53:14 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.US.clamav.net (IP: 12.167.151.1)
Fri Nov 03 10:53:14 2017 -> WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.US.clamav.net
Can't query safebrowsing.46607.82.0.1.0CA79701.ping.clamav.net
Fri Nov 03 10:53:14 2017 -> Trying host db.US.clamav.net (204.130.133.50)...
Fri Nov 03 10:53:14 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.US.clamav.net (IP: 204.130.133.50)
Fri Nov 03 10:53:14 2017 -> ERROR: getpatch: Can't download safebrowsing-46607.cdiff from db.US.clamav.net
Can't query safebrowsing.46607.82.0.1.CC828532.ping.clamav.net
Fri Nov 03 10:53:14 2017 -> WARNING: Incremental update failed, trying to download safebrowsing.cvd
Fri Nov 03 10:53:14 2017 -> Trying host db.US.clamav.net (194.8.197.22)...
Fri Nov 03 10:53:18 2017 -> Downloading safebrowsing.cvd [100%]
Fri Nov 03 10:53:19 2017 -> WARNING: Mirror 194.8.197.22 is not synchronized.
Can't query safebrowsing.0.82.0.1.C208C516.ping.clamav.net
Fri Nov 03 10:53:19 2017 -> Giving up on db.US.clamav.net...
Fri Nov 03 10:53:19 2017 -> ClamAV update process started at Fri Nov 03 10:53:19 2017
Fri Nov 03 10:53:19 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Fri Nov 03 10:53:19 2017 -> daily.cld is up to date (version: 24010, sigs: 1769510, f-level: 63, builder: neo)
Fri Nov 03 10:53:21 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.DE.clamav.net (IP: 144.76.28.11)
Fri Nov 03 10:53:21 2017 -> WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.DE.clamav.net
Can't query safebrowsing.46607.82.0.1.904C1C0B.ping.clamav.net
Fri Nov 03 10:53:21 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.DE.clamav.net (IP: 195.30.97.3)
Fri Nov 03 10:53:21 2017 -> WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.DE.clamav.net
Can't query safebrowsing.46607.82.0.1.C31E6103.ping.clamav.net
Fri Nov 03 10:53:22 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.DE.clamav.net (IP: 193.27.49.165)
Fri Nov 03 10:53:22 2017 -> ERROR: getpatch: Can't download safebrowsing-46607.cdiff from db.DE.clamav.net
Can't query safebrowsing.46607.82.0.1.C11B31A5.ping.clamav.net
Fri Nov 03 10:53:22 2017 -> WARNING: Incremental update failed, trying to download safebrowsing.cvd
Fri Nov 03 10:53:52 2017 -> nonblock_connect: connect timing out (30 secs)
Fri Nov 03 10:53:52 2017 -> Can't connect to port 80 of host db.DE.clamav.net
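The freshclam output quoted in this thread is what an operator has to go on when a mirror goes stale. The script below is an added example (not ClamAV code and not posted by anyone on the list) that parses such lines into a per-mirror summary and flags a database whose logged version lags behind the version we expect to exist, which freshclam itself normally learns from the DNS TXT record; the sample log and the "expected" daily version 24011 are constructed for the demonstration.

```python
"""Triage freshclam log output for mirror and DNS trouble.

Added example for this thread; it is neither ClamAV code nor code posted by
anyone on the list. It scans freshclam log lines for the symptoms quoted in
the thread (stale DNS record, fallback to HTTP, cdiff missing on a mirror,
unsynchronized mirror, unreachable host) and summarises them per mirror IP.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the lines quoted in the thread; not a real capture.
SAMPLE_LOG = """\
Fri Nov 03 10:53:11 2017 -> ClamAV update process started at Fri Nov 03 10:53:11 2017
Fri Nov 03 10:53:11 2017 -> WARNING: DNS record is older than 3 hours.
Fri Nov 03 10:53:11 2017 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
Fri Nov 03 10:53:11 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Fri Nov 03 10:53:11 2017 -> daily.cld is up to date (version: 24010, sigs: 1769510, f-level: 63, builder: neo)
Fri Nov 03 10:53:13 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.US.clamav.net (IP: 72.21.91.8)
Fri Nov 03 10:53:13 2017 -> WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.US.clamav.net
Fri Nov 03 10:53:14 2017 -> WARNING: getfile: safebrowsing-46607.cdiff not found on db.US.clamav.net (IP: 12.167.151.1)
Fri Nov 03 10:53:14 2017 -> WARNING: getpatch: Can't download safebrowsing-46607.cdiff from db.US.clamav.net
Fri Nov 03 10:53:14 2017 -> Trying host db.US.clamav.net (194.8.197.22)...
Fri Nov 03 10:53:18 2017 -> Downloading safebrowsing.cvd [100%]
Fri Nov 03 10:53:19 2017 -> WARNING: Mirror 194.8.197.22 is not synchronized.
Fri Nov 03 10:53:19 2017 -> Giving up on db.US.clamav.net...
Fri Nov 03 10:53:52 2017 -> nonblock_connect: connect timing out (30 secs)
Fri Nov 03 10:53:52 2017 -> Can't connect to port 80 of host db.DE.clamav.net
"""

# One pattern per symptom, matched against freshclam's fixed wording.
RE_DNS_AGE = re.compile(r"DNS record is older than (\d+) hours")
RE_HTTP_FALLBACK = re.compile(r"Falling back to HTTP mode")
RE_NOT_FOUND = re.compile(r"getfile: (\S+) not found on (\S+) \(IP: ([\d.]+)\)")
RE_NOT_SYNCED = re.compile(r"Mirror ([\d.]+) is not synchronized")
RE_NO_CONNECT = re.compile(r"Can't connect to port \d+ of host (\S+)")
RE_DB_VERSION = re.compile(r"(\w+)\.c[lv]d (?:is up to date|updated) \(version: (\d+)")


@dataclass
class Report:
    dns_record_age_hours: Optional[int] = None
    http_fallback: bool = False
    db_versions: Dict[str, int] = field(default_factory=dict)     # "daily" -> 24010
    missing_files: Counter = field(default_factory=Counter)       # (file, ip) -> hits
    unsynced_mirrors: Counter = field(default_factory=Counter)    # ip -> hits
    unreachable_hosts: Counter = field(default_factory=Counter)   # hostname -> hits

    def bad_mirror_ips(self) -> List[str]:
        """Mirror IPs that lacked a cdiff or served an unsynchronized database."""
        ips = {ip for (_file, ip) in self.missing_files} | set(self.unsynced_mirrors)
        return sorted(ips)

    def stale_databases(self, expected: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
        """Databases whose logged version is below the version we expect to exist.

        freshclam normally learns current versions from the DNS TXT record; this
        parser never does DNS, so the caller supplies `expected`.
        Returns {name: (have, want)} for every database that lags.
        """
        stale = {}
        for name, want in expected.items():
            have = self.db_versions.get(name)
            if have is not None and have < want:
                stale[name] = (have, want)
        return stale


def parse_freshclam_log(text: str) -> Report:
    """Walk the log once and fill a Report; lines with no known symptom are ignored."""
    report = Report()
    for line in text.splitlines():
        m = RE_DNS_AGE.search(line)
        if m:
            report.dns_record_age_hours = int(m.group(1))
            continue
        if RE_HTTP_FALLBACK.search(line):
            report.http_fallback = True
            continue
        m = RE_NOT_FOUND.search(line)
        if m:
            report.missing_files[(m.group(1), m.group(3))] += 1
            continue
        m = RE_NOT_SYNCED.search(line)
        if m:
            report.unsynced_mirrors[m.group(1)] += 1
            continue
        m = RE_NO_CONNECT.search(line)
        if m:
            report.unreachable_hosts[m.group(1)] += 1
            continue
        m = RE_DB_VERSION.search(line)
        if m:
            report.db_versions[m.group(1)] = int(m.group(2))
    return report


if __name__ == "__main__":
    rep = parse_freshclam_log(SAMPLE_LOG)
    print("DNS record age (h):", rep.dns_record_age_hours, "| fell back to HTTP:", rep.http_fallback)
    print("database versions :", rep.db_versions)
    print("mirrors to report :", rep.bad_mirror_ips())
    print("unreachable hosts :", dict(rep.unreachable_hosts))
    # 24011 is a constructed "expected" daily version standing in for the DNS TXT value.
    print("stale databases   :", rep.stale_databases({"daily": 24011, "main": 58}))
```

The list of IPs from bad_mirror_ips() is the concrete "which mirrors, and what is broken about them" that Joel asks for elsewhere in these threads, so it can be pasted into a report as-is.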

[clamav-users] Mirror Sync Outage for ClamAV updates

2017-11-01 Thread Joel Esler (jesler)
http://blog.clamav.net/2017/11/mirror-sync-outage-for-clamav-av-updates.html

ClamAV Community --

ClamAV is currently experiencing an issue with one of our sync servers that 
provides updates from our infrastructure out to the ClamAV mirrors.

Since end-users receive their updates from the ClamAV mirrors, this means that 
ClamAV AV updates are currently not available.

Our operations team is currently working on the issue, and we will provide 
updates as needed.



--
Joel Esler | Talos: Manager | jes...@cisco.com








Re: [clamav-users] Win.Exploit.CVE_2017 in user32.dll

2017-10-30 Thread Joel Esler (jesler)
These have been fixed.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Oct 30, 2017, at 7:59 AM, JD Ackle <jdali...@yahoo.com.br> wrote:

Hello,

A clamscan running from Linux on a Windows disk (mounted on /mnt)
produced the following results:

/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND


There were other occurrences of the same signature in
/mnt/Windows/WinSxS/Backup/ and /mnt/Windows/WinSxS/Temp/, but after a
reboot to Windows and running Windows Defender, then back to Linux
rerunning the clamscan, these seem to come and go, on different
occurrences of user32.dll, in these backup/temporary folders. The
occurrences in the first two folders I mentioned above do, however, persist.


I also got these two other persistent detections:

/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms:
Win.Trojan.Emotet-6340301-0 FOUND


Given what I read on the list about Win.Exploit.CVE_2017 being (mostly?)
an Excel file infection and deemed a couple of times to be a false
positive, as well as those two trojan detections in files whose
names seem related to the above Win.Exploit.CVE_2017 detections
(system32 and syswow64), I'm not sure what to make of any of these
detections.

Your help would be appreciated.



Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-25 Thread Joel Esler (jesler)
This has been dropped as well.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Oct 24, 2017, at 5:11 AM, Tsutomu Oyamada <oyam...@promark-inc.com> wrote:

Yes,
I have submitted the file many times.

File name: omni.ja
SHA256: 5e852b33f716fb6b81bc75d762372a105f04dcdab07a621eddb8507970dbd0b6

On Mon, 23 Oct 2017 23:48:26 -0700
Al Varnell <alvarn...@mac.com> wrote:

Did you submit a sample of it as a false positive report? If so please reply 
with a hash value for the file you submitted.

Sent from my iPhone

-Al-
--
Al Varnell
Mountain View, CA

On Oct 23, 2017, at 9:50 PM, Tsutomu Oyamada <oyam...@promark-inc.com> wrote:

Hi, Joel.

Thank you.
The false positive for Html.Exploit.CVE_2017_8750-6336209-0 has been solved,
but the issue with Html.Exploit.CVE_2017_8757-6336185-0 has not been solved yet.

Could you drop this signature as well?


On Fri, 20 Oct 2017 14:47:24 +
"Joel Esler (jesler)" <jes...@cisco.com> wrote:

All —

This signature has been dropped.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Oct 20, 2017, at 8:30 AM, Gene Heskett <ghesk...@shentel.net> wrote:

On Friday 20 October 2017 02:06:38 Al Varnell wrote:

I assume we are all still talking about
Html.Exploit.CVE_2017_8750-6336209-0?

Gene, I believe your report was an omni.ja file infected with
Html.Exploit.CVE_2017_8757-6336185-0.

Since it was the same file, I suppose I missed that the CVE had changed.
Anyway, it's the above number I've been looking at every morning for a
couple of weeks. I figured my previous msg was sufficient. My bad.

They have both been dealt with locally by ClamXAV, but I've not seen
either listed as dropped by ClamAV yet.

Different versions of Firefox on different platforms.

-Al-

On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
Hi,

The false positive for omni.ja is still occurring.
I have reported this many times, but it has not been fixed yet.

I have been troubled with this issue.
What am I supposed to do?

I too have reported this, but nothing is being done.

On Sat, 23 Sep 2017 09:53:30 -0400

Gene Heskett <ghesk...@shentel.net> wrote:
On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
note correction in subject file location

So here are the facts with regard to
Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
previously reported in this thread). It was just added to the
database about fifteen hours ago in daily - 23863 and is looking
for two strings which you can observe by using the following
(I'm not posting it here so this e-mail won't be detected as
infected):

sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool --decode-sigs

CVE-2017-8750 is described as
<https://nvd.nist.gov/vuln/detail/CVE-2017-8750>: "Internet
Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
1607, 1703, and Windows Server 2016 allow an attacker to execute
arbitrary code in the context of the current user due to the way
that Microsoft browsers access objects in memory, aka "Microsoft
Browser Memory Corruption Vulnerability"."

so it's not a threat to your platform unless you are also running
Windows somehow.

I've a bounty on windows here, nuke on encounter.

My power just came back so I scanned my Firefox 55.0.3 for Mac
and it tested clean. Taking a look at the omni.ja file I see 109
occurrences of the first string, but not the second.

So at this point I'll just repeat my advice from before: submit
that file to <http://www.clamav.net/reports/fp>, then return here and report a
hash value.

Means to determine hash? I'll assume sha256sum here

gene@coyote:~/firefox/browser$ sha256sum omni.ja
2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348
omni.ja

Thanks Al

On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
Power out here so cannot check. Was negative when I looked at
macOS version last week.

What OS?

32-bit wheezy, on an AMD Phenom, all up to date. uname -a

3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
(2017-02-24) x86_64 GNU/Linux

Thank you Al.

Sent from my iPhone

-Al-

Cheers, Gene Heskett

-Al-

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
s

Re: [clamav-users] /home/gene/firefox/browser/omni.ja: Html.Exploit.CVE_2017_8750-6336209-0 FOUND

2017-10-20 Thread Joel Esler (jesler)
All —

This signature has been dropped.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Oct 20, 2017, at 8:30 AM, Gene Heskett <ghesk...@shentel.net> wrote:

On Friday 20 October 2017 02:06:38 Al Varnell wrote:

I assume we are all still talking about
Html.Exploit.CVE_2017_8750-6336209-0?

Gene, I believe your report was an omni.ja file infected with
Html.Exploit.CVE_2017_8757-6336185-0.

Since it was the same file, I suppose I missed that the CVE had changed.
Anyway, it's the above number I've been looking at every morning for a
couple of weeks. I figured my previous msg was sufficient. My bad.

They have both been dealt with locally by ClamXAV, but I've not seen
either listed as dropped by ClamAV yet.

Different versions of Firefox on different platforms.

-Al-

On Thu, Oct 19, 2017 at 10:24 PM, Gene Heskett wrote:
On Friday 20 October 2017 00:24:20 Tsutomu Oyamada wrote:
Hi,

The false positive for omni.ja is still occurring.
I have reported this many times, but it has not been fixed yet.

I have been troubled with this issue.
What am I supposed to do?

I too have reported this, but nothing is being done.

On Sat, 23 Sep 2017 09:53:30 -0400

Gene Heskett <ghesk...@shentel.net> wrote:
On Saturday 23 September 2017 03:59:17 Al Varnell wrote:
note correction in subject file location

So here are the facts with regard to
Html.Exploit.CVE_2017_8750-6336209-0 (which is not the same as
previously reported in this thread). It was just added to the
database about fifteen hours ago in daily - 23863 and is looking
for two strings which you can observe by using the following
(I'm not posting it here so this e-mail won't be detected as
infected):

sigtool -fHtml.Exploit.CVE_2017_8750-6336209-0|sigtool --decode-sigs

CVE-2017-8750 is described as
<https://nvd.nist.gov/vuln/detail/CVE-2017-8750>: "Internet
Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1,
Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, and
Microsoft Edge and Internet Explorer in Windows 10 Gold, 1511,
1607, 1703, and Windows Server 2016 allow an attacker to execute
arbitrary code in the context of the current user due to the way
that Microsoft browsers access objects in memory, aka "Microsoft
Browser Memory Corruption Vulnerability"."

so it's not a threat to your platform unless you are also running
Windows somehow.

I've a bounty on windows here, nuke on encounter.

My power just came back so I scanned my Firefox 55.0.3 for Mac
and it tested clean. Taking a look at the omni.ja file I see 109
occurrences of the first string, but not the second.

So at this point I'll just repeat my advice from before: submit
that file to <http://www.clamav.net/reports/fp>, then return here and report a
hash value.

Means to determine hash? I'll assume sha256sum here

gene@coyote:~/firefox/browser$ sha256sum omni.ja
2dafa74b0c099130313a9375d433f6d93fb8f672f1620e28221b6573ed0ae348
omni.ja

Thanks Al

On Sat, Sep 23, 2017 at 12:12 AM, Gene Heskett wrote:
On Saturday 23 September 2017 02:32:48 Al Varnell wrote:
Power out here so cannot check. Was negative when I looked at
macOS version last week.

What OS?

32-bit wheezy, on an AMD Phenom, all up to date. uname -a

3.16.0-0.bpo.4-amd64 #1 SMP Debian 3.16.39-1+deb8u1~bpo70+1
(2017-02-24) x86_64 GNU/Linux

Thank you Al.

Sent from my iPhone

-Al-

Cheers, Gene Heskett

-Al-

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Cheers, Gene Heskett

-Al-


Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Re: [clamav-users] Clamav log messge

2017-10-13 Thread Joel Esler (jesler)


On Oct 13, 2017, at 3:55 PM, Bhavin Patel <bhavin.pa...@bluescape.com> wrote:

Hi

I am seeing this in clamd.log
WARNING: Control message truncated, no control data received, 9 bytes read(Is SELinux/AppArmor enabled, and blocking file descriptor passing?)
WARNING: Error condition on fd 11.
Any suggestion/idea?

Thanks

Bhavin,

We’ve received all five of your emails.  No need to send it that many times :)

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com

Re: [clamav-users] FP Ppt.Exploit.CVE_2017_0199-6336815-1

2017-10-05 Thread Joel Esler (jesler)
This signature was fixed this morning.

Sent from my iPhone

On Oct 5, 2017, at 5:03 PM, Al Varnell wrote:

Please don't include signatures that apply to all file types in your email to 
the list as the message gets marked as infected. I'm sure some of the 
intermediate servers will reject the message, as well.

-Al-

On Thu, Oct 05, 2017 at 01:59 PM, Vincent Fox wrote:
Hi,

Getting hits today on this entry in daily.cld.

[root@smtp1 clamav]# sigtool --find-sigs Ppt.Exploit.CVE_2017_0199-6336815-1 | sigtool --decode-sigs

Thanks!
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Unsubscribe not working

2017-10-05 Thread Joel Esler (jesler)
On Oct 5, 2017, at 7:38 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

On 05.10.17 10:10, Bob Williams wrote:
Apologies for generating noise. :-(

I have visited the website
<http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users> several
times and followed the unsubscribe process, but I am still receiving list
mailings.  I never received the confirmation email, and yes, I've checked
my spam/junk folder.  If the list admin reads this I'd be grateful for
some help.

the unsubscribe confirmation request may be dropped/rejected by your
mailservers too.

also, do those mails come exactly to your address use...@karmasailing.uk?
It happens sometimes that person lets old account forward mail and can't
unsubscribe from new one...

That email address is not a member of the list.

--
Joel Esler
Manager
Talos Group
http://www.talosintelligence.com
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] question about false positives

2017-09-30 Thread Joel Esler (jesler)
Correct.  Although we are currently working on a confirmation system for 
receipt of and resolution of, false positives.

Sent from my iPhone

On Sep 30, 2017, at 4:22 PM, Al Varnell wrote:

You won't receive a response unless you subscribe to the clamav-virusdb email 
list and even then you will probably just have to wait to see if it shows up as 
dropped.

If it's a very serious FP then post a hash value of the file you uploaded here 
and they can check its status.

-Al-

On Sat, Sep 30, 2017 at 01:05 PM, Robert O'Brien wrote:
I submitted a possible false positive via the clamav.net site on Wednesday.  I have not heard anything back, not 
even a confirmation that the submission was received.  What is the timeframe 
that I should expect to get some sort of response?  Is there any way to get a 
contact information to email or follow up?
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] URL In Freshclam

2017-09-27 Thread Joel Esler (jesler)
This site is permanently down.   We are currently refactoring this.

Sent from my iPhone

On Sep 27, 2017, at 7:09 AM, Jerry wrote:

In the "freshclam.conf" file, there is a URL listed to collect "personal
statistics". The URL is: http://www.stats.clamav.net

I have been trying to connect to this URL for two days without success. Is the
site down or is the URL incorrect?

Thanks!

--
Jerry
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] OT: mailing list behaviours (Re: Part 2: Dynamic engine module for scanning media files (e.g., MP3, MP4, etc.)?)

2017-09-19 Thread Joel Esler (jesler)
I don’t think we need it.  The only people that really need to worry about a 
configuration like that are people that use Mutt/Pine/etc, and generally those 
people know how to set those particular settings.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Sep 19, 2017, at 6:28 PM, Crystalslave <harlequin...@gmail.com> wrote:

To be honest, I'm not sure if the verbiage should be removed
wholesale. I didn't include the return path in last night's original
post, and when Mr. Varnell replied this morning, I didn't see the
reply in my inbox. I only found it by browsing to the archive and
seeing it there. So something was definitely missing.

To be clear, I've never bothered with a host-based mail client like
Thunderbird or Evolution. Heretofore, I've never needed to. This
correspondence has been maintained solely through the standard Gmail
web client.

That seems to be problematic. In response to Reindl's post, I did some
research pertaining to mail headers. Seen below is the header that was
automatically generated by the Gmail web client for the post that I
made this morning:

---

MIME-Version: 1.0
Received: by 10.157.48.116 with HTTP; Tue, 19 Sep 2017 10:52:13 -0700 (PDT)
Date: Tue, 19 Sep 2017 12:52:13 -0500
Delivered-To: harlequin...@gmail.com
Message-ID: <cabmdtuazhp8_8mouaj843s1bsn6xq43ycga27oiesujshai...@mail.gmail.com>
Subject: Part 2: Dynamic engine module for scanning media files (e.g.,
MP3, MP4, etc.)?
From: Crystalslave <harlequin...@gmail.com>
To: clamav-users@lists.clamav.net
Content-Type: text/plain; charset="UTF-8"

Return-Path: harlequin...@gmail.com

---

Note the newline between Content-Type and Return-Path. That demarcates
the beginning of the message body. In other words, the return path is
only present because I manually added it.

This may be the only viable approach for a Gmail user who doesn't want
to bother with a host-based web client.

Is that perhaps why the verbiage was there in the first place?

Note also the absence of a "Sender" field. It seems to have been
replaced by "Delivered-To." Could that also have been problematic?

For many of you folks, this mailing list stuff probably seems
second-nature, but when I woke up this morning, I didn't even know
what an envelope sender was. I only learned how to view the full email
header by visiting this page:

https://support.google.com/mail/answer/22454?hl=en

In short, I just think more could be done to make mailing list use a
little more straightforward for those of us who have been spoiled by
the click-and-post nature of forums.

Just my two cents. :)

On 9/19/17, Joel Esler (jesler) <jes...@cisco.com> wrote:

On Sep 19, 2017, at 2:48 PM, Kris Deugau <kdeu...@vianet.ca> wrote:

Crystalslave wrote:
Return-Path: harlequin...@gmail.com

First off, my apologies for the confusion. This is my first time
posting to a mailing list; I didn't really know how to handle the
return path thing, so I had to start over. Is this better? The return
path goes at the top of the message body, right? Or is it the subject
line? The verbiage on the ML FAQ is a little ambiguous.

http://www.clamav.net/documents/mailing-lists-faq

TBH I had to go have a look to see what you were talking about;  in ~20+
years participating in various lists like this I've never met one that had
such a strange public-facing requirement for something that's part of the
internals of normal mail system operation.  "Return-Path" is a generated
header most commonly added to a message on final delivery, not something you
add in the body or as an outgoing header.

The sentence "Please check that your outgoing messages start with a line
like the following: Return-Path: m...@mydomain.com where m...@mydomain.com
is the mail account which you used to subscribe to the mailing-list." should
really be removed outright, along with the last sentence "You will be able to
post to the mailing-lists by putting any of those addresses in Return-Path.".

"Subscribers-only" posting is common on "interactive" mailing lists like
this one - technically inclined or not.  So long as you're using a regular
mail program to send to the list, and you have your user profile set to the
address you subscribed with, you should be fine.


I agree that it’s unnecessary.  I’ve removed the verbiage.


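The point Kris makes above (Return-Path is a header an MTA prepends on final delivery, while a "Return-Path:" line typed after the blank line is just body text) can be checked with Python's standard email parser. This is an added example, not code from the thread; the header block is a constructed sample modelled on the one Crystalslave quoted, with placeholder addresses and Message-ID.

```python
import email

# Constructed sample modelled on the Gmail header block quoted in the thread.
# Addresses and Message-ID are placeholders, not the original values.
GMAIL_DRAFT = """\
MIME-Version: 1.0
Date: Tue, 19 Sep 2017 12:52:13 -0500
Message-ID: <placeholder-id@mail.example.com>
Subject: Part 2: Dynamic engine module for scanning media files
From: Example User <user@example.com>
To: clamav-users@lists.clamav.net
Content-Type: text/plain; charset="UTF-8"

Return-Path: user@example.com

Hello list,
"""

# The same message as a receiving MTA stores it on final delivery: Return-Path
# is prepended as a real header, built from the SMTP envelope sender.
DELIVERED_COPY = "Return-Path: <user@example.com>\n" + GMAIL_DRAFT


def return_path_location(raw):
    """Report whether Return-Path is a real header and/or the first body line."""
    msg = email.message_from_string(raw)
    header_value = msg.get("Return-Path")  # None when no such header exists
    body_lines = msg.get_payload().splitlines()
    in_body = bool(body_lines) and body_lines[0].startswith("Return-Path:")
    return {"header": header_value, "in_body": in_body}


def envelope_sender(raw):
    """Envelope sender as a list server would see it: the Return-Path header
    with angle brackets stripped, or None when the header is absent."""
    value = return_path_location(raw)["header"]
    return value.strip().strip("<>") if value else None
```

The draft yields no Return-Path header at all, so a subscriber check based on the envelope sender cannot match it; only the delivered copy carries one.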

Re: [clamav-users] OT: mailing list behaviours (Re: Part 2: Dynamic engine module for scanning media files (e.g., MP3, MP4, etc.)?)

2017-09-19 Thread Joel Esler (jesler)





On Sep 19, 2017, at 2:48 PM, Kris Deugau wrote:

Crystalslave wrote:
Return-Path: harlequin...@gmail.com

First off, my apologies for the confusion. This is my first time
posting to a mailing list; I didn't really know how to handle the
return path thing, so I had to start over. Is this better? The return
path goes at the top of the message body, right? Or is it the subject
line? The verbiage on the ML FAQ is a little ambiguous.

http://www.clamav.net/documents/mailing-lists-faq

TBH I had to go have a look to see what you were talking about;  in ~20+ years 
participating in various lists like this I've never met one that had such a 
strange public-facing requirement for something that's part of the internals of 
normal mail system operation.  "Return-Path" is a generated header most 
commonly added to a message on final delivery, not something you add in the 
body or as an outgoing header.

The sentence "Please check that your outgoing messages start with a line like 
the following: Return-Path: m...@mydomain.com where 
m...@mydomain.com is the mail account which you used 
to subscribe to the mailing-list." should really be removed outright, along 
with the last sentence "You will be able to post to the mailing-lists by 
putting any of those addresses in Return-Path.".

"Subscribers-only" posting is common on "interactive" mailing lists like this 
one - technically inclined or not.  So long as you're using a regular mail 
program to send to the list, and you have your user profile set to the address 
you subscribed with, you should be fine.


I agree that it’s unnecessary.  I’ve removed the verbiage.


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

[clamav-users] ClamAV® blog: ClamAV Customer Feedback Survey

2017-09-14 Thread Joel Esler (jesler)
ClamAV Customer Feedback Survey

As we are ramping up the feature planning on the next version of ClamAV, and 
with the recent turmoil that we've overcome (for the most part) with the mirror 
system, we have a lot of fantastic ideas and goals ourselves on making ClamAV 
more reliable, easier to install, and better to use -- but we want to hear from 
you! We decided it would be a fantastic idea to send out a survey to the ClamAV 
community to gather your thoughts.

https://www.research.net/r/WZH2NL5


Please take a look at this survey over on SurveyMonkey, and please give us 
feedback!


--
Joel Esler | Talos: Manager | jes...@cisco.com

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

