Re: [clamav-users] Tracking false positives
On Sun, 2011-03-06 at 20:32 -0500, Alex wrote:
> > Every email has a unique-ish Message-Id. Proper MUAs, when replying,
> > will set the In-Reply-To header to the just replied-to message's
> > Message-Id, and likewise add it to the list in the References header.
>
> Yes, I understand this. I just thought the "thread view" period for a
> message would be about a month or so, not six, and therefore would not
> be lost in an old archive, but instead just treated as a new message.

There is no time period. The In-Reply-To header reflects the parent message's Message-Id, and References keeps all of the parents.

> > That's pretty much everything to understand, here. Probably not worth
> > quitting over it. :)
>
> I meant quit on this off-topic thread before I make myself look any
> more inept :-) That's the beauty of anonymous addresses, isn't it?

OK, we've had this topic before. ;)

Well, it probably was more worthwhile than most of the "something broke" threads. And the lesson anyway is, if you are using a third-party sig downloader script, subscribing to the sanesecurity list probably is a good idea.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] [Clamav-users] Tracking false positives
On Sun, 2011-03-06 at 17:52 -0500, Alex wrote:
> > In-Reply-To and References headers. Set when replying.
> >
> > guenther -- who has given up hoping long ago, that folks running mail
> > servers should understand mail headers
>
> I'm not sure if I should quit while I'm still behind, or if I should
> add that I do understand that mail header; I knew those headers would
> be set, but I guess I didn't understand any previous references
> containing that header would still associate this email with that
> reference.

Every email has a unique-ish Message-Id. Proper MUAs, when replying, will set the In-Reply-To header to the just replied-to message's Message-Id, and likewise add it to the list in the References header.

Proper MUAs will use these headers to create a tree representation of the whole thread, when enabling the "Thread View" feature.

Setting these threading headers happens when replying. Removing the quoted text does not affect this, neither does using a new Subject. (You didn't try this, but some folks seem to believe it would magically make it a new mail.)

That's pretty much everything to understand, here. Probably not worth quitting over it. :)

guenther
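To make the threading rule above concrete, here is an added Python example (not part of the original list posts) that groups constructed sample messages into threads purely from Message-Id, In-Reply-To and References; the message names and bodies are made up for the demonstration.

```python
import re
from email import message_from_string

# Constructed sample messages (not taken from the list archive). The third one
# replies to the thread months later with a new Subject and no quoted text; the
# fourth reuses the old Subject but carries no threading headers at all.
RAW_MESSAGES = [
    "Message-Id: <old-post@example.invalid>\n"
    "Subject: Tracking false positives\n\n"
    "original question from last September\n",

    "Message-Id: <reply-1@example.invalid>\n"
    "In-Reply-To: <old-post@example.invalid>\n"
    "References: <old-post@example.invalid>\n"
    "Subject: Re: Tracking false positives\n\n"
    "answer\n",

    "Message-Id: <new-fp@example.invalid>\n"
    "In-Reply-To: <reply-1@example.invalid>\n"
    "References: <old-post@example.invalid> <reply-1@example.invalid>\n"
    "Subject: Another false positive, six months later\n\n"
    "new question, quoted text removed\n",

    "Message-Id: <fresh@example.invalid>\n"
    "Subject: Tracking false positives\n\n"
    "genuinely new thread, same subject line\n",
]

MSGID = re.compile(r"<[^>]+>")


def parent_candidates(msg):
    """Message-Ids this message claims as parent, nearest first:
    In-Reply-To, then References from last (direct parent) to first (root)."""
    in_reply_to = MSGID.findall(msg.get("In-Reply-To", ""))
    references = MSGID.findall(msg.get("References", ""))
    return in_reply_to + references[::-1]


def build_threads(raw_messages):
    """Group messages into threads keyed by the root Message-Id.
    Subject and body play no part: only the threading headers do."""
    msgs = [message_from_string(raw) for raw in raw_messages]
    known = {m["Message-Id"] for m in msgs}
    parent = {}
    for m in msgs:
        mid = m["Message-Id"]
        # First claimed parent that actually exists in this archive, else a root.
        parent[mid] = next((p for p in parent_candidates(m) if p in known), None)

    def root_of(mid):
        seen = set()
        while parent.get(mid) and mid not in seen:   # guard against header loops
            seen.add(mid)
            mid = parent[mid]
        return mid

    threads = {}
    for m in msgs:
        threads.setdefault(root_of(m["Message-Id"]), []).append(m["Message-Id"])
    return threads
```

Running it puts the "six months later" message into the September thread despite its new Subject, while the fourth message, with the old Subject but no threading headers, starts a thread of its own.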
Re: [clamav-users] [Clamav-users] Tracking false positives
On Sun, 2011-03-06 at 17:22 -0500, Alex wrote:
> > There was some discussion about this particular signature on the
> > Sanesecurity list. Archives here:
> > http://news.gmane.org/gmane.comp.security.virus.clamav.sanesecurity
>
> Thanks everyone for the information. I thought for sure it was that I
> was doing something wrong, which is why I didn't google it first.
>
> I'll also start a new thread next time; I didn't think it would be
> associated with that old thread any longer for the very reason that it
> was so old.

In-Reply-To and References headers. Set when replying.

guenther -- who has given up hoping long ago, that folks running mail servers should understand mail headers
Re: [clamav-users] [Clamav-users] Tracking false positives
On Sun, 2011-03-06 at 15:39 -0500, Alex wrote:
> Some time ago I posted a message requesting help tracking down a false
> positive, and trying to learn why it triggered. I have another one.

Yes, back in Sep 2010. A lot of people using threading and keeping an archive are unlikely to ever read this new-spawned sub-thread. IMHO, a new FP months later warrants a new thread...

> $ sigtool --find-sigs MBL_144360 | sigtool --decode-sigs
> VIRUS NAME: MBL_144360
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> update.multivaccine.co.kr/setupa
>
> Is that the correct way? I looked at the email itself, and not only is
> it from a trusted sender, but it doesn't contain that URL in the
> message. Am I missing something?

This has extensively been discussed on the sanesecurity mailing list (even though it is unrelated to sanesecurity). This MBL sig used to be a broken, plain 'updat'. It has been fixed since, and re-issued using the same sig name.

For the full story, see this.
http://article.gmane.org/gmane.comp.security.virus.clamav.sanesecurity/3092
Re: [Clamav-users] Reload process
On Sun, 2010-05-23 at 17:43 +0300, Török Edwin wrote:
> > > If a file is determined to be clean, its MD5 is added to an in-memory
> > > cache.
> > > When scanning a new file, its MD5 is computed and looked up in the
> > > cache. If found, it is considered clean.
> > > On DB reload the entire cache is cleared.
> >
> > But, isn't that typically done multiple times a day?
> >
> > So what exactly is the use-case for this, other than doing full system
> > scans more frequently than signature updates?
>
> Even when doing full systems scan you still have a cache of last N
> minutes (where N depends how often you reload the DB).
> This helps with:
> - duplicate files, or files both in archived and unarchived state
> - since we cache at the extracted files level, even if only part of an
> archive/container is redundant, we have that cached
> - mails containing same attachment, which was already determined to be
> clean

Ah, now I see. :) Thanks for explaining, Török.

> - archive bombs: instead of trying to scan 2^N files until the
> recursion depth/maxfilesize limit is reached, it only needs to scan N
> files (N is recursion depth) for a typical archive bomb that expands to
> 2 more archives at each depth.
> - ensure that the bytecode won't accidentally need 2^N time to run: if
> it happens to extract a file that matches the logical signature of the
> same bytecode again, which would trigger further extraction and so on
>
> The latter is the reason why the feature was added, however some initial
> tests have shown improved performance for nearly any kind of scan
> (system, mails, home, etc.)
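An added toy model (not libclamav code) of the clean-object cache Török describes above: every extracted object is hashed with MD5 and, if clean, remembered until the next DB reload. It assumes a simplified archive model where an archive is just bytes plus the objects it extracts to, and uses the archive-bomb shape from the reply (each level expands to two copies of the next) to show the 2^N versus N+1 effect, plus why the cache must be dropped on reload.

```python
import hashlib


class Node:
    """A scanned object: its raw bytes, plus whatever it extracts to (for
    archives/containers). A leaf has no children. Constructed model, not
    ClamAV's internal representation."""
    def __init__(self, data, children=()):
        self.data = data
        self.children = list(children)


class Scanner:
    """Toy signature scanner with a clean-object cache keyed by the MD5 of the
    object's bytes. Every extracted object is hashed and cached separately,
    which is the 'cache at the extracted files level' point above."""
    def __init__(self, signatures, use_cache=True):
        self.signatures = list(signatures)
        self.use_cache = use_cache
        self.clean_cache = set()   # MD5 digests of objects previously found clean
        self.scanned = 0           # objects actually scanned, i.e. cache misses

    def reload_db(self, signatures):
        """Signature reload: new signatures, and the whole clean cache is dropped,
        so anything cleared under the old database is examined again."""
        self.signatures = list(signatures)
        self.clean_cache.clear()

    def scan(self, node):
        """Return True if node (or anything it extracts to) matches a signature."""
        digest = hashlib.md5(node.data).digest()
        if self.use_cache and digest in self.clean_cache:
            return False
        self.scanned += 1
        if node.children:
            infected = any(self.scan(child) for child in node.children)
        else:
            infected = any(sig in node.data for sig in self.signatures)
        if not infected and self.use_cache:
            self.clean_cache.add(digest)
        return infected


def archive_bomb(depth, payload=b"harmless payload"):
    """Archive that expands to two identical copies of the next level down,
    so depth N holds 2**N leaves but only N+1 distinct objects."""
    if depth == 0:
        return Node(payload)
    inner = archive_bomb(depth - 1, payload)
    return Node(b"archive level %d" % depth, [inner, inner])


def count_scans(depth, use_cache):
    """Objects the scanner actually had to look at for a bomb of this depth:
    2**(depth+1) - 1 without the cache, depth + 1 with it."""
    scanner = Scanner([b"MALWARE"], use_cache=use_cache)
    scanner.scan(archive_bomb(depth))
    return scanner.scanned


def detect_after_reload():
    """A clean-cached attachment is rescanned once the DB is reloaded; between
    reloads the cached verdict would be returned without a second look."""
    scanner = Scanner([b"MALWARE"])
    attachment = Node(b"invoice.exe: dropper-v2")        # constructed sample
    before = scanner.scan(attachment)                    # clean under old DB, now cached
    scanner.reload_db([b"MALWARE", b"dropper-v2"])       # new sig for it; cache cleared
    after = scanner.scan(attachment)
    return before, after
```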
Re: [Clamav-users] Reload process
On Sun, 2010-05-23 at 10:21 +0300, Török Edwin wrote:
> > else
> > Scan it like it does now
> > ( with everything in the DB, I assume. )
> > }
>
> A simpler form of this is already implemented in 0.96 :)
>
> If a file is determined to be clean, its MD5 is added to an in-memory cache.
> When scanning a new file, its MD5 is computed and looked up in the
> cache. If found, it is considered clean.
> On DB reload the entire cache is cleared.

But, isn't that typically done multiple times a day?

So what exactly is the use-case for this, other than doing full system scans more frequently than signature updates?
Re: [Clamav-users] unofficial rules preferred
On Mon, 2009-09-14 at 17:27 +0200, Wolfgang Breyha wrote:
> I'm running clamd with both official and sanesecurity sigs.
>
> Now I made a test with my virus archive and recognized that clamd prefers the
> sanesecurity sigs. Using only ClamAV original sigs I have ~3500 virus matches.
> Using both original and sanesecurity sigs ~3900 are found, but the originals
> only match ~2000 anymore and all the others are caught by sanesecurity rules.
>
> Since I want to block mail found by the original rules and mark mails for
> spamassassin found by sanesecurity this is really bad.
>
> Is there any way to set kind of priority which of the rules are preferred?

I once asked a related question. The answer was along the lines, that it is unpredictable which sig(-set) will fire, and there is no way to define preferences or order of matches.

With a single clam instance, that is.

guenther
Re: [Clamav-users] ClamAV Webinar on 4th March
On Sat, 2009-02-21 at 02:57 +0100, chen wrote:
> Why doesn't this list's webmaster install a simple forum ?

Please don't hijack unrelated threads.

> Yes a link to unsubscribe this list would be welcome.

You just confirmed you don't read any of these posts. Not even the ones clearly talking about this very topic. Would you mind following the link you quoted? There you'll find instructions how to unsubscribe easily.

> > http://www.clamav.net/support/ml

THAT link. Pretty please with sugar on top.

Why can't I stop laughing, though I feel like crying?
Re: [Clamav-users] OT: Re: please remove
On Fri, 2009-02-20 at 22:25 -0500, Gary L Burnore wrote:
> Laurens wrote:
> > I have been wanting to unsubscribe from this fucking thing for over a
> > year can not remember log in details etc and as a result I keep
> > getting this shit.
>
> Ok, someone's gotta say it, YOU are a fucking moron. The info can be found
> at the bottom of every one of these posts,

Thanks, Gary. :)

> > I have written, mailed and asked politely all to no avail it is
> > now called spam.
>
> No, it's not. But feel free to believe anything your little brain desires.
>
> > STOP THIS SHIT PLEASE

Laurens, it's amazing -- you just replied to an old post, ignoring the entire thread talking about HOW to unsubscribe. Sometimes it's better to read, than to shout, eh?

Even in my wildest dreams, I don't see how *you* managed to subscribe to this list in the first place.

> http://lists.clamav.net/mailman/listinfo/clamav-users
>
> Look down at the bottom, (that's the opposite of where you like to post) and
> see this:
>
> To unsubscribe from clamav-users, get a password reminder, or change your
> subscription options enter your subscription email address:
[Clamav-users] OT: Re: please remove
On Thu, 2009-02-19 at 10:50 +, Ian Eiloart wrote:
> > http://www.clamav.net/support/ml
>
> Can we not have the list unsubscribe link in the footer, too? It's a legal

Maybe start by following the link you quoted... ;)

> requirement in the UK to have an easy to use mechanism to unsubscribe to
> marketing emails. The definition of marketing would definitely extend to
> promotion of free open source software. Whether it also extends to a

This is NOT marketing, neither promotion.

> support list like this might be debatable, but surely the developers of
> software developed mainly in response to the spamming industry ought to be
> following best practice.

Those guys managed to subscribe themselves, somehow. Too bad some (quite rare on technical lists) individuals seem to forget how they did that. *shrug*

> As long as most MTAs don't expose the List-Unsubscribe: header (none do by
> default, as far as I'm aware), it can't be described as "easy to use". Some
> MTAs even make it really hard to find the full message headers.

Evolution does. Nope, doesn't display the header verbatim, but offers Unsubscribe, Get Info and other actions on all mailing list posts.

guenther -- crawls back into his hole for more coffee
Re: [Clamav-users] Submitting malware attachments or full email?
On Tue, 2008-12-02 at 10:10 +0100, Tomasz Kojm wrote:
> On Tue, 02 Dec 2008 00:59:01 +0100
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:

FWIW, detected as Trojan.Invo-13 and Trojan.Downloader-60790. Which (again) raises the question why that variation, for what appears to be a single malware.

> > Should I submit the entire, original email, or the attachment only?
>
> The entire email is usually most useful to us.

Thanks, Tomasz. I kind of went paranoid, given the scary report recently referred to in my OP.
[Clamav-users] Submitting malware attachments or full email?
Today started again what seems to establish itself as the Monday run [1] of user-frightening malware attachments, properly phrased German. The last one is exactly one week ago, and they appear to start after office hours. *sigh*

Given the recent report on this list of malware submissions, where parts of the innocent wrapper mail ended up in the signatures, rather than the attachment only...

Should I submit the entire, original email, or the attachment only?

Also, since no one answered my previous question: Samples checked by virustotal are *not* automatically forwarded to you guys? Or are they?

guenther -- come on, this is just a nick

[1] Sorry, Robert, if you again don't get that wave. ;)
Re: [Clamav-users] Bugzilla
On Tue, 2008-11-04 at 12:55 -0500, Jason Bertoch wrote:
> > Use the advanced search tab. Or select 'All' instead of 'Open Bugs'.
>
> I suppose I should have mentioned I tried that. Even with all components,
> versions, statuses, resolutions, severities, priorities, hardware, and OS's
> checked, a search for PDF in summary or comment returns Zarro Boogs.

Select all -- don't do that. :)

Advanced Search, un-check [1] any Status -- this will not limit to any sub-set -- which defaults to all kind of valid bugs. Enter some search words for Summary and/or Comment [2]. Returns 67 bugs for comment contains "pdf".

Since you are searching for a bug *you* filed, you can use Email / reporter contains instead of doing a plain text summary or comment search.

HTH
guenther

[1] Ctrl-click does the trick. In the Status case you can select all to get the same result, though.
[2] Defaults to contains the string. Change this, if you are looking for comments simply containing multiple words.
Re: [Clamav-users] Malware submission / Virustotal
On Sat, 2008-10-25 at 16:27 +0200, Karsten Bräckelmann wrote:
> Recent flood of (German only?) Trojan.Agent malware, partly slipping by
> ClamAV. So I now am submitting samples where I spot 'em...

FWIW, also reported by Heise (sorry, German only).
http://www.heise.de/security/news/meldung/117971

Robert, just consider yourself lucky you didn't see any of them. ;)

> By doing so, two questions came up:
>
> (a) After testing the sample message with Virustotal, should I even
> bother submitting it from clamav.net, too? If memory serves me
> correctly, these samples are being forwarded to the ClamAV sig team
> anyway. Just couldn't find any note on the websites...

Any takers? Are virus samples checked by Virustotal automatically forwarded to the ClamAV sig team?

> (b) When submitting on clamav.net I opted in for "notify me" and "stay
> anonymous". However, I didn't get any notification about yesterday's
> sample, which already has been added to the sigs. How come, is this
> broken?

Probably just an oops or something, I *did* receive a notification mail about further samples submitted. Sending these from mailer-daemon isn't the best choice IMHO, though.

> Thanks in advance for any insight, that might help speed up the process
> and not waste our sig team's time unnecessarily.

Let's try this again. :)
Re: [Clamav-users] Malware submission / Virustotal
On Sun, 2008-10-26 at 10:22 +0100, Robert Schetterer wrote:
> Karsten Bräckelmann wrote:
> > Recent flood of (German only?) Trojan.Agent malware, partly slipping by
> > ClamAV. So I now am submitting samples where I spot 'em...
> >
> > By doing so, two questions came up:

[ Yet unanswered sample submission best-practice questions snipped. ]

> Hi Karsten,
> just for my interest, I don't see
> a significant growth of German malware in mail,
> I use clamav-milter with
> http://www.sanesecurity.com/clamav/
> and I don't know of anything slipping through
> ( investigated the quarantine dir )
> on 5 really big mailservers with over a hundred domains ( mostly German )
> and over 3000 mailboxes,

OK, here's a rough sketch, no hard numbers. Also, please note that I am NOT a mail admin with a lot of users. The numbers below represent pretty much me, and me only. :)

This started Fri and seems to have ceased by today already. I received like 40 of these a day, with half of them slipping by ClamAV on Fri. Usually I don't even get anything near 40 malware mails a *week*. That's why I believe the term "flood" is justified.

(Talking about malware, attached archives containing Windows executables, mind you. This does not include the bulk of pestering phishes. And yes, I do use the SaneSecurity phish sigs.)

> after all it would only be evil if real viruses bypass
> but as it's some kind of spam ( phishing etc ) it's
> checked by spamassassin and marked too in my setups
> perhaps you should tune up antispam features in your mailserver

SpamAssassin is tuned rather well, thanks. :) In fact, you probably should know me from the SA mailing list, Robert. ;)

And indeed, all of them scored around 15+, none slipped by SA. This however is a consequence of using the same botnet. ClamAV still didn't recognize the malware. I didn't complain. And my post was not about ClamAV not catching them, either.

I asked about sample submission best-practices and avoiding unnecessary workload -- which remains unanswered.

> in general to block incoming bots before getting to clamav-antivir stage
> that should bring down the malware rate in any case

I don't block at SMTP stage for various reasons. One being, that I need the spam corpus.

Anyway, while this gets slightly off-topic, most of these did hit Spamhaus XBL (sic) or at least PBL. That might explain why you didn't see them.

> so where does your info come from ?

Straight from my mail in-stream. :) Plus some general knowledge about botnets and their specific, identifying patterns, regarding some of the statements above.
[Clamav-users] Malware submission / Virustotal
Recent flood of (German only?) Trojan.Agent malware, partly slipping by ClamAV. So I now am submitting samples where I spot 'em...

By doing so, two questions came up:

(a) After testing the sample message with Virustotal, should I even bother submitting it from clamav.net, too? If memory serves me correctly, these samples are being forwarded to the ClamAV sig team anyway. Just couldn't find any note on the websites...

(b) When submitting on clamav.net I opted in for "notify me" and "stay anonymous". However, I didn't get any notification about yesterday's sample, which already has been added to the sigs. How come, is this broken?

Thanks in advance for any insight, that might help speed up the process and not waste our sig team's time unnecessarily.

guenther
Re: [Clamav-users] Scan stops at first virus sig
On Thu, 2008-04-10 at 13:58 +0100, Greg Smith wrote:
> I am trying to scan files so that clam scans the entire file for all viruses
                      ^
Smells like mbox.

> and doesn't stop at the first one it finds? Is this possible?

In that case, formail is your friend. If you're not about mbox files, please be more specific.

$ formail -s clamdscan - < $mbox

guenther
Re: [Clamav-users] Creating your own Signatures: Bound Offset
On Sat, 2008-01-26 at 10:29 +0100, Tomasz Kojm wrote:
> On Sat, 26 Jan 2008 01:20:26 +0100
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
>
> > $ cat test.ndb
> > local.test:4:0:{-4096}74657374
>
> It won't work because there's no 'sub-signature' preceding the range wildcard.
> You can use a floating offset to workaround the limitation:
>
> local.test:4:0,4096:74657374

Thanks Tomasz, that works nicely. :)

Just a pity, that the sig manual doesn't mention range wildcards at all. Or the limitation of a preceding sub-signature to be at least 2 chars.

Anyway, now that this works -- any word on the speed impact (as per my OP and the other sub-thread)?

guenther
Re: [Clamav-users] help-about regular expressions in signatures-From: Török Edwin
On Sun, 2008-01-27 at 16:44 -0500, xue wen wrote:
> The signature I have made up is like this:
>
> Worm.Yawen (Clam)=61*7c62
>
> where "617c62" means "a|b". Once I add the wildcard into this signature,
> there will be an error, no matter whether I put it into a .db or .ndb file. Is there
> something wrong with the way I build my signature?

As I've pointed out in a related post 2 days ago, there seems to be a limitation on the signatures and minimum lengths of sub-signatures, when wildcards are involved. A single char before the wildcard does not work. You'll need at least 2 chars before and after the wildcard.

6161*6262

The above will match any stream, that contains two consecutive 'a', and two consecutive 'b' at any point later.

Oh, and this time, I checked by building a sig. ;)

guenther
Re: [Clamav-users] 10. Re: help-about regular expressions in signatures (Kris Deugau)
On Sun, 2008-01-27 at 17:03 -0500, xue wen wrote:
> I just want to learn the format of ClamAV's signature. So I tried to build a
> signature containing a wildcard by myself. The example I used is as follows:
>
> I have made up a signature of: Worm.Yawen (Clam)=61*7c62
> where "617c62" means "a|b".

I believe this will match the string 'a|b' literally. If you want an alternation, to match either 'a' or 'b', only hex encode the strings. The wildcard stuff must not be hex encoded.

(61|62)

Caveat: Going from my understanding of the not-so-fine sig manual, I have not tested this. ;)

> Then I put this signature into a .db file. When
> I didn't add the * in the signature, it can be used to match the string of
> a|b. But once I added the * into the signature, there was an error like
> this:
>
> LibClamAV Error: cli_parse_add(): Problem adding signatures (2).
> Problem parsing signature at line 1
> Problem parsing database at line 1
> Can't load daily.db: Malformed database
> ERROR: Malformed database
>
> What is wrong in my method of building the signature with wildcard?

As Török already told you Fri, wildcard signatures go into a .ndb file.

guenther
Re: [Clamav-users] Creating your own Signatures: Bound Offset
On Fri, 2008-01-25 at 18:41 -0800, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:
> > On Fri, 2008-01-25 at 17:54 -0800, Dennis Peterson wrote:
> >> The sigs are full of unbound RE's. That's why scanning mbox mail files is
> >> pointless.
> >
> > Yes, I know. I contributed that fact to the thread a while ago...
> >
> > I do realize the ambiguity here -- there is no plural for 'mail'. :)
> > However, I am talking about a *single* mail. If I would have been
> > talking about mbox files, I'd have used that term.
>
> I've been out of town and haven't got caught up on all the world's history.

Dennis, now you're confusing me. :) Nothing to catch up with, I've been referring to the thread "Getting line numbers" back in Oct. Both of us have been discussing that topic.

> ClamAV's archives are on the list. Bounded (and anchored) RE's always
> run faster and they're more accurate. What's to lose?

I know about the archives, I've been a long time subscriber. Anyway...

What's to lose? Well, as per my OP, it just doesn't work. ClamAV freaks out, when you start a hex signature with a (bounded) wildcard.

Besides, I'm not convinced bounded wildcards [1] actually do run faster in clam. Haven't looked at the engine's code, but given the rather limited set of wildcards, I doubt it uses backtracking. And the bound does impose another constraint while scanning the stream, no?

Good point about running faster when anchored, though. :)

guenther

[1] The doc talks about wildcards -- rightly so. They are no REs. The only thing that at least comes close is the alternation.
Re: [Clamav-users] Creating your own Signatures: Bound Offset
On Fri, 2008-01-25 at 17:54 -0800, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:
>
> > The main purpose was, to keep ClamAV from scanning the entire, possibly
> > large file (err, mail). And maybe even speed it up. It's good practice
> > to bound your REs or wildcards anyway.
> >
> > I wonder, if this indeed would speed up scanning, however small, of
> > large-ish files. Or would the additional constraint actually impose more
> > CPU cycles spent?
>
> The sigs are full of unbound RE's. That's why scanning mbox mail files is
> pointless.

Yes, I know. I contributed that fact to the thread a while ago...

I do realize the ambiguity here -- there is no plural for 'mail'. :) However, I am talking about a *single* mail. If I would have been talking about mbox files, I'd have used that term.

Dennis, thanks for your reply. Just doesn't answer the question, unfortunately... ;)

guenther
[Clamav-users] Creating your own Signatures: Bound Offset
So I finally got around to writing some (well, one for now ;) custom signatures. There's currently a highly annoying, lame phishing attempt I want to swat early.

Anyway, while playing with the sigs and trying some optimization, the sig broke horribly for some weird reason. Please see below for a stripped down test case. What's so bad about it?

Instead of using the "any" offset, I tried to bound it, by setting the offset to 0, and starting the hex signature with a limited wildcard. Also, I noticed the parser isn't happy, if there is such a wildcard with less than 2 bytes either at the beginning or end of the string.

Well, I could just start the sig with "From " and then anchor it at offset 0. :) But the question remains -- why?

Another question: Does this actually make sense? The main purpose was, to keep ClamAV from scanning the entire, possibly large file (err, mail). And maybe even speed it up. It's good practice to bound your REs or wildcards anyway.

I wonder, if this indeed would speed up scanning, however small, of large-ish files. Or would the additional constraint actually impose more CPU cycles spent?

Thanks for any insight. :)

guenther

$ cat test.ndb
local.test:4:0:{-4096}74657374

$ clamscan --quiet -d test.ndb msg
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: Problem parsing signature at line 1
LibClamAV Error: Problem parsing database at line 1
LibClamAV Error: Can't load test.ndb: Malformed database
ERROR: Malformed database

$ clamscan --version
ClamAV 0.92/5553/Fri Jan 25 22:14:29 2008
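The .ndb signatures discussed across this thread (the range wildcard {-4096}, the floating offset 0,4096 Tomasz suggests, the 61*7c62 versus 6161*6262 case, and the (61|62) alternation) can be exercised with this added Python model. It is not libclamav's matcher: it translates the hex-signature subset into a byte regex, supports only the absolute, floating and "*" offset forms, and encodes the limitation reported in the thread (a literal sub-signature next to a wildcard must be at least 2 bytes) as an assumption about ClamAV's behaviour.

```python
import re
from dataclasses import dataclass


class SignatureError(ValueError):
    """Raised for a signature this toy parser rejects (cf. 'Malformed database')."""


# One token of the hex-signature body: "*", "{n}", "{-m}", "{n-}", "{n-m}",
# an "(aa|bb)" alternation of hex strings, or a single literal hex byte.
_TOKEN = re.compile(
    r"(?P<star>\*)"
    r"|\{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\}"
    r"|\((?P<alt>[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})*(?:\|[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})*)+)\)"
    r"|(?P<hex>[0-9a-fA-F]{2})"
)


def compile_hexsig(hexsig):
    """Translate a hex signature into a byte regex. Models the rule reported in
    this thread (assumption, not taken from ClamAV's source): every literal
    sub-signature adjacent to a wildcard ('*' or '{..}') must be at least
    2 bytes, so a signature may neither start nor end with such a wildcard."""
    parts, runs, run, pos = [], [], 0, 0
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if not m:
            raise SignatureError("cannot parse %r at column %d" % (hexsig, pos))
        pos = m.end()
        if m.group("hex") is not None:
            parts.append(re.escape(bytes.fromhex(m.group("hex"))))
            run += 1
        elif m.group("alt") is not None:
            alts = [bytes.fromhex(a) for a in m.group("alt").split("|")]
            parts.append(b"(?:" + b"|".join(re.escape(a) for a in alts) + b")")
            run += min(len(a) for a in alts)   # counts as its shortest alternative
        else:
            runs.append(run)                   # a wildcard ends the current sub-signature
            run = 0
            if m.group("star") is not None:
                parts.append(b".*")
            else:
                lo, dash, hi = m.group("lo"), m.group("dash"), m.group("hi")
                if not lo and not hi:
                    raise SignatureError("empty range in %r" % hexsig)
                if not dash:                   # {n}: exactly n bytes
                    parts.append(b".{%d}" % int(lo))
                else:                          # {-m}, {n-}, {n-m}
                    parts.append(b".{%d,%s}" % (int(lo or 0), hi.encode()))
    runs.append(run)
    if len(runs) > 1 and min(runs) < 2:
        raise SignatureError("sub-signature shorter than 2 bytes next to a wildcard: %r" % hexsig)
    return re.compile(b"".join(parts), re.DOTALL)


@dataclass
class Signature:
    name: str
    target: int          # ndb target type (4 = mail); parsed but not enforced here
    offset: object       # None = anywhere, else (start, slack)
    pattern: re.Pattern


def parse_offset(offset):
    """'*' anywhere; 'n' exactly at byte n; 'n,m' floating: may start in n..n+m."""
    if offset == "*":
        return None
    if "," in offset:
        n, m = offset.split(",", 1)
        return int(n), int(m)
    return int(offset), 0


def parse_ndb(line):
    """MalwareName:TargetType:Offset:HexSignature (any trailing fields ignored)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise SignatureError("expected 4 colon-separated fields: %r" % line)
    name, target, offset, hexsig = fields[:4]
    return Signature(name, int(target), parse_offset(offset), compile_hexsig(hexsig))


def loads(line):
    """True if the ndb line parses, False if this parser rejects it."""
    try:
        parse_ndb(line)
        return True
    except SignatureError:
        return False


def matches(sig, data):
    """True if the signature fires on data, honouring the offset field."""
    if sig.offset is None:
        return sig.pattern.search(data) is not None
    start, slack = sig.offset
    m = sig.pattern.search(data, start)        # leftmost match at or after start
    return m is not None and m.start() <= start + slack
```

With it, the test case from the post above is rejected while the floating-offset form loads and only fires when "test" occurs within the first 4096 bytes; sample inputs in the checks are constructed.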
Re: [Clamav-users] clamav gcc dependencies ...
Please resist the urge to top-post.

On Mon, 2007-12-17 at 15:52 -0800, fchan wrote:
> Hello,
> I'm on a MacBookPro running 10.4.11 with xcode
> 2.5 and I tried your suggestion "export
> CC=gcc-3.4" and I got this error:

The advice was rather specific to Debian. And actually started by installing GCC 3.4...

> checking for gcc... gcc-3.4
> checking for C compiler default output file name...
> configure: error: C compiler cannot create executables
> See `config.log' for more details.
>
> Here is what I saw in config.log:
>
> ./configure: line 1: gcc-3.4: command not found

See?

guenther
Re: [Clamav-users] Signature precedence
On Mon, 2007-10-22 at 14:43 -0500, Noel Jones wrote:
> At 12:37 PM 10/22/2007, Karsten Bräckelmann wrote:
> > When using additional, third party signatures, is there any particular
> > order in the signatures?
>
> No particular order.
>
> > If both, the official as well as the third party sigs match, which one
> > is being reported?
>
> One or the other will be reported, but not both. The one actually
> reported is unpredictable.

Thanks, Noel. That's exactly what I needed, though I did hope for another answer. ;)

Guess my logs are just that -- logs. No way to turn them into half-decent stats, unless I rerun per signature set.

guenther
[Clamav-users] Signature precedence
I seem to recall I have come across this before, but I just can't find it. Maybe someone knows off-hand. :)

When using additional, third party signatures, is there any particular order in the signatures? If both, the official as well as the third party sigs match, which one is being reported?

karsten
Re: [Clamav-users] RFC: Recognize mbox format
On Mon, 2007-10-08 at 16:25 -0300, Joao S Veiga wrote:
> > Of course. However, I got the impression that neither of the recent
> > reporters does this additional step. Also, this gets even more annoying
> > (and maybe impossible) when dealing with PST files (which one of the OPs
> > does).
>
> Hi, if one of those reporters is me, I don't "advocate" doing what I do. I
> was justifying why I do it :-). [...]

Indeed, you are. :-) Sorry, if that came out wrong. I'm not a native English speaker, and didn't mean to accuse you or anyone for that matter.

The mentioned procedure of re-scanning after delivery does bear some pitfalls. Which in both these cases led to false alarms. Since it seems to be practice anyway, one needs to be aware of potential issues. That is all I was aiming for: Pointing out the issues, raising awareness.

> In the FreeGame case, I just removed the signature from daily.ndb.

Which, at the point of your OP and as mentioned in the previous thread, has been done upstream already. :)

> I just replied to a guy who had the same false alarm as me, since I already
> had found the workaround (and had submitted the sample false positive file).
> Then the wrath of heavens broke down on me.

Err, no, you did not reply, but start a new thread. Anyway, pointing out issues (as you did) and submitting FP samples always is appreciated. :)

guenther
Re: [Clamav-users] RFC: Recognize mbox format
On Mon, 2007-10-08 at 09:15 -0700, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:
> >>> Another downside of this approach, together with ClamAV treating mbox
> >>> format files as text/plain is, that only the first hit will be reported.
> >> That was made to improve performance, the Changelog say so.
> >
> > Thanks for clarifying this, René.
> >
> > Anyway, that whole last paragraph was a heads up to those who advocated
> > re-scanning after delivery (see the recent threads). They do not get
> > what they believe they do.
>
> Unless you separate the mbox file(s) into maildir files and then you get
> exactly what you expect. It is, however, an annoying additional step one
> must take to ensure systems are as secure as possible.

Of course. However, I got the impression that neither of the recent reporters does this additional step. Also, this gets even more annoying (and maybe impossible) when dealing with PST files (which one of the OPs does).

guenther
Re: [Clamav-users] RFC: Recognize mbox format
On Wed, 2007-10-03 at 18:31 -0500, René Berber wrote:
> Karsten Bräckelmann wrote:
> > Another downside of this approach, together with ClamAV treating mbox
> > format files as text/plain is, that only the first hit will be reported.
>
> That was made to improve performance, the Changelog say so.

Thanks for clarifying this, René.

Anyway, that whole last paragraph was a heads up to those who advocated re-scanning after delivery (see the recent threads). They do not get what they believe they do.

Also, thanks to you and Tomasz for replying to this request with some insight. IMHO wildcards in the signatures should be properly limited anyway. Unfortunately, the supported patterns are somewhat limited in functionality -- something that probably suits binary viruses much better than text-based email scam...

guenther
[Clamav-users] RFC: Recognize mbox format (was: Re: Getting line numbers)
On Wed, 2007-10-03 at 10:45 -0700, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:

Developers, read on. :)

> > Somewhat simplified, the signature reads "Subject with the string game"
> > and "an IP style http link".
> >
> > Scanning maildirs as well as scanning individual messages before
> > delivering, this enforces that both be in the same email. Scanning a
> > whole mbox however, does *not*.
> >
> > The Subject can be in one message, and the link in another one further
> > down the file. Boom, we got a hit! :) (Actually, according to your
> > prose description, it neither needs to be a (Subject) header, nor an IP
> > style link.)
> >
> > Which raises the question if the OP is correct when stating that ClamAV
> > knows how to handle mbox files. It sure does not look like that. The
> > summary claimed to have scanned one (mbox) file. It did not claim to
> > have scanned a bunch of messages, treated individually and applying the
> > signatures against each of them -- just a single text/plain file, that
> > happens to resemble more than one message.
>
> This is my conclusion too, and the question was really thrown out there for
> comment from the SourceFire folks to provide clarification. Given that
> clamscan knows where in the file it is as well as being aware of the
> construction of it they appear to be very close to doing the right thing so
> it would be surprising to learn they do not.

Right. :)

Adjusted the Subject accordingly. Maybe this will get some attention by the developers. Would be nice if someone could shed some light on this. Or implement it.

Another downside of this approach, together with ClamAV treating mbox format files as text/plain is, that only the first hit will be reported. Something to keep in mind for the use case mentioned in that other thread. All you will gain is knowledge, that the users might have been exposed to some threat, before the good guys caught up. You will *not* know which threat, since there may be others lurking, too...

guenther
Re: [Clamav-users] Getting line numbers
On Tue, 2007-10-02 at 10:24 -0700, Dennis Peterson wrote:
> Can anyone offer a reason why the OP found a virus in the mbox file but not
> in the split out maildir messages? That kind of inconsistency is unsettling.

Rather easy I guess, given your analysis of the RE earlier. :)

Caveat: I have not checked the signature myself, going from your own description only. Also, I assume that "any number of characters" actually includes \n. The signature wouldn't match my FreeGame crap otherwise anyway.

Somewhat simplified, the signature reads "Subject with the string game" and "an IP style http link".

Scanning maildirs as well as scanning individual messages before delivering, this enforces that both be in the same email. Scanning a whole mbox however, does *not*.

The Subject can be in one message, and the link in another one further down the file. Boom, we got a hit! :) (Actually, according to your prose description, it neither needs to be a (Subject) header, nor an IP style link.)

Which raises the question if the OP is correct when stating that ClamAV knows how to handle mbox files. It sure does not look like that. The summary claimed to have scanned one (mbox) file. It did not claim to have scanned a bunch of messages, treated individually and applying the signatures against each of them -- just a single text/plain file, that happens to resemble more than one message.

A note to the OP: Line numbers won't get you anything. Well, at least for mbox files that is. Let's assume ClamAV would have spit out a line number. Now what? Your mail client doesn't support "displaying the mail of line N". And what if this is an mbox file being served by an IMAP server? Even less client control over the file... Your only option would be to start an editor, to look at the raw mail. OK, would work in this case, maybe. But what about if this wouldn't be such a dumb text/plain crap, but a binary attached base64 encoded to a mail?

Scanning incoming messages before delivering definitely is the way to go. On one hand, you can act appropriately, and be sure to avoid issues like these match inconsistencies [1]. On the other hand, scanning periodically after delivery is much too late anyway. How do you ensure the user didn't fall for the phish already?

guenther

[1] yes, that mbox file seems to be clean, not containing any virus
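The cross-message hit described in this post, and again in the "RFC: Recognize mbox format" follow-up above, as an added Python example that is neither ClamAV code nor from the thread: the signature is approximated by a regex over the raw bytes (the real signature's exact pattern is not on the page, so this models only the prose description "Subject with the string game" followed by "an IP style http link"), the mbox, the addresses and the subjects are constructed, and the IP addresses come from the TEST-NET-1 documentation range.

```python
"""Why a signature pairing a Subject with a link elsewhere in the text fires
on a whole mbox but not on the same mail split one message per file.

Added example, not ClamAV code.  The signature is modelled as a Python
regex; the mbox below is constructed (example.invalid addresses, 192.0.2.0/24
documentation IPs).
"""
import re

# Constructed two-message mbox.  Message 1 has "game" in its Subject but no
# link; message 2 has an IP-style link but an unrelated Subject.  Neither
# message on its own is a phish by the signature's definition.
SAMPLE_MBOX = b"""From alice@example.invalid Mon Oct  1 09:00:00 2007
From: alice@example.invalid
To: bob@example.invalid
Subject: Board game night on Friday

Bring snacks.

From billing@example.invalid Mon Oct  1 10:00:00 2007
From: billing@example.invalid
To: bob@example.invalid
Subject: Invoice 1234

The document is on the intranet: http://192.0.2.10/invoices/1234.pdf
"""

# Constructed message in which both parts occur together, i.e. what the
# signature is actually meant to catch.
SAMPLE_HIT = b"""From promo@example.invalid Mon Oct  1 11:00:00 2007
From: promo@example.invalid
To: bob@example.invalid
Subject: Your free game is waiting

Claim it here: http://192.0.2.99/claim
"""

# Stand-in for the signature described in the thread.  DOTALL lets the gap
# between the two parts span line breaks, which is the "any number of
# characters includes \n" assumption the post makes about the wildcard.
SIGNATURE = re.compile(
    rb"Subject:[^\r\n]*game.*?http://\d{1,3}(?:\.\d{1,3}){3}/",
    re.DOTALL | re.IGNORECASE,
)


def split_mbox(data):
    """Split an mbox into messages on the 'From ' separator at line start.
    Real mbox writers escape body lines starting with 'From ' as '>From ',
    so this naive split is adequate for well-formed files."""
    return [m for m in re.split(rb"(?m)^From ", data) if m.strip()]


def subject_of(message):
    m = re.search(rb"(?m)^Subject:[ \t]*(.*)$", message)
    return m.group(1).decode("ascii", "replace").strip() if m else ""


def scan_whole_file(data, signature=SIGNATURE):
    """Scan the file as one text/plain blob.  Returns the first match (or
    None), which is all a first-hit-only scanner would ever tell you."""
    return signature.search(data)


def scan_per_message(data, signature=SIGNATURE):
    """Scan each message on its own, as a maildir or pre-delivery scan would.
    Returns (index, subject) for every message that matches."""
    hits = []
    for i, msg in enumerate(split_mbox(data)):
        if signature.search(msg):
            hits.append((i, subject_of(msg)))
    return hits


if __name__ == "__main__":
    print(scan_whole_file(SAMPLE_MBOX) is not None)   # True: Subject from msg 1, link from msg 2
    print(scan_per_message(SAMPLE_MBOX))              # []: no single message matches
    both = SAMPLE_MBOX + SAMPLE_HIT
    print(scan_per_message(both))                     # only the real hit, with its Subject
    print(scan_whole_file(both).start())              # still the earlier, spurious match
```

With the real hit appended, the whole-file scan still reports the earlier spurious match first, which is the "only the first hit will be reported" point from the follow-up: a single hit on an mbox tells you neither which message nor which threat.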
Re: [Clamav-users] signature names
On Wed, 2007-09-12 at 07:28 -0700, John Rudd wrote:
> (to the developers, not in answer to Burnie)
>
> See, the current name scheme needs to be fixed. And no one responded at
> all to my proposed scheme from a month or two ago.

Coincidentally, my very first question on this list years ago was about naming conventions (or the lack thereof), too. :)

karsten
Re: [Clamav-users] As soon as Sourcefire starts charging for virus updates,
On Tue, 2007-08-28 at 13:26 -0500, Bryan Johns wrote:
> On 8/28/07, Bowie Bailey <[EMAIL PROTECTED]> wrote:
> > I'm not worried about ClamAV being acquired. At the moment, everyone is
> > saying that there are no plans to change anything. As long as that
> > remains the case, the only difference is that there is now some money
> > behind the project. If Sourcefire decides to start charging for updates
> > some time in the future, I will re-evaluate my usage of ClamAV. Until
> > then, I see no reason to worry about it.
>
> Even then, there's already been mention in this thread about forking
> off an open version and/or the existence of third-party virus db
> repositories. ClamAV appears to enjoy a great deal of community
> support in the form of patches, bug fixes, and virus submissions.
>
> SourceFire would be foolish, in my opinion, to throw that away. If I
> were part of their decision making process I'd recommend keeping it
> like it is and rolling out an "enterprise" version with an actual help
> desk for paying customers. It would also be stupid, IMHO, for the
> community to turn away from ClamAV while a free version with free
> virus updates were still available just out of anger because an
> eeevil corporation bought it and tried to make some $$$.

Amen.

guenther
Re: [Clamav-users] I need help
On Mon, 2007-08-06 at 13:47 -0400, Pedro Luis Domínguez Viqueira wrote:
> My freshclam says
>
> ERROR: Can't get information about db.us1.clamav.net: Host not found

Check your configuration. Where does that host name come from? There is no surprise here, because -- as freshclam correctly told you -- that host doesn't exist...

[EMAIL PROTECTED] ~]# grep -B3 ^.DatabaseMirror /etc/freshclam.conf
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
#DatabaseMirror db.XY.clamav.net

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
> Sent: Sunday, 05 August 2007 06:00 a.m.
> To: clamav-users@lists.clamav.net
> Subject: clamav-users Digest, Vol 35, Issue 5

[ snipping an entire digest ]

Please do *NOT* reply to any previous list post, if you actually want to start a new thread. Please *DO* remove any quotes of previous posts that are not relevant to the issue at hand.

Also, please try giving your posts a *descriptive* Subject. "help" does not help, and tends to result in fewer responses...

guenther
Re: [Clamav-users] scan taking too long
On Fri, 2007-08-03 at 16:18 -0500, Daniel J McDonald wrote:
> I've had really good success with clamav for a few years now, but I've
> had a message stuck in my queue for a week:
> Aug 3 14:54:08 sa postfix/lmtp[25237]: 9A1381196:
> to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025,
> delay=363983, delays=363554/0.02/0/428, dsn=4.5.0, status=deferred (host
> 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=25448-06,
> virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
> av-scanner FAILED: CODE(0x804bbac) Exceeded allowed time at (eval 50)
> line 309. at (eval 50) line 511.; ClamAV-clamscan av-scanner
> FAILED: /usr/bin/clamscan collect_results - reading aborted: timed out
> at /usr/sbin/amavisd line 2812. at (eval 50) line 511. (in reply to end
> of DATA command))

[...]

> The message contains a pdf:
> []$ sudo postcat -q 9A1381196 | grep Content-Type:
> Content-Type: multipart/mixed;
> Content-Type: multipart/alternative;
> Content-Type: text/plain;
> Content-Type: text/html;
> Content-Type: application/pdf;
>
> It appears to be rather large:
> []$ sudo postcat -q 9A1381196 | wc
> 118520 118856 9113939
>
> And it takes a long time when run interactively:
> []$ sudo postcat -q 9A1381196 | clamscan -
> stdin: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 142140
> Engine version: 0.91.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 25.20 MB
> Time: 488.716 sec (8 m 8 s)

Yes, the message indeed appears to be rather large... ;)

> from the content, it appears to be marketing anyway, so it's not
> critical, but advice on what to do with it would be appreciated.

Limit the size of mails for scanning in whatever calls ClamAV? Scanning huge messages takes a long time (scales worse than linear, AFAIK), and that's why you get a timeout.

guenther