Re: [clamav-users] Information about the signature database

2022-12-09 Thread Mark Allan via clamav-users
Al will probably be along shortly to correct me (he's quite good at tracking 
down when items were added to the DB), but as far as I know, the only way is to 
search the archive of posts to the clamav-virusdb mailing list.

https://lists.clamav.net/pipermail/clamav-virusdb/

Mark

> On 9 Dec 2022, at 9:37 am, Alessandro Cortina wrote:
> 
> Hello,
> 
> Is there a means by which I can see when a specific signature was inserted 
> into the signature database?
> I'm doing a digital forensics investigation and I'm trying to discover 
> how long the malware has been known to the ClamAV database.
> 
> Thanks for your support.
> 
> Alessandro

___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] [Clamav-devel] Second ClamAV 1.0.0 release candidate AND updated packages for 0.105.1

2022-11-25 Thread Mark Allan via clamav-users
I thought there was an issue with v1.0 rc2, as a comparison with a previous 
installation (0.104.1) on the same machine showed massively increased scan 
times. After about an hour of digging and laboriously comparing output from 
clamscan --debug, as well as the man pages and clamd.conf, I finally realised 
the max file size has increased.

Comments in the clamd.conf file say the default MaxFileSize is now 100MB (up 
from 25MB in 0.104.1), and it looks like there's been a corresponding increase 
in clamscan as well. Adding `--max-filesize=25M` on the command line brings 
scan times back to previous values.

There's no mention of the change to the maximum file size in the man pages for 
either clamd, clamd.conf or clamscan.

Mark


Re: [clamav-users] ClamAV 0.105 release candidate

2022-03-15 Thread Mark Allan via clamav-users

> On 15 Mar 2022, at 11:15 am, Andrew C Aitchison wrote:
> 
> On Tue, 15 Mar 2022, Joel Esler via clamav-users wrote:
> 
>> Can’t use wget.
> 
> Understood.
> Is there a way to get source and binaries via fetchclam or cvdupdate ?
> Or any other scriptable command ?
> 
> An interactive web browser is not really an acceptable requirement
> for acquiring source and binaries.

It looks like you can use wget if you spoof the user-agent string:

wget 
https://www.clamav.net/downloads/release_candidate/clamav-0.105.0-rc.tar.gz -U 
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 
Firefox/98.0"

This won't work for database updates (as has been covered many times on this 
list) but does appear to work for downloading sources...at least for now ;)

Mark 




Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-29 Thread Mark Allan via clamav-users
Hi Micah,

Apologies for the nerd-swiping!

I'm currently setting up a VM so I can install Mussels and CMake without 
messing up my current build environment - thanks for the commands.

In terms of the install location (--prefix in autotools parlance), I'd be 
inclined to go for '/usr/local' as that tends to be where 3rd party CLI tools 
live. I think '/opt' is just where MacPorts puts stuff, and most people won't 
have that directory. '/usr/local' is supplied in a standard macOS installation, 
and is deliberately hidden from the Finder to avoid being messed with by idle 
hands!

I'll get back to you once I've got the VM set up.

Mark
PS. Would you rather take this off-list?

> On 27 Jul 2021, at 11:25 pm, Micah Snyder (micasnyd) wrote:
>  
> Mark:
>  
> I’m sorry about breaking your scripts. For what it’s worth, all of the 
> dependency builds should stay the same but you’ll have to change the commands 
> for building ClamAV itself.
>  
> One of those reasons why CMake is awesome is that it’s really easy to build 
> installers. Just last week Hanspeter and I figured out how to link ClamAV 
> with a static libcurl build and have it bring along all of libcurl’s 
> dependencies. This was a roadblock for a couple things to include building a 
> PKG installer for macOS. After seeing your comments about Homebrew, and with 
> that roadblock finally removed, you successfully nerd-sniped me into figuring 
> out the rest of the macOS installer build.
>  
> I just finished a pull-request to add support to build a PKG installer for 
> Mac. I would love your input on it: 
> https://github.com/Cisco-Talos/clamav/pull/228
> Note that I picked an install path /opt/clamav rather arbitrarily.  If we’re 
> going to add a macOS PKG installer to our Downloads page, I’d appreciate 
> input on where you think it should actually install to.
>  
> My example in the PR (and commit message) rely on having used Mussels, our 
> dependency build automation tool, to build all of the static libs 
> (https://github.com/Cisco-Talos/Mussels).
> We use Mussels to build the dependencies for Windows and for Linux (for 
> OSS-Fuzz). Crafting recipes for static libs for macOS wasn’t so bad. I added 
> those last night. You can review the recipes the “clamav cookbook” uses to 
> build each dependency here: 
> https://github.com/Cisco-Talos/clamav-mussels-cookbook/
>  
> If you want to give it a try instead of using your own build tools, the 
> Mussels project page has some basic instructions but for a leg up here are 
> some commands to get you started:
>  
> python3 -m pip install mussels
> msl --help
> msl up
> msl cookbook trust clamav
> msl build --help
> msl build clamav_deps -t host-static --dry-run
> msl build clamav_deps -t host-static 
>  
> I have not yet modified the clamav recipe to build the PKG installer, since 
> the above PR hasn’t merged yet, but “msl build clamav -t host-static” should 
> also work.
>  
> Anyways, please let me know what you think.  
>  
> Respectfully,
> Micah
>  
>  
> From: clamav-users On Behalf Of Mark Allan via clamav-users
> Sent: Monday, July 26, 2021 5:27 PM
> To: ClamAV users ML
> Cc: Mark Allan
> Subject: Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is 
> here!
>  
> I find myself asking the same question. Just from a personal point of view, 
> I've invested a lot of time over the years creating scripts that pull down 
> dependencies, build & install them in the right order, and then build package 
> and deploy ClamAV. Looks like I'll now have to spend even more time, trying 
> to get my head around making them work with CMake... and for what? What 
> benefit does it bring?
>  
> Of course, I understand that this is your project and you can do whatever you 
> like with it, and that you don't owe us any explanation for doing anything, 
> but it still seems odd to change the whole build process without at least 
> saying what the benefits are.
>  
> ...and don't get me started on the official recommendation to use Homebrew on 
> macOS.
>  
> Regards
> Mark
> 
> 
> On 26 Jul 2021, at 4:35 pm, Rick Cooper wrote:
>  
> And what, exactly, is the reason for moving to cmake? I am sure you know it's 
> going to be problematic for thousands of people so I am curious what 
> tremendous gain of speed, size, memory usage or security the other users get 
>

Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is here!

2021-07-26 Thread Mark Allan via clamav-users
I find myself asking the same question. Just from a personal point of view, 
I've invested a lot of time over the years creating scripts that pull down 
dependencies, build & install them in the right order, and then build package 
and deploy ClamAV. Looks like I'll now have to spend even more time, trying to 
get my head around making them work with CMake... and for what? What benefit 
does it bring?

Of course, I understand that this is your project and you can do whatever you 
like with it, and that you don't owe us any explanation for doing anything, but 
it still seems odd to change the whole build process without at least saying 
what the benefits are.

...and don't get me started on the official recommendation to use Homebrew on 
macOS.

Regards
Mark

> On 26 Jul 2021, at 4:35 pm, Rick Cooper wrote:
> 
> And what, exactly, is the reason for moving to cmake? I am sure you know it's 
> going to be problematic for thousands of people so I am curious what 
> tremendous gain of speed, size, memory usage or security the other users get 
> from this change, or if it's just a convenience thing for the developers?
>  
>  
> 
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
> Of Joel Esler (jesler) via clamav-users
> Sent: Thursday, July 22, 2021 12:19 PM
> To: ClamAV users ML; ClamAV Development
> Cc: Joel Esler (jesler)
> Subject: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Release Candidate is 
> here!
> 
> 
>> 
>> https://blog.clamav.net/2021/07/clamav-01040-release-candidate-is-here.html 
>> 
>> 
>> ClamAV 0.104.0 Release Candidate is here!
>> 
>> We are pleased to announce the ClamAV 0.104.0 release candidate.
>> 
>> Please help us validate this release. We need your feedback, so let us know 
>> what you find and join us on the ClamAV mailing list, or on our Discord, 
>> which is bridged with our IRC.
>> 
>> This release candidate phase is only expected to last about two to four 
>> weeks before the 0.104.0 Stable version will be published. Take this 
>> opportunity to verify that 0.104.0 can build and run in your 
>> environment. 
>> 
>> Please submit bug reports to the ClamAV project GitHub Issues.
>> ClamAV 0.104.0 includes the following improvements and changes.
>> 
>>  
>> 
>> New Requirements
>> 
>> As of ClamAV 0.104, CMake is required to build ClamAV.
>> 
>> We have added comprehensive build instructions for using CMake to the new 
>> INSTALL.md file. The online documentation will also be updated to include 
>> CMake build instructions.
>> The Autotools and the Visual Studio build systems have been removed.
>>  
>> Major changes
>> 
>> The built-in LLVM for the bytecode runtime has been removed.
>> 
>> The bytecode interpreter is the default runtime for bytecode signatures just 
>> as it was in ClamAV 0.103.
>> We wished to add support for newer versions of LLVM, but ran out of time. If 
>> you're building ClamAV from source and you wish to use LLVM instead of the 
>> bytecode interpreter, you will need to supply the development libraries for 
>> LLVM version 3.6.2. See INSTALL.md to learn more.
>> There are now official ClamAV images on Docker Hub.
>> 
>> Note: Until ClamAV 0.104.0 is released, these images are limited to 
>> "unstable" versions, which are updated daily with the latest changes in the 
>> default branch on GitHub.
>> You can find the images on Docker Hub under clamav.
>> 
>> Docker Hub ClamAV tags:
>> 
>> clamav/clamav:: A release preloaded with signature databases.
>> 
>> Using this container will save the ClamAV project some bandwidth. Use this 
>> if you will keep the image around so that you don't download the entire 
>> database set every time you start a new container. Updating with FreshClam 
>> from the existing databases set does not use much data.
>> 
>> clamav/clamav:_base: A release with no signature databases.
>> 
>> Use this container only if you mount a volume in your container under 
>> /var/lib/clamav to persist your signature databases. This method is 
>> the best option because it will reduce data costs for ClamAV and for the 
>> Docker registry, but it does require advanced familiarity with Linux and 
>> Docker.
>> 
>>> Caution: Using this image without mounting an existing database directory 
>>> will cause FreshClam to download the entire database set each time you 
>>> start a new container.
>>> 
>> 
>> You can use the unstable version (i.e. clamav/clamav:unstable or 
>> clamav/clamav:unstable_base) to try the latest from our development branch.
>> 
>> 

Re: [clamav-users] New Main & Daily CVD's are incoming

2021-07-13 Thread Mark Allan via clamav-users
According to the man page (and freshclam.conf) "ScriptedUpdates" is what ClamAV 
calls the mechanism for performing daily incremental updates via cdiff files 
rather than downloading the whole cvd.

Are you providing cdiff files for both main.cvd and daily.cvd or just the cvd 
files?

Regards
Mark

> On 13 Jul 2021, at 3:55 pm, Joel Esler (jesler) wrote:
> 
> I am not sure what you mean by “scripted updates”?  If you are using 
> FreshClam or cvdupdate, your downloads should happen fine.
> 
>> On Jul 13, 2021, at 10:29 AM, Mark Allan via clamav-users wrote:
>> 
>> Hi Joel,
>> 
>> Will you be posting scripted updates for main.cvd and daily.cvd or just the 
>> new cvd files in their entirety? I seem to remember processing the cdiff 
>> files caused a lot of problems for people the last time main.cvd was updated.
>> 
>> Mark
>> 
>>> On 13 Jul 2021, at 3:05 pm, Joel Esler (jesler) via clamav-users wrote:
>>> 
>>> Tomorrow, Wednesday July 14th, we are planning on publishing a brand new 
>>> main.cvd and daily.cvd, as we do periodically to move more of the long term 
>>> signatures into the main.cvd and make the daily.cvd smaller again.  
>>> 
>>> This will have an impact on your downloads of these files (as every ClamAV 
>>> instance will have to re-download both files), so you may see a spike in 
>>> your bandwidth usage.
>>> 
>>> We will monitor the situation on the mirror side and make any adjustments 
>>> necessary, but we anticipate no issues.
>>> 
>>> https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html
>>> 




Re: [clamav-users] New Main & Daily CVD's are incoming

2021-07-13 Thread Mark Allan via clamav-users
Hi Joel,

Will you be posting scripted updates for main.cvd and daily.cvd or just the new 
cvd files in their entirety? I seem to remember processing the cdiff files 
caused a lot of problems for people the last time main.cvd was updated.

Mark

> On 13 Jul 2021, at 3:05 pm, Joel Esler (jesler) via clamav-users 
>  wrote:
> 
> Tomorrow, Wednesday July 14th, we are planning on publishing a brand new 
> main.cvd and daily.cvd, as we do periodically to move more of the long term 
> signatures into the main.cvd and make the daily.cvd smaller again.  
> 
> This will have an impact on your downloads of these files (as every ClamAV 
> instance will have to re-download both files), so you may see a spike in your 
> bandwidth usage.
> 
> We will monitor the situation on the mirror side and make any adjustments 
> necessary, but we anticipate no issues.
> 
> https://blog.clamav.net/2021/07/new-main-daily-cvds-are-incoming.html 
> 
> 
> -- 
> Joel Esler
> Manager, Communities Division
> Cisco Talos Intelligence Group
> https://www.talosintelligence.com | https://www.snort.org | https://www.clamav.net
> 




Re: [clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

2020-12-14 Thread Mark Allan via clamav-users
Hi Sandeep,

There's no need to convert them. Just put them straight into the clamav 
database directory and call them whatever_you_want.ldb, e.g. 
/var/lib/clamav/fireeye.ldb

As long as the name you choose doesn't conflict with ClamAV's naming (e.g. 
main/daily/bytecode, etc.), the only bits you need to worry about are keeping 
the 'ldb' extension, and ensuring the files are in the correct location with 
the correct ownership and permissions.

Mark

> On 14 Dec 2020, at 8:33 pm, Sandeep Talla wrote:
> 
> Hi All,
> 
> We have ClamAV installed on Ubuntu. On Ubuntu, the rules can be specified or 
> modified under the directory /var/lib/clamav/main.cvd. However, we are 
> trying to consume ClamAV rules from FireEye, as shown in the link below, which 
> is an .ldb file, and we are trying to convert it to .cvd format. 
> 
> Could you please let us know the steps on how to convert the .ldb to .cvd? Or 
> how to consume the .ldb file in Ubuntu? 
> 
> 
> FireEye: 
> https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-clam.ldb
>  
> 
> 
> Thank you for your time and consideration.
> 
> -- 
> Thanks,
> Sandeep
> 




Re: [clamav-users] Clamd crashes frequently - macOS Catalina

2020-05-07 Thread Mark Allan via clamav-users
Hi Micah,

Curiously it only seems to affect clamd/clamdscan. The standalone clamscan 
doesn't appear to be affected, which means it took quite a while to track down 
the file which causes the crash.

The signature in question is Email.Exploit.Efail-6641027-1

The file triggering the crash for me is 'actionmailer-2.2.2.gem', a gem within 
the Ruby framework on Mac OS X 10.6.8:


/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/cache/actionmailer-2.2.2.gem

SHA-256 164de36ca0e858ccc9bd3e33ae1ee3d3bb9f964f7d941621b3bec725945af5fe

I've uploaded it to VirusTotal.

For what it's worth, I was wrong about the version of lib-pcre that we're 
using. Our current build runs with pcre2 (10.32) but our test machine in 
question was using an older version of ClamAV (0.100.1) which was compiled with 
pcre 8.41.

Still quite surprising that a signature can bring down clamd though.

Hope the above is useful.

Best regards
Mark 

> On 5 May 2020, at 6:28 pm, Micah Snyder (micasnyd) wrote:
> 
> Mark,
>  
> It probably won’t make much difference, though there is a possible slow scan 
> time issue in pcre2 10.32 for case-insensitive patterns.
>  
> If you have a sample and signature that cause the issue, I’d love a copy so I 
> can investigate further.
>  
> -Micah
>  
> From: Mark Allan 
> Date: Tuesday, May 5, 2020 at 5:20 AM
> To: ClamAV users ML , Micah Snyder (micasnyd) 
> 
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi Micah, 
>  
> Al is correct, we're using 10.32. I see 10.34 is now available, so I'll 
> compile against that when I get a chance and see if it makes any difference.
>  
> Mark
> 
> 
> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users wrote:
>  
> Micah,
>  
> Looks to be 10.32, but Mark should be along shortly to confirm.
>  
> -Al-
> 
> 
> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users wrote:
>  
> Hi Mark, 
>  
> Which pcre2 version are you using?
>  
> Regards,
> Micah
>  
> From: clamav-users
> Date: Saturday, May 2, 2020 at 5:50 PM
> To: ClamAV users ML
> Cc: Mark Allan
> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
> 
> Hi James,
>  
> Glad that seems to have helped.
>  
> Al and others are correct that the distro should be updated to use pcre2, but 
> I'm not convinced that's the root of the problem. We're seeing the issue with 
> that signature despite already using pcre2 in our build.
>  
> Mark
> 
> 
> 
> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users wrote:
>  
> Although I completely support what Mark has recommended, I would caution that 
> there could easily be a future signature that will cause this same issue if 
> the root cause of not upgrading to pcre2 is not accomplished, and figuring 
> out what signature that is won’t be easy.
> 
> Sent from my iPad
>  
> -Al-
> 
> 
> 
> On May 1, 2020, at 18:38, James Brown via clamav-users wrote:
> 
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users wrote:
>  
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>  
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like 
> that sig was causing the problem.
>  
> James.
> 
> 

Re: [clamav-users] Clamd crashes frequently - macOS Catalina

2020-05-05 Thread Mark Allan via clamav-users
Hi Micah,

Al is correct, we're using 10.32. I see 10.34 is now available, so I'll compile 
against that when I get a chance and see if it makes any difference.

Mark

> On 5 May 2020, at 6:25 am, Al Varnell via clamav-users 
>  wrote:
> 
> Micah,
> 
> Looks to be 10.32, but Mark should be along shortly to confirm.
> 
> -Al-
> 
>> On May 4, 2020, at 13:23, Micah Snyder (micasnyd) via clamav-users wrote:
>> 
>> Hi Mark, 
>>  
>> Which pcre2 version are you using?
>>  
>> Regards,
>> Micah
>>  
>> From: clamav-users
>> Date: Saturday, May 2, 2020 at 5:50 PM
>> To: ClamAV users ML
>> Cc: Mark Allan
>> Subject: Re: [clamav-users] Clamd crashes frequently - macOS Catalina
>> 
>> Hi James,
>>  
>> Glad that seems to have helped.
>>  
>> Al and others are correct that the distro should be updated to use pcre2, 
>> but I'm not convinced that's the root of the problem. We're seeing the issue 
>> with that signature despite already using pcre2 in our build.
>>  
>> Mark
>> 
>> 
>> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users wrote:
>>  
>> Although I completely support what Mark has recommended, I would caution that 
>> there could easily be a future signature that will cause this same issue if 
>> the root cause of not upgrading to pcre2 is not accomplished, and figuring 
>> out what signature that is won’t be easy.
>> 
>> Sent from my iPad
>>  
>> -Al-
>> 
>> 
>> On May 1, 2020, at 18:38, James Brown via clamav-users wrote:
>> 
>> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users wrote:
>>  
>> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>>  
>> Thanks Mark. After over 12 hours clamd is still up and running. Looks like 
>> that sig was causing the problem.
>>  
>> James.
>> 




Re: [clamav-users] Clamd crashes frequently - macOS Catalina

2020-05-02 Thread Mark Allan via clamav-users
Hi James,

Glad that seems to have helped.

Al and others are correct that the distro should be updated to use pcre2, but 
I'm not convinced that's the root of the problem. We're seeing the issue with 
that signature despite already using pcre2 in our build.

Mark

> On 2 May 2020, at 3:45 am, Al Varnell via clamav-users 
>  wrote:
> 
> Although I completely support what Mark has recommended, I would caution that 
> there could easily be a future signature that will cause this same issue if 
> the root cause of not upgrading to pcre2 is not accomplished, and figuring 
> out what signature that is won’t be easy.
> 
> Sent from my iPad
> 
> -Al-
> 
>> On May 1, 2020, at 18:38, James Brown via clamav-users wrote:
>> 
>> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users wrote:
>>> 
>>> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>> 
>> Thanks Mark. After over 12 hours clamd is still up and running. Looks like 
>> that sig was causing the problem.
>> 
>> James.
>> 




Re: [clamav-users] Clamd crashes frequently - macOS Catalina

2020-05-01 Thread Mark Allan via clamav-users
Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set. You can 
do that by adding the signature name to a file called anything_you_like.ign2 
and putting it in your database directory.

We had an issue with something crashing clamd and we strongly suspect that 
signature is to blame. It hasn't crashed since we started excluding it from the 
DB.

Mark

> On 1 May 2020, at 7:15 am, James Brown via clamav-users 
>  wrote:
> 
> Getting lots of crashes of clamd. No indication of an issue in the clamd.log.
> 
> Installed via Homebrew.
> 
> Crash Report has:
> Process:   clamd [29231]
> Path:  /usr/local/Cellar/clamav/0.102.2/sbin/clamd
> Identifier:clamd
> Version:   0
> Code Type: X86-64 (Native)
> 
> Crashed Thread:2
> 
> Exception Type:EXC_BAD_ACCESS (SIGBUS)
> Exception Codes:   KERN_PROTECTION_FAILURE at 0x70a1cfa8
> Exception Note:EXC_CORPSE_NOTIFY
> 
> Termination Signal:Bus error: 10
> Termination Reason:Namespace SIGNAL, Code 0xa
> Terminating Process:   exc handler [29231]
> 
> VM Regions Near 0x70a1cfa8:
>Stack  7099a000-70a1c000 [  520K] rw-/rwx 
> SM=COW  thread 1
> --> STACK GUARD70a1c000-70a1d000 [4K] ---/rwx 
> SM=NUL  stack guard for thread 2
>Stack  70a1d000-70b1f000 [ 1032K] rw-/rwx 
> SM=COW  thread 2
> 
> Application Specific Information:
> crashed on child side of fork pre-exec
> 
> Thread 0:: Dispatch queue: com.apple.main-thread
> 0   libsystem_kernel.dylib0x7fff6f6883d6 poll + 10
> 1   clamd 0x0001001c2bbe fds_poll_recv + 426
> 2   clamd 0x0001001c06c1 recvloop_th + 9039
> 3   clamd 0x0001001bb76b main + 5428
> 4   libdyld.dylib 0x7fff6f540cc9 start + 1
> 
> Thread 1:
> 0   libsystem_kernel.dylib0x7fff6f6883d6 poll + 10
> 1   clamd 0x0001001c2bbe fds_poll_recv + 426
> 2   clamd 0x0001001c0b57 acceptloop_th + 114
> 3   libsystem_pthread.dylib   0x7fff6f745109 _pthread_start + 148
> 4   libsystem_pthread.dylib   0x7fff6f740b8b thread_start + 15
> 
> Thread 2 Crashed:
> 0   libpcre.0.dylib   0x7fff6e41eae6 0x7fff6e40a000 + 
> 84710
> 1   libpcre.0.dylib   0x7fff6e41edea 0x7fff6e40a000 + 
> 85482
> 2   libpcre.0.dylib   0x7fff6e42d10c 0x7fff6e40a000 + 
> 143628
> 3   libpcre.0.dylib   0x7fff6e42d10c 0x7fff6e40a000 + 
> 143628
> 4   libpcre.0.dylib   0x7fff6e42d10c 0x7fff6e40a000 + 
> 143628
> 
> Etc
> 
> Thread 2 crashed with X86 Thread State (64-bit):
>  rax: 0x076c  rbx: 0x7fda45f3b432  rcx: 0x0006  
> rdx: 0x0001047437ab
>  rdi: 0x000104743f2d  rsi: 0x7fda45f3b435  rbp: 0x70a1d0d0  
> rsp: 0x70a1cec0
>   r8: 0x70b196a0   r9: 0x0006  r10: 0x007e  
> r11: 0x00800083
>  r12: 0x000104743f2d  r13: 0x  r14: 0x  
> r15: 0x
>  rip: 0x7fff6e41eae6  rfl: 0x00010206  cr2: 0x70a1cfa8
> 
> Logical CPU: 8
> Error Code:  0x0006 (no mapping for user data write)
> Trap Number: 14
> 
> 
> I use a number of the third party sigs, securite.info, sanesecurity, Malware 
> Patrol, etc. Updating those or running Freshclam does not crash clamd. 
> 
> Any ideas what could be causing this?
> 
> Thanks,
> 
> James.
> ___
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml




Re: [clamav-users] [External] Re: Scan very slow

2019-04-18 Thread Mark Allan via clamav-users
Fantastic! I can also confirm that scan times are back to normal now -
more-or-less back to what they were in early February.

The time for one of our FP test volumes which I've been referencing in this
thread is back down to 3m 30s, and the total time for our *full* FP test is
back down from several hours to just 47 minutes.

Thank you!
Mark

On Thu, 18 Apr 2019 at 09:46, Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Looks like all Phish.Phishing.REPHISH_ID_... signatures were dropped by
> daily-25423 today.
>
> -Al-
>
> On Apr 17, 2019, at 04:02, Al Varnell  wrote:
>
> There are still 2515 "Phish.Phishing.REPHISH_ID_" signatures in
> daily.ldb
>
> -Al-
>
> On Apr 17, 2019, at 03:36, Maarten Broekman 
> wrote:
>
> Are the "Phish" REPHISH signatures still in the daily or were they removed
> as well? Those were causing part of the issue.
>
>
> --Maarten
>
> On Wed, Apr 17, 2019 at 5:24 AM Al Varnell via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>> An additional 3968 Phishtank.Phishing.PHISH_ID_??? signatures were
>> dropped by daily-25417 on 12 April, and I can't seem to locate any more.
>>
>> -Al-
>>
>> On Apr 17, 2019, at 02:01, Mark Allan via clamav-users <
>> clamav-users@lists.clamav.net> wrote:
>>
>> Hi Micah,
>>
>> Sorry to pester you, but have you any update on when the remaining
>> Phishtank signatures will be getting removed? It would be really great to
>> get scan times properly back to normal.
>>
>> Best regards
>> Mark
>>
>> On Tue, 9 Apr 2019 at 16:32, Micah Snyder (micasnyd) 
>> wrote:
>>
>>> Mark,
>>>
>>>
>>> Yes, the plan is still to remove the rest of the Phishtank signatures.
>>> We wanted to get things back to relative normal and resolve the immediate
>>> crisis.  We’ll remove the rest of them soon.
>>>
>>>
>>>
>>> Best,
>>>
>>> Micah
>>>
>>>
>>>
>>> *From: *Mark Allan 
>>> *Date: *Tuesday, April 9, 2019 at 6:26 AM
>>> *To: *"Micah Snyder (micasnyd)" 
>>> *Cc: *ClamAV users ML 
>>> *Subject: *Re: [External] Re: [clamav-users] Scan very slow
>>>
>>>
>>>
>>> The scan times are definitely better than they were - in fact, they're
>>> back to how they were before last week's inclusion of the Phishtank
>>> signatures. They're still almost double what they used to be though, and as
>>> far as I can see, there are still almost 4000 Phishtank signatures in the
>>> DB:
>>>
>>> $ sigtool --find Phishtank | wc -l
>>>
>>> 3968
>>>
>>>
>>>
>>> Can I request that those ones also be removed please?
>>>
>>>
>>>
>>> Best regards
>>>
>>> Mark
>>>
>>>
>>>
>>> On Sun, 7 Apr 2019 at 14:43, Micah Snyder (micasnyd) 
>>> wrote:
>>>
>>> Tim,
>>>
>>>
>>>
>>> There are a couple of ways for users to drop specific categories of
>>> signatures at this time.  Sadly, they wouldn’t have helped this last week.
>>> These include bytecode signatures, PUA (potentially unwanted applications)
>>> signatures, Email.Phishing and HTML.Phishing signatures, and the
>>> Safebrowsing database.
>>>
>>>
>>>
>>> If we had named the Phishtank.Phishing sigs to HTML.Phishing.Phishtank
>>> or Email.Phishing.Phishtank then they could have been disabled with the
>>> clamscan option `--phishing-sigs=no` (clamd.conf: `PhishingSignatures no`).
>>>
>>>
>>>
>>> Maybe a better option would be for us to create a new optional database
>>> for phishing signatures. However, the names for the databases are hardcoded
>>> into freshclam, so it is non-trivial to add a new database and would
>>> require a few changes to ClamAV’s code. We have talked about making the
>>> databases easier to add/remove in the future so users can have more
>>> categories to enable/disable. In this light, it ties in well with existing
>>> plans.
>>>
>>>
>>>
>>> Of note the Phishtank sigs from Friday’s daily were removed yesterday
>>> and scan times should be back to normal.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Micah
>>>
>>>
>>>
>>> *From: *Tim Hawkins 
>>> *Date: *Friday, April 5, 2019 at 6:06 PM
>>>

Re: [clamav-users] [External] Re: Scan very slow

2019-04-17 Thread Mark Allan via clamav-users
Hi Micah,

Sorry to pester you, but have you any update on when the remaining
Phishtank signatures will be getting removed? It would be really great to
get scan times properly back to normal.

Best regards
Mark

On Tue, 9 Apr 2019 at 16:32, Micah Snyder (micasnyd) 
wrote:

> Mark,
>
>
> Yes, the plan is still to remove the rest of the Phishtank signatures.  We
> wanted to get things back to relative normal and resolve the immediate
> crisis.  We’ll remove the rest of them soon.
>
>
>
> Best,
>
> Micah
>
>
>
> *From: *Mark Allan 
> *Date: *Tuesday, April 9, 2019 at 6:26 AM
> *To: *"Micah Snyder (micasnyd)" 
> *Cc: *ClamAV users ML 
> *Subject: *Re: [External] Re: [clamav-users] Scan very slow
>
>
>
> The scan times are definitely better than they were - in fact, they're
> back to how they were before last week's inclusion of the Phishtank
> signatures. They're still almost double what they used to be though, and as
> far as I can see, there are still almost 4000 Phishtank signatures in the
> DB:
>
> $ sigtool --find Phishtank | wc -l
>
> 3968
>
>
>
> Can I request that those ones also be removed please?
>
>
>
> Best regards
>
> Mark
>
>
>
> On Sun, 7 Apr 2019 at 14:43, Micah Snyder (micasnyd) 
> wrote:
>
> Tim,
>
>
>
> There are a couple of ways for users to drop specific categories of
> signatures at this time.  Sadly, they wouldn’t have helped this last week.
> These include bytecode signatures, PUA (potentially unwanted applications)
> signatures, Email.Phishing and HTML.Phishing signatures, and the
> Safebrowsing database.
>
>
>
> If we had named the Phishtank.Phishing sigs to HTML.Phishing.Phishtank or
> Email.Phishing.Phishtank then they could have been disabled with the
> clamscan option `--phishing-sigs=no` (clamd.conf: `PhishingSignatures no`).
>
>
>
> Maybe a better option would be for us to create a new optional database
> for phishing signatures. However, the names for the databases are hardcoded
> into freshclam, so it is non-trivial to add a new database and would
> require a few changes to ClamAV’s code. We have talked about making the
> databases easier to add/remove in the future so users can have more
> categories to enable/disable. In this light, it ties in well with existing
> plans.
>
>
>
> Of note the Phishtank sigs from Friday’s daily were removed yesterday and
> scan times should be back to normal.
>
>
>
> Regards,
>
> Micah
>
>
>
> *From: *Tim Hawkins 
> *Date: *Friday, April 5, 2019 at 6:06 PM
> *To: *ClamAV users ML , Mark Allan <
> markjal...@gmail.com>
> *Cc: *"Micah Snyder (micasnyd)" 
> *Subject: *Re: [External] Re: [clamav-users] Scan very slow
>
>
>
> Hi Micah
>
>
> Does clamav partition the database so that signatures that are mainly
> associated with email scanning can be dropped out for folks only needing
> filesystem scans, none of our systems use email, and we don't make use of
> the mailer extension.
>
> Having to load all the email focused signatures could as you have observed
> impact performance.
>
> Sent from Nine <http://www.9folders.com/>
> --
>
> *From:* "Micah Snyder (micasnyd) via clamav-users" <
> clamav-users@lists.clamav.net>
> *Sent:* Saturday, April 6, 2019 03:18
> *To:* ClamAV users ML; Mark Allan
> *Cc:* Micah Snyder (micasnyd)
> *Subject:* [External] Re: [clamav-users] Scan very slow
>
>
>
> Regarding slow scan times today (and slow scan times in general), it
> appears that the signatures we generate based on PhishTank’s feed for
> phishing URLs are resulting in very slow load and scan times.
>
>
>
> Today’s daily update saw 7448 new Phishtank signatures (much higher than
> usual) coinciding with the immediate performance drop for load time and
> scan time.  One user reported that the load time today on some of his
> slower machines was slow enough to exceed the timeout for service startup (
> https://bugzilla.clamav.net/show_bug.cgi?id=12317).
>
>
>
> In limited testing on my own machine I saw the following change after
> dropping the Phishtank.Phishing signatures from daily.cvd’s daily.ldb file:
>
>- Database load time on my laptop went from 75.43203997612 seconds
>down to 14.859203100204468 seconds
>- Scan time (for an arbitrary pdf) went from 1.798 sec to 0.644 sec.
>
>
>
> After some discussion between the teams that work on ClamAV and ClamAV
> signature content and deployment, we’ve agreed to drop PhishTank signatures
> from the database until we can determine a way to craft Phishtank
> signatures without incurring such a si

Re: [clamav-users] [External] Re: Scan very slow

2019-04-09 Thread Mark Allan via clamav-users
The scan times are definitely better than they were - in fact, they're back
to how they were before last week's inclusion of the Phishtank signatures.
They're still almost double what they used to be though, and as far as I
can see, there are still almost 4000 Phishtank signatures in the DB:
$ sigtool --find Phishtank | wc -l
3968

Can I request that those ones also be removed please?

Best regards
Mark

On Sun, 7 Apr 2019 at 14:43, Micah Snyder (micasnyd) 
wrote:

> Tim,
>
>
>
> There are a couple of ways for users to drop specific categories of
> signatures at this time.  Sadly, they wouldn’t have helped this last week.
> These include bytecode signatures, PUA (potentially unwanted applications)
> signatures, Email.Phishing and HTML.Phishing signatures, and the
> Safebrowsing database.
>
>
>
> If we had named the Phishtank.Phishing sigs to HTML.Phishing.Phishtank or
> Email.Phishing.Phishtank then they could have been disabled with the
> clamscan option `--phishing-sigs=no` (clamd.conf: `PhishingSignatures no`).
>
>
>
> Maybe a better option would be for us to create a new optional database
> for phishing signatures. However, the names for the databases are hardcoded
> into freshclam, so it is non-trivial to add a new database and would
> require a few changes to ClamAV’s code. We have talked about making the
> databases easier to add/remove in the future so users can have more
> categories to enable/disable. In this light, it ties in well with existing
> plans.
>
>
>
> Of note the Phishtank sigs from Friday’s daily were removed yesterday and
> scan times should be back to normal.
>
>
>
> Regards,
>
> Micah
>
>
>
> *From: *Tim Hawkins 
> *Date: *Friday, April 5, 2019 at 6:06 PM
> *To: *ClamAV users ML , Mark Allan <
> markjal...@gmail.com>
> *Cc: *"Micah Snyder (micasnyd)" 
> *Subject: *Re: [External] Re: [clamav-users] Scan very slow
>
>
>
> Hi Micah
>
>
> Does clamav partition the database so that signatures that are mainly
> associated with email scanning can be dropped out for folks only needing
> filesystem scans, none of our systems use email, and we don't make use of
> the mailer extension.
>
> Having to load all the email focused signatures could as you have observed
> impact performance.
>
> Sent from Nine <http://www.9folders.com/>
> --
>
> *From:* "Micah Snyder (micasnyd) via clamav-users" <
> clamav-users@lists.clamav.net>
> *Sent:* Saturday, April 6, 2019 03:18
> *To:* ClamAV users ML; Mark Allan
> *Cc:* Micah Snyder (micasnyd)
> *Subject:* [External] Re: [clamav-users] Scan very slow
>
>
>
> Regarding slow scan times today (and slow scan times in general), it
> appears that the signatures we generate based on PhishTank’s feed for
> phishing URLs are resulting in very slow load and scan times.
>
>
>
> Today’s daily update saw 7448 new Phishtank signatures (much higher than
> usual) coinciding with the immediate performance drop for load time and
> scan time.  One user reported that the load time today on some of his
> slower machines was slow enough to exceed the timeout for service startup (
> https://bugzilla.clamav.net/show_bug.cgi?id=12317).
>
>
>
> In limited testing on my own machine I saw the following change after
> dropping the Phishtank.Phishing signatures from daily.cvd’s daily.ldb file:
>
>- Database load time on my laptop went from 75.43203997612 seconds
>down to 14.859203100204468 seconds
>- Scan time (for an arbitrary pdf) went from 1.798 sec to 0.644 sec.
>
>
>
> After some discussion between the teams that work on ClamAV and ClamAV
> signature content and deployment, we’ve agreed to drop PhishTank signatures
> from the database until we can determine a way to craft Phishtank
> signatures without incurring such a significant performance hit.
>
>
>
> The daily update tomorrow will have the change.
>
>
>
> -Micah
>
>
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
>
>
>
>
>
> *From: *clamav-users  on behalf of
> "Micah Snyder (micasnyd) via clamav-users" 
> *Reply-To: *ClamAV users ML 
> *Date: *Friday, April 5, 2019 at 1:08 PM
> *To: *Mark Allan , ClamAV users ML <
> clamav-users@lists.clamav.net>
> *Cc: *"Micah Snyder (micasnyd)" 
> *Subject: *Re: [clamav-users] Scan very slow
>
>
>
> Hi Mark,
>
>
>
> Sorry about the delay in responding.  I hadn’t looked at my clamav-users
> filter this morning.  Just investigating now.  Will respond when I know
> more.
>
>
>
> -Micah
>
>
>
> *From: *Mark Allan 
> *D

Re: [clamav-users] Scan very slow

2019-04-05 Thread Mark Allan via clamav-users
Also CC'ing Micah directly as the mailing list would appear to be offline
(at least lists.clamav.net isn't responding to http requests anyway)

It looks like scan times have gone through the roof. As Oya said, they're
still considerably higher than they were a couple of months ago, but
today's scan time is insane.

Yesterday's scan using
0.101.2:58:25409:1554370140:1:63:48554:328
took 7m 3s

On the same hardware, scanning the same read-only disk image, with today's
scan using
0.101.2:58:25410:1554452941:1:63:48557:328
the scan time has jumped to 26m 15s

This is the longest it has ever taken to scan this volume (cf my previous
email of 25th March)

Is there anything that can be excluded?

Best regards
Mark

On Mon, 1 Apr 2019 at 17:11, Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Thanks Oya for the update.  We will continue to investigate the signature
> performance issue.
>
> Regards,
> Micah
>
> On 3/28/19, 9:50 AM, "clamav-users on behalf of Tsutomu Oyamada" <
> clamav-users-boun...@lists.clamav.net on behalf of oyam...@promark-inc.com>
> wrote:
>
> Hi Micah
>
> It seems that the  scanning slow down issue of this time has been
> solved
> at some level with CVD Update of the other day.
> However, there is still big discrepancy in between the current
> condition and
> the last condition in one month ago.
>
> DateFiles   Scan time
> 2019/02/15  2550338 08:53:57
> 2019/03/15  2612792 19:22:54
> 2019/03/26  2634489 18:13:56
> 2019/03/27  2637201 18:10:05
>
> We know the improvement of this time is due to the details of CVD,
> because
> we did not make any change on the user's system.
> We are going to try some tuning for scanning.
>
> We like to know if you still have some room to make further improvement
> for this slow down issue.
> Thank you for your help, in advance.
>
> Best regards,
> Oya
>
> On Mon, 25 Mar 2019 15:45:02 +
> "Micah Snyder \(micasnyd\) via clamav-users" <
> clamav-users@lists.clamav.net> wrote:
>
> > Hi Mark, all:
> >
> > I’m disappointed to hear that it is still slow for you.
> >
> > We found that the target-type of signatures used for
> PhishTank.Phishing signatures were causing a significant slowdown.   We
> have dropped them as of this past Saturday (
> https://lists.gt.net/clamav/virusdb/75279 ) and in the last two updates
> have been re-adding them with more specific scan target types.  We’re now
> investigating some other optimizations we can make for the next major
> ClamAV release to improve scan times but at present we don’t have any other
> leads for signatures that may be slowing down scans.
> >
> > Regards,
> > Micah
> >
> >
> > From: clamav-users  on
> behalf of Mark Allan via clamav-users 
> > Reply-To: ClamAV users ML 
> > Date: Monday, March 25, 2019 at 9:37 AM
> > To: ClamAV users ML 
> > Cc: Mark Allan 
> > Subject: Re: [clamav-users] Scan very slow
> >
> > Cheers Steve,
> >
> > In the interest of completeness, here's the scan from today (TXT
> from DNS: 0.101.1:58:25399:1553509741:1:63:48528:328) showing a marked
> improvement in scan time, although at 6m 7s it's still almost twice what it
> used to be.
> >
> > Mark
> >
> > On Mon, 25 Mar 2019 at 12:56, Steve Basford <
> steveb_cla...@sanesecurity.com<mailto:steveb_cla...@sanesecurity.com>>
> wrote:
> > On 2019-03-25 10:52, Mark Allan via clamav-users wrote:
> > > Hi all,
> > >
> > te.
> > >
> > > Hopefully this helps someone to narrow things down a bit.
> > >
> > > Mark
> > >
> >
> > 18/3/19 10m 49s TXT from DNS:
> > 0.101.1:58:25392:1552904941:1:63:48507:328  ***
> >
> > Here's the changes for the above update:
> >
> > https://lists.gt.net/clamav/virusdb/75154
> >
> > You can also check sigs quickly per update:
> >
> > https://lists.gt.net/clamav/virusdb/
> >
> >
> >
> > --
> > Cheers,
> >
> > Steve
> > Twitter: @sanesecurity
> >
> > ___
> >
> > clamav-users mailing list
> > clamav-users@lists.clamav.net<mailto:clamav-users@lists.c

Re: [clamav-users] Scan very slow

2019-03-25 Thread Mark Allan via clamav-users
Cheers Steve,

In the interest of completeness, here's the scan from today (TXT from DNS:
0.101.1:58:25399:1553509741:1:63:48528:328) showing a marked improvement in
scan time, although at 6m 7s it's still almost twice what it used to be.

Mark

On Mon, 25 Mar 2019 at 12:56, Steve Basford 
wrote:

> On 2019-03-25 10:52, Mark Allan via clamav-users wrote:
> > Hi all,
> >
> te.
> >
> > Hopefully this helps someone to narrow things down a bit.
> >
> > Mark
> >
>
> 18/3/19 10m 49s TXT from DNS:
> 0.101.1:58:25392:1552904941:1:63:48507:328  ***
>
> Here's the changes for the above update:
>
> https://lists.gt.net/clamav/virusdb/75154
>
> You can also check sigs quickly per update:
>
> https://lists.gt.net/clamav/virusdb/
>
>
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>
>



Re: [clamav-users] Scan very slow

2019-03-25 Thread Mark Allan via clamav-users
Hi all,

We've been experiencing this slowdown too.  We run every DB update through
an extra FP test against a number of recent Mac OS installs (OS X 10.6 -
10.14, as well as some well-known 3rd party apps) just to weed out any
potentially overzealous signatures. On the new Mac Minis this FP test used
to take around 45 minutes to complete, it now takes almost 3 hours (176
minutes).

From our logs, looking only at the smallest disk we check (Mac OS X 10.6.8)
I've managed to compile the following list of dates, scan times and ClamAV
DB version numbers. For months, the 10.6 disk used to take around 3m 20s to
scan. It always jumped up and down a bit, but really hasn't been right
since around the middle of February.

The list is best viewed using a mono-spaced font. I've marked (with 3
asterisks) scans where the time seems to indicate an issue with the DB
update.

Hopefully this helps someone to narrow things down a bit.
Mark

dd/mm/yy duration DNS Txt
5/2/19 3m 14s TXT from DNS: 0.101.1:58:25351:1549376940:1:63:48440:328
6/2/19 3m 20s TXT from DNS: 0.101.1:58:25352:1549466941:1:63:48444:328
11/2/19 3m 20s TXT from DNS: 0.101.1:58:25356:1549837740:1:63:48460:328
11/2/19 3m 25s TXT from DNS: 0.101.1:58:25356:1549877342:1:63:48462:328
11/2/19 3m 19s TXT from DNS: 0.101.1:58:25357:1549881900:1:63:48462:328
12/2/19 3m 22s TXT from DNS: 0.101.1:58:25357:1549963741:1:63:48466:328
13/2/19 3m 22s TXT from DNS: 0.101.1:58:25358:1550050141:1:63:48470:328
14/2/19 3m 22s TXT from DNS: 0.101.1:58:25359:1550140140:1:63:48472:328
16/2/19 6m 38s TXT from DNS: 0.101.1:58:25361:1550269740:1:63:48472:328 ***
17/2/19 7m 35s TXT from DNS: 0.101.1:58:25362:1550348940:1:63:48472:328
18/2/19 7m 41s TXT from DNS: 0.101.1:58:25363:1550442540:1:63:48472:328
18/2/19 4m 22s TXT from DNS: 0.101.1:58:25364:1550492940:1:63:48472:328
19/2/19 4m 28s TXT from DNS: 0.101.1:58:25365:1550579340:1:63:48472:328
20/2/19 4m 30s TXT from DNS: 0.101.1:58:25365:1550658540:1:63:48472:328
21/2/19 4m 28s TXT from DNS: 0.101.1:58:25366:1550744940:1:63:48472:328
22/2/19 4m 36s TXT from DNS: 0.101.1:58:25368:1550842141:1:63:48472:328
24/2/19 7m 51s TXT from DNS: 0.101.1:58:25370:1551040140:1:63:48472:328 ***
25/2/19 4m 31s TXT from DNS: 0.101.1:58:25371:1551092103:1:63:48472:328
26/2/19 4m 41s TXT from DNS: 0.101.1:58:25372:1551177619:1:63:48472:328
27/2/19 4m 29s TXT from DNS: 0.101.1:58:25373:1551277740:1:63:48472:328
28/2/19 4m 28s TXT from DNS: 0.101.1:58:25373:1551349740:1:63:48472:328
1/3/19 4m 39s TXT from DNS: 0.101.1:58:25374:1551443340:1:63:48472:328
3/3/19 8m 14s TXT from DNS: 0.101.1:58:25376:1551558540:1:63:48472:328 ***
3/3/19 8m 45s TXT from DNS: 0.101.1:58:25377:1551644940:1:63:48472:328
4/3/19 4m 51s TXT from DNS: 0.101.1:58:25377:1551691742:1:63:48472:328
4/3/19 4m 52s TXT from DNS: 0.101.1:58:25378:1551709740:1:63:48472:328
5/3/19 5m 6s TXT from DNS: 0.101.1:58:25379:1551796140:1:63:48472:328
6/3/19 5m 7s TXT from DNS: 0.101.1:58:25380:1551868140:1:63:48473:328
7/3/19 5m 15s TXT from DNS: 0.101.1:58:25381:1551953509:1:63:48474:328
8/3/19 5m 14s TXT from DNS: 0.101.1:58:25382:1552048140:1:63:48478:328
9/3/19 5m 7s TXT from DNS: 0.101.1:58:25383:1552163340:1:63:48482:328
11/3/19 5m 14s TXT from DNS: 0.101.1:58:25384:1552253340:1:63:48485:328
11/3/19 5m 24s TXT from DNS: 0.101.1:58:25385:1552302125:1:63:48487:328
12/3/19 5m 42s TXT from DNS: 0.101.1:58:25386:1552388890:1:63:48490:328
13/3/19 5m 44s TXT from DNS: 0.101.1:58:25386:1552465741:1:63:48492:328
14/3/19 7m 24s TXT from DNS: 0.101.1:58:25388:1552559341:1:63:48495:328 ***
15/3/19 8m 56s TXT from DNS: 0.101.1:58:25389:1552645741:1:63:48498:328 ***
18/3/19 10m 49s TXT from DNS: 0.101.1:58:25392:1552904941:1:63:48507:328 ***
19/3/19 10m 19s TXT from DNS: 0.101.1:58:25393:1552991341:1:63:48510:328
20/3/19 10m 43s TXT from DNS: 0.101.1:58:25394:1553074140:1:63:48513:328
22/3/19 10m 58s TXT from DNS: 0.101.1:58:25395:1553180408:1:63:48517:328
22/3/19 10m 58s TXT from DNS: 0.101.1:58:25396:1553246940:1:63:48519:328




On Sat, 23 Mar 2019 at 23:26, Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Sorry, I misinterpreted the meaning of "crawled" thinking it referred to
> some sort of compromise of the data.
>
> -Al-
>
> On Mar 23, 2019, at 09:42, Jean-Michel via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> See Maarten Broekman tests above
> https://lists.clamav.net/pipermail/clamav-users/2019-March/007737.html
>
> *De :* Al Varnell 
> *Envoyé :* samedi 23 mars 2019 10:55
> *À :* ClamAV users ML 
> *Objet :* Re: [clamav-users] Scan very slow
>
> Reference? First I'm hearing of any such thing.
>
> -Al-
>
>
> On Mar 23, 2019, at 02:26, Jean-Michel via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> Hi,
> Micah Snyder, do you know if ClamAV was able to trace the origin of
> getting crawled in the database "daily.cld" and was able to fix the problem?
> Regards
>
> *De :* Micah Snyder (micasnyd) 
> *Envoyé :* lundi 18 mars 2019 18:09
> *À :* ClamAV users 

[clamav-users] FP with Osx.Trojan.EmPyre-6852410-0

2019-02-13 Thread Mark Allan
Hey folks,

Signature "Osx.Trojan.EmPyre-6852410-0
"
is generating an FP against a file signed and distributed by Apple.

File hash is
c81d0180cbfa858d6f3faf445514cbb53675d4f469beaa5638eb95a3a8d5d0f1

Mark


Re: [clamav-users] Freshclam 0.100.0 returning 1 on up-to-date

2018-04-11 Thread Mark Allan
Looks like the problem actually stems from a new #define in
"freshclam/freshclamcodes.h".  Change the value of FC_UPTODATE from 1 to 0
and you'll get the old/correct functionality.  Patch below.

Cheers
Mark

diff -Naurw freshclamOrig/freshclamcodes.h freshclam/freshclamcodes.h
--- freshclamOrig/freshclamcodes.h 2018-04-11 14:50:44.0 +0100
+++ freshclam/freshclamcodes.h 2018-04-11 14:57:54.0 +0100
@@ -20,7 +20,7 @@
 #ifndef __FRESHCLAMCODES_H
 #define __FRESHCLAMCODES_H

-#define FC_UPTODATE1
+#define FC_UPTODATE0

 #define FCE_INIT  40
 #define FCE_CHECKS41
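Review bot: redefining FC_UPTODATE from 1 to 0 fixes the exit status, but it collapses the "up to date" and "updated" outcomes into the same value, so any caller that compares a return value against FC_UPTODATE to tell the two apart will stop distinguishing them; grep the other uses of FC_UPTODATE before applying this, and consider instead mapping FC_UPTODATE to exit status 0 at the point where freshclam exits, which keeps the internal code distinct while still honouring the man page's "0: Database is up-to-date or successfully updated". The error codes in the trailing context (FCE_INIT 40, FCE_CHECKS 41) are unaffected either way.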

On 10 April 2018 at 13:36, Andreas Schulze  wrote:

> Am 10.04.2018 um 10:32 schrieb Pertti Karppinen:
> > Freshclam seems to be returning 1 on up-to-date situation, but man page
> > says it should return 0:
> > 0 : Database is up-to-date or successfully updated.
> >
> I think, I had the similar (same?) problem some times ago and fixed it
> with this patch:
>
> Description: freshclam should return 0 if only custom databases
>  are updated and all are up to date
> Author: A. Schulze
> URL: https://bugzilla.clamav.net/show_bug.cgi?id=11812
> ---
> This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
> Index: clamav-0.100.0~beta/freshclam/manager.c
> ===
> --- clamav-0.100.0~beta.orig/freshclam/manager.c
> +++ clamav-0.100.0~beta/freshclam/manager.c
> @@ -2612,6 +2612,7 @@ downloadmanager (const struct optstruct
>   updatecustomdb (opt->strarg, , opts, localip,
>   logerr)) == 0)
>  updated = 1;
> +if (custret == 1) { /* not updated but up to date */ custret
> = 0; }
>  opt = opt->nextarg;
>  }
>  }
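Review bot: the added `if (custret == 1) { /* not updated but up to date */ custret = 0; }` compares against a bare literal; use the named code (FC_UPTODATE in freshclamcodes.h, shown in Mark's patch above) so the intent survives if the numbering changes, and move the comment onto its own line so the one-line block reads as a normal statement. Note also that the check sits inside the per-database loop (`opt = opt->nextarg;` follows it), so each iteration's custret is normalised separately, which is only sufficient if nothing after the loop still compares custret against 1.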
>
>
> --
> A. Schulze
> DATEV eG
>


Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.4 has been released!

2018-03-08 Thread Mark Allan


> On 8 Mar 2018, at 9:08 am, Tilman Schmidt  wrote:
> 
> What definitely isn't fine is this endless griping about how people
> should phrase their questions differently, know more than they do, have
> read this and that (blindly assuming that they hadn't) and so on which
> contributes exactly nothing to a solution.
> 
> What isn't fine either is rude language.
> 
> Joel's reaction was the appropriate one: neither jumping to conclusions
> nor berating the person seeking help, but clearly and politely asking for
> the missing information.
> 
> Sorry for contributing to the flamewar but I have observed this long
> enough now to run out of patience.

Hear hear!

Maybe there should be policy of some sort for contributions to this mailing 
list. Something with a 3 strikes rule?




Re: [clamav-users] clamAV Whitelist

2018-03-01 Thread Mark Allan
Rather than whitelisting, you could add something like cmbx$ to your exclude 
settings. You would do this either by passing the appropriate command line 
argument to clamscan or by tweaking your clamd.conf file.

Mark

> On 1 Mar 2018, at 11:52 am, Emanuel  wrote:
> 
> Hello?
> 
> 
> El 28/02/18 a las 08:38, Emanuel escribió:
>> Hello,
>> 
>> a client sends a file with a .cmbx extension and the antivirus blocks it.
>> 
> >> Is it possible to create a rule within the whitelist for the cmbx extension 
> >> files?
>> 
> >> Is it unsafe to add the signature Sanesecurity.Foxhole.Zip_cmd to the whitelist?
>> 
>> Regards,



Re: [clamav-users] No updates since Monday 26th - daily 24352 ?

2018-02-28 Thread Mark Allan
Thanks to all who replied. It does indeed *appear* to be correct - the DNS 
entry matches the daily.cvd file, which in turn matches the last email on the 
mailing list.

I suppose my question would have been better worded as "Is this INTENTIONAL or 
has something gone wrong with the update process?"

Mark

> On 28 Feb 2018, at 2:05 pm, Frank Elsner <fr...@moltke28.b.shuttle.de> wrote:
> 
> On Wed, 28 Feb 2018 12:52:42 + Mark Allan wrote:
>> Hi there,
>> 
>> I just noticed that there don't appear to have been any updates to daily.cvd 
>> since v24352 on Monday 26th, which seems unlikely.
>> 
>> Is this correct or has something gone wrong with the update process?  Could 
>> it be related to the update of the clamav.net backend that you blogged 
>> about...on Monday.
> 
> I think it is correct. My logfile shows
> 
> Feb 28 14:22:10 ... daily.cld is up to date (version: 24352, sigs: 1861789, 
> f-level: 63, builder: neo)
>  ^
> 
> Cheers, 
>   Frank



[clamav-users] No updates since Monday 26th - daily 24352 ?

2018-02-28 Thread Mark Allan
Hi there,

I just noticed that there don't appear to have been any updates to daily.cvd 
since v24352 on Monday 26th, which seems unlikely.

Is this correct or has something gone wrong with the update process?  Could it 
be related to the update of the clamav.net backend that you blogged about...on 
Monday.

http://blog.clamav.net/2018/02/clamavnet-has-been-upgraded.html

I note the timestamp in the DNS appears to be correct 1519820940 = 2018:02:28 
12:29 (UTC) but I'm guessing there's just some automated process which 
periodically updates the DNS record based on the currently released cvd 
versions?

bash$ dig -t txt current.cvd.clamav.net +short
"0.99.3:58:24352:1519820940:1:63:47077:319"

Best regards
Mark

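As an added example (not code from the list or from ClamAV), the following Python splits the current.cvd.clamav.net TXT record shown in this post into its fields, then runs the same kind of check over a subset of Mark's scan-time table from the "Scan very slow" thread above, flagging scans whose duration rose by more than 20% over the previous run together with the daily version they coincide with. The positions of the ClamAV version, main and daily versions, build timestamp and functionality level are confirmed by this page; the safebrowsing and bytecode labels for the last two fields, and the 20% threshold, are assumptions.

```python
import re
from datetime import datetime, timezone

# Rows copied from Mark's "Scan very slow" table above (a subset); the trailing
# "***" is Mark's own marker for scans he judged to indicate a DB problem.
SCAN_LOG = """\
14/2/19 3m 22s TXT from DNS: 0.101.1:58:25359:1550140140:1:63:48472:328
16/2/19 6m 38s TXT from DNS: 0.101.1:58:25361:1550269740:1:63:48472:328 ***
17/2/19 7m 35s TXT from DNS: 0.101.1:58:25362:1550348940:1:63:48472:328
18/2/19 4m 22s TXT from DNS: 0.101.1:58:25364:1550492940:1:63:48472:328
22/2/19 4m 36s TXT from DNS: 0.101.1:58:25368:1550842141:1:63:48472:328
24/2/19 7m 51s TXT from DNS: 0.101.1:58:25370:1551040140:1:63:48472:328 ***
25/2/19 4m 31s TXT from DNS: 0.101.1:58:25371:1551092103:1:63:48472:328
1/3/19 4m 39s TXT from DNS: 0.101.1:58:25374:1551443340:1:63:48472:328
3/3/19 8m 14s TXT from DNS: 0.101.1:58:25376:1551558540:1:63:48472:328 ***
4/3/19 4m 51s TXT from DNS: 0.101.1:58:25377:1551691742:1:63:48472:328
5/3/19 5m 6s TXT from DNS: 0.101.1:58:25379:1551796140:1:63:48472:328
12/3/19 5m 42s TXT from DNS: 0.101.1:58:25386:1552388890:1:63:48490:328
13/3/19 5m 44s TXT from DNS: 0.101.1:58:25386:1552465741:1:63:48492:328
14/3/19 7m 24s TXT from DNS: 0.101.1:58:25388:1552559341:1:63:48495:328 ***
15/3/19 8m 56s TXT from DNS: 0.101.1:58:25389:1552645741:1:63:48498:328 ***
18/3/19 10m 49s TXT from DNS: 0.101.1:58:25392:1552904941:1:63:48507:328 ***
19/3/19 10m 19s TXT from DNS: 0.101.1:58:25393:1552991341:1:63:48510:328
"""

DNS_FIELDS = 8  # colon-separated fields in the current.cvd.clamav.net record


def parse_dns_txt(txt):
    """Split a current.cvd.clamav.net TXT record into labelled fields.

    Positions 0-3 and 5 are confirmed by this page (ClamAV version, main.cvd,
    daily.cvd, build epoch, required functionality level).  Labelling the last
    two as safebrowsing.cvd and bytecode.cvd versions is an assumption, and
    field 4 is kept raw.
    """
    f = txt.strip('"').split(":")
    if len(f) != DNS_FIELDS:
        raise ValueError(f"expected {DNS_FIELDS} fields, got {len(f)}: {txt!r}")
    return {
        "clamav_version": f[0],
        "main": int(f[1]),
        "daily": int(f[2]),
        "built": datetime.fromtimestamp(int(f[3]), tz=timezone.utc),
        "field4": f[4],
        "flevel": int(f[5]),
        "safebrowsing": int(f[6]),  # assumed label
        "bytecode": int(f[7]),      # assumed label
    }


LINE_RE = re.compile(
    r"^(?P<date>\d+/\d+/\d+)\s+(?P<m>\d+)m\s+(?P<s>\d+)s\s+TXT from DNS:\s+"
    r"(?P<txt>\S+)(?P<mark>\s+\*\*\*)?\s*$")


def parse_scan_log(text):
    """Turn Mark's table rows into dicts carrying the duration in seconds."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rec = parse_dns_txt(m["txt"])
        rec.update(date=m["date"],
                   seconds=int(m["m"]) * 60 + int(m["s"]),
                   marked=m["mark"] is not None)
        rows.append(rec)
    return rows


def find_regressions(text, threshold_pct=20):
    """Flag scans that took more than threshold_pct longer than the previous
    scan, reporting the daily version the slower scan ran with.  Integer
    arithmetic keeps the comparison exact."""
    hits = []
    prev = None
    for rec in parse_scan_log(text):
        if prev is not None and \
                rec["seconds"] * 100 > prev["seconds"] * (100 + threshold_pct):
            hits.append({"date": rec["date"], "daily": rec["daily"],
                         "prev_daily": prev["daily"],
                         "before": prev["seconds"], "after": rec["seconds"]})
        prev = rec
    return hits


def marked_by_author(text):
    """Daily versions of the rows Mark marked with ***, for comparison."""
    return [r["daily"] for r in parse_scan_log(text) if r["marked"]]


if __name__ == "__main__":
    for h in find_regressions(SCAN_LOG):
        print(f"{h['date']}: {h['before']}s -> {h['after']}s "
              f"(daily {h['prev_daily']} -> {h['daily']})")
```

With the 20% threshold the flagged rows are exactly the ones Mark marked with three asterisks.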


Re: [clamav-users] Read the signature in cdiff file.

2018-01-29 Thread Mark Allan
I agree with Al - I can't really see why anyone would need to do this, but I've 
been dealing a lot with cdiff and script files lately, so I know exactly how to 
do what you're asking!

At the start of each cdiff file is a header which reads something like this:
ClamAV-Diff:24263:17164:
It's delimited with colons and can be interpreted like this:
Type of file : DB version number (or scripted update version number) : 
file size of scripted update : 

The final colon is important.  Count the number of characters up-to and 
including the final colon (unlike daily/main/bytecode cvd/cld files, the header 
doesn't appear to be a predefined length, so you'll need to count characters).  
In this case it's 24.

Now, use dd to strip the header from the file, leaving a gzip archive.  In the 
example above, you can do:

dd bs=24 skip=1 if=daily-24262.cdiff of=daily-24262.gzip

Unpack the gzip file and you've got a plain text script file listing all the 
changes.


Doing all that programmatically is left as an exercise for the reader ;-)

Mark


> On 29 Jan 2018, at 9:55 am, Al Varnell  wrote:
> 
> Just trying to figure out why anybody would ever need to. As soon as they are 
> downloaded they are immediately integrated into the appropriate .cld file 
> where they can be read.
> 
> Subscribe to the clamav-virusdb e-mail list if you want to see a list of what 
> signatures are contained in a particular .cdiff file:
> .
> 
> -Al-
> 
> On Mon, Jan 29, 2018 at 01:26 AM, Arul Raj wrote:
>> Hi Team,
>> 
>>   Can you please share, how to read the cdiff signature file in
>> human-readable format.
>> 
>> -
>> Arulraj I
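
Added example, not code from the thread or from the ClamAV project: a small Python script that does programmatically what Mark's message describes, parsing the colon-delimited `ClamAV-Diff:<version>:<size>:` header and using the size field to bound the gzip stream instead of a hand-counted `dd` offset. The only format facts it relies on are the ones stated in the message; the sample cdiff it unpacks is constructed inside the script, and the command names in that sample merely imitate the look of an update script.

```python
"""Parse a ClamAV cdiff header and unpack the scripted update it carries.

Added example; not code from the ClamAV project. The only format facts used
are the ones stated in the thread: the file starts with
"ClamAV-Diff:<version>:<gzip size>:" and a gzip stream follows the last colon.
"""
import gzip
import re

# Header as described in the thread, e.g. b"ClamAV-Diff:24263:17164:"
HEADER_RE = re.compile(rb"^ClamAV-Diff:(\d+):(\d+):")


def parse_cdiff_header(data: bytes):
    """Return (version, gzip_size, header_length) for the bytes of a cdiff.

    header_length is the number Mark counts by hand before calling dd.
    """
    m = HEADER_RE.match(data)
    if m is None:
        raise ValueError("not a ClamAV cdiff: header missing or malformed")
    return int(m.group(1)), int(m.group(2)), m.end()


def extract_cdiff_script(data: bytes) -> str:
    """Strip the header and gunzip exactly gzip_size bytes.

    Bytes after the stated size (a real cdiff carries its signature there)
    are ignored rather than handed to gunzip as trailing garbage.
    """
    _version, size, hdr_len = parse_cdiff_header(data)
    payload = data[hdr_len:hdr_len + size]
    if len(payload) != size:
        raise ValueError(f"truncated cdiff: header promises {size} bytes, "
                         f"file holds {len(payload)}")
    return gzip.decompress(payload).decode("utf-8")


def build_sample_cdiff(version: int, script: str, trailer: bytes = b"") -> bytes:
    """Build a constructed, cdiff-shaped byte string for testing; not a real update."""
    body = gzip.compress(script.encode("utf-8"))
    header = b"ClamAV-Diff:%d:%d:" % (version, len(body))
    return header + body + trailer


# Constructed sample script: the command words imitate the look of a cdiff
# script, but the signature content is made up for this example.
SAMPLE_SCRIPT = "OPEN example.ndb\nADD Example.Test-1:0:*:48656c6c6f\nCLOSE\n"


if __name__ == "__main__":
    # The header Mark counted by hand: 24 characters, as he says.
    print(parse_cdiff_header(b"ClamAV-Diff:24263:17164:"))
    sample = build_sample_cdiff(24263, SAMPLE_SCRIPT, trailer=b":fake-signature")
    print(extract_cdiff_script(sample))
    # On a real file: extract_cdiff_script(open("daily-24262.cdiff", "rb").read())
```

Bounding the gzip stream by the stated size is the one thing the `dd` recipe cannot do: whatever follows the compressed data in the file is left alone, so gunzip has nothing to complain about and the script text is exactly what the header promised.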


[clamav-users] Whither ClamAV 0.99.2.1 ?

2018-01-24 Thread Mark Allan
Hi guys,

I saw the following blog post about an interim release (ClamAV 0.99.2.1) in my 
newsreader last week
http://blog.clamav.net/2018/01/heads-up-clamav-version-09921.html

The article said you planned to release 0.99.2.1 today (24th January), however, 
the post is no longer appearing on your blog.

Have plans changed, or is it still coming today?

Best regards
Mark



Re: [clamav-users] Signatures in md5sum not in sha256sum

2017-09-11 Thread Mark Allan

> On 11 Sep 2017, at 1:01 pm, Joel Esler (jesler)  wrote:
> 
> Reported them to bugzilla?

Nope - in your announcement email (copied & abbreviated below) you asked us to 
provide feedback via the list:

> On 4 Aug 2017, at 12:04 am, Joel Esler (jesler)  wrote:
> 
> ClamAV 0.99.3 beta has been released!
> 
> We ask that feedback be provided via the ClamAV mailing 
> lists.

Mark



Re: [clamav-users] Signatures in md5sum not in sha256sum

2017-09-11 Thread Mark Allan

> On 8 Sep 2017, at 5:32 pm, Joel Esler (jesler)  wrote:
> 
> We don’t have a slated date yet.  We’ve had about 6000 downloads of the beta 
> package and no reported bugs so far.
> 
> 
> So far, so good.

That's not entirely true; I reported at least three bugs.

Mark

Re: [clamav-users] Another bug with ClamAV 0.99.3 beta 1

2017-08-25 Thread Mark Allan
Hi Mickey,

No, it's not working I'm afraid.  I get the same error as before:

dyld: lazy symbol binding failed: Symbol not found: _strndup
  Referenced from: /usr/local/clamav/sbin/clamd
  Expected in: /usr/lib/libSystem.B.dylib

Note that this is *not* being built on 10.6.  It's being built on 10.12 with 
support for running the compiled binaries on 10.6 by way of the 
-mmacosx-version-min=10.6 compiler flag.

Cheers
Mark

> On 23 Aug 2017, at 7:15 pm, Mickey Sola <ms...@sourcefire.com> wrote:
> 
> Hi Mark,
> 
> The strnlen and strndup reworks have made it up to master if you wanted to
> take a look and make sure everything builds OK on 10.6
> 
> You'll need commits 47a544dc07b75c284e0fc475164bcdc5e9d5b18b thru
> 8cb271e25cf43bd5d6296827d2c0f25a33420fd9
> (4 in total)
> 
> -Mickey
> 
> On Mon, Aug 14, 2017 at 1:41 PM, Steven Morgan <smor...@sourcefire.com>
> wrote:
> 
>> Mark,
>> 
>> We are in the process of reworking that strndup/strnlen test. The rework
>> will use feature tests during ./configure to test for the presence of the
>> system implementations of strndup and strnlen. The operating system test
>> that is currently in place for when to use the local implementations of
>> strnlen and strndup will be going away. Thanks for writing a patch. It
>> should suffice during beta.
>> 
>> 
>> Steve
>> 
>> 
>> On Mon, Aug 14, 2017 at 9:47 AM, Mark Allan <markjal...@gmail.com> wrote:
>> 
>>> I just had another look at this today with fresh eyes and I see you've
>>> already got a static replacement of strndup for Solaris, so I've
>> included a
>>> patch which uses the same function on macOS 10.6.8 or lower.  It relies
>> on
>>> the appropriate  (-mmacosx-version-min=10.6) setting on the configure
>>> phase, but the chances are if anyone's compiling with 10.6 support, they
>>> probably ain't compiling on 10.6 so it's likely being supplied already.
>>> 
>>> 
>>> 
>>> 
>>> diff -Naurw clamav-0.99.3-beta1/clamd/localserver.c
>>> clamav-0.99.3-beta1_patched/clamd/localserver.c
>>> --- clamav-0.99.3-beta1/clamd/localserver.c 2017-07-31
>>> 19:34:32.0 +0100
>>> +++ clamav-0.99.3-beta1_patched/clamd/localserver.c 2017-08-14
>>> 14:24:08.0 +0100
>>> @@ -25,7 +25,7 @@
>>> 
>>> #include 
>>> #include 
>>> -#if defined(C_SOLARIS)
>>> +#if defined(C_SOLARIS) || (defined(__ENVIRONMENT_MAC_OS_
>> X_VERSION_MIN_REQUIRED__)
>>> && (__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ <= 1068))
>>> size_t strnlen(const char *s, size_t n) __attribute__((weak));
>>> size_t strnlen(const char *s, size_t n)
>>> {
>>> 
>>> 
>>> 
>>> Hope that's useful.
>>> 
>>> Mark
>>> 
>>> 
>>>> On 13 Aug 2017, at 10:25 pm, Mark Allan <markjal...@gmail.com> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> Another issue with 0.99.3 beta 1.
>>>> 
>>>> The clamd process crashes on macOS 10.6.8 because it can't find the
>>> strndup symbol.  There are a couple of references to strndup in the
>> source
>>> for clamd and libclamav - should these be changed to cli_strndup or am I
>>> better to include a static replacement function of strndup in the
>>> appropriate files that would only be used on 10.6 or earlier?
>>>> 
>>>> Thanks
>>>> Mark



Re: [clamav-users] Another bug with ClamAV 0.99.3 beta 1

2017-08-14 Thread Mark Allan
I just had another look at this today with fresh eyes and I see you've already 
got a static replacement of strndup for Solaris, so I've included a patch which 
uses the same function on macOS 10.6.8 or lower.  It relies on the appropriate  
(-mmacosx-version-min=10.6) setting on the configure phase, but the chances are 
if anyone's compiling with 10.6 support, they probably ain't compiling on 10.6 
so it's likely being supplied already.




diff -Naurw clamav-0.99.3-beta1/clamd/localserver.c 
clamav-0.99.3-beta1_patched/clamd/localserver.c
--- clamav-0.99.3-beta1/clamd/localserver.c 2017-07-31 19:34:32.0 
+0100
+++ clamav-0.99.3-beta1_patched/clamd/localserver.c 2017-08-14 
14:24:08.0 +0100
@@ -25,7 +25,7 @@
 
 #include 
 #include 
-#if defined(C_SOLARIS)
+#if defined(C_SOLARIS) || 
(defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__) && 
(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ <= 1068))
 size_t strnlen(const char *s, size_t n) __attribute__((weak));
 size_t strnlen(const char *s, size_t n)
 {
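
Review bot: the guard in the `+#if defined(C_SOLARIS) || (defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__) && ...)` line only covers the `strnlen` fallback visible in this hunk, while the symptom reported in this thread is `Symbol not found: _strndup`; the hunk stops at the opening brace of `strnlen`, so check that the same condition also wraps the `strndup` replacement that follows it, otherwise clamd still fails to bind on 10.6. Two smaller points: the constant `1068` deserves a comment saying it is 10.6.8 as encoded by that macro, and because the test is `defined(...) && ...`, it silently selects the system `strndup` whenever `-mmacosx-version-min` is not passed, which is the assumption the covering text states; the configure-time feature test Steven Morgan describes in his quoted reply would remove that dependency.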



Hope that's useful.

Mark


> On 13 Aug 2017, at 10:25 pm, Mark Allan <markjal...@gmail.com> wrote:
> 
> Hi all,
> 
> Another issue with 0.99.3 beta 1.
> 
> The clamd process crashes on macOS 10.6.8 because it can't find the strndup 
> symbol.  There are a couple of references to strndup in the source for clamd 
> and libclamav - should these be changed to cli_strndup or am I better to 
> include a static replacement function of strndup in the appropriate files 
> that would only be used on 10.6 or earlier?
> 
> Thanks
> Mark
> 



[clamav-users] Another bug with ClamAV 0.99.3 beta 1

2017-08-13 Thread Mark Allan
Hi all,

Another issue with 0.99.3 beta 1.

The clamd process crashes on macOS 10.6.8 because it can't find the strndup 
symbol.  There are a couple of references to strndup in the source for clamd 
and libclamav - should these be changed to cli_strndup or am I better to 
include a static replacement function of strndup in the appropriate files that 
would only be used on 10.6 or earlier?

Thanks
Mark



Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 beta has been released!

2017-08-12 Thread Mark Allan
Hi all

This email is two-part: an FP report and a bug report - both only concerning 
0.99.3

I just uploaded an FP which is only being detected by 0.99.3 beta 1.  The 
checksum for the submitted file (PDFSigQFormalRep.pdf) is 
1a29b1f3d6df9f1e47c8a77dde142238

It's part of Adobe Acrobat and is showing up as Heuristic.PDF.TooManyFilters.

Now the bug-report part.

I added the relevant line to a local FP file exclude.fp in the clamav database 
directory, and it correctly prevents the file from reporting as being infected, 
however the summary still shows "1 infected file".

$ clamscan  ~/Desktop/temp/PDFSigQFormalRep.pdf 

--- SCAN SUMMARY ---
Known viruses: 7305825
Engine version: 0.99.3-beta1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.22 MB
Data read: 0.45 MB (ratio 0.49:1)
Time: 21.459 sec (0 m 21 s)

Cheers
Mark


> On 4 Aug 2017, at 12:04 am, Joel Esler (jesler)  wrote:
> 
> http://blog.clamav.net/2017/08/clamav-0993-beta-has-been-released.html
> 
> ClamAV 0.99.3 beta has been released!
> Join us as we welcome ClamAV 0.99.3 beta for testing!  Be sure and grab the 
> beta release on our official ClamAV download 
> site.
> 
> Welcome to ClamAV 0.99.3. In this release, we have included many code
> submissions from the ClamAV community:
> 
> 
>  *   Interfaces to the Prelude SIEM open source package for collecting ClamAV 
> virus events.
>  *   Visual Studio 2015 for building Microsoft Windows binaries.
>  *   Support libmspack internal code or as a shared object library. The 
> internal library is the default and contains additional integrity checks.
>  *   Linking with openssl 1.1.0.
>  *   Numerous code patches, typos, and compiler warning fixes.
> 
> 
> Additionally, we have introduced important changes and new features in
> ClamAV 0.99.3, including:
> 
> 
>  *   Deprecating internal LLVM code support. The configure script has changed 
> to search the system for an installed instance of the LLVM development 
> libraries, and to otherwise use the bytecode interpreter for ClamAV bytecode 
> signatures. To use the LLVM Just-In-Time compiler for executing bytecode 
> signatures, please ensure that the LLVM development package at version 3.6 or 
> lower is installed. Using the deprecated LLVM code is possible with the 
> command: './configure --with-system-llvm=no', but it no longer compiles on 
> all platforms.
>  *   Compute and check PE import table hash (a.k.a. "imphash") signatures.
>  *   Support file property collection and analysis for MHTML files.
>  *   Raw scanning of PostScript files.
>  *   Fix clamsubmit to use the new virus and false positive submission web 
> interface.
>  *   Optionally, flag files with the virus "Heuristic.Limits.Exceeded" when 
> size limitations are exceeded.
>  *   Improve decoders for PDF files.
> 
> 
> The ClamAV community thanks the following individuals for their ClamAV 0.99.3 
> code submissions:
> 
> Sebastian Andrzej Siewior
> Keith Jones
> Bill Parker
> Chris Miserva
> Daniel J. Luke
> Matthew Boedicker
> Ningirsu
> Michael Pelletier
> Anthony Chan
> Stephen Welker
> 
> Following are issues discovered during release testing. For additional 
> information, please review the corresponding tickets on 
> bugzilla.clamav.net:
> 
> 11879 - cli_scanmscan() Failed to extract 4 in Windows beta when scanning cab 
> files
> 11882 - ./configure does not automatically detect libxml2 on FreeBSD 10.3 and 
> 11.0
> 11884 - 'sudo make install' on FreeBSD 10.3 and 11.0 leaves files owned by 
> root, subsequent make command fails
> 11885 - clamsubmit not building on FreeBSD 10.3 and 11.0
> 11887 - Failures of 'make check VG=1' on FreeBSD 10.3 and 11.0
> 
> We ask that feedback be provided via the ClamAV mailing 
> lists.
> 
> 
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
> 
> 
> 
> 
> 
> 


Re: [clamav-users] Main CVD and Main Cdiff have been published

2017-06-08 Thread Mark Allan
For some reason, applying the 4MB daily-23454.cdiff file took a really long 
time, even on a fast machine - 6 minutes on a 2.6 GHz Intel Core i7.

Curiously, the main-58.cdiff took only a fraction of that time (less than 30 
seconds) to apply, despite being twice the size.

So I'm wondering, when posting a new main.cvd in the future, is there a way to 
decrease the size of the daily cdiff files by having more of them, or would 
that not help with the processing time?  Is there any way to do it without 
making it look like freshclam has hung?

Mark


> On 8 Jun 2017, at 3:43 am, Al Varnell  wrote:
> 
> main.cvd is 117,892,267 bytes
> main-58.cdiff is 8,808,462 bytes
> 
> On Wed, Jun 07, 2017 at 04:55 PM, Dennis Peterson wrote:
>> http://db.us.clamav.net/main-58.cdiff 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 
> 


[clamav-users] New Main.cvd coming

2017-05-17 Thread Mark Allan
Hi all,

I spotted this yesterday on the ClamAV blog and was waiting for Joel (or 
someone else) to mention it here, but that may or may not happen, so...

http://blog.clamav.net/2017/05/clamav-will-be-publishing-new-maincvd.html

The gist is that a new main.cvd will be getting pushed out next month.  I'm 
wondering will this be as painful a process as last time, or will you be 
posting cdiff files to help keep bandwidth usage down?

Mark



Re: [clamav-users] No Signature updates for 30 hours?

2017-05-01 Thread Mark Allan
It looks like there's a problem with the DNS text record not updating properly. 
It still shows the "current" version as 23343.

dig -t txt current.cvd.clamav.net +short
"0.99.2:57:23343:1493638140:1:63:45876:296"

Mark

> On 1 May 2017, at 1:21 pm, Arnaud Jacques / SecuriteInfo.com 
>  wrote:
> 
> Hello,
> 
>> Hi,
>> 
>> I noticed that the list archive had no more messages since 4/28.
>> 
>> And according to the FreshClam log, the last signature update is 30 hours
>> old (times below are EDT).
>> Sun Apr 30 02:01:06 2017 -> Downloading daily-23343.cdiff [100%]
> 
> ClamAV daily 23346 was published this morning.
> It seems you are a few updates behind.
> 
> -- 
> Best regards,
> 
> Arnaud Jacques
> SecuriteInfo.com
> 
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom
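
Added example, not code from the thread or from freshclam, serving both this post and Mark's 2018-02-28 one, which quote the same `current.cvd.clamav.net` TXT record: a Python parser for the record plus a freshness check that separates the two questions a monitoring job should ask, whether the record itself is old and whether the local daily version is behind what the record advertises. The field order (engine version, main, daily, timestamp, a flag, functionality level, safebrowsing, bytecode) is an assumption of this example that fits both quoted records, not something the posts state.

```python
"""Decode the current.cvd.clamav.net TXT record and check signature freshness.

Added example; not code from the thread or from freshclam. The field order
assumed here (engine version, main, daily, timestamp, a flag, functionality
level, safebrowsing, bytecode) fits both records quoted in the thread but is
an assumption of this example rather than something the posts state.
"""
from datetime import datetime, timezone

FIELDS = ("engine", "main", "daily", "timestamp", "flag",
          "flevel", "safebrowsing", "bytecode")


def parse_current_cvd(txt: str) -> dict:
    """Split '0.99.3:58:24352:1519820940:1:63:47077:319' into named fields."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} colon-separated fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[1:]:          # everything but the engine version is numeric
        rec[key] = int(rec[key])
    published = datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc)
    rec["published_utc"] = published.strftime("%Y-%m-%d %H:%M UTC")
    return rec


def freshness_report(txt: str, local_daily: int, now_ts: int,
                     max_age_hours: float = 24.0) -> dict:
    """Compare the advertised daily version with the locally installed one.

    Two separate conditions are reported: the record's own timestamp being
    older than max_age_hours, and the local database lagging behind the
    version the record advertises.  A fresh timestamp alone proves nothing
    about new signatures: Mark's 2018 record was minutes old while daily sat
    at 24352 for two days, so track the version number across checks too.
    """
    rec = parse_current_cvd(txt)
    age_hours = (now_ts - rec["timestamp"]) / 3600
    return {
        "advertised_daily": rec["daily"],
        "local_daily": local_daily,
        "local_behind_by": max(rec["daily"] - local_daily, 0),
        "record_age_hours": round(age_hours, 1),
        "record_stale": age_hours > max_age_hours,
    }


if __name__ == "__main__":
    # Both records are the ones quoted in the thread; in practice the string
    # comes from: dig -t txt current.cvd.clamav.net +short
    for record in ('"0.99.3:58:24352:1519820940:1:63:47077:319"',
                   '"0.99.2:57:23343:1493638140:1:63:45876:296"'):
        rec = parse_current_cvd(record)
        print(rec["daily"], rec["published_utc"])
    # Two days after the 2018 record, with a local daily two versions back
    print(freshness_report('"0.99.3:58:24352:1519820940:1:63:47077:319"',
                           local_daily=24350, now_ts=1519820940 + 2 * 86400))
```

The local daily version would normally come from `sigtool --info daily.cld` (or the freshclam log line quoted at the top of this page); it is passed in as an integer here so the script runs without a ClamAV installation.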


Re: [clamav-users] Manual cdiff update procedure

2017-04-06 Thread Mark Allan
Yes and no.  You can use sigtool to unpack and then apply the individual cdiff 
scripts in turn (check the man page for details). This will give you a 
directory full of files which is the equivalent of the current cvd file, 
however you cannot then repackage and sign the resulting database directory.

Mark

> On 5 Apr 2017, at 6:51 pm, venkat swaminathan  wrote:
> 
> Hello All,
> 
> I am very new to clamav and trying to understand some update procedure.
> 
> I have daily.cvd and its new cdiff file. Is there a procedure document
> which I will be able to follow to update daily.cvd with newly downloaded
> cdiff files?
> 
> thanks
> Venkat.S


Re: [clamav-users] how to avoid false positive in clamAV

2017-04-05 Thread Mark Allan
To whitelist specific files this way, you need to add the md5sum to a file with 
the .fp extension.  So, in your example, it should be sigtool --md5 
my_file_name.exe >> local.fp

If you want to ignore the signature altogether, you add the signature name to a 
file with the extension ign2.

For what it's worth, this is on page 23 of the "signatures.pdf" document that 
ships with the ClamAV source code.

Best regards
Mark 

> On 5 Apr 2017, at 9:49 am, Gaurav Kumar Garg  wrote:
> 
> Hi ClamAV users and developers,
> 
> I am new to ClamAV. I like its design.
> 
> While scanning I saw a few false positive viruses. I searched on the internet and found 
> out that I can avoid these false positives by writing the md5 sum to a local.ign 
> file and putting this file in the /var/lib/clamav/* directory, then restarting the 
> clamd daemon.
> 
> 
> It's partially working, meaning it works when I scan the false positive file with 
> clamscan -d, and it's not working with clamdscan.
> 
> 
> Steps for creating the local.ign file:
> 
> 
> $ sigtool --md5  my_file_name.exe >> local.ign
> 
> 
> After that I put this file in the /var/lib/clamav/* directory and restarted the clamd 
> daemon.
> 
> 
> When I execute $ clamscan -d /var/lib/clamav/local.ign my_file_name.exe, it 
> does not report the false positive; it works perfectly.
> 
> 
> But when I scan this file using clamdscan, it still reports the false 
> positive.
> 
> 
> Could anyone help me regarding this false positive avoidance?
> 
> 
> I cannot submit my false positive file because of business ethics and 
> compliance.
> 
> 
> Thank you in advance,
> 
> 
> Regards,
> 
> Gaurav
> 
> 
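
Added example, not code from the thread or from ClamAV, covering both this exchange and Mark's 2017-08-12 exclude.fp report above: a Python helper that builds and checks the two local whitelist formats Mark's reply describes. A .fp entry is the same `md5:size:name` triple that `sigtool --md5` prints, and an .ign2 entry is just the signature name to suppress. Sample bytes and names are constructed for the demonstration, and the name check on .ign2 entries is this example's own conservative rule, not something ClamAV documents.

```python
"""Build and check ClamAV local whitelist entries (.fp and .ign2).

Added example; not code from the thread or from ClamAV. It encodes what Mark's
reply states: a .fp line is the "md5:size:name" triple that `sigtool --md5`
prints, and an .ign2 line is just the signature name to ignore.  Sample data
and names below are constructed for the demonstration.
"""
import hashlib
import os
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumed conservative shape for signature names (letters, digits, . _ -);
# this example's own rule, not a ClamAV restriction.
SIG_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def fp_entry(data: bytes, name: str) -> str:
    """Whitelist line for one file's content, in the format sigtool --md5 prints."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def fp_line(path: str) -> str:
    """Same as `sigtool --md5 path`, reading the file from disk."""
    with open(path, "rb") as f:
        return fp_entry(f.read(), os.path.basename(path))


def ign2_entry(signature_name: str) -> str:
    """Line for local.ign2: the bare signature name, validated before use."""
    if not SIG_NAME_RE.match(signature_name):
        raise ValueError(f"unexpected characters in signature name: {signature_name!r}")
    return signature_name


def parse_fp(text: str) -> list:
    """Parse the lines of a .fp file into (md5, size, name) tuples, rejecting junk."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if (len(fields) != 3 or not MD5_RE.match(fields[0].lower())
                or not fields[1].isdigit()):
            raise ValueError(f"line {lineno}: not an md5:size:name entry: {line!r}")
        entries.append((fields[0].lower(), int(fields[1]), fields[2]))
    return entries


def is_whitelisted(data: bytes, fp_text: str) -> bool:
    """True if the content matches an entry by both digest and size.

    Worth running before reloading clamd: the entry only helps while the file
    is byte-identical to what was hashed, so a rebuilt binary needs a new line.
    """
    digest = hashlib.md5(data).hexdigest()
    return any(md5 == digest and size == len(data)
               for md5, size, _ in parse_fp(fp_text))


if __name__ == "__main__":
    sample = b"constructed sample content, not a real binary\n"
    line = fp_entry(sample, "my_file_name.exe")
    print(line)
    print(is_whitelisted(sample, line + "\n"))
    print(ign2_entry("Example.Signature-1"))
```

Two operational points follow from the thread: the file has to carry the .fp extension (an .ign name is why the original poster's entry only worked with an explicit `clamscan -d`), and clamd reads the database directory at start-up or on a reload, so a freshly appended line is invisible to clamdscan until then.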


Re: [clamav-users] SpoofedDomain FOUND

2017-02-16 Thread Mark Allan

> On 16 Feb 2017, at 1:12 pm, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 16.02.2017 at 14:09, Mark Allan wrote:
>>> On 16 Feb 2017, at 1:03 pm, Reindl Harald <h.rei...@thelounge.net> wrote:
>>> On 16.02.2017 at 14:00, Mark Allan wrote:
>>>> 
>>>>> On 16 Feb 2017, at 12:48 pm, Reindl Harald <h.rei...@thelounge.net> wrote:
>>>>> 
>>>>> On 16.02.2017 at 13:39, ellanios82 wrote:
>>>>>> 
>>>>>> - What please is the correct syntax?
>>>>> 
>>>>> unix basics :-)
>>>>> stdout versus stderr
>>>>> 
>>>>> https://en.wikipedia.org/wiki/Standard_streams
>>>>> https://en.wikipedia.org/wiki/Standard_streams#Standard_output_.28stdout.29
>>>>> https://en.wikipedia.org/wiki/Standard_streams#Standard_error_.28stderr.29
>>>> 
>>>> A more helpful answer (which is quicker to type than digging out URLs) is 
>>>> simply to add 2>&1 to the end of your command, to redirect stderr to 
>>>> stdout.
>>>> 
>>>> clamscan --debug /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus >> clamdeb.txt 2>&1
>>> 
>>> I wonder how it is more helpful when somebody blindly copies without 
>>> understanding what he is doing and so gets conditioned to that with any 
>>> random stuff found on some webpage
>>> 
>>> give a man a fish and you feed him for a day; teach a man to fish and you 
>>> feed him for a lifetime
>> 
>> How is it more helpful? Because I gave the answer *and* explained what it 
>> did; you just pointed the OP at a webpage and essentially said "figure it 
>> out for yourself".
> 
> yes, because it is proven that people who are pointed in the right direction 
> and figure it out on their own *remember* things, while when they can also 
> just copy, the next time they still don't know what it was and how it 
> was called, to google it again
> 
> so mind your own business and don't play smartass when you have no point

We're both members on this mailing list, therefore it's as much my business as 
it is yours.



Re: [clamav-users] SpoofedDomain FOUND

2017-02-16 Thread Mark Allan

> On 16 Feb 2017, at 1:03 pm, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 16.02.2017 at 14:00, Mark Allan wrote:
>> 
>>> On 16 Feb 2017, at 12:48 pm, Reindl Harald <h.rei...@thelounge.net> wrote:
>>> 
>>> On 16.02.2017 at 13:39, ellanios82 wrote:
>>>> 
>>>> - What please is the correct syntax?
>>> 
>>> unix basics :-)
>>> stdout versus stderr
>>> 
>>> https://en.wikipedia.org/wiki/Standard_streams
>>> https://en.wikipedia.org/wiki/Standard_streams#Standard_output_.28stdout.29
>>> https://en.wikipedia.org/wiki/Standard_streams#Standard_error_.28stderr.29
>> 
>> A more helpful answer (which is quicker to type than digging out URLs) is 
>> simply to add 2>&1 to the end of your command, to redirect stderr to stdout.
>> 
>> clamscan --debug /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus >> clamdeb.txt 2>&1
> 
> I wonder how it is more helpful when somebody blindly copies without 
> understanding what he is doing and so gets conditioned to that with any random 
> stuff found on some webpage
> 
> give a man a fish and you feed him for a day; teach a man to fish and you 
> feed him for a lifetime

How is it more helpful? Because I gave the answer *and* explained what it did; 
you just pointed the OP at a webpage and essentially said "figure it out for 
yourself".



Re: [clamav-users] SpoofedDomain FOUND

2017-02-16 Thread Mark Allan

> On 16 Feb 2017, at 12:48 pm, Reindl Harald  wrote:
> 
> On 16.02.2017 at 13:39, ellanios82 wrote:
>> On 02/16/17 02:59, Al Varnell wrote:
>>> I'm afraid it's going to be more trouble than it's worth. You will
>>> need to turn debugging on when you scan that mailbox which will
>>> produce a huge amount of output, but includes details about exactly
>>> what was found. You would then need to search that mailbox in
>>> Thunderbird for the offending URL and decide whether you need the
>>> message or it can be deleted. A SpoofedDomain finding is not
>>> necessarily an attempt to misdirect you. It's a technique sometimes
>>> used to give a message clarity.
>> 
>> thanks Al : am trying debug to find specific message causing probs :
>> 
>> have adjusted /etc/clamd.conf to :
>> 
>> # Enable debug messages in libclamav.
>> # Default: no
>> # Feb 16, 2017
>> Debug yes
>> 
>> 
>> But , how to collect info into Log-File :
>> 
>> 
>> this does not work for me :
>> 
>> clamscan --debug
>> /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus>>clamdeb.txt
>> 
>> 
>> - What please is the correct syntax?
> 
> unix basics :-)
> stdout versus stderr
> 
> https://en.wikipedia.org/wiki/Standard_streams 
> 
> https://en.wikipedia.org/wiki/Standard_streams#Standard_output_.28stdout.29 
> 
> https://en.wikipedia.org/wiki/Standard_streams#Standard_error_.28stderr.29 
> 

A more helpful answer (which is quicker to type than digging out URLs) is 
simply to add 2>&1 to the end of your command, to redirect stderr to stdout.

clamscan --debug /home/user/.thunderbird/9i9wirek.default/Mail/pop.gmail.com/bus >> clamdeb.txt 2>&1

Mark



[clamav-users] FP with Java.Exploit.CVE_2012_1723-8

2017-01-24 Thread Mark Allan
Hi,

I've received a few reports of FPs with the signature 
Java.Exploit.CVE_2012_1723-8. I can't upload a sample because, of all places, 
it's being detected in the scan log which could contain sensitive information.

Apart from the fact that it's very generic, looking only for a single short 
string, I see it's also looking for the "ANY FILE" type (0).  I've seen this a 
number of times with FPs lately, why are java sigs written to detect filetype 0 
rather than type 12 which is specifically for Java Classes?

VIRUS NAME: Java.Exploit.CVE_2012_1723-8
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
msf_/_x_/_PayloadX.class

Cheers
Mark

PS. I padded the decoded signature with underscores to avoid this email being 
detected as infected.

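
Added example, not code from the thread or from ClamAV: a Python review pass over body-based signatures in the documented `Name:Target:Offset:HexSignature` (.ndb) layout that flags the two properties Mark's report complains about, target type 0 (ANY FILE) and a very short fixed pattern, and warns when a name prefix such as `Java.` disagrees with the target number. The target-type table is the one from the ClamAV signature documentation; the prefix-to-target mapping is this example's own assumption, and the sample signatures are constructed with no real detection content.

```python
"""Review .ndb-style signatures for the false-positive risk discussed above.

Added example; not code from the thread or from ClamAV. It reads the
documented Name:Target:Offset:HexSignature[:MinFL[:MaxFL]] layout and flags
target 0 (ANY FILE), short fixed patterns, and name/target disagreements.
Sample lines are constructed and carry no real detection content.
"""
import re

# Target type numbers as used in .ndb signatures (ClamAV signature docs)
TARGET_NAMES = {0: "ANY FILE", 1: "PE", 2: "OLE2", 3: "HTML", 4: "MAIL",
                5: "GRAPHICS", 6: "ELF", 7: "ASCII", 8: "UNUSED", 9: "MACH-O",
                10: "PDF", 11: "FLASH", 12: "JAVA"}
# Name prefix -> target type the name implies; an assumption of this check
PREFIX_TARGET = {"Java.": 12, "Pdf.": 10, "Html.": 3, "Win.": 1}


def parse_ndb_line(line: str) -> dict:
    """Split one .ndb line and count the bytes of fixed (non-wildcard) content."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not an .ndb line: {line!r}")
    name, target, offset, hexsig = parts[:4]
    # Approximate: drop {n-m} gaps, '*' and '?' nibble wildcards before counting
    fixed = re.sub(r"\{[^}]*\}|\*|\?", "", hexsig)
    return {"name": name, "target": int(target), "offset": offset,
            "hexsig": hexsig, "pattern_bytes": len(fixed) // 2}


def decode_pattern(hexsig: str):
    """Decode a plain hex pattern to text for display; None if it has wildcards."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexsig):
        return None
    return bytes.fromhex(hexsig).decode("ascii", errors="replace")


def review_signature(sig: dict, min_bytes: int = 16) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    target_name = TARGET_NAMES.get(sig["target"], "UNKNOWN")
    if sig["pattern_bytes"] < min_bytes:
        findings.append(f"pattern has only {sig['pattern_bytes']} fixed bytes")
    if sig["target"] == 0:
        findings.append("target 0 (ANY FILE): matches logs, mail and text as well")
    for prefix, expected in PREFIX_TARGET.items():
        if sig["name"].startswith(prefix) and sig["target"] != expected:
            findings.append(
                f"name implies target {expected} ({TARGET_NAMES[expected]}) "
                f"but the signature uses {sig['target']} ({target_name})")
    return findings


if __name__ == "__main__":
    # Constructed samples: a generic ANY-FILE string match and a tighter PE one
    for line in ("Java.Example.Generic-1:0:*:48656c6c6f576f726c64",
                 "Win.Example.Tight-1:1:*:4d5a" + "00" * 22 + ":63"):
        sig = parse_ndb_line(line)
        print(sig["name"], TARGET_NAMES[sig["target"]], decode_pattern(sig["hexsig"]))
        for finding in review_signature(sig) or ["no findings"]:
            print("  -", finding)
```

Applied to the decoded output Mark quotes (target ANY FILE, a pattern of one short string), the first two checks fire for exactly the reasons he gives, and the third would have pointed at target 12 for a Java class signature.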


Re: [clamav-users] Win.Trojan.Toa-5368540-0 - How many people need to complain before you listen?

2016-12-29 Thread Mark Allan

> On 29 Dec 2016, at 12:06 pm, Steve Basford  
> wrote:
> 
> In clamscan there is:
> 
> --official-db-only[=yes/no(*)]   Only load official signatures
> 
> in clamd.conf there is:
> 
> OfficialDatabaseOnly#Only loading official signatures.
> 
> I suppose there could be a:
> 
> --3rd-party-db-only=[=yes/no(*)]
> 
> and the same thing in clamd.conf.
> 
> but this may not then load safebrowsing.cvd.
> 
> You may also need to keep daily.ftm as that contains filetypes.

It seems a little overkill to add a new feature for this. Couldn't you just 
delete the cvd/cld file and prevent freshclam from running? Or better yet, 
write a wrapper around freshclam so the update still takes place and then 
unpack the cvd/cld file and delete the bits you don't want to keep.

Mark



Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Mark Allan

> On 23 Nov 2016, at 11:23 am, Al Varnell  wrote:
> 
> Sorry, I didn't realize that Html.Malware.Agent-1834906 was part of the 
> problem. It too was dropped in daily - 22584.

Oops, you're right. I must have copied and pasted that from the wrong list. 
Sorry.

> Also, Joel mentioned something about disabling an engine, but I don't really 
> know how that is accomplished and whether it's reported to us as part of a 
> daily.cdiff.

Difficult to know, but it doesn't look like it.  Scanning the same directory 
after updating via freshclam still shows the 23 remaining FPs.

Mark




Re: [clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-23 Thread Mark Allan
Thanks for dropping those 3, Joel, however there are still at least 24 
signatures causing problems:

Html.Malware.Agent-1835906
Txt.Malware.Agent-1835883
Txt.Malware.Agent-1835884
Txt.Malware.Agent-1835885
Txt.Malware.Agent-1835886
Txt.Malware.Agent-1835887
Txt.Malware.Agent-1835888
Txt.Malware.Agent-1835889
Txt.Malware.Agent-1835890
Txt.Malware.Agent-1835891
Txt.Malware.Agent-1835892
Txt.Malware.Agent-1835893
Txt.Malware.Agent-1835894
Txt.Malware.Agent-1835896
Txt.Malware.Agent-1835898
Txt.Malware.Agent-1835899
Txt.Malware.Agent-1835900
Txt.Malware.Agent-1835901
Txt.Malware.Agent-1835902
Txt.Malware.Agent-1835903
Txt.Malware.Agent-1835904
Txt.Malware.Agent-1835905
Txt.Malware.Agent-1838194
Txt.Malware.Agent-1838195

Given the vast majority of those are consecutive numbers, it looks like someone 
has uploaded the entire OpenLayers library and tried to report it as infected.

Best regards
Mark


> On 22 Nov 2016, at 9:42 pm, Al Varnell <alvarn...@mac.com> wrote:
> 
> I see that Daily - 22584 drops three of them:
> 
>   * Txt.Malware.Agent-1811885
> 
>   * Txt.Malware.Agent-1835895
> 
>   * Txt.Malware.Agent-1835897
> 
> -Al-
> 
> On Tue, Nov 22, 2016 at 11:17 AM, Maarten Broekman wrote:
>> 
>> I am seeing these mostly on files that comprise the OpenLayers library in
>> phpMyAdmin 4.
>> 
>> On Tue, Nov 22, 2016 at 2:11 PM, Joel Esler (jesler) <jes...@cisco.com>
>> wrote:
>> 
>>> Mark,
>>> 
>>> Thanks for the feedback, you are right, I am experiencing some high counts
>>> in the Txt.Malware.Agent family.
>>> 
>>> I’ve disabled this engine for now.
>>> 
>>> --
>>> Joel Esler | Talos: Manager | jes...@cisco.com
>>> 
>>> On Nov 22, 2016, at 12:02 PM, Mark Allan <markjal...@gmail.com> wrote:
>>> 
>>> Hi all,
>>> 
>>> I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7]
>>> containing a number of files which ClamAV incorrectly detects as various
>>> strains of Txt.Malware.Agent
>>> 
>>> My experience may be slightly skewed, but it seems that the rate of FPs
>>> has increased a lot lately, and they mostly appear to be being caused by
>>> hash-based signatures.  I'm wondering if this is related to Joel's recent
>>> admission that the signature generation process is almost entirely
>>> automated now.
>>> 
>>> Is it possible that someone is targeting ClamAV and reporting known-clean
>>> files as if they were infected?  To what end, I'm not sure, but I can't
>>> shake the feeling that something's not right...
>>> 
>>> Mark
>>> 
> 
> -Al-
> -- 
> Al Varnell
> Mountain View, CA
> 
> 
> 
> 

[clamav-users] FPs for Txt.Malware.Agent-XXXXX

2016-11-22 Thread Mark Allan
Hi all,

I've just submitted a zip file [MD5 ec585bf6626a5a3649726bde4e00a3f7] 
containing a number of files which ClamAV incorrectly detects as various 
strains of Txt.Malware.Agent

My experience may be slightly skewed, but it seems that the rate of FPs has 
increased a lot lately, and they mostly appear to be being caused by hash-based 
signatures.  I'm wondering if this is related to Joel's recent admission that 
the signature generation process is almost entirely automated now.

Is it possible that someone is targeting ClamAV and reporting known-clean files 
as if they were infected?  To what end, I'm not sure, but I can't shake the 
feeling that something's not right...

Mark



Re: [clamav-users] Issue with daily-22474

2016-11-07 Thread Mark Allan
Hi Joel,

Thanks for the explanation.  I'm still confused/surprised as to why such a 
large cdiff should cause freshclam to hang though.  What is the file size limit 
that freshclam can handle safely? Also, given the cdiff file was approximately 
the same size as the entire daily db, would it have been better simply to skip 
that cdiff, causing everyone to re-download a new daily.cvd?  Or is that not 
advisable for some reason?

Thanks.
Mark

> On 7 Nov 2016, at 1:58 pm, Joel Esler (jesler) <jes...@cisco.com> wrote:
> 
> Oh my, I apologize, it just dawned on me that I sent a note to the mirrors 
> list, but not to the users list.
> 
> A "larger than normal" cdiff to the Daily.cvd was published.  Unfortunately 
> with the timeline that we had to publish it, and my personal travel schedule, 
> I was not able to put out a note prior to it being published, but I wanted to 
> take a second to explain what happened.
> 
> The failure condition symptom in ClamAV was the message "LibClamAV Error: 
> mpool_malloc(): Attempt to allocate 8388608 bytes.", and was 
> documented as ClamAV bug 11647: 
> https://bugzilla.clamav.net/show_bug.cgi?id=11647.
> 
> This affects ClamAV versions before 0.98. There is a maximum mpool size limit 
> that was reached based on the total signatures combined in memory of ClamAV 
> holding the main and daily CVD.
> 
> Those versions of ClamAV are EOL, and we knew we wanted to continue to add 
> coverage for ClamAV users. We found a way to fit a smaller working signature 
> set within the memory limits for the unsupported older versions, while still 
> providing all signature content for supported and future versions. Therefore 
> many new signatures will be marked for ClamAV 0.98 and forward (flevel 
> increase) , and we have shifted a large number of signatures to allow prior 
> versions to load the smaller signature set.
> 
> We still strongly recommend that ClamAV users update their software in order 
> to get full coverage from ClamAV. We cannot change the hard limits of the old 
> versions, but from the comments on the mailing list and Bugzilla this should 
> smooth the upgrade path. For any users running into issues upgrading ClamAV, 
> look on the ClamAV Bugzilla for details. Several other tricky upgrade related 
> questions have already been raised and settled in the comment section.
> 
> Bottom line is, if you are using a version of ClamAV prior to 0.98.0 (0.97, 
> 0.96, etc) you need to upgrade _now_.
> 
> Please do not hesitate to ask me any questions concerning this.
> 
> Sent from my iPad
> 
> On Nov 7, 2016, at 6:52 AM, Mark Allan 
> <markjal...@gmail.com> wrote:
> 
> Hi folks,
> 
> Was "daily-22474.cdiff" supposed to be ~20MB in size? The freshclam binary 
> seems to hang whilst processing it, and if left long enough, you end up with 
> a corrupt daily.cld database.
> 
> I'm surprised no-one else has reported this here, so I'm wondering was it 
> only the UK mirrors that were affected? Has anyone any idea what went wrong?
> 
> Mark



[clamav-users] Issue with daily-22474

2016-11-07 Thread Mark Allan
Hi folks,

Was "daily-22474.cdiff" supposed to be ~20MB in size? The freshclam binary 
seems to hang whilst processing it, and if left long enough, you end up with a 
corrupt daily.cld database.

I'm surprised no-one else has reported this here, so I'm wondering was it only 
the UK mirrors that were affected? Has anyone any idea what went wrong?

Mark



[clamav-users] Win.Trojan.Agent-1771607 FP with sftp binary on macOS 10.12

2016-10-17 Thread Mark Allan
Hi all,

I've just reported this as an FP via the web form, but just so others are 
aware, ClamAV defs update 22376 detects a false positive for the 'sftp' binary 
that ships with macOS 10.12

Malware name: Win.Trojan.Agent-1771607
MD5 (/usr/bin/sftp) = 4eebcd77c25b8a5eb13de0ec6d8fb9d5

Best regards
Mark



Re: [clamav-users] Java.Malware.Agent-1756221 false positive still detected

2016-10-12 Thread Mark Allan
Hi Andy,

As this is more closely related to ClamXav rather than ClamAV, this request 
should be directed to ClamXav's support team at 
https://www.clamxav.com/contactus rather than here.

Regards
Mark

> On 12 Oct 2016, at 4:27 pm, Andy Keller wrote:
> 
> We’ve got the netty-all.jar that is the subject of a recent false positive 
> and subsequent fix: 
> https://www.clamxav.com/BB/viewtopic.php?f=1=4761=b5e35899ad6c2e6a132aa87031dc504c
> 
> However, despite updating our definitions via freshclam, this is still 
> hitting on that file. Has anyone else experienced something similar?  
> 


Re: [clamav-users] Suggestion: Need option to "Block Skipped Files" and Scan Summary to indicate "Skipped files"

2016-09-16 Thread Mark Allan
Hi Steve,

Sorry to hijack the thread, but as you've brought it up - is there an ETA for 
0.99.3?

Mark

> On 15 Sep 2016, at 4:02 pm, Steven Morgan wrote:
> 
> Hi,
> 
> There will be an option --block-max (clamd - BlockMax) in ClamAV 0.99.3.
> 
> Steve
> 
> On Thu, Sep 15, 2016 at 1:44 AM, Andy Schmidt wrote:
> 
>> Hi,
>> 
>> I didn't know if I was supposed to use the "Bug Reporting" system, as this
>> really is reporting an issue with how the software operates "as designed".
>> 
>> Currently, ClamAV will indicate whether an infected file was found - THAT
>> condition is non-ambiguous.
>> 
>> However, when ClamAV reports:
>> 
>> --- SCAN SUMMARY ---
>> Infected files: 0
>> 
>> It actually can be highly misleading.
>> 
>> If one of the scanned files exceeded some of the limits, such as:
>> 
>> MaxScanSize 150M
>> MaxFileSize 150M
>> #MaxRecursion 16
>> #MaxFiles 1
>> 
>> then the actual "infected" status of that file is completely unknown! The
>> end-user has no warning that the file was NOT virus-scanned!
>> 
>> May I respectfully suggest:
>> 
>> a) A config option "BlockSkipped yes"
>> (equivalent to the already existing "ArchiveBlockEncrypted yes").
>> This way, the user can opt to receive a specific message indicating which
>> limit prevented a file from being scanned, rather than being "lulled" into
>> thinking that everything is "A-OK".
>> An automated process that incorporates ClamAV would be able to take a
>> different path, e.g., require the user to scrutinize the file more
>> carefully.
>> 
>> b) An appropriate line in the SCAN SUMMARY, e.g.:
>> --- SCAN SUMMARY ---
>> Infected files: 0
>> Skipped files: 1
>> Time: 1.610 sec (0 m 1 s)
>> 
>> Thank you for giving this suggestion your consideration.
>> 
>> Best Regards
>> Andy Schmidt
>> 
>> 
>> 
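Andy's point in the thread above is that a file clamd refuses to open because of MaxFileSize is counted neither as infected nor as skipped, so "Infected files: 0" can mean "not looked at". Until the scanner reports that itself, the check can be done from the outside: read the limits from the clamd.conf fragment and list the files that fall over them. The script below is an added example written for this page, not ClamAV code. It assumes the K/M/G suffixes are binary multipliers (which is how I understand clamd's option parser treats them), that a value of 0 disables a limit as clamd.conf documents, and it only applies the per-file MaxFileSize: MaxScanSize, MaxFiles and MaxRecursion govern what clamd extracts from archives, and this script does not unpack anything. The sample directory and limits in `run_demo()` are constructed for the example.

```python
"""Flag files that clamd would skip under its size limits (added example, not ClamAV code)."""
import os
import re
import tempfile

_SIZE_RE = re.compile(r"^(\d+)\s*([KkMmGg]?)$")
# Assumption: K/M/G are binary multipliers, as clamd's option parser treats them.
_MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value: str) -> int:
    """Turn a clamd.conf size such as '150M' into bytes."""
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad size value: {value!r}")
    return int(m.group(1)) * _MULT[m.group(2).upper()]


def parse_limits(conf_text: str) -> dict:
    """Return {option: bytes} for the size limits set in clamd.conf-style text.

    Lines starting with '#' are comments, so '#MaxRecursion 16' leaves the
    compiled-in default in force.  A value of 0 disables the limit in
    clamd.conf, so it is returned as None.
    """
    limits = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("MaxFileSize", "MaxScanSize"):
            size = parse_size(parts[1])
            limits[parts[0]] = None if size == 0 else size
    return limits


def find_skipped(root: str, limits: dict) -> list:
    """List (path, size) for regular files larger than MaxFileSize.

    Only the per-file limit is checked: MaxScanSize, MaxFiles and MaxRecursion
    apply to what clamd extracts from archives, which this script does not unpack.
    """
    max_file = limits.get("MaxFileSize")
    if max_file is None:
        return []
    skipped = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            size = os.path.getsize(path)
            if size > max_file:
                skipped.append((path, size))
    return sorted(skipped)


def summary(infected: int, skipped: list) -> str:
    """The extra summary line Andy proposed, next to clamscan's own counter."""
    return f"--- SCAN SUMMARY ---\nInfected files: {infected}\nSkipped files: {len(skipped)}"


def run_demo() -> dict:
    """Constructed sample: two files under a deliberately small MaxFileSize."""
    conf = "MaxScanSize 150M\nMaxFileSize 4K\n#MaxRecursion 16\n"
    limits = parse_limits(conf)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "small.txt"), "wb") as f:
            f.write(b"A" * 100)
        with open(os.path.join(root, "big.iso"), "wb") as f:
            f.write(b"B" * (5 * 1024))          # 5 KiB: over the 4K limit, silently unscanned
        skipped = find_skipped(root, limits)
        return {
            "limits": limits,
            "skipped": [(os.path.basename(p), s) for p, s in skipped],
            "summary": summary(0, skipped),
        }


if __name__ == "__main__":
    report = run_demo()
    for path, size in report["skipped"]:
        print(f"NOT SCANNED (MaxFileSize): {path} ({size} bytes)")
    print(report["summary"])
```

Run it against the same directory you hand to clamscan or clamdscan, with the limits copied from the clamd.conf (or the `--max-filesize` value) actually in use; anything it lists needs a decision outside the scanner, because "Infected files: 0" says nothing about those files.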


Re: [clamav-users] clamscan not obeying the --exclude-dir directives

2016-06-14 Thread Mark Allan
Hi Adam,

Are you producing that clamscan invocation yourself? If not, and it's coming 
from something produced by ClamXav, then you should direct your question to the 
official support channel for ClamXav which can be found at 
https://www.clamxav.com/contactus

Regards
Mark

> On 14 Jun 2016, at 1:33 pm, Adam Lininger wrote:
> 
> I run clamAV on my Mac Book (installed via clamXav). It seems to be not
> entirely obeying the --exclude and --exclude-dir flags.
> 
> I have a directory (/media/binstore) which is an sshfs mount from another
> server. I want to exclude scanning this directory to avoid excess network
> traffic. While clamscan never reports a virus in that directory, it is
> opening and reading the files in that directory. How can this be avoided?
> 
> 
> Clamscan invocation (from ps):
> /usr/local/clamXav/bin/clamscan -ri --quiet
> --log=/Users/alininge/Library/Logs/clamXav-scan.log --scan-mail=no
> --phishing-scan-urls=no --exclude="/opt/local/msf/"
> --exclude-dir="/opt/local/msf/" --exclude="/media/" --exclude-dir="/media/"
> --exclude="/media/binstore" --exclude-dir="/media/binstore"
> --exclude=^/Volumes --exclude=^/dev --exclude-dir=^/Volumes
> --exclude-dir=^/dev /
> 
> Thanks,
> Adam Lininger


[clamav-users] Manually applying cdiff files

2016-05-31 Thread Mark Allan
Hi all,

For a number of reasons (which I won't bore you with but can go into if 
necessary!) I'm trying to apply the cdiff update files manually to daily.cvd 
daily.cld but I can't seem to get it right.

The sigtool man page only got me half-way there, the mailing list archives got 
me a bit further but after repacking the db, I get a bunch of errors.  Here's 
what I've done so far.

mkdir /tmp/cvd
cd /tmp/cvd
sigtool --unpack-current=daily
sigtool --run-cdiff=../daily-21643.cdiff
sigtool -b daily.cld --unsigned --flevel 63
WARNING: build: Signatures in daily db files: 202849, loaded by 
libclamav: 203452
Total sigs: 203452
New sigs: 5746
Builder name: Mark Allan
Created daily.cld

That all *appears* to work OK (i.e. no errors), but I'm unable to verify the 
resulting cld file with sigtool:

sigtool -i daily.cld 
File: daily.cld
Build time: 31 May 2016 10:49 +0100
Version: 21638
Signatures: 203452
Functionality level: 63
Builder: Mark
LibClamAV Error: cli_loadinfo: Digital signature not found
LibClamAV Error: Can't load daily.info: Malformed database
LibClamAV Error: cli_tgzload: Can't load daily.info
ERROR: cvdinfo: Verification: Malformed database

I understand that it can't find the digital signature because I asked for 
--unsigned, but surely the rest ought to work regardless?

If I let 'freshclam' do the update, it verifies OK
sigtool -i daily.cld
Build time: 31 May 2016 01:20 -0400
Version: 21643
Signatures: 203452
Functionality level: 63
Builder: neo
Verification OK.

I guess I'm missing something, but I can't see it.

On a related note, how is freshclam able to create the cld file with a digital 
signature from cdiffs, and can I do the same?

Many thanks
Mark

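The fields `sigtool -i` prints above come straight from the container header. A .cvd or .cld is a fixed 512-byte ASCII header, `ClamAV-VDB:<build time>:<version>:<signatures>:<flevel>:<md5>:<dsig>:<builder>:<stime>`, followed by a gzipped tar of the database files; the MD5 is over everything after the header, and the dsig is Talos's RSA signature over that MD5, which is why a locally built file has to be `--unsigned` and why a .cld produced from cdiffs carries `X` in both fields. That also explains the error Mark hit: libclamav does not verify a .cld by its outer header but by the signed `.info` manifest inside the archive, and a hand-built one does not have a valid signature there. The script below is an added example written for this page, not ClamAV or sigtool code. It parses the header, checks the payload MD5 where one is present, checks the functionality level against an engine level (the flevel gate Joel describes in the daily-22474 thread), and lists the archive members; it does not reproduce the RSA check, which needs ClamAV's public key. The hour-minute separator in the build time field is a `-` (sigtool prints it as `:`), and `build_cvd()` exists only to make a constructed sample.

```python
"""Parse and check a ClamAV .cvd/.cld container (added example, not ClamAV code)."""
import hashlib
import io
import tarfile
from dataclasses import dataclass

HEADER_LEN = 512  # fixed-size ASCII header, padded to 512 bytes


@dataclass
class CvdHeader:
    build_time: str   # e.g. "31 May 2016 10-49 +0100"; '-' between hour and minute keeps ':' free
    version: int
    signatures: int
    flevel: int       # minimum libclamav functionality level needed to load this database
    md5: str          # MD5 of everything after the header, or "X" when absent (.cld)
    dsig: str         # RSA signature over that MD5 made with Talos's private key, or "X"
    builder: str
    stime: str        # build time as a Unix timestamp


def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Split the 512-byte header into its colon-separated fields."""
    if len(raw) < HEADER_LEN:
        raise ValueError("shorter than a CVD header")
    text = raw[:HEADER_LEN].rstrip(b"\0 \r\n").decode("ascii")
    if not text.startswith("ClamAV-VDB:"):
        raise ValueError("missing ClamAV-VDB magic")
    f = text.split(":")
    if len(f) < 9:
        raise ValueError(f"expected 9 header fields, got {len(f)}")
    return CvdHeader(f[1], int(f[2]), int(f[3]), int(f[4]), f[5], f[6], f[7], f[8])


def verify_cvd(raw: bytes, engine_flevel: int) -> dict:
    """Check what can be checked offline: payload MD5, flevel gate, archive members.

    md5_ok is None when the header carries no hash (a .cld), so there is nothing
    at this layer to verify; the real check then rests on the signed .info inside.
    """
    hdr = parse_cvd_header(raw)
    payload = raw[HEADER_LEN:]
    report = {
        "version": hdr.version,
        "signatures": hdr.signatures,
        "flevel": hdr.flevel,
        "loadable": hdr.flevel <= engine_flevel,
        "md5_ok": None if hdr.md5 == "X" else hashlib.md5(payload).hexdigest() == hdr.md5.lower(),
        "dsig_present": hdr.dsig != "X",
        "members": [],
    }
    if report["md5_ok"] is False:
        return report  # do not unpack a payload whose hash already fails
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
        report["members"] = sorted(m.name for m in tar.getmembers())
    return report


def build_cvd(members: dict, version: int, flevel: int, signed: bool) -> bytes:
    """Assemble a container in the same layout; used here only for a constructed sample.

    'signed' fills in the payload MD5; the RSA dsig field is always "X" because
    only Talos holds the key that produces a real one.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    nsigs = sum(len(d.splitlines()) for n, d in members.items() if not n.endswith(".info"))
    md5 = hashlib.md5(payload).hexdigest() if signed else "X"
    header = f"ClamAV-VDB:31 May 2016 10-49 +0100:{version}:{nsigs}:{flevel}:{md5}:X:example:1464688140"
    return header.encode("ascii").ljust(HEADER_LEN, b"\0") + payload


if __name__ == "__main__":
    # Constructed sample: one .hdb line (the EICAR test file's md5:size:name).
    sample = {"daily.hdb": b"44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature\n"}
    print(verify_cvd(build_cvd(sample, version=21643, flevel=63, signed=True), engine_flevel=63))
```

To look at a real file, read it as bytes and call `verify_cvd(data, engine_flevel)` with the functionality level `clamscan --version` reports for your engine; a `loadable` of False is the situation Joel describes, where newer signatures are marked with a higher flevel so that old engines load a smaller set.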


Re: [clamav-users] Eicar test string now returning Win.Trojan.Trojan-605

2016-03-20 Thread Mark Allan
Just to confirm, I'm also seeing everything being flagged as 
Win.Trojan.Trojan-476 with the new main/daily.cvd files.

Mark

> On 17 Mar 2016, at 6:49 am, Al Varnell wrote:
> 
> I just ran a scan against the ClamAV test files contained in the 0.99.1 
> source file and I’m getting all Win.Trojan.Trojan-476:
> 
> File Name Infection Name  Status
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/unit_tests/clam-phish-exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.cab 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.zip 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.arj 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.rtf 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.szdd
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tar.gz  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.chm 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.sis 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-aspack.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-pespin.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upx.exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-fsg.exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-mew.exe 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-nsis.exe
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-petite.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-upack.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-wwpack.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.pdf 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.mail
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ppt 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.tnef
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea05.exe
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ea06.exe
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.d64.zip 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.base64 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.mbox.uu 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.binhex  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.ole.doc 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.impl.zip
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.exe.html
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-be.cpio 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.bin-le.cpio 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.newc.cpio   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.odc.cpio
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-yc.exe  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_int.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_IScab_ext.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_int.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_ISmsi_ext.exe   
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.7z  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam_cache_emax.tgz  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam.iso 
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clamjol.iso  
> Win.Trojan.Trojan-476   
> /Users/avarnell/Desktop/•Download/clamav-0.99.1/test/clam-v2.rar  
> Win.Trojan.Trojan-476   
> 

Re: [clamav-users] FYI clamdmon not working - due to change in Eicar name

2016-03-18 Thread Mark Allan
Hopefully this is just a bug as the eicar test file isn't really a "win" test; 
it's just a text file.  I imagine many people will have scripts and test 
routines set up which expect the name "Eicar-Test-Signature" - I know I do!

Is there any way this can be changed back or does everyone have to update their 
test cases?

Mark

> On 17 Mar 2016, at 7:56 am, Mark Moshe Kaye wrote:
> 
> Hi all,
> 
> I use the clamdmon utility for monitoring the health of my clamd daemon.
> 
> Since receiving the new main, daily, and bytecode this evening my clamdmon is 
> no longer working.
> 
> I found the source code for clamdmon which shows the issue. The code is 
> looking for a "Eicar-Test-Signature" string which is now 
> "Win.Test.EICAR_NDB-1". As soon as I hacked the clamdmon code and recompiled 
> it works as it did previously.
> 
> so:
> 1) FYI in case you use clamdmon as i do!
> 2) Can I rely that Win.Test.EICAR_NDB-1 is the new name going forward or is 
> this likely to change back to Eicar-Test-Signature?
> 
> Thank you,
> ~Moshe
> 


Re: [clamav-users] ClamAV® blog: ClamAV will release a new main.cvd and daily.cvd this weekend.

2016-03-10 Thread Mark Allan
Will the update to main.cvd be distributed as .cdiff files or will every user 
have to download the main.cvd file in its entirety?

Mark

> On 9 Mar 2016, at 10:45 pm, Joel Esler (jesler) wrote:
> 
> Correct.
> 
> --
> Joel Esler
> Manager, Talos Group
> 
> 
> On Mar 9, 2016, at 5:30 PM, Al Varnell wrote:
> 
> My Main.cvd (compressed) is only 64.7M so I would have to guess that the 
> majority of the current Daily will be added to Main which making it ~100M 
> compressed.
> 
> -Al-
> 
> On Wed, Mar 09, 2016 at 01:36 PM, Benny Pedersen wrote:
> 
> On 8. mar. 2016 04.00.59 "Joel Esler (jesler)" wrote:
> 
> http://blog.clamav.net/2016/03/clamav-will-release-new-maincvd-and.html
> The estimated size of these files are 100 MB and 10 MB respectively.
> 
> Daily 115M
> Main 156M
> Bytecode 402K
> 
> All in uncompressed size, so the estimated is compressed?




Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Mark Allan

> On 18 Feb 2016, at 3:28 pm, Joel Esler (jesler) wrote:
> 
> 
> Bottom posting with Mail.app now.
> 
> Yeah, it’s how I did it that was the problem.  I tried to make the email nice 
> and neat, and Mail.app (prior to…  I’d say..  Yosemite?) dealt with how I did 
> it fine.  But ever since they did the rewrite  of the three pane/conversation 
> based layout, it doesn’t work correctly.

If you go to the Mail menu -> Preferences -> Viewing, there's an option to 
toggle between the new and classic layouts.  Sounds like maybe you prefer the 
Classic view.

Mark


Re: [clamav-users] How can Clam/Cisco be so irresponsibly reckless and nonchalant to Windows users?

2016-02-18 Thread Mark Allan

> On 17 Feb 2016, at 11:21 pm, Joel Esler (jesler) wrote:
> 
> For my, I use Mail.app the majority of the time.  Apparently if I delete 
> lines and inline reply like I do in Thunderbird, Mail.app just tells me to 
> eat dust and unthreads the whole thing.  Guess I should file a bug with Apple.

That's strange. I use Mail.app as well, and as far as I'm aware, there's never 
been a problem replying to emails and keeping the threading and quoted text.

If you change something and a chunk of text gets unquoted (or your reply gets 
quoted accidentally) you can hit cmd-' to increase or cmd-opt-' to decrease the 
quote level.

Mark



Re: [clamav-users] ClamAV FP/Malware Submissions

2016-02-17 Thread Mark Allan
Thanks Joel.

Do we need to resubmit the FPs we submitted over the last week-or-so, or did 
you actually receive them OK?

Mark

> On 16 Feb 2016, at 11:48 pm, Joel Esler (jesler) wrote:
> 
> It appears that we have resolved the issue with FP/Malware submissions on 
> ClamAV.net.  We apologize for any error and inconvenience.
> 
> Please let me know if you encounter any other errors.
> 
> --
> Joel Esler
> Manager, Talos Group
> 
> 
> 
> 


[clamav-users] Win.Trojan.Ramnit FPs

2016-02-15 Thread Mark Allan
I'm still getting the email saying "your sample was empty", so I'm posting here 
too.

The Ramnit series of sigs is hitting a bunch of files which have been resident 
on users' HDs and scanned as clean for many years. VT also reports ClamAV as 
the only vendor detecting an infection. To clear the infections, I'm having to 
add the following sig names in an ign2 file.

Win.Trojan.Ramnit-7261
Win.Trojan.Ramnit-7262
Win.Trojan.Ramnit-7263
Win.Trojan.Ramnit-7264
Win.Trojan.Ramnit-7265
Win.Trojan.Ramnit-7173
Win.Trojan.Ramnit-7174
Win.Trojan.Ramnit-7175
Win.Trojan.Ramnit-7176

Hashes of the samples I uploaded are:
f3c174edcbaef7cb947d6357cdfde7ff:422912:m3jp2k32.dll
881c86b65b44d8033575a402a2aa1ab1:454656:vsshdsd.dll

Cheers
Mark

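Two local mechanisms are in play in Mark's post. An `.ign2` file lists signature names, one per line, and switches each of them off for every file the engine sees. The hashes he posted are already in the `md5:size:name` format that ClamAV uses both for `.hdb` (detect this file) and `.fp` (treat this exact file as clean), so the same line can go into a local `.fp` to suppress a false positive for one verified file without disabling the signature for everything else. The script below is an added example written for this page, not ClamAV code: it reads the `<path>: <signature> FOUND` lines clamscan/clamdscan print, takes the set of files a human has confirmed clean, emits `.fp` entries for those, and emits an `.ign2` name only when every file a signature hit is in the confirmed-clean set. The file names `local.fp` and `local.ign2` are my choice (ClamAV loads any file with those extensions from its database directory), and the DLLs and log in `run_demo()` are constructed for the example.

```python
"""Turn triaged clamscan false positives into local.fp / local.ign2 entries (added example, not ClamAV code)."""
import hashlib
import os
import re
import tempfile

# clamscan/clamdscan report detections as "<path>: <signature> FOUND"
_FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found_lines(output: str) -> list:
    """Return (path, signature) for every FOUND line; OK / Empty file lines are ignored."""
    hits = []
    for line in output.splitlines():
        m = _FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def fp_entry(path: str) -> str:
    """md5:size:name, the line format shared by ClamAV's .hdb (detect) and .fp (whitelist) files."""
    with open(path, "rb") as f:
        data = f.read()
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{os.path.basename(path)}"


def build_suppressions(hits: list, confirmed_clean: set) -> tuple:
    """Return (fp_lines, ign2_names).

    An .fp entry neutralises detection for that exact file only (and only for
    those bytes: a rebuilt DLL needs a new entry).  An .ign2 name switches the
    signature off for every file, so it is emitted only when everything the
    signature hit is in confirmed_clean.
    """
    by_sig = {}
    fp_lines = set()
    for path, sig in hits:
        by_sig.setdefault(sig, set()).add(path)
        if path in confirmed_clean:
            fp_lines.add(fp_entry(path))
    ign2 = sorted(sig for sig, paths in by_sig.items() if paths <= confirmed_clean)
    return sorted(fp_lines), ign2


def write_databases(dbdir: str, fp_lines: list, ign2: list) -> None:
    """Write local.fp / local.ign2 into a database directory; clamd picks them up on reload."""
    with open(os.path.join(dbdir, "local.fp"), "w") as f:
        f.write("".join(line + "\n" for line in fp_lines))
    with open(os.path.join(dbdir, "local.ign2"), "w") as f:
        f.write("".join(name + "\n" for name in ign2))


def run_demo() -> dict:
    """Constructed sample: two DLLs, one verified clean, one not, and a constructed scan log."""
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "m3jp2k32.dll")
        unknown = os.path.join(root, "dropper.dll")
        with open(clean, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)       # 64 bytes of constructed content
        with open(unknown, "wb") as f:
            f.write(b"MZ" + b"\x90" * 62)
        log = (f"{clean}: Win.Trojan.Ramnit-7261 FOUND\n"
               f"{unknown}: Win.Trojan.Ramnit-7262 FOUND\n"
               f"{clean}: Win.Trojan.Ramnit-7262 FOUND\n"
               f"{root}/other.txt: OK\n")
        hits = parse_found_lines(log)
        fp_lines, ign2 = build_suppressions(hits, {clean})   # only m3jp2k32.dll was verified
        write_databases(root, fp_lines, ign2)
        return {"hits": len(hits), "fp": fp_lines, "ign2": ign2,
                "files": sorted(n for n in os.listdir(root) if n.startswith("local."))}


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run, Win.Trojan.Ramnit-7262 also hit the unverified `dropper.dll`, so it does not go into the `.ign2`; only the verified file gets an `.fp` line. Point clamscan at the directory with `-d`, or put the files next to daily.cld and run `clamdscan --reload`, and keep the `.fp` list under review, because a hash whitelist bypasses every signature for that file.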


Re: [clamav-users] Successfully processed

2016-02-15 Thread Mark Allan
Hi,

I've been getting this for a few days. The first time I received it, the rogue 
sig was removed from the DB shortly afterwards, so I assumed* it worked OK and 
that it was just a bug in the code that composes the email response.

Mark
* yes, yes I know what assuming does to U and me.

> On 15 Feb 2016, at 2:14 am, Gerald Venzl wrote:
> 
> Hi all,
> 
> Since yesterday I try to submit a JavaScript malware sample but I always
> get that the sample is empty, see below.
> Does that mean that the file upload wasn't successful (which the webpage
> clearly indicates it was, otherwise I wouldn't be able to submit) or does
> that mean that it didn't find anything?
> 
> There clearly is a JavaScript Trojan in the file that gets detected by
> Kaspersky and by Defender.
> 
> Thanks,
> 
> Gerald
> 
> -- Forwarded message --
> From: 
> Date: Sun, Feb 14, 2016 at 5:57 PM
> Subject: Successfully processed
> To: gerald.ve...@gmail.com
> 
> 
> Hello Gerald Venzl,
> 
> Below are the results of your submission report.
> 
> *ClamAV Virus Database*
> 
> 
> 
> --
> Result:
> 
> 
> The sample is empty.
> 
> Please correct the above errors and retry.
> Thank you for helping the ClamAV project.
> 
> 
> 
> --
> Back
> 
> to ClamAV
> 
> 
> 
> Thanks,
> 
> *The Detection Response Team*


Re: [clamav-users] Urgent: Php.Exploit.CVE_2015_2331-3 FP

2015-08-27 Thread Mark Allan
Hi Alain,

I've just submitted a small selection of the files being tagged as infected.

Regards
Mark

> On 27 Aug 2015, at 11:09 am, Alain Zidouemba azidoue...@sourcefire.com wrote:
> 
> Al,
> 
> I will be pulling the signature shortly. Could you please submit a few of
> the files that are alerting here: http://www.clamav.net/report/report-fp.html ?
> 
> Thanks,
> 
> - Alain
> 
> On Wed, Aug 26, 2015 at 11:21 PM, Al Varnell alvarn...@mac.com wrote:
> 
>> Two Mac users so far are reporting a flood of files identified as being
>> infected with Php.Exploit.CVE_2015_2331.  Most of those files are
>> components of OS X and its Unix subsystem.
>> 
>> Although I have verified that the signature is present in the current
>> database, I am unable to locate it in the clamav-virusdb e-mails I have, so it
>> must have been in daily 20840 which I did not receive this afternoon.
>> 
>> I urge you to whitelist this at your earliest convenience before permanent
>> damage is suffered by users who mistakenly quarantine or delete these files.
>> 
>> -Al-


Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!

2014-05-22 Thread Mark Allan
Hi,

I've asked the user to recompile with the options below and provide feedback.  
OS X uses llvm instead of gcc, which means using lldb instead of gdb, so 
hopefully I've given him the correct command to provide a stack trace!

He said it's likely to be the weekend before he gets a chance to do it though.

I'll feed the results back here as soon as he manages to do something.

Mark

On 20 May 2014, at 08:13 pm, Steven Morgan smor...@sourcefire.com wrote:

 Hi,
 
 It would help a lot and eliminate much guesswork if someone who has this
 problem could build a debug version of clamav, as in:
 
 ./configure --enable-debug [other flags] CFLAGS='-g -O0'
 
 and reproduce the problem with clamd running under gdb (sudo gdb clamd)
 with the clamd.conf statement:
 
 Foreground yes
 
 When the crash occurs, obtain the stack trace(bt) and also print(p)
 relevant variable values surrounding the crash location.
 
 Either that, or send in some files that we can use to reproduce the problem.
 
 Thanks,
 Steve
 
 
 On Tue, May 20, 2014 at 1:54 PM, Al Varnell alvarn...@mac.com wrote:
 
 I think there may be some confusion here.  There have been three users
 report crashed clamd with Thunderbird, but I believe the INBOX files
 concerned were all less than the 25MB limit at the time.  In my case, I had
 never used Thunderbird and installed it simply for test purposes.  So as
 the INBOX was growing there were many scans required as new messages
 flooded in which resulted in multiple clamdscan processes being spawned
 against that same INBOX mailbox.  That’s when the clamd crash occurred
 leaving a could of clamdscan processes running at high CPU usage.  After
 the INBOX grew to 1.15GB and clamd was restarted, there were no more
 crashes, but the logs show no more scans of the INBOX which is consistent
 with the 25MB limit.
 
 At least one of the other two users has four accounts with INBOX files
 below 25MB.  Both that user and myself are still using 0.98.3.
 
 The third user compiled and ran his own copy of 0.98.4rc1 and is still
 seeing clamd crashes and high CPU usage daily.  He has not yet reported the
 size or number of INBOX files he has and as Mark said, has been asked to
 supply his crash log.
 
 My theory is that it’s the initial flood of messages at Thunderbird
 startup that’s initiating this and not my huge INBOX.
 
 
 -Al-
 --
 Al Varnell
 Mountain View, CA
 
 On May 20, 2014, at 6:14 AM, Shawn Webb sw...@sourcefire.com wrote:
 
 Hey Mark,
 
 Is there a way you could get me the sample?
 
 Thanks,
 
 Shawn
 
 
 On Tue, May 20, 2014 at 6:49 AM, Mark Allan markjal...@blueyonder.co.uk
 wrote:
 
 I may have been a bit hasty with this.  It appears there's another issue
 with clamd.
 
 I'm receiving reports of clamd crashing when attempting to parse email
 in
 an incredibly large (1.15 GB) Thunderbird mailbox file.
 
 This particular report is from 0.98.3, but the user is reporting it
 still
 happens when testing against 0.98.4-rc1.  I'll attempt to get a crash
 log
 from the user.
 
 Exception Type: EXC_BAD_ACCESS (SIGSEGV)
 Exception Codes: KERN_INVALID_ADDRESS at 0x000117ff
 
 Thread 2 Crashed:
 0 libclamav.6.dylib 0x00010004fa6c parseEmailBody + 4668
 1 libclamav.6.dylib 0x00010004d701 cli_mbox + 1057
 2 libclamav.6.dylib 0x000100048b97 cli_scanmail + 119
 3 libclamav.6.dylib 0x000100044349 magic_scandesc + 8537
 4 libclamav.6.dylib 0x000100042142 cli_base_scandesc + 242
 5 libclamav.6.dylib 0x000100046360 scan_common + 416
 6 libclamav.6.dylib 0x0001000465d8 cl_scanfile_callback + 88
 7 clamd 0x0001c62d scan_callback + 749
 8 libclamav.6.dylib 0x0001006c966c handle_entry + 252
 9 libclamav.6.dylib 0x0001006c9388 cli_ftw + 424
 10 clamd 0x00017363 command + 1331
 11 clamd 0x0001bd38 scanner_thread + 56
 12 clamd 0x0001918a thrmgr_worker + 938
 13 libsystem_c.dylib 0x7fff8cb7b772 _pthread_start + 327
 14 libsystem_c.dylib 0x7fff8cb681a1 thread_start + 13
 
 I'm aware the offsets won't be too useful, but at least the method names
 ought to help I think.
 
 Mark
 
 On 16 May 2014, at 03:03 pm, Mark Allan markjal...@gmail.com wrote:
 
 All works fine for me on OS X 10.6 - 10.9.
 
 For info, compiled on 10.9.2 with support for 10.6 onwards.
 
 CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop \
 --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
 
 Mark
 
 On 16 May 2014, at 02:01 pm, Joel Esler (jesler) jes...@cisco.com
 wrote:
 
 http://blog.clamav.net/2014/05/clamav-0984rc1-is-now-available.html
 
 ClamAV 0.98.4rc1 is now available for download.  Shown below are the
 notes concerning this release:
 
 
 0.98.4rc1
 --
 
 ClamAV 0.98.4 is a bug fix release. The following issues are now
 resolved:
 
 - Various build problems on Solaris

Re: [clamav-users] [Clamav-devel] ClamAV®: ClamAV 0.98.4rc1 is now available!

2014-05-20 Thread Mark Allan
I may have been a bit hasty with this.  It appears there's another issue with 
clamd.

I'm receiving reports of clamd crashing when attempting to parse email in an 
incredibly large (1.15 GB) Thunderbird mailbox file.

This particular report is from 0.98.3, but the user is reporting it still 
happens when testing against 0.98.4-rc1.  I'll attempt to get a crash log from 
the user.

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000117ff

Thread 2 Crashed:
0 libclamav.6.dylib 0x00010004fa6c parseEmailBody + 4668
1 libclamav.6.dylib 0x00010004d701 cli_mbox + 1057
2 libclamav.6.dylib 0x000100048b97 cli_scanmail + 119
3 libclamav.6.dylib 0x000100044349 magic_scandesc + 8537
4 libclamav.6.dylib 0x000100042142 cli_base_scandesc + 242
5 libclamav.6.dylib 0x000100046360 scan_common + 416
6 libclamav.6.dylib 0x0001000465d8 cl_scanfile_callback + 88
7 clamd 0x0001c62d scan_callback + 749
8 libclamav.6.dylib 0x0001006c966c handle_entry + 252
9 libclamav.6.dylib 0x0001006c9388 cli_ftw + 424
10 clamd 0x00017363 command + 1331
11 clamd 0x0001bd38 scanner_thread + 56
12 clamd 0x0001918a thrmgr_worker + 938
13 libsystem_c.dylib 0x7fff8cb7b772 _pthread_start + 327
14 libsystem_c.dylib 0x7fff8cb681a1 thread_start + 13

I'm aware the offsets won't be too useful, but at least the method names ought 
to help I think.

Mark

On 16 May 2014, at 03:03 pm, Mark Allan markjal...@gmail.com wrote:

 All works fine for me on OS X 10.6 - 10.9.
 
 For info, compiled on 10.9.2 with support for 10.6 onwards.
 
 CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop \
 --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
 
 Mark
 
 On 16 May 2014, at 02:01 pm, Joel Esler (jesler) jes...@cisco.com wrote:
 
 http://blog.clamav.net/2014/05/clamav-0984rc1-is-now-available.html
 
 ClamAV 0.98.4rc1 is now available for download.  Shown below are the notes 
 concerning this release:
 
 
 0.98.4rc1
 --
 
 ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:
 
 - Various build problems on Solaris, OpenBSD, AIX.
 
 - Crashes of clamd on Windows and Mac OS X platforms when reloading
 the virus signature database.
 
 - Infinite loop in clamdscan when clamd is not running.
 
 - Freshclam failure on Solaris 10.
 
 - Buffer underruns when handling multi-part MIME email attachments.
 
 - Configuration of OpenSSL on various platforms.
 
 
 
 ClamAV 0.98.4rc1 is available for download here: 
 http://sourceforge.net/projects/clamav/files/RC/clamav-0.98.4-rc1/.  Please 
 download, test, and provide feedback to the mailing list here:
 
 http://lists.clamav.net/mailman/listinfo/clamav-users

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
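Reports like the one above arrive from several users with different load addresses, and what actually lets a maintainer match them up is the symbol at the top of the crashed thread. The following is an added example, not code from this thread or from ClamAV: it parses the crash-reporter layout pasted above (frame index, binary image, address, symbol + offset, optional file:line) and keys each report by the innermost frame inside libclamav so that reports sharing a fault site can be grouped. The first sample is a constructed copy of the frames quoted in the mail; the second is a constructed excerpt in the older tab-separated layout with C++ symbols that also appears in this archive. The bucket-key format is the example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the frames quoted in the report above, as the archive shows them.
SAMPLE_CRASH_LOG = """\
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000117ff

Thread 2 Crashed:
0 libclamav.6.dylib 0x00010004fa6c parseEmailBody + 4668
1 libclamav.6.dylib 0x00010004d701 cli_mbox + 1057
2 libclamav.6.dylib 0x000100048b97 cli_scanmail + 119
3 libclamav.6.dylib 0x000100044349 magic_scandesc + 8537
4 libclamav.6.dylib 0x000100042142 cli_base_scandesc + 242
5 libclamav.6.dylib 0x000100046360 scan_common + 416
6 libclamav.6.dylib 0x0001000465d8 cl_scanfile_callback + 88
7 clamd 0x0001c62d scan_callback + 749
8 libclamav.6.dylib 0x0001006c966c handle_entry + 252
9 libclamav.6.dylib 0x0001006c9388 cli_ftw + 424
10 clamd 0x00017363 command + 1331
11 clamd 0x0001bd38 scanner_thread + 56
12 clamd 0x0001918a thrmgr_worker + 938
13 libsystem_c.dylib 0x7fff8cb7b772 _pthread_start + 327
14 libsystem_c.dylib 0x7fff8cb681a1 thread_start + 13
"""

# Constructed excerpt in the older tab-separated layout: C++ symbols with spaces, file:line info.
SAMPLE_PPC_EXCERPT = """\
Thread 0 Crashed:
0   libSystem.B.dylib   0x973b0b50 __kill + 12
3   libclamav.6.dylib \t0x00e391c8 llvm::PPCJITInfo::relocate(void*, llvm::MachineRelocation*, unsigned int, unsigned char*) + 328
13  libclamav.6.dylib \t0x00b1b378 cli_bytecode_prepare + 40 (bytecode.c:1921)
"""

EXC_TYPE_RE = re.compile(r"^Exception Type:\s*(\S+)(?:\s*\((\w+)\))?")
EXC_CODE_RE = re.compile(r"^Exception Codes:\s*(\S+)(?:\s+at\s+(0x[0-9a-fA-F]+))?")
THREAD_RE = re.compile(r"^Thread\s+(\d+)\s+Crashed:")
# index, image, address, then a symbol that may contain spaces, "+ offset", optional "(file:line)"
FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<image>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?)\s*\+\s*(?P<offset>\d+)(?:\s*\((?P<loc>[^)]+)\))?\s*$"
)

@dataclass
class Frame:
    index: int
    image: str                       # binary image (libclamav.6.dylib, clamd, ...)
    address: int
    symbol: str
    offset: int                      # bytes past the symbol start
    location: Optional[str] = None   # "file.c:line" when the build had debug info

@dataclass
class CrashReport:
    exception_type: Optional[str] = None
    signal: Optional[str] = None
    exception_code: Optional[str] = None
    fault_address: Optional[int] = None
    crashed_thread: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)

def parse_crash_log(text: str) -> CrashReport:
    """Collect exception info and the backtrace of the thread marked 'Crashed'."""
    report, in_crashed = CrashReport(), False
    for line in text.splitlines():
        if (m := EXC_TYPE_RE.match(line)):
            report.exception_type, report.signal = m.group(1), m.group(2)
        elif (m := EXC_CODE_RE.match(line)):
            report.exception_code = m.group(1)
            report.fault_address = int(m.group(2), 16) if m.group(2) else None
        elif (m := THREAD_RE.match(line)):
            report.crashed_thread, in_crashed = int(m.group(1)), True
        elif in_crashed:
            if not line.strip() or line.startswith("Thread"):
                in_crashed = False   # the crashed thread's frames end at a blank line or next thread
            elif (m := FRAME_RE.match(line)):
                report.frames.append(Frame(int(m["idx"]), m["image"], int(m["addr"], 16),
                                           m["symbol"], int(m["offset"]), m["loc"]))
    return report

def innermost_frame_in(report: CrashReport, image: str) -> Optional[Frame]:
    """Innermost frame inside one binary image: where in that image the fault happened."""
    return next((f for f in report.frames if f.image == image), None)

def symbols_in(report: CrashReport, image: str) -> List[str]:
    """Symbols of every frame inside one image, innermost first: the code path through it."""
    return [f.symbol for f in report.frames if f.image == image]

def bucket_key(report: CrashReport, image: str = "libclamav.6.dylib") -> str:
    """Grouping key so several users' reports of one crash land together.
    The '<exception>/<signal>:<image>!<symbol>' shape is this example's own choice."""
    top = innermost_frame_in(report, image)
    where = f"{top.image}!{top.symbol}" if top else f"<no frame in {image}>"
    return f"{report.exception_type}/{report.signal}:{where}"
```

Run on the sample, `bucket_key` gives `EXC_BAD_ACCESS/SIGSEGV:libclamav.6.dylib!parseEmailBody`, and `symbols_in` shows the path through libclamav as parseEmailBody, cli_mbox, cli_scanmail, magic_scandesc and onward, which is the mail-parsing route a large Thunderbird mailbox exercises. Offsets past a symbol are only comparable between identical builds, so the key deliberately uses the symbol and not the offset.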


Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!

2014-05-20 Thread Mark Allan
Hi Shawn,

By the sample do you mean the 1.15 GB file?  If so, that's the user's 
personal email mailbox so I can't imagine he'd be willing to share it.

If you mean a 0.98.4-rc1 crash log, I've just asked him again, so hopefully 
he'll be able to find it.

Mark


On 20 May 2014, at 02:14 pm, Shawn Webb sw...@sourcefire.com wrote:

 Hey Mark,
 
 Is there a way you could get me the sample?
 
 Thanks,
 
 Shawn
 
 
 On Tue, May 20, 2014 at 6:49 AM, Mark Allan markjal...@blueyonder.co.uk wrote:
 
 I may have been a bit hasty with this.  It appears there's another issue
 with clamd.
 
 I'm receiving reports of clamd crashing when attempting to parse email in
 an incredibly large (1.15 GB) Thunderbird mailbox file.
 
 This particular report is from 0.98.3, but the user is reporting it still
 happens when testing against 0.98.4-rc1.  I'll attempt to get a crash log
 from the user.
 
 Exception Type: EXC_BAD_ACCESS (SIGSEGV)
 Exception Codes: KERN_INVALID_ADDRESS at 0x000117ff
 
 Thread 2 Crashed:
 0 libclamav.6.dylib 0x00010004fa6c parseEmailBody + 4668
 1 libclamav.6.dylib 0x00010004d701 cli_mbox + 1057
 2 libclamav.6.dylib 0x000100048b97 cli_scanmail + 119
 3 libclamav.6.dylib 0x000100044349 magic_scandesc + 8537
 4 libclamav.6.dylib 0x000100042142 cli_base_scandesc + 242
 5 libclamav.6.dylib 0x000100046360 scan_common + 416
 6 libclamav.6.dylib 0x0001000465d8 cl_scanfile_callback + 88
 7 clamd 0x0001c62d scan_callback + 749
 8 libclamav.6.dylib 0x0001006c966c handle_entry + 252
 9 libclamav.6.dylib 0x0001006c9388 cli_ftw + 424
 10 clamd 0x00017363 command + 1331
 11 clamd 0x0001bd38 scanner_thread + 56
 12 clamd 0x0001918a thrmgr_worker + 938
 13 libsystem_c.dylib 0x7fff8cb7b772 _pthread_start + 327
 14 libsystem_c.dylib 0x7fff8cb681a1 thread_start + 13
 
 I'm aware the offsets won't be too useful, but at least the method names
 ought to help I think.
 
 Mark
 
 On 16 May 2014, at 03:03 pm, Mark Allan markjal...@gmail.com wrote:
 
 All works fine for me on OS X 10.6 - 10.9.
 
 For info, compiled on 10.9.2 with support for 10.6 onwards.
 
 CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop \
 --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
 
 Mark
 
 On 16 May 2014, at 02:01 pm, Joel Esler (jesler) jes...@cisco.com
 wrote:
 
 http://blog.clamav.net/2014/05/clamav-0984rc1-is-now-available.html
 
 ClamAV 0.98.4rc1 is now available for download.  Shown below are the
 notes concerning this release:
 
 
 0.98.4rc1
 --
 
 ClamAV 0.98.4 is a bug fix release. The following issues are now
 resolved:
 
 - Various build problems on Solaris, OpenBSD, AIX.
 
 - Crashes of clamd on Windows and Mac OS X platforms when reloading
 the virus signature database.
 
 - Infinite loop in clamdscan when clamd is not running.
 
 - Freshclam failure on Solaris 10.
 
 - Buffer underruns when handling multi-part MIME email attachments.
 
 - Configuration of OpenSSL on various platforms.
 
 
 
 ClamAV 0.98.4rc1 is available for download here:
 http://sourceforge.net/projects/clamav/files/RC/clamav-0.98.4-rc1/.
 Please download, test, and provide feedback to the mailing list here:
 
 http://lists.clamav.net/mailman/listinfo/clamav-users
 


Re: [clamav-users] [Clamav-devel] ClamAV®: ClamAV 0.98.4rc1 is now available!

2014-05-18 Thread Mark Allan
Sent this the other day to the clamav-devel mailing list but it doesn't look 
like it came through.

Mark

On 16 May 2014, at 03:03 pm, Mark Allan markjal...@gmail.com wrote:

 All works fine for me on OS X 10.6 - 10.9.
 
 For info, compiled on 10.9.2 with support for 10.6 onwards.
 
 CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" \
 ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop \
 --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
 
 Mark
 
 On 16 May 2014, at 02:01 pm, Joel Esler (jesler) jes...@cisco.com wrote:
 
 http://blog.clamav.net/2014/05/clamav-0984rc1-is-now-available.html
 
 ClamAV 0.98.4rc1 is now available for download.  Shown below are the notes 
 concerning this release:
 
 
 0.98.4rc1
 --
 
 ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:
 
 - Various build problems on Solaris, OpenBSD, AIX.
 
 - Crashes of clamd on Windows and Mac OS X platforms when reloading
 the virus signature database.
 
 - Infinite loop in clamdscan when clamd is not running.
 
 - Freshclam failure on Solaris 10.
 
 - Buffer underruns when handling multi-part MIME email attachments.
 
 - Configuration of OpenSSL on various platforms.
 
 
 
 ClamAV 0.98.4rc1 is available for download here: 
 http://sourceforge.net/projects/clamav/files/RC/clamav-0.98.4-rc1/.  Please 
 download, test, and provide feedback to the mailing list here:
 
 http://lists.clamav.net/mailman/listinfo/clamav-users



Re: [clamav-users] ClamAV®: ClamXAv in the top ten free Apps in the Mac OSX App Store!

2014-04-24 Thread Mark Allan
Ha! That's brilliant.  Thanks very much for the shout-out.  It's much 
appreciated.

Mark

On 23 Apr 2014, at 11:55 pm, Joel Esler (jesler) jes...@cisco.com wrote:

 http://blog.clamav.net/2014/04/clamxav-in-top-ten-free-apps-in-mac-osx.html
 
 ClamXAv in the top ten free Apps in the Mac OSX App Store!
 Congratulations to Mark Allan, developer of the 
 ClamXavhttp://www.clamxav.com/ project (the OSX GUI front-end to ClamAV) 
 for making the top ten list in the free App section of the OSX App Store!
 
 It's great to see a free tool and great contribution by the community being 
 used by thousands of users and being recognized!
 
 Great work Mark!



Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV

2014-02-28 Thread Mark Allan
As this is first time ClamAV has had an external dependency, would it be worth 
making it an opt-out configure option for people who can't get it to compile or 
who have to rely on an older/incompatible version of OpenSSL?

Mark



Re: [clamav-users] Android port for ClamAV

2012-08-02 Thread Mark Allan
Is android development not done in Java?  ClamAV is written in C; porting would 
not be a simple matter.

M

On 1 Aug 2012, at 19:33, james henrydoss james.henryd...@gmail.com wrote:

 Has anyone attempted ClamAV porting to android using NDK.
 
 Please let me know.
 
 I am looking for a open source security scan app for an Android device.
 
 James Henrydoss
 ___
 Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
 http://www.clamav.net/support/ml



Re: [clamav-users] My outdated Clam

2012-03-06 Thread Mark Allan
On 6 Mar 2012, at 14:49, G.W. Haywood wrote:
 On Tue, 6 Mar 2012, Steve Kirkby wrote:
 
 I can't get through the tech. complexity of upgrading my ClamAV,
 version 2.2.2. I am not a computer engineer, just a user. ...
 ...
 What to do please? (Perhaps Clam is too unfriendly for ordinary
 users.)
 Thanks for any help (but no unix code or complex multi-step
 instructions please).
 
 1. Find someone who will do the work for you for a fee.
 2. Pay him.
 
 No Unix code, not complex, only two steps. :)

As the developer of ClamXav (not ClamAV), that person would be me.  I'll be 
releasing a new version including ClamAV 0.97.3 shortly.

Mark


[clamav-users] Downloading daily.cvd seems to be corrupt

2011-03-15 Thread Mark Allan
Hi folks,

The daily.cvd file appears to be corrupt.  The diff files are ok, so scripted 
updates still work fine, but for people who have scripted updates turned off 
(or have no defs to begin with) running freshclam fails.

Mark

[colossus] mark% freshclam -v
Current working dir is /usr/local/share/clamav
Max retries == 3
ClamAV update process started at Tue Mar 15 23:01:04 2011
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 444
Software version from DNS: 0.97
main.cvd version from DNS: 53
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 217.135.32.99)
Downloading daily.cvd [100%]
ERROR: Verification: Can't verify database integrity
Trying again in 5 secs...
ClamAV update process started at Tue Mar 15 23:01:10 2011
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 439
Software version from DNS: 0.97
main.cvd version from DNS: 53
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 163.1.3.8)
Downloading daily.cvd [100%]
ERROR: Verification: Can't verify database integrity
Trying again in 5 secs...
ClamAV update process started at Tue Mar 15 23:01:15 2011
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 433
Software version from DNS: 0.97
main.cvd version from DNS: 53
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 81.91.100.173)
Downloading daily.cvd [100%]
ERROR: Verification: Can't verify database integrity
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in 
/usr/local/etc/freshclam.conf is working. Check 
http://www.clamav.net/support/mirror-problem for possible reasons.
[colossus] mark% 


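
The "Verification: Can't verify database integrity" line above is freshclam rejecting the daily.cvd it has just downloaded. As an added example (not code from this post or from ClamAV), the following reproduces the part of that check that needs no key material: a .cvd is a 512-byte colon-separated text header whose sixth field is the MD5 of everything after the header, followed by a gzip'd tar of signature files. The sample file is constructed, with a placeholder dsig field and builder name; the RSA signature over that digest, which libclamav verifies against ClamAV's public key, is not reproduced here.

```python
import hashlib
import io
import tarfile
from dataclasses import dataclass
from typing import Tuple

HEADER_LEN = 512  # a .cvd is a 512-byte text header followed by a gzip'd tar of signature files

@dataclass
class CvdHeader:
    build_date: str
    version: int
    sig_count: int
    f_level: int
    body_md5: str   # MD5 of everything after the header
    dsig: str       # RSA signature over that digest; verified by libclamav, not reproduced here
    builder: str
    build_time: int

def parse_cvd_header(raw: bytes) -> CvdHeader:
    """Split the colon-separated header; the date field uses '-' in the time, so 9 fields result."""
    if len(raw) < HEADER_LEN:
        raise ValueError("shorter than the 512-byte CVD header")
    fields = raw[:HEADER_LEN].decode("ascii", "replace").rstrip(" \x00").split(":")
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    _, date, ver, sigs, flevel, md5, dsig, builder, btime = fields
    return CvdHeader(date, int(ver), int(sigs), int(flevel), md5, dsig, builder, int(btime))

def verify_cvd(raw: bytes) -> Tuple[bool, str]:
    """MD5-of-body check plus a decompression sanity check. Returns (ok, reason)."""
    try:
        hdr = parse_cvd_header(raw)
    except ValueError as exc:
        return False, f"header: {exc}"
    body = raw[HEADER_LEN:]
    actual = hashlib.md5(body).hexdigest()
    if actual != hdr.body_md5:
        # a truncated or corrupted download: the digest no longer matches what the header claims
        return False, f"body MD5 {actual} != header MD5 {hdr.body_md5}"
    try:
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, f"body is not a readable gzip tar: {exc}"
    return True, f"version {hdr.version}, sigs {hdr.sig_count}, f-level {hdr.f_level}, files {names}"

def build_sample_cvd(sig_lines: bytes, version: int = 12345) -> bytes:
    """Constructed stand-in for daily.cvd: real layout, made-up contents, placeholder dsig/builder."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("daily.ndb")
        info.size = len(sig_lines)
        tar.addfile(info, io.BytesIO(sig_lines))
    body = buf.getvalue()
    header = ":".join(["ClamAV-VDB", "15 Mar 2011 22-13 +0000", str(version),
                       str(sig_lines.count(b"\n")), "53", hashlib.md5(body).hexdigest(),
                       "PLACEHOLDER-DSIG", "example", "1300226000"])
    return header.encode("ascii").ljust(HEADER_LEN, b" ") + body

def corrupt(raw: bytes, at: int) -> bytes:
    """Flip one body byte: the kind of damage the MD5 check is there to catch."""
    damaged = bytearray(raw)
    damaged[at] ^= 0xFF
    return bytes(damaged)
```

A truncated download and a single flipped byte both fail at the MD5 step, which matches the log above, where each mirror's transfer reaches 100% and still fails verification. Passing the MD5 check only shows the file arrived intact; whether it was built by the ClamAV team is established by the dsig field, which this example does not check.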


[clamav-users] Downloading daily.cvd seems to be corrupt [ignore last]

2011-03-15 Thread Mark Allan
...and of course, it's working again now - before my message even hits the 
mailing list.

Sorry!

Mark


Re: [Clamav-users] OSX configure command

2010-11-13 Thread Mark Allan

On 14 Nov 2010, at 12:54 am, TR Shaw wrote:

On Nov 13, 2010, at 7:46 PM, Larry Stone wrote:

On 11/13/10 5:35 PM, TR Shaw at ts...@oitc.com wrote:
I just got around to compiling 0.96.4 and no joy. My configure command no
longer is working properly. I have Xcode installed and my search path is

/Developer/usr/share:/Developer/usr/sbin:/Developer/usr/lib:/Developer/usr/bin:/Library/Frameworks/GDAL.framework/Programs:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin

Running on 10.6

Any help would be appreciated,


No problem for me. Did you ever think that the specific error message you
are getting might just possibly be relevant and worth posting (sarcasm
intended)? I doubt the path has anything to do with it (except maybe to
break things) as I have not modified my path to include any of that junk you
have and my compile worked just fine.

--

Well

Raven:clamav-0.96.4 tshaw$ ./configure
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/Users/tshaw/Sites/clamav/clamav-0.96.4':
configure: error: C compiler cannot create executables

configure:4029: checking whether the C compiler works
configure:4051: gcc conftest.c >&5
ld: library not found for -lcrt1.10.6.o


First thing to do is make sure you're using the most recent version of
the publicly available developer tools from http://developer.apple.com
and reinstall them before trying again.  Looks like a required library
may be missing.


Also, for what it's worth, I've not been able to do a vanilla ./configure
for a while now...that said, I've not tried it without any extra flags
for a while, but I'm fairly sure you need to specify the location of
gcc-4.2 as well as g++-4.2.  If you're using bash as your shell, try
configuring with this:

CC=/usr/bin/gcc-4.2 CXX=/usr/bin/g++-4.2 CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64" \
CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64" ./configure --disable-dependency-tracking \
--enable-llvm --enable-clamdtop --with-user=_clamav --with-group=_clamav


Mark


Re: [Clamav-users] Latest daily file crashes ClamAV on PowerPC Macintosh

2010-09-10 Thread Mark Allan

On 10 Sep 2010, at 7:50 am, Török Edwin wrote:

On Thu, 9 Sep 2010 22:17:07 +0100 Mark Allan wrote:

On 9 Sep 2010, at 9:53 pm, Mark Allan wrote:

On 9 Sep 2010, at 8:11 pm, Török Edwin wrote:

On Thu, 9 Sep 2010 19:01:28 +0100, Mark Allan wrote:

On 17 Jun 2010, at 5:24 pm, Larry Stone wrote:

On Thu, 17 Jun 2010, Török Edwin wrote:

Here is a new patch for Mac OS X/PPC:
https://wwws.clamav.net/bugzilla/attachment.cgi?id=1333

It reverts my previous patch, and applies my patch from LLVM
PR5201
(which isn't finished, but appears to work better than the
previous).


Seems to have done it. And I saw the parallel discussion in
bugzilla so will keep it there should there be a recurrence (I
should only be on a PPC Macintosh for a few more months as I am
planning on replacing it with an Intel iMac sometime this
summer).



A similar bug has just cropped up again but it's happening in
0.96.2 on Intel Macs this time around - PPC Macs appear to be
unaffected. It only started happening with a very recent update.
As of an update from about 09:00 (GMT) today everything was
fine.  It's now 17:55 (GMT) and having updated via freshclam I'm
now receiving the following output from clamscan:

clamscan -v /Users/mark/Desktop/ats.xjnlp.jnlp
libclamav JIT: Attempt to call external function __bzero
libclamav JIT: *** FATAL error encountered during bytecode
generation
Scanning /Users/mark/Desktop/ats.xjnlp.jnlp
/Users/mark/Desktop/ats.xjnlp.jnlp: OK


At least it didn't crash :)

Does this patch help?
https://wiki.clamav.net/pub/Main/UpgradeNotes0962/bzero.patch


Hehe, you're right, it didn't crash.  0.96.1 did but I guess
that's old news now!

That did appear to fix the problem on my Intel machine, thanks.
Even though PPC builds aren't affected, I presume I should rebuild
for PPC with the patch as well, yes?


As long as your Intel and PPC boxes both run same version of Mac OS X
(darwin10) then yes you should. However isn't darwin10 intel-only  
maybe?


The binaries I build can be used on anything from OS X 10.4 to 10.6  
(Darwin 8 to Darwin 10 respectively).  You're right that Darwin 10 is  
Intel-only but 8 and 9 can be used on both PPC or Intel, so  
unfortunately I still have to support both.



BTW, I've noticed these warnings in every 0.96.x build and am still
getting them after applying that patch.  Is it related and if so,
does that mean the patch hasn't fully fixed the problem?
ld warning: in ../../libclamav/libclamav.map, file is not of
required architecture


libclamav.map is a linker script, it doesn't have an architecture so I
don't know why ld is complaining. But it has nothing to do with the
__bzero problem.


Ah ok, good to know.  I'll continue to ignore it then!

Many thanks
Mark


Re: [Clamav-users] Latest daily file crashes ClamAV on PowerPC Macintosh

2010-09-09 Thread Mark Allan


On 9 Sep 2010, at 8:11 pm, Török Edwin wrote:

On Thu, 9 Sep 2010 19:01:28 +0100, Mark Allan wrote:

On 17 Jun 2010, at 5:24 pm, Larry Stone wrote:

On Thu, 17 Jun 2010, Török Edwin wrote:

Here is a new patch for Mac OS X/PPC:
https://wwws.clamav.net/bugzilla/attachment.cgi?id=1333

It reverts my previous patch, and applies my patch from LLVM PR5201
(which isn't finished, but appears to work better than the
previous).


Seems to have done it. And I saw the parallel discussion in
bugzilla so will keep it there should there be a recurrence (I
should only be on a PPC Macintosh for a few more months as I am
planning on replacing it with an Intel iMac sometime this summer).



A similar bug has just cropped up again but it's happening in 0.96.2
on Intel Macs this time around - PPC Macs appear to be unaffected.
It only started happening with a very recent update.  As of an
update from about 09:00 (GMT) today everything was fine.  It's now
17:55 (GMT) and having updated via freshclam I'm now receiving the
following output from clamscan:

clamscan -v /Users/mark/Desktop/ats.xjnlp.jnlp
libclamav JIT: Attempt to call external function __bzero
libclamav JIT: *** FATAL error encountered during bytecode generation
Scanning /Users/mark/Desktop/ats.xjnlp.jnlp
/Users/mark/Desktop/ats.xjnlp.jnlp: OK


At least it didn't crash :)

Does this patch help?
https://wiki.clamav.net/pub/Main/UpgradeNotes0962/bzero.patch


Hehe, you're right, it didn't crash.  0.96.1 did but I guess that's  
old news now!


That did appear to fix the problem on my Intel machine, thanks.  Even  
though PPC builds aren't affected, I presume I should rebuild for PPC  
with the patch as well, yes?


Cheers
Mark


Re: [Clamav-users] Latest daily file crashes ClamAV on PowerPC Macintosh

2010-09-09 Thread Mark Allan


On 9 Sep 2010, at 9:53 pm, Mark Allan wrote:

On 9 Sep 2010, at 8:11 pm, Török Edwin wrote:

On Thu, 9 Sep 2010 19:01:28 +0100, Mark Allan wrote:

On 17 Jun 2010, at 5:24 pm, Larry Stone wrote:

On Thu, 17 Jun 2010, Török Edwin wrote:

Here is a new patch for Mac OS X/PPC:
https://wwws.clamav.net/bugzilla/attachment.cgi?id=1333

It reverts my previous patch, and applies my patch from LLVM  
PR5201

(which isn't finished, but appears to work better than the
previous).


Seems to have done it. And I saw the parallel discussion in
bugzilla so will keep it there should there be a recurrence (I
should only be on a PPC Macintosh for a few more months as I am
planning on replacing it with an Intel iMac sometime this summer).



A similar bug has just cropped up again but it's happening in 0.96.2
on Intel Macs this time around - PPC Macs appear to be unaffected.
It only started happening with a very recent update.  As of an
update from about 09:00 (GMT) today everything was fine.  It's now
17:55 (GMT) and having updated via freshclam I'm now receiving the
following output from clamscan:

clamscan -v /Users/mark/Desktop/ats.xjnlp.jnlp
libclamav JIT: Attempt to call external function __bzero
libclamav JIT: *** FATAL error encountered during bytecode  
generation

Scanning /Users/mark/Desktop/ats.xjnlp.jnlp
/Users/mark/Desktop/ats.xjnlp.jnlp: OK


At least it didn't crash :)

Does this patch help?
https://wiki.clamav.net/pub/Main/UpgradeNotes0962/bzero.patch


Hehe, you're right, it didn't crash.  0.96.1 did but I guess that's  
old news now!


That did appear to fix the problem on my Intel machine, thanks.   
Even though PPC builds aren't affected, I presume I should rebuild  
for PPC with the patch as well, yes?


BTW, I've noticed these warnings in every 0.96.x build and am still  
getting them after applying that patch.  Is it related and if so, does  
that mean the patch hasn't fully fixed the problem?
	ld warning: in ../../libclamav/libclamav.map, file is not of required  
architecture


The penny only dropped this time because I still had my previous build  
directories lying around, so 'make' only rebuilt libclamav.


Mark


Re: [Clamav-users] Latest daily file crashes ClamAV on PowerPC Macintosh

2010-06-16 Thread Mark Allan

On 16 Jun 2010, at 10:26 pm, Larry Stone wrote:

On Thu, 17 Jun 2010, Török Edwin wrote:
On 06/16/2010 11:58 PM, Larry Stone wrote:

This is on a PowerPC Macintosh running OS X 10.5.8 and ClamAV 0.96.1.


Are you sure it is 0.96.1? Did you restart clamd after the upgrade?


Yes, it's 0.96.1. Even when I was running 0.96, it had the patch for  
1921 applied.


Same here on 0.96.1 on PPC.  Removing the bytecode definitions file  
(bytecode.cld) causes the crash to go away.


Here's the relevant part of the crash log from clamd
Thread 0 Crashed:
0   libSystem.B.dylib   0x973b0b50 __kill + 12
1   libSystem.B.dylib   0x9744bbfc abort + 84
2   libstdc++.6.dylib   0x93c0d7d0 __eprintf + 76
3   libclamav.6.dylib   0x00e391c8 llvm::PPCJITInfo::relocate(void*, llvm::MachineRelocation*, unsigned int, unsigned char*) + 328
4   libclamav.6.dylib   0x00d381a0 (anonymous namespace)::JITEmitter::finishFunction(llvm::MachineFunction) + 4000
5   libclamav.6.dylib   0x00e04068 (anonymous namespace)::PPCCodeEmitter::runOnMachineFunction(llvm::MachineFunction) + 840
6   libclamav.6.dylib   0x00f25474 llvm::FPPassManager::runOnFunction(llvm::Function) + 484
7   libclamav.6.dylib   0x00f25674 llvm::FunctionPassManagerImpl::run(llvm::Function) + 132
8   libclamav.6.dylib   0x00f25948 llvm::FunctionPassManager::run(llvm::Function) + 184
9   libclamav.6.dylib   0x00d2571c llvm::JIT::runJITOnFunctionUnlocked(llvm::Function*, llvm::MutexGuard const) + 92
10  libclamav.6.dylib   0x00d2609c llvm::JIT::getPointerToFunction(llvm::Function*) + 1196
11  libclamav.6.dylib   0x00df0e28 (anonymous namespace)::LLVMCodegen::generate() + 23720
12  libclamav.6.dylib   0x00df2644 cli_bytecode_prepare_jit + 4756
13  libclamav.6.dylib   0x00b1b378 cli_bytecode_prepare + 40 (bytecode.c:1921)
14  libclamav.6.dylib   0x00aa557c cl_engine_compile + 540 (readdb.c:3031)
15  clamd               0x6b9c main + 3324 (clamd.c:460)
16  clamd               0x2708 _start + 756
17  clamd               0x240c start + 44

It also crashes clamscan
Thread 0 Crashed:
0   libSystem.B.dylib   0x973b0b50 __kill + 12
1   libSystem.B.dylib   0x9744bbfc abort + 84
2   libstdc++.6.dylib   0x93c0d7d0 __eprintf + 76
3   libclamav.6.dylib   0x00e391c8 llvm::PPCJITInfo::relocate(void*, llvm::MachineRelocation*, unsigned int, unsigned char*) + 328
4   libclamav.6.dylib   0x00d381a0 (anonymous namespace)::JITEmitter::finishFunction(llvm::MachineFunction) + 4000
5   libclamav.6.dylib   0x00e04068 (anonymous namespace)::PPCCodeEmitter::runOnMachineFunction(llvm::MachineFunction) + 840
6   libclamav.6.dylib   0x00f25474 llvm::FPPassManager::runOnFunction(llvm::Function) + 484
7   libclamav.6.dylib   0x00f25674 llvm::FunctionPassManagerImpl::run(llvm::Function) + 132
8   libclamav.6.dylib   0x00f25948 llvm::FunctionPassManager::run(llvm::Function) + 184
9   libclamav.6.dylib   0x00d2571c llvm::JIT::runJITOnFunctionUnlocked(llvm::Function*, llvm::MutexGuard const) + 92
10  libclamav.6.dylib   0x00d2609c llvm::JIT::getPointerToFunction(llvm::Function*) + 1196
11  libclamav.6.dylib   0x00df0e28 (anonymous namespace)::LLVMCodegen::generate() + 23720
12  libclamav.6.dylib   0x00df2644 cli_bytecode_prepare_jit + 4756
13  libclamav.6.dylib   0x00b1b378 cli_bytecode_prepare + 40 (bytecode.c:1921)
14  libclamav.6.dylib   0x00aa557c cl_engine_compile + 540 (readdb.c:3031)
15  clamscan            0x7980 scanmanager + 1328 (manager.c:435)
16  clamscan            0x68cc main + 748 (clamscan.c:150)
17  clamscan            0x2688 _start + 756
18  clamscan            0x238c start + 44


Re: [Clamav-users] Aborting clamdscan with ctrl-c

2007-03-08 Thread Mark Allan


On 8 Mar 2007, at 01:29am, Tomasz Kojm wrote:


On Thu, 8 Mar 2007 01:18:19 +
Mark Allan [EMAIL PROTECTED] wrote:


When I cancel clamdscan by using ctrl-c or "killall clamdscan", the
clamdscan process dies but clamd continues to scan the file it's
currently on.


clamd will automatically detect that clamdscan disconnected and
terminate the session while attempting to scan the next file in the
directory.


Thanks Tomasz, I've just tried that but it's still not doing the  
right thing.  Here's what I've done:


Started clamd
clamdscan /Users/mark/someReallyLargeFile.dmg
CTRL-C to cancel

At this point, clamd is still using lots of CPU cycles and when I  
check to see which files are in use, it shows someReallyLargeFile.dmg  
as still being open by clamd.


I then tried clamdscan /Users/mark/someTiny3KBfile.txt which scanned  
and correctly returned no infection but someReallyLargeFile.dmg is  
still open and in use by clamd which is still taking up some 60% CPU  
time.


Thanks,
Mark
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Aborting clamdscan with ctrl-c

2007-03-08 Thread Mark Allan

On 8 Mar 2007, at 16:57pm, Tomasz Kojm wrote:

On Thu, 8 Mar 2007 16:46:04 +
Mark Allan [EMAIL PROTECTED] wrote:


On 8 Mar 2007, at 01:29am, Tomasz Kojm wrote:


On Thu, 8 Mar 2007 01:18:19 +
Mark Allan [EMAIL PROTECTED] wrote:


When I cancel clamdscan by using ctrl-c or "killall clamdscan", the
clamdscan process dies but clamd continues to scan the file it's
currently on.


clamd will automatically detect that clamdscan disconnected and
terminate the session while attempting to scan the next file in the
directory.


Thanks Tomasz, I've just tried that but it's still not doing the
right thing.  Here's what I've done:

Started clamd
clamdscan /Users/mark/someReallyLargeFile.dmg
CTRL-C to cancel

At this point, clamd is still using lots of CPU cycles and when I
check to see which files are in use, it shows someReallyLargeFile.dmg
as still being open by clamd.


clamd should terminate the session as soon as the scan of
someReallyLargeFile is finished.


That's precisely the scan I'm trying to abort though.



[Clamav-users] Aborting clamdscan with ctrl-c

2007-03-07 Thread Mark Allan

Hi,

When I cancel clamdscan by using ctrl-c or "killall clamdscan", the
clamdscan process dies but clamd continues to scan the file it's
currently on.


Can someone please tell me if there is any way to tell clamd to abort  
the files it's currently scanning?  Just now the only way I can see  
to do it is call kill -9 with clamd's pid and then relaunch clamd,  
but that's not really ideal.  Is there a cleaner way?


For what it's worth, I'm running ClamAV 0.90.1 on OS X 10.4

Many thanks
Mark

PS. I've searched the wiki and archives for this issue and the
closest I came up with is
http://lurker.clamav.net/message/19700101.01.19c46afa.en.html
but it doesn't answer my question.




Re: [Clamav-users] Minor bug on the home page

2007-02-16 Thread Mark Allan


On 16 Feb 2007, at 17:00pm, Robert Allerstorfer wrote:

Hi,

On Fri, 16 Feb 2007, 11:35 GMT-05 Rick Macdougall wrote:

When I click on the Support link, the page displays in Italian instead
of English as all the other pages do.


I have these issues all the time when I click around through the new
website. The languages are changing randomly, sometimes it appears in
Japanese, then Italian, then German... Sure, the new site looks nice,
but this multi-language technique is somehow broken.


Yes, same here.

OS X 10.4 using Safari and occasionally Firefox although not  
repeatable on demand unfortunately.


Mark


Re: [Clamav-users] [mac os x] compilation failed 0.9 on mac os x 10.3.9 server

2007-02-15 Thread Mark Allan
The compile works if you remove the "-arch i386" flags from the
Makefiles. I think it appears more than once: in the root Makefile
and twice in the libclamav subdirectory, but I can't remember exactly.


Mark


On 15 Feb 2007, at 12:36pm, Léonard Bouchet wrote:


Hi all,

I can't make clamav-0.9 to compile on my mac os x 10.3.9 server  
machine. Here is the error I get:


/bin/sh ../libtool --tag=CC --mode=link gcc  -g -O2   -o libclamav.la -rpath /usr/lib -version-info 1:40:0 -no-undefined matcher-ac.lo matcher-bm.lo matcher-ncore.lo matcher.lo md5.lo others.lo readdb.lo cvd.lo dsig.lo str.lo scanners.lo filetypes.lo rtf.lo blob.lo mbox.lo message.lo snprintf.lo table.lo text.lo ole2_extract.lo vba_extract.lo msexpand.lo pe.lo upx.lo htmlnorm.lo chmunpack.lo rebuildpe.lo petite.lo wwunpack.lo suecrypt.lo unsp.lo packlibs.lo fsg.lo mew.lo upack.lo line.lo untar.lo unzip.lo special.lo binhex.lo is_tar.lo tnef.lo unrar15.lo unrarvm.lo unrar.lo unrarfilter.lo unrarppm.lo unrar20.lo unrarcmd.lo pdf.lo spin.lo yc.lo elf.lo sis.lo uuencode.lo phishcheck.lo phish_domaincheck_db.lo phish_whitelist.lo regex_list.lo sha256.lo mspack.lo cab.lo entconv.lo hashtab.lo dconf.lo lockdb.lo -liconv -lz -lbz2 -lgmp -L/usr/lib -lcurl -arch i386 -arch ppc -lz -lssl -lcrypto -lz
gcc -dynamiclib  -o .libs/libclamav.1.0.40.dylib  .libs/matcher-ac.o .libs/matcher-bm.o .libs/matcher-ncore.o .libs/matcher.o .libs/md5.o .libs/others.o .libs/readdb.o .libs/cvd.o .libs/dsig.o .libs/str.o .libs/scanners.o .libs/filetypes.o .libs/rtf.o .libs/blob.o .libs/mbox.o .libs/message.o .libs/snprintf.o .libs/table.o .libs/text.o .libs/ole2_extract.o .libs/vba_extract.o .libs/msexpand.o .libs/pe.o .libs/upx.o .libs/htmlnorm.o .libs/chmunpack.o .libs/rebuildpe.o .libs/petite.o .libs/wwunpack.o .libs/suecrypt.o .libs/unsp.o .libs/packlibs.o .libs/fsg.o .libs/mew.o .libs/upack.o .libs/line.o .libs/untar.o .libs/unzip.o .libs/special.o .libs/binhex.o .libs/is_tar.o .libs/tnef.o .libs/unrar15.o .libs/unrarvm.o .libs/unrar.o .libs/unrarfilter.o .libs/unrarppm.o .libs/unrar20.o .libs/unrarcmd.o .libs/pdf.o .libs/spin.o .libs/yc.o .libs/elf.o .libs/sis.o .libs/uuencode.o .libs/phishcheck.o .libs/phish_domaincheck_db.o .libs/phish_whitelist.o .libs/regex_list.o .libs/sha256.o .libs/mspack.o .libs/cab.o .libs/entconv.o .libs/hashtab.o .libs/dconf.o .libs/lockdb.o  /usr/lib/libiconv.dylib -lbz2 /usr/lib/libgmp.dylib -L/usr/lib -lcurl -lssl -lcrypto -lz  -arch i386 -arch ppc -install_name  /usr/lib/libclamav.1.dylib -Wl,-compatibility_version -Wl,2 -Wl,-current_version -Wl,2.40

/usr/bin/libtool: no library created (no object files in input files)
make[2]: *** [libclamav.la] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

I didn't find any information on this list about a comparable issue  
(all versions from 0.80 to 0.88.7 compiled just fine). Can someone  
help me?


Thanks,

-l


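The fix Mark gives above (drop the "-arch i386" flags from the generated Makefiles) applied across a whole source tree, as an added example that is not from the thread or from the ClamAV project. It assumes POSIX sh, grep and sed, Makefile paths without whitespace (true of the clamav-0.9 tree), and uses a constructed two-file stand-in for the real tree.

```shell
#!/bin/sh
# Added example, not from the list thread: strip every "-arch i386" flag
# from the Makefiles under a source tree and report how many were edited.
# Assumptions: POSIX sh/grep/sed; Makefile paths contain no whitespace.
# A *.orig backup of each rewritten Makefile is kept so the edit is reversible.

strip_i386_arch() {
    srcdir="$1"
    count=0
    for mk in $(find "$srcdir" -name Makefile); do
        # Only rewrite Makefiles that actually carry the flag.
        if grep -q -- '-arch i386' "$mk"; then
            cp "$mk" "$mk.orig"
            sed 's/ *-arch i386//g' "$mk.orig" > "$mk"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Returns 0 when no Makefile under $1 still mentions -arch i386, 1 otherwise;
# run it before "make" to confirm the tree is clean.
check_no_i386_arch() {
    for mk in $(find "$1" -name Makefile); do
        grep -q -- '-arch i386' "$mk" && return 1
    done
    return 0
}

# Constructed stand-in for the root and libclamav/ Makefiles of the 0.9 tree.
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/libclamav"
printf 'CFLAGS = -g -O2 -arch i386 -arch ppc\n' > "$demo_tree/Makefile"
printf 'LDFLAGS = -lz -arch i386 -arch ppc\nCFLAGS = -g -O2 -arch i386\n' \
    > "$demo_tree/libclamav/Makefile"
touched=$(strip_i386_arch "$demo_tree")
echo "rewrote $touched Makefile(s) under $demo_tree"
```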


[Clamav-users] Why no Include and Exclude options with clamd?

2007-01-17 Thread Mark Allan

Hi all,

I suspect cross-posting is not allowed so if this is the wrong list,  
let me know and I'll send it to clamav-devel instead.


I write a GUI for ClamAV and am changing things so it uses
clamd/clamdscan rather than clamscan but can't get clamd to use the
--include and --exclude patterns.  If I add them as switches to
clamdscan I get an error back saying:

WARNING: Ignoring option --exclude: please edit clamd.conf instead

I've tried editing clamd.conf but can see no option for
include/exclude other than clamuko which can't be used.  Simply adding
"exclude RegExPattern" to clamd.conf doesn't work either as I then
get the following error from clamd:

ERROR: Parse error at line 6: Unknown option exclude.
ERROR: Can't parse the configuration file.

Can someone please tell me what I'm doing wrongly, or if indeed the  
option even exists; the output from clamdscan would seem to suggest  
it does exist but I can't see how to use it.


Many thanks

Mark