Re: [clamav-users] [ext] instream bug
* Jonathan Lee via clamav-users :

> instream(local): vhxtdQ.sigs.InterServer.net.SHA256.21881.UNOFFICIAL FOUND

# sigtool --find-sig=vhxtdQ.sigs.InterServer.net.SHA256.21881
[interserver256.hdb] 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21:17174:vhxtdQ.sigs.InterServer.net.SHA256.21881

In this case, "vhxtdQ.sigs.InterServer.net.SHA256.21881" is a signature based on a SHA256 checksum of a file.

> instream(local): sigs.InterServer.net.HEX.Topline.194.150.117.29.371.UNOFFICIAL FOUND

# sigtool --find-sig=sigs.InterServer.net.HEX.Topline.194.150.117.29.371
[interservertopline.db] sigs.InterServer.net.HEX.Topline.194.150.117.29.371=32615f6269727375686964772e706870

This can be decoded:

# sigtool --find-sig=sigs.InterServer.net.HEX.Topline.194.150.117.29.371 | sigtool --decode-sigs
VIRUS NAME: sigs.InterServer.net.HEX.Topline.194.150.117.29.371
DECODED SIGNATURE:
2a_birsuhidw.php

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de

___
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] [ext] (no subject)
> kubernetes that run and add log files to /tmp. /tmp is being actively
> monitored and must be monitored by clamav. The log file shows these
> error messages

Where does clamav drop its tempfiles (check the config option "TemporaryDirectory")? I hope it's not /tmp

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Scanning memory mapped files
> I am not using clamonacc. I run my own program that uses fanotify, just like
> clamonacc does, and gets a list of files that are modified/added.
> I send that list to clamscan or clamdscan.

A bit like incrond (which uses inotify())

> The problem is limitation of fanotify which is that "The fanotify API does
> not report file accesses and modifications that may occur because of mmap(2),
> msync(2), and munmap(2)."

Same goes for inotify() -- just checked. So whenever a process alters a file using mmap()/munmap() or msync(), your program (or rather inotify/fanotify) doesn't detect any change, and thus the file won't be in the list passed to clamscan or clamdscan.

> Now my assumption is mmap, msync, munmap deals with memory mapped files. So
> questions I have are:
> "does clamav scan memory mapped files?"

Yes: After all, a file is just a file. In the end, it's all on disk.

> Further details: If I run clamscan or clamdscan on "/"; it would scan all files
> so it does not matter.
> But how does clamonacc overcome this limitation since it uses fanotify?

It doesn't (from the clamonacc man page):

  The clamonacc daemon registers for file access notifications from the Linux kernel and in response, submits scans to the clamd scanning daemon for a verdict. On-Access requires a kernel version >= 3.8, because it leverages a kernel api called --> fanotify <-- to block processes from attempting to access malicious files.

> If it does, is there a way to ask clamav to scan just memory mapped files?

I'm not sure if this can easily be detected. I guess one could monitor mmap() calls via dtrace, but I'm just guessing!

-- 
Ralf Hildebrandt
Re: [clamav-users] ClamAV 1.4.0 release candidate now available!
* Micah Snyder (micasnyd) via clamav-users :
> The ClamAV 1.4.0 release candidate is now available.

I upgraded today and got a log message I've never seen before:

Mon May 13 17:18:37 2024 -> WARNING: Last cf-ray not present in freshclam.dat.
Mon May 13 17:18:37 2024 -> freshclam daemon 1.4.0-rc (OS: Linux, ARCH: x86_64, CPU: x86_64)
Mon May 13 17:18:37 2024 -> ClamAV update process started at Mon May 13 17:18:37 2024

"WARNING: Last cf-ray not present in freshclam.dat"

This seems to be a Cloudflare-Ray-Id: https://github.com/Cisco-Talos/clamav/issues/1066
but should I worry if it's not present?

-- 
Ralf Hildebrandt
Re: [clamav-users] Bytecode run timed out in interpreter after 5000 opcodes
* Micah Snyder (micasnyd) :
> There are 3 bytecode rules for detecting CVE's that seem to take a
> rather long time to run, particularly as the file grows in size. I'm
> discussing with our threat research team if we can remove them as
> CVE's are old enough that no one should reasonably still be affected
> by the vulnerabilities.
>
> I am curious though - what are your MaxFileSize / MaxScanSize
> settings? I wonder if you're seeing timeouts with the default settings
> or if you increased them.

MaxFileSize 100M
MaxScanSize 200M
MaxScanTime 12

-- 
Ralf Hildebrandt
[clamav-users] Bytecode run timed out in interpreter after 5000 opcodes
In yesterday's logs I found this:

Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
Feb 19 12:18:35 mail-cbf-int clamd[4147902]: LibClamAV Warning: Bytecode 'BC.Img.Exploit.CVE-2017-16386-6404655-1.{}' (id: 77) failed to run: Exceeded time limit

Is this a bad Bytecode rule?

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Announcing Fangfrisch release 1.8.0
> - Sanesecurity (https://sanesecurity.com) provider default
> configuration overhaul. Switch to a less congested mirror site,
> add/remove several signature URLs.

Thanks for that!

-- 
Ralf Hildebrandt
[clamav-users] Yara rule for Anydesk files...
Hi!

I found this YARA ruleset
https://raw.githubusercontent.com/mmorgens/yara/main/gen_anydesk_compromised_cert_additional_rules_feb23.yar

Unfortunately it uses "import "pe"" which is not supported by the yara parser in clamav.

But can those two rules be rewritten in such a way as to be usable from within clamav (1.3.0)?

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] ClamAV 1.3.0 second release candidate published!
> You can find the source code and installers for this release on the
> clamav.net/downloads page <https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc2>
> or the ClamAV GitHub release page <https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc2>
> <https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc>.

https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.2.0-rc2 returns a 404.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Compressing log files with clamav
* Vu, Hong-Duc V. via clamav-users :
> Hello everyone,
>
> I'm running clamav 103.9 on RHEL8 and RHEL7 from the EPEL repository. I
> notice the configuration file has a feature that rotates logs when it reaches
> a size I can configure: LogFileMaxSize. Is there an option in the
> configuration file that also compresses the log file when it rotates? I
> understand the logrotate service can do this but I would prefer if I could
> configure this in the clamav configuration file /etc/clamd.d/scan.conf along
> with LogFileMaxSize.
>
> Can this be added to a future release?

Use logrotate:
==
/var/log/clamav/clamav.log {
    rotate 7
    daily
    compress
    delaycompress
    create 640 clamav adm
    postrotate
        if [ -d /run/systemd/system ]; then
            systemctl -q is-active clamav-daemon && systemctl kill --signal=SIGHUP clamav-daemon || true
        else
            invoke-rc.d clamav-daemon reload-log > /dev/null || true
        fi
    endscript
}

/var/log/clamav/freshclam.log {
    rotate 28
    daily
    compress
    delaycompress
    missingok
    create 640 clamav adm
    postrotate
        if [ -d /run/systemd/system ]; then
            systemctl -q is-active clamav-freshclam && systemctl kill --signal=SIGHUP clamav-freshclam || true
        else
            invoke-rc.d clamav-freshclam reload-log > /dev/null || true
        fi
    endscript
}

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Cannot "decode" a SHA256 signature
* Al Varnell via clamav-users :
> Sent from my iPad
>
> On Sep 12, 2023, at 01:29, Ralf Hildebrandt via clamav-users wrote:
>
>> should sigtool --decode-sigs really throw an error in that case?
>
> Perhaps not, but it's been the case for as long as I've been using
> clamav...decades now.

Yeah, I never tried that before on a SHA256 signature, so it's a first for me.

> Just my approach, but I always start with -f (or --find-sigs) and only move
> to --decode-sigs if I feel the need to do so.

-- 
Ralf Hildebrandt
[clamav-users] Cannot "decode" a SHA256 signature
I found a rejection based on vhxtdQ.sigs.InterServer.net.SHA256.21881 in my mail.log and wanted to check what the signature searches for. So I took out ye olde sigtool - and failed:

# /usr/local/bin/sigtool --find-sigs vhxtdQ.sigs.InterServer.net.SHA256.21881 | /usr/local/bin/sigtool --decode-sigs
ERROR: decodesig: Invalid or not supported signature format
TOKENS COUNT: 3

# /usr/local/bin/sigtool --find-sigs vhxtdQ.sigs.InterServer.net.SHA256.21881
[interserver256.hdb] 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21:17174:vhxtdQ.sigs.InterServer.net.SHA256.21881

The source of which is:
https://rbldata.interserver.net/interserver256.hdb

Looking at that file I realised that these signatures are merely SHA256 checksums, so there's not much to decode. But should sigtool --decode-sigs really throw an error in that case?

I'm using the official deb packages from clamav.net:

# dpkg -l |fgrep clam
ii  clamav  1.2.0-1  amd64  ClamAV open source email, web, and end-point anti-virus toolkit.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] CVE-2023-20032 how to identify and solve
* Jorge Bastos :
> I think I got hit by CVE-2023-20032 [1], anyone knows how to identify if
> yes, and how to remove it?

How did you find out you were hit by CVE-2023-20032?

To summarize what CVE-2023-20032 is:

"An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition"

I assume you use ClamAV for Mail scanning. This means somebody needs to send you an HFS+ partition file AS ATTACHMENT. This needs to be scanned by clamav. Did you find such incidents in your log (I assume you're logging attachment types)?

> https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

Yes, it has been patched for quite some time now. Did you install the patched version?

> I have a lot of data passing clamsmtp that started two days ago, and I have
> thousands of these every minute, but still haven't figured out where it is
> being executed.
>
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.bRD1ml: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(59b7bfb602fb2d583ffac90d71155fe0:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.yhhE0l: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(144eec09fe09ec3ecb66c5c1daab6da0:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.Hsneas: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(5c452a43ebfb8b4a5a3f67310d64e1f3:618) FOUND
> Fri Sep 1 11:50:51 2023 -> /var/spool/clamsmtp/clamsmtpd.72Tre8: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720.UNOFFICIAL(39a30e65fe97a7b95352f20f1fa2dbfc:618) FOUND

These indicate that clamav found "sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720". What does this have to do with CVE-2023-20032?

# sigtool --find-sigs=sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720 | sigtool --decode-sig
VIRUS NAME: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.720
DECODED SIGNATURE:
ecpms.net

So, this basically matches "ecpms.net"

-- 
Ralf Hildebrandt
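Added example (my code, not ClamAV's and not posted by anyone in the thread): a small Python parser for the lines `sigtool --find-sigs` prints, serving the "Cannot decode a SHA256 signature" question, the "instream bug" reply and the ecpms.net decode above. It explains why `--decode-sigs` reports "TOKENS COUNT: 3" for a hash signature (three colon-separated fields, hash:size:name, with nothing to decode) and decodes the hex body of .db/.ndb signatures itself, keeping ClamAV wildcards readable instead of aborting. The two real lines from the thread are embedded as input; the `.ndb` line, the `Example.Constructed.*` name and the `6563706d73...` hex for "ecpms.net" are constructed by me, and inferring the hash algorithm from digest length (rather than from the file extension) is my assumption.

```python
"""Decode ClamAV signature lines as printed by `sigtool --find-sigs`.

Added example, not ClamAV's own code.  Covers the formats seen in the thread:
  hash sigs  (.hdb/.hsb)  <md5|sha1|sha256>:<size>:<name>   - nothing to decode
  basic hex  (.db)        <name>=<hexbody>
  extended   (.ndb)       <name>:<target>:<offset>:<hexbody>[:minfl[:maxfl]]
Wildcards in hex bodies (??, a?, *, {n-m}, [n-m], (aa|bb)) are kept verbatim.
Assumption: the hash algorithm is inferred from the digest length.
"""
import re
from dataclasses import dataclass
from typing import Optional

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Bytes that would be ambiguous with wildcard syntax if printed raw.
_WILDCARD_CHARS = set("*?{}[]()|!")

# One token of a ClamAV hex body; most specific alternatives first.
_HEX_TOKEN = re.compile(
    r"\{[^}]*\}|\[[^\]]*\]|\*|\?\?|[0-9a-fA-F]\?|\?[0-9a-fA-F]|[0-9a-fA-F]{2}|[()|!]"
)
_BYTE = re.compile(r"[0-9a-fA-F]{2}")
_LINE = re.compile(r"^(?:\[(?P<src>[^\]]+)\]\s+)?(?P<rest>\S.*)$")


@dataclass
class Signature:
    source: Optional[str]          # database file shown in [brackets], if any
    name: str
    kind: str                      # "hash" or "hex"
    algo: Optional[str] = None     # hash sigs: md5 / sha1 / sha256
    digest: Optional[str] = None
    size: Optional[str] = None     # hash sigs: file size, '*' = any
    target: Optional[str] = None   # .ndb: target type
    offset: Optional[str] = None   # .ndb: offset
    hexbody: Optional[str] = None  # hex sigs: raw hex body


def decode_hex(body: str) -> str:
    """Render a hex body as text; non-printables and wildcard-like bytes as \\xNN."""
    out, pos = [], 0
    while pos < len(body):
        m = _HEX_TOKEN.match(body, pos)
        if m is None:
            raise ValueError(f"bad hex body at offset {pos}: {body[pos:pos + 8]!r}")
        tok = m.group(0)
        pos = m.end()
        if _BYTE.fullmatch(tok):                     # a plain byte
            b = int(tok, 16)
            printable = 0x20 <= b < 0x7F and chr(b) not in _WILDCARD_CHARS
            out.append(chr(b) if printable else f"\\x{b:02x}")
        else:                                        # wildcard / grouping, kept as-is
            out.append(tok)
    return "".join(out)


def parse_signature(line: str) -> Signature:
    m = _LINE.match(line.strip())
    if m is None:
        raise ValueError("empty signature line")
    src, rest = m.group("src"), m.group("rest")
    if "=" in rest and ":" not in rest.split("=", 1)[0]:   # legacy .db: name=hex
        name, hexbody = rest.split("=", 1)
        return Signature(src, name, "hex", hexbody=hexbody)
    fields = rest.split(":")
    if (len(fields) == 3 and re.fullmatch(r"[0-9a-fA-F]+", fields[0])
            and len(fields[0]) in HASH_ALGO_BY_LEN):
        digest, size, name = fields                  # the 3 tokens sigtool complains about
        return Signature(src, name, "hash", algo=HASH_ALGO_BY_LEN[len(digest)],
                         digest=digest.lower(), size=size)
    if len(fields) >= 4:                             # .ndb
        return Signature(src, fields[0], "hex", target=fields[1], offset=fields[2],
                         hexbody=fields[3])
    raise ValueError(f"unrecognised signature format: {rest!r}")


def explain(line: str) -> str:
    """One human-readable sentence per signature line."""
    sig = parse_signature(line)
    if sig.kind == "hash":
        size = "any size" if sig.size == "*" else f"size {sig.size}"
        return (f"{sig.name}: {sig.algo} hash signature, matches a file of {size} "
                f"with digest {sig.digest}; nothing to decode")
    where = "" if sig.target is None else f" (target {sig.target}, offset {sig.offset})"
    return f"{sig.name}: hex signature{where}, matches {decode_hex(sig.hexbody)!r}"


# The two real lines quoted in the thread, plus a constructed .ndb line.
SAMPLE_LINES = [
    "[interserver256.hdb] 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21"
    ":17174:vhxtdQ.sigs.InterServer.net.SHA256.21881",
    "[interservertopline.db] sigs.InterServer.net.HEX.Topline.194.150.117.29.371"
    "=32615f6269727375686964772e706870",
    # constructed: "ecpms.net" with a nibble wildcard, a gap and a literal '*' byte
    "[example.ndb] Example.Constructed.Redirect:0:*:6563706d73??2e6e6574{1-4}2a",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(line))
```

Pipe `sigtool --find-sigs NAME` into it (one line per signature) to get the same answer the thread reaches by hand: a `.hdb` hit can only be explained by the file's hash, while a `.db`/`.ndb` hit can be shown as the byte pattern it matches.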
Re: [clamav-users] [ext] Clamav 1.0.1 and email scan failed
* Fiorenza Meini via clamav-users :
>
> Hi there,
> I have a Debian 12 VM, clamav installed at version 1.0.1.
> I configured it to work with Postfix.
> When email is received and it's passed to ClamAV, this is the error
> received:
> Sun Jul 30 23:37:29 2023 -> WARNING: File path check failure for:
> /var/spool/amavis/tmp/maia-20230730T233718-2282052/parts

That is just a warning.

> It isn't a permission problem, it seems that the message cannot be divided
> into its parts: nothing is created under parts directory.

That would be an amavis issue (since amavis does the unpacking). More logging is needed for the message in question.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] ClamAV and Cohesity
* steven aldenkamp :
> In Cohesity I see:
>
> Version
> ClamAV 0.102.2
> Antivirus Signature Database Bytecode: 333, Daily: 26439, Main: 62
> Last updated: 2/1/22, 12:30 PM

https://endoflife.date/clamav

I guess 0.102.x is EOL since Jan 2022 (thus the "Last updated")
https://docs.clamav.net/faq/faq-eol.html

So best would be if there was an update to ClamAV 0.103 or better still 1.0

"Each LTS feature release will be supported with access to download signatures for the duration of the three year support period plus one additional year."

and

"Non-LTS feature releases will be allowed access to download signatures until at least four (4) months after the next-next feature release is published."

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] ClamAV and Cohesity
> We use Cohesity a lot here in Belgium and inform our customers about the
> app usage of ClamAV.
> This has worked fine in the past but recently we experience at multiple
> customers that the app does no longer renew the signature database.

Which version of clamav is being used? And: How are the updates done?

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Segfaults with database version 26908
* Matthias Rieber :
> Hello List,
>
> since the update to version 26908 we observe a high amount of segfaults.

Same here.

> As far as I can tell this happens in
>
> 0x7fdfd44c377d
>
> We use version 0.103.8+dfsg-0+deb11u1 on debian bullseye.
>
> Has anyone seen this, too?

I've seen this with 1.1.0-1 as well. Maybe they're related to the "pattern issue" I posted a while ago.

-- 
Ralf Hildebrandt
[clamav-users] LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
clamav-1.1.0-1:
===
May 16 10:00:23 de freshclam[864]: Tue May 16 10:00:23 2023 -> daily database available for update (local version: 26907, remote version: 26908)
May 16 10:00:23 de freshclam[864]: WARNING: Tue May 16 10:00:23 2023 -> *** RESULT 200, SIZE: 7213 ***

Why does a 200 return code ("OK") warrant a warning?

May 16 10:00:24 de freshclam[864]: Tue May 16 10:00:24 2023 -> Testing database: '/var/lib/clamav/tmp.c022cc91c3/clamav-9a70f6b397596656b8338e5caf1d6bc7.tmp-daily.cld' ...
May 16 10:00:27 de freshclam[816014]: Tue May 16 10:00:27 2023 -> [LibClamAV] Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
May 16 10:00:27 de freshclam[816014]: Tue May 16 10:00:27 2023 -> [LibClamAV] cli_ac_addsig: cannot use filter for trie

"Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0" sounds a bit worrying...

May 16 10:00:29 de freshclam[864]: Tue May 16 10:00:29 2023 -> Database test passed.

But alas, despite errors the Database test passed?

May 16 10:00:29 de freshclam[864]: Tue May 16 10:00:29 2023 -> daily.cld updated (version: 26908, sigs: 2034816, f-level: 90, builder: raynman)
May 16 10:00:29 de freshclam[864]: Tue May 16 10:00:29 2023 -> Clamd successfully notified about the update.
May 16 10:00:33 de clamd[686]: LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
May 16 10:00:33 de clamd[686]: LibClamAV Warning: cli_ac_addsig: cannot use filter for trie

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] ppa for ClamAV for Ubuntu 22.04.1
* newcomer01 via clamav-users :
> does everyone know, if there exists a ppa to install always the current stable
> version of ClamAV for Ubuntu 22.04.1?
> The Ubuntu releases are so slow ...

I use the official releases (installing them over the Ubuntu clamav) and then use this script to map the binaries:

#!/bin/sh
# point the Ubuntu package's paths at the upstream build in /usr/local
rm /usr/bin/freshclam
ln -s /usr/local/bin/freshclam /usr/bin/freshclam
rm /usr/local/etc/freshclam.conf
ln -s /etc/clamav/freshclam.conf /usr/local/etc/freshclam.conf
rm /usr/sbin/clamd
ln -s /usr/local/sbin/clamd /usr/sbin/clamd
rm /usr/local/etc/clamd.conf
ln -s /etc/clamav/clamd.conf /usr/local/etc/clamd.conf
# restart the Ubuntu services so they pick up the relinked binaries
service clamav-freshclam restart
service clamav-daemon restart

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running
* JOHN URBAN :
> Not quite as easy to set up as I made it sound, as lots of pieces and people
> involved but that is exactly one of the tests we hope to run today; thanks!

Yes, this sounds like hours of fun :/
But the insight gained will be rewarding :)

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: parallel processes fail at startup when clamd is running
* JOHN URBAN via clamav-users :
> Doing a scan of the entire locally attached storage on Linux nodes,
> including /tmp and /var; and the problem is basically that MPI
> programs trying to launch while that full scan is running fail to
> start up. Once the programs start they do not commonly fail; but a
> very high number of jobs trying to start up when the scan is progress
> fail to start properly. Memory is not a problem; all nodes have >128GB
> of memory.

Since it's so easy to reproduce, why not start those programs using strace to see which syscalls are failing:

strace --failed-only $program

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: ClamAV 1.0.0 release candidate now available
* Joel Esler :
> You wouldn't download the cld from the server. Or am I reading this thread
> wrong.

No, but the debian package (*.deb), instead of building it myself (like Yasuhiro did). What I'm trying to say: The prebuilt package suffers from the same issue :)

>> Ah, interesting. I'm using the *.deb from
>> http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb

-- 
Ralf Hildebrandt
Re: [clamav-users] ClamAV 1.0.0 release candidate now available
* Yasuhiro Kimura :
> I experienced the same problem while I'm working to update the FreeBSD ClamAV
> port to 1.0.0-rc. It happens if ClamAV is built with external
> TomsFastMath library (that is, ENABLE_EXTERNAL_TOMSFASTMATH option is
> ON).
>
> See issue #736 for more detail.
>
> https://github.com/Cisco-Talos/clamav/issues/736

Ah, interesting. I'm using the *.deb from
http://www.clamav.net/downloads/production/clamav-1.0.0-rc.linux.x86_64.deb

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available
> Fri Oct 28 09:07:10 2022 -> --
> Fri Oct 28 09:07:10 2022 -> freshclam daemon 1.0.0-rc (OS: Linux, ARCH: x86_64, CPU: x86_64)
> Fri Oct 28 09:07:10 2022 -> ClamAV update process started at Fri Oct 28 09:07:10 2022
> Fri Oct 28 09:07:10 2022 -> daily database available for update (local version: 26700, remote version: 26701)
> Fri Oct 28 09:07:10 2022 -> WARNING: [LibClamAV] CVD verification failed for: daily.cld
> Fri Oct 28 09:07:10 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't unpack daily.cld into /var/lib/clamav/tmp.3bbb7ed4d7/clamav-bfba84844f1170e4c4210f03d1759097.tmp
> Fri Oct 28 09:07:10 2022 -> The database server doesn't have the latest patch for the daily database (version 26701). The server will likely have updated if you check again in a few hours.
> Fri Oct 28 09:07:10 2022 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
> Fri Oct 28 09:07:10 2022 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
> Fri Oct 28 09:07:10 2022 -> --

Another data point - I checked another machine which successfully updated to 26701 (yesterday already!):

Thu Oct 27 10:00:06 2022 -> --
Thu Oct 27 11:00:06 2022 -> Received signal: wake up
Thu Oct 27 11:00:06 2022 -> ClamAV update process started at Thu Oct 27 11:00:06 2022
Thu Oct 27 11:00:06 2022 -> daily database available for update (local version: 26699, remote version: 26701)
Thu Oct 27 11:00:06 2022 -> WARNING: [LibClamAV] CVD verification failed for: daily.cld
Thu Oct 27 11:00:06 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't unpack daily.cld into /var/lib/clamav/tmp.bfd8f6c0fe/clamav-91f69d4433a1975076fd9905e1f5ca06.tmp
Thu Oct 27 11:00:06 2022 -> WARNING: Incremental update failed, trying to download daily.cvd
Thu Oct 27 11:00:09 2022 -> Testing database: '/var/lib/clamav/tmp.bfd8f6c0fe/clamav-4ad0a44cd8a0ebe2bf630a0b92819105.tmp-daily.cvd'...
Thu Oct 27 11:00:19 2022 -> Database test passed.
Thu Oct 27 11:00:19 2022 -> daily.cvd updated (version: 26701, sigs: 2009238, f-level: 90, builder: raynman)
Thu Oct 27 11:00:19 2022 -> main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Oct 27 11:00:19 2022 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Thu Oct 27 11:00:19 2022 -> ------

So the issue is with the incremental update of daily.cld only; once it falls back to daily.cvd it's working as it should.

-- 
Ralf Hildebrandt
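Added example (my code, not freshclam's and not posted in the thread): a Python check that reads freshclam log lines, in either the plain freshclam.log form ("Fri Oct 28 09:07:10 2022 -> ...") or the syslog form ("Oct 28 00:06:48 de freshclam[1878609]: WARNING: ..."), groups them into update runs and classifies each run the way the message above does by hand: did the daily.cld incremental update fail verification, did freshclam fall back to a full daily.cvd download, and which daily version was actually installed. The point for monitoring is the difference between the two runs quoted above: a verification failure followed by "Incremental update failed, trying to download daily.cvd" and a "daily.cvd updated" line ends in a current database, while a verification failure followed only by "The database server doesn't have the latest patch" leaves the machine on the old version although nothing looks like an error to a grep for ERROR. The embedded runs are shortened copies of the log lines posted in this thread; the outcome labels are my own naming.

```python
"""Classify freshclam update runs from log lines (added example, not freshclam code).

For every "ClamAV update process started" run it records the local/remote daily
versions offered, whether daily.cld failed CVD verification, whether freshclam fell
back to downloading daily.cvd, and the daily version installed at the end.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# syslog prefix "Oct 28 00:06:48 host freshclam[pid]: " plus the WARNING:/ERROR:
# tag that syslog output carries *before* freshclam's own timestamp
_SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]+\s\S+\sfreshclam\[\d+\]:\s+(?:(?:WARNING|ERROR):\s+)?")
_TS = re.compile(r"^\w{3}\s\w{3}\s+\d+\s[\d:]+\s\d{4}\s->\s")
_AVAILABLE = re.compile(r"daily database available for update \(local version: (\d+), remote version: (\d+)\)")
_UPDATED = re.compile(r"daily\.(cld|cvd) updated \(version: (\d+),")


@dataclass
class Run:
    started: Optional[str] = None          # timestamp from the "update process started" line
    local_version: Optional[int] = None
    remote_version: Optional[int] = None
    cld_verification_failed: bool = False  # "[LibClamAV] CVD verification failed for: daily.cld"
    fallback_to_cvd: bool = False          # "Incremental update failed, trying to download daily.cvd"
    server_blamed: bool = False            # "The database server doesn't have the latest patch ..."
    installed: Optional[str] = None        # "daily.cld" or "daily.cvd"
    installed_version: Optional[int] = None

    @property
    def outcome(self) -> str:
        if self.remote_version is None:
            return "nothing-offered"
        if self.installed_version == self.remote_version:
            return "updated-via-cvd-fallback" if self.fallback_to_cvd else "updated-via-cdiff"
        if self.cld_verification_failed:
            return "stale-cld-verification-failed"
        return "stale"


def normalise(line: str) -> str:
    """Strip syslog and freshclam timestamp prefixes, leaving the bare message."""
    line = _SYSLOG.sub("", line.strip())
    m = _TS.match(line)
    return line[m.end():] if m else line


def parse_runs(text: str) -> List[Run]:
    runs: List[Run] = []
    for raw in text.splitlines():
        msg = normalise(raw)
        if msg.startswith("ClamAV update process started"):
            runs.append(Run(started=msg.partition(" at ")[2] or None))
            continue
        m_avail, m_upd = _AVAILABLE.search(msg), _UPDATED.search(msg)
        verify_failed = "CVD verification failed for: daily.cld" in msg
        fallback = "trying to download daily.cvd" in msg
        blamed = "doesn't have the latest patch" in msg
        if not (m_avail or m_upd or verify_failed or fallback or blamed):
            continue
        if not runs:                      # excerpt without a start line (syslog snippets)
            runs.append(Run())
        run = runs[-1]
        if m_avail:
            run.local_version, run.remote_version = int(m_avail.group(1)), int(m_avail.group(2))
        if verify_failed:
            run.cld_verification_failed = True
        if fallback:
            run.fallback_to_cvd = True
        if blamed:
            run.server_blamed = True
        if m_upd:
            run.installed, run.installed_version = "daily." + m_upd.group(1), int(m_upd.group(2))
    return runs


# Shortened copies of the runs posted in this thread (constructed test input).
FAILED_RUN = """\
Fri Oct 28 09:07:10 2022 -> freshclam daemon 1.0.0-rc (OS: Linux, ARCH: x86_64, CPU: x86_64)
Fri Oct 28 09:07:10 2022 -> ClamAV update process started at Fri Oct 28 09:07:10 2022
Fri Oct 28 09:07:10 2022 -> daily database available for update (local version: 26700, remote version: 26701)
Fri Oct 28 09:07:10 2022 -> WARNING: [LibClamAV] CVD verification failed for: daily.cld
Fri Oct 28 09:07:10 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't unpack daily.cld into /var/lib/clamav/tmp.3bbb7ed4d7/clamav-bfba84844f1170e4c4210f03d1759097.tmp
Fri Oct 28 09:07:10 2022 -> The database server doesn't have the latest patch for the daily database (version 26701). The server will likely have updated if you check again in a few hours.
"""
RECOVERED_RUN = """\
Thu Oct 27 11:00:06 2022 -> Received signal: wake up
Thu Oct 27 11:00:06 2022 -> ClamAV update process started at Thu Oct 27 11:00:06 2022
Thu Oct 27 11:00:06 2022 -> daily database available for update (local version: 26699, remote version: 26701)
Thu Oct 27 11:00:06 2022 -> WARNING: [LibClamAV] CVD verification failed for: daily.cld
Thu Oct 27 11:00:06 2022 -> WARNING: Incremental update failed, trying to download daily.cvd
Thu Oct 27 11:00:19 2022 -> daily.cvd updated (version: 26701, sigs: 2009238, f-level: 90, builder: raynman)
"""
SYSLOG_RUN = """\
Oct 28 00:06:46 de freshclam[1878609]: Fri Oct 28 00:06:46 2022 -> daily database available for update (local version: 26700, remote version: 26701)
Oct 28 00:06:48 de freshclam[1878609]: WARNING: Fri Oct 28 00:06:48 2022 -> [LibClamAV] CVD verification failed for: daily.cld
"""

if __name__ == "__main__":
    for text in (FAILED_RUN, RECOVERED_RUN, SYSLOG_RUN):
        for run in parse_runs(text):
            print(run.started, run.local_version, "->", run.remote_version, run.outcome)
```

Fed with `journalctl -u clamav-freshclam` or the daemon's own log file, anything other than an `updated-via-*` outcome for the latest run is what to alert on; the "database server doesn't have the latest patch" line on its own is not a reliable signal, since in the runs above it follows a local verification failure rather than a missing file on the mirror.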
Re: [clamav-users] [ext] ClamAV 1.0.0 release candidate now available
* Micah Snyder (micasnyd) via clamav-users :
> We are excited to announce the ClamAV 1.0.0 release candidate!

I'm seeing log entries like this for the machines with 1.0.0-rc indicating the daily.cld update failed:

Oct 28 00:06:46 de freshclam[1878609]: Fri Oct 28 00:06:46 2022 -> daily database available for update (local version: 26700, remote version: 26701)
Oct 28 00:06:48 de freshclam[1878609]: WARNING: Fri Oct 28 00:06:48 2022 -> [LibClamAV] CVD verification failed for: daily.cld
Oct 28 00:06:48 de freshclam[1878609]: ERROR: Fri Oct 28 00:06:48 2022 -> mkdir_and_chdir_for_cdiff_tmp: Can't unpack daily.cld into /var/lib/clamav/tmp.1e2a6b8a16/clamav-09a73c546a48c9737e48f49fcc7d4195.tmp
Oct 28 00:06:48 de freshclam[1878609]: Fri Oct 28 00:06:48 2022 -> The database server doesn't have the latest patch for the daily database (version 26701). The server will likely have updated if you check again in a few hours.

Checking the permissions on /var/lib/clamav/:

# ls -ld /var/lib/clamav/
drwxr-xr-x 3 clamav clamav 4096 Okt 28 08:49 /var/lib/clamav/

Checking the current state of affairs (it's 09:00am here):

# clamd --version
ClamAV 1.0.0-rc/26700/Wed Oct 26 09:55:46 2022

checked apparmor (removed the profile to be on the safe side for the tests):

Oct 28 09:06:15 de kernel: [1525842.556230] audit: type=1400 audit(1666940775.160:86): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="/usr/bin/freshclam" pid=2535488 comm="apparmor_parser"

I restarted freshclam to see what happens:

Fri Oct 28 09:07:10 2022 -> --
Fri Oct 28 09:07:10 2022 -> freshclam daemon 1.0.0-rc (OS: Linux, ARCH: x86_64, CPU: x86_64)
Fri Oct 28 09:07:10 2022 -> ClamAV update process started at Fri Oct 28 09:07:10 2022
Fri Oct 28 09:07:10 2022 -> daily database available for update (local version: 26700, remote version: 26701)
Fri Oct 28 09:07:10 2022 -> WARNING: [LibClamAV] CVD verification failed for: daily.cld
Fri Oct 28 09:07:10 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't unpack daily.cld into /var/lib/clamav/tmp.3bbb7ed4d7/clamav-bfba84844f1170e4c4210f03d1759097.tmp
Fri Oct 28 09:07:10 2022 -> The database server doesn't have the latest patch for the daily database (version 26701). The server will likely have updated if you check again in a few hours.
Fri Oct 28 09:07:10 2022 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Fri Oct 28 09:07:10 2022 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Fri Oct 28 09:07:10 2022 -> --

Still failing.

-- 
Ralf Hildebrandt
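As an added example (not from the thread or from ClamAV), here is a small parser over freshclam log lines like the ones quoted in this message and the follow-up above: it tells a run where the incremental daily.cld update failed and freshclam gave up apart from one where it fell back to a full daily.cvd download. The sample lines are constructed from the excerpts quoted above; the regular expressions only match message texts that appear there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# freshclam prefixes each message with a ctime-style date and " -> ".  When the daemon logs
# through syslog there is a further "Oct 28 00:06:48 host freshclam[pid]: LEVEL: " prefix, so
# the date is searched for instead of being anchored at the start of the line.
LINE_RE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} -> (?P<msg>.*)$")
AVAILABLE_RE = re.compile(r"(?P<db>\w+) database available for update "
                          r"\(local version: (?P<local>\d+), remote version: (?P<remote>\d+)\)")
VERIFY_FAILED_RE = re.compile(r"CVD verification failed for: (?P<file>[\w.]+)")
UNPACK_FAILED_RE = re.compile(r"Can't unpack (?P<file>[\w.]+) into ")
FALLBACK_RE = re.compile(r"Incremental update failed, trying to download (?P<file>[\w.]+)")
UPDATED_RE = re.compile(r"(?P<file>\w+\.c[lv]d) updated \(version: (?P<version>\d+),")
UP_TO_DATE_RE = re.compile(r"(?P<file>\w+\.c[lv]d) database is up-to-date \(version: (?P<version>\d+),")
SERVER_LAG_RE = re.compile(r"database server doesn't have the latest patch for the (?P<db>\w+) database")


@dataclass
class DbStatus:
    name: str
    local: Optional[int] = None
    remote: Optional[int] = None
    verification_failed: bool = False  # "CVD verification failed" or "Can't unpack" seen
    fell_back: bool = False            # freshclam retried with a full .cvd download
    final_version: Optional[int] = None
    state: str = "unknown"             # "updated", "up-to-date" or "failed"


def _db_name(filename: str) -> str:
    """daily.cld / daily.cvd -> daily"""
    return filename.split(".", 1)[0]


def summarize(lines: List[str]) -> Dict[str, DbStatus]:
    """Walk the log in order and keep the last known state of every database."""
    status: Dict[str, DbStatus] = {}

    def db(name: str) -> DbStatus:
        return status.setdefault(name, DbStatus(name))

    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (a := AVAILABLE_RE.search(msg)):
            st = db(a["db"])
            st.local, st.remote = int(a["local"]), int(a["remote"])
        elif (a := VERIFY_FAILED_RE.search(msg)) or (a := UNPACK_FAILED_RE.search(msg)):
            db(_db_name(a["file"])).verification_failed = True
        elif (a := FALLBACK_RE.search(msg)):
            db(_db_name(a["file"])).fell_back = True
        elif (a := UPDATED_RE.search(msg)):
            st = db(_db_name(a["file"]))
            st.final_version, st.state = int(a["version"]), "updated"
        elif (a := UP_TO_DATE_RE.search(msg)):
            st = db(_db_name(a["file"]))
            st.final_version, st.state = int(a["version"]), "up-to-date"
        elif (a := SERVER_LAG_RE.search(msg)):
            # freshclam gave up on this database for the run; the local copy stays at "local"
            st = db(a["db"])
            st.final_version, st.state = st.local, "failed"
    return status


def needs_attention(status: Dict[str, DbStatus]) -> List[str]:
    """Databases still behind the server after the run: the ones worth alerting on."""
    return sorted(name for name, st in status.items()
                  if st.state == "failed"
                  or (st.remote is not None and st.final_version is not None
                      and st.final_version < st.remote))


# Constructed from the 1.0.0-rc log quoted in the thread: incremental update fails, no fallback.
SAMPLE_RC_FAILED = [
    "Oct 28 00:06:46 de freshclam[1878609]: Fri Oct 28 00:06:46 2022 -> daily database available for update (local version: 26700, remote version: 26701)",
    "Oct 28 00:06:48 de freshclam[1878609]: WARNING: Fri Oct 28 00:06:48 2022 -> [LibClamAV] CVD verification failed for: daily.cld",
    "Oct 28 00:06:48 de freshclam[1878609]: ERROR: Fri Oct 28 00:06:48 2022 -> mkdir_and_chdir_for_cdiff_tmp: Can't unpack daily.cld into /var/lib/clamav/tmp.1e2a6b8a16/clamav-09a73c546a48c9737e48f49fcc7d4195.tmp",
    "Oct 28 00:06:48 de freshclam[1878609]: Fri Oct 28 00:06:48 2022 -> The database server doesn't have the latest patch for the daily database (version 26701). The server will likely have updated if you check again in a few hours.",
    "Fri Oct 28 09:07:10 2022 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)",
    "Fri Oct 28 09:07:10 2022 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)",
]
# Constructed from the older machine's log: incremental fails, full daily.cvd download succeeds.
SAMPLE_FALLBACK_OK = [
    "Thu Oct 27 11:00:06 2022 -> daily database available for update (local version: 26699, remote version: 26701)",
    "Thu Oct 27 11:00:06 2022 -> WARNING: [LibClamAV] CVD verification failed for: daily.cld",
    "Thu Oct 27 11:00:06 2022 -> ERROR: mkdir_and_chdir_for_cdiff_tmp: Can't unpack daily.cld into /var/lib/clamav/tmp.bfd8f6c0fe/clamav-91f69d4433a1975076fd9905e1f5ca06.tmp",
    "Thu Oct 27 11:00:06 2022 -> WARNING: Incremental update failed, trying to download daily.cvd",
    "Thu Oct 27 11:00:19 2022 -> Database test passed.",
    "Thu Oct 27 11:00:19 2022 -> daily.cvd updated (version: 26701, sigs: 2009238, f-level: 90, builder: raynman)",
    "Thu Oct 27 11:00:19 2022 -> main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)",
]
```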
Re: [clamav-users] [ext] PDF scan
* Tsutomu Oyamada :
> Hi, all.
>
> I have a question about ClamAV 0.104.2 on IBM AIX7.3 system.
> It takes time to scan PDF files by clamdscan.
> it takes about 8 seconds to scan PDF file(total 645 page).

All files or just THIS file? 645 pages is quite long.

> (sample file is here: https://www.uinet.or.jp/LPBB0010-10.pdf)

Scanning it here:

# clamdscan -v /tmp/LPBB0010-10.pdf
/tmp/LPBB0010-10.pdf: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 6.818 sec (0 m 6 s)
Start Date: 2022:09:20 09:40:36
End Date:   2022:09:20 09:40:43

# clamdscan -V /tmp/LPBB0010-10.pdf
ClamAV 0.105.1/26663/Mon Sep 19 09:56:35 2022

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] More info about detected virus
* Zvi Kave via clamav-users :
> Hi,
>
> Where can I find more information about ClamAV detected virus like
> Win.Trojan.N-68
>
> or another name ?

You can decode the signature using this command:

# sigtool -fWin.Trojan.N-68 | sigtool --decode-sigs

Basically it finds an email containing a BASE64 encoded "readme.exe" using the content type "audio/x-wav"... Maybe this helps:

VIRUS NAME: Win.Trojan.N-68
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
REMOVED A MIME BOUNDARY HERE
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

-- 
Ralf Hildebrandt
Re: [clamav-users] Fuzzy image signatures, Y U no work?
* Ralf Hildebrandt via clamav-users :
> Today I installed 0.105.0 to test the new fuzzy image signatures.

I'm a moron: "Added image fuzzy hash sub-signatures for logical signatures" -- thus it must be an LDB file :/

> Alas, I started up my trusty editor and generated a rezeptfrei.hdb
> signature file containing:

With rezeptfrei.ldb it's working ok.

Ralf Hildebrandt
[clamav-users] Fuzzy image signatures, Y U no work?
Today I installed 0.105.0 to test the new fuzzy image signatures. I was able to determine the fuzzy hash for a set of given pictures of questionable content using:

sigtool --fuzzy-img pr0npic.jpg

Alas, I started up my trusty editor and generated a rezeptfrei.hdb signature file containing:

pr0n1.jpg;Engine:150-255,Target:0;0;fuzzy_img#cb32363464cb5bca
pr0n1.jpg-2;Engine:150-255,Target:0;0&1;49484452;fuzzy_img#cb32363464cb5bca

and clamscan would bail with:

LibClamAV Error: cli_loadhash: Invalid value for the size field
LibClamAV Error: cli_loadhash: Problem parsing database at line 1
LibClamAV Error: Can't load /var/lib/clamav/rezeptfrei.hdb: Malformed database
LibClamAV Error: cli_loaddbdir: error loading database /var/lib/clamav/rezeptfrei.hdb
ERROR: Malformed database

I then tried the exact example from https://blog.clamav.net/2022/03/clamav-01050-release-candidate-now.html which reads:

--- snip ---
For example:
logo.png;Engine:150-255,Target:0;0;fuzzy_img#af2ad01ed42993c7
logo.png-2;Engine:150-255,Target:0;0&1;49484452;fuzzy_img#af2ad01ed42993c7
--- snip ---

alas, this one fails as well, with the same error message:

LibClamAV Error: cli_loadhash: Invalid value for the size field
LibClamAV Error: cli_loadhash: Problem parsing database at line 1
LibClamAV Error: Can't load /var/lib/clamav/rezeptfrei.hdb: Malformed database
LibClamAV Error: cli_loaddbdir: error loading database /var/lib/clamav/rezeptfrei.hdb
ERROR: Malformed database

So what IS the correct syntax?

-- 
Ralf Hildebrandt
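The follow-up above resolves the error: the lines are logical-signature (.ldb) syntax, and the .hdb loader reads the second ;-separated field as the hash size. As an added example (not ClamAV code), the checker below parses a hand-written line under both grammars, says which file it belongs in, and reproduces the "Invalid value for the size field" complaint for the thread's lines. Assumptions: .hdb lines are hash:size:name with a digit-only size or `*`, .ldb lines are name;TargetDescription;LogicalExpression;subsig;..., and a fuzzy_img hash is 16 hex digits as in both examples quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# fuzzy_img#<16 hex digits>[#<distance>]; the 16-digit length follows the quoted examples
FUZZY_IMG_RE = re.compile(r"^fuzzy_img#[0-9a-fA-F]{16}(#\d+)?$")
# numbers in the logical expression that are subsig ids, i.e. not the count after > < = ,
SUBSIG_ID_RE = re.compile(r"(?<![<>=,\d])\d+")


@dataclass
class Verdict:
    db_type: str                       # "hdb" or "ldb": the file this line belongs in
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def check_hdb_line(line: str) -> List[str]:
    """Errors an .hdb loader would raise: hash:size:name[:minfl[:maxfl]]."""
    errors = []
    fields = line.split(":")
    if len(fields) < 3:
        return ["hdb line needs at least hash:size:name"]
    digest, size = fields[0], fields[1]
    if not (HEX_RE.match(digest) and len(digest) in (32, 40, 64)):
        errors.append(f"hash field is not an MD5/SHA1/SHA256 hex digest: {digest!r}")
    if not (size.isdigit() or size == "*"):
        errors.append(f"Invalid value for the size field: {size!r}")
    return errors


def check_ldb_line(line: str) -> List[str]:
    """Errors for a logical signature: target description, expression, fuzzy_img subsigs."""
    errors = []
    fields = line.split(";")
    if len(fields) < 4:
        return ["ldb line needs name;TDB;logical-expression;subsig[;subsig...]"]
    _name, tdb, expr, subsigs = fields[0], fields[1], fields[2], fields[3:]
    for item in tdb.split(","):
        key, _, value = item.partition(":")
        if not (key and value):
            errors.append(f"malformed target description item: {item!r}")
        elif key == "Engine" and not re.fullmatch(r"\d+-\d+", value):
            errors.append(f"Engine must be a min-max functionality level range: {value!r}")
        elif key == "Target" and not value.isdigit():
            errors.append(f"Target must be numeric: {value!r}")
    if not re.fullmatch(r"[\d&|()<>=,]+", expr):
        errors.append(f"logical expression has unexpected characters: {expr!r}")
    for sid in (int(x) for x in SUBSIG_ID_RE.findall(expr)):
        if sid >= len(subsigs):
            errors.append(f"expression references subsig {sid}, only {len(subsigs)} given")
    for i, sub in enumerate(subsigs):
        if sub.startswith("fuzzy_img#") and not FUZZY_IMG_RE.match(sub):
            errors.append(f"subsig {i}: fuzzy_img hash must be 16 hex digits: {sub!r}")
    return errors


def classify(line: str) -> Verdict:
    """Pick the grammar the line is written in and validate it under that grammar.
    Three or more ';' with a Target description in field 2 is ldb syntax; saving such a
    line as .hdb makes the loader parse 'Engine:150-255,Target:0' as hash and size."""
    if line.count(";") >= 3 and "Target:" in line.split(";")[1]:
        return Verdict("ldb", check_ldb_line(line))
    return Verdict("hdb", check_hdb_line(line))


# The two lines from the thread (ldb syntax that had been saved as rezeptfrei.hdb)
THREAD_LINE_1 = "pr0n1.jpg;Engine:150-255,Target:0;0;fuzzy_img#cb32363464cb5bca"
THREAD_LINE_2 = "pr0n1.jpg-2;Engine:150-255,Target:0;0&1;49484452;fuzzy_img#cb32363464cb5bca"
# Constructed: a well-formed hdb line (32 hex digits, size, name; not a real signature)
HDB_LINE = "00112233445566778899aabbccddeeff:1234:Example.Constructed"
```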
Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd
* Arnaud Jacques via clamav-users :
> Is it just me, or?

Same here:

# clamdscan -V
ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021

# sigtool -l|tail
Doc.Malware.Valyria-6923115-0
Xls.Malware.Generic-6923116-0
Doc.Malware.00536d-6923117-0
Doc.Malware.Valyria-6923118-0
Xls.Malware.Sload-6923119-0
Xls.Downloader.Powload-6923120-0
ERROR: listdb: Malformed pattern line 32300 (file /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb)
ERROR: listdb: Error listing database /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb
ERROR: listdb: Can't list directory /var/lib/clamav/main.cld
ERROR: listdb: Error listing database /var/lib/clamav/main.cld

Ralf Hildebrandt

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] ClamAV® blog: ClamAV 0.104.0 Second Release Candidate is here!
* Joel Esler (jesler) via clamav-users :
> [cid:7F6A7E38-0C10-460C-A542-B8AD5C969E5E-L0-001]

Indeed; I installed clamav-0.104.0-rc2.linux.x86_64.deb, and then checked - it seems to be missing:

$ dpkg -L clamav |fgrep -i milter
/usr/local/share/man/man5/clamav-milter.conf.5
/usr/local/share/man/man8/clamav-milter.8

$ dpkg -L clamav |egrep -i "/(bin|lib)/"
/usr/local/bin/clamav-config
/usr/local/bin/clambc
/usr/local/bin/clamconf
/usr/local/bin/clamdscan
/usr/local/bin/clamdtop
/usr/local/bin/clamscan
/usr/local/bin/clamsubmit
/usr/local/bin/freshclam
/usr/local/bin/sigtool
/usr/local/lib/libclamav.so.9.1.0
/usr/local/lib/libclammspack.so.0.8.0
/usr/local/lib/libclamunrar.so.5.7.5
/usr/local/lib/libclamunrar_iface.so.9.1.0
/usr/local/lib/libfreshclam.so.2.0.2
/usr/local/lib/pkgconfig
/usr/local/lib/pkgconfig/libclamav.pc
/usr/local/lib/libclamav.so
/usr/local/lib/libclamav.so.9
/usr/local/lib/libclammspack.so
/usr/local/lib/libclammspack.so.0
/usr/local/lib/libclamunrar.so
/usr/local/lib/libclamunrar.so.5
/usr/local/lib/libclamunrar_iface.so
/usr/local/lib/libclamunrar_iface.so.9
/usr/local/lib/libfreshclam.so
/usr/local/lib/libfreshclam.so.2

Ralf Hildebrandt
Re: [clamav-users] [ext] Re: ClamAV® blog: Are you still attempting to download safebrowsing.cvd?
* Vladislav Kurz via clamav-users :
> How about just making the file empty?

I think this causes an error in clamav/clamd

Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases
> > I usually rebuild from a recent debian source (hah!)
>
> that's what I recommend.
>
> with changing version to something lower than 0.103 e.g. 0.103~backport
> - it gets upgraded to ubuntu-provided version when it's available.

Same here.

Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Regarding ClamAV code coverage metrics with help of existing unit-test cases
* Matus UHLAR - fantomas :
> On 26.11.20 02:55, Satish Kumar via clamav-users wrote:
> > I would like to build the ClamAV software from source code on an ubuntu
> > machine
>
> why?
> ubuntu provides clamav itself, integrated.

But an old version (last time I looked)

> Do you want to take care of it since now (forever)?
>
> It is possible, but it should be easier to backport clamav e.g. version
> 0.103 from hirsute. That way, when newer version appears in ubuntu
> repository, it may get upgraded so you won't have to care.

I usually rebuild from a recent debian source (hah!)

Ralf Hildebrandt
[clamav-users] pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects
In my log I'm seeing a lot of:

Sep 18 11:27:34 proxy-cbf-1 clamd[791]: LibClamAV Error: pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects.
Sep 18 11:46:45 proxy-cbf-1 clamd[791]: LibClamAV Error: pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects.
Sep 18 11:47:55 proxy-cbf-1 clamd[791]: LibClamAV Error: pdf_find_and_extract_objs: Timeout reached in the PDF parser while extracting objects.

What is the timeout value? Can it be configured? Is there any way of preserving the files for further analysis?

Ralf Hildebrandt
Re: [clamav-users] [ext] Xls.Malware.Sagent-7132944-0
* Matt Campbell via clamav-users :
> Hello,
>
> I have an XLSM spreadsheet that ClamAV is detecting malware in. It's popping
> up as Xls.Malware.Sagent-7132944-0 and I have not been able to find any
> information related to this definition. Can anyone shed some light on what
> this relates to?

# sigtool --find-sigs Xls.Malware.Sagent-7132944-0 | sigtool --decode-sigs
VIRUS NAME: Xls.Malware.Sagent-7132944-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
0{00020819---C000-0046}
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
CallByName
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
ThisWorkbook

This means subsignatures 0, 1 and 2 must all match:

0: contain "0{00020819---C000-0046}" anywhere
1: contain "CallByName" anywhere
2: contain "ThisWorkbook" anywhere

-- 
Ralf Hildebrandt
Re: [clamav-users] Becoming disillusioned
* Kurt Fitzner :
> ClamAV has, I'm afraid, become worse than nothing. Nothing doesn't take
> up memory, storage space, and execution resources but nets the same
> result. Nothing, by definition, doesn't come with that implied "it's
> better than nothing" which ClamAV does and clearly isn't.
>
> What can be done as a community to fix this? Is there anything that can
> be done? Is it time to fork and abandon?

I looked at my mailserver and created some statistics (Sophos & clamav) over the last week, TOP 25 detections:

   1134 "CXmail/OleDl-AD
    370 "CXmail/MalPE-AC
    162 "CXmail/MalPE-AW
    109 "Sanesecurity.Spam.12724.UNOFFICIAL
    109 "Sanesecurity.Malware.25738.AceHeur.Exe.UNOFFICIAL
     77 "CXmail/RtfObf-D
     53 "SecuriteInfo.com.Suspicious-ACE-exe.UNOFFICIAL
     52 "CXmail/IsoDl-A
     47 "Sanesecurity.Malware.27301.RtfHeur.BadVer.UNOFFICIAL
     41 "CXmail/OleDl-BI
     35 "CXmail/MalPE-U
     33 "SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
     31 "Win.Downloader.WannaMine-6442440-2
     29 "CXmail/MalPE-B
     28 "SecuriteInfo.com.Malware.XML.Autoload-1.UNOFFICIAL
     28 "Mal/BredoZp-B
     27 "CXmail/MalPE-AU
     22 "CXmail/MalPE-G
     19 "Mal/DrodZp-A
     18 "CXmail/OleDl-AL
     17 "CXmail/MalPE-AZ
     16 "Sanesecurity.Malware.27382.Rar5Heur.UNOFFICIAL
     14 "Sanesecurity.Foxhole.Iso_fs915.UNOFFICIAL
     13 "Sanesecurity.Malware.27342.RarHeur.v5.HideExt.UNOFFICIAL
     13 "CXmail/MalPE-H

Most detections come from sophos (the ones with a "/" in the name); the ones with UNOFFICIAL are from clamav, but use unofficial pattern sources (like Sanesecurity and to a lesser extent SecuriteInfo). The only official "hit" in the top 25 is "Win.Downloader.WannaMine-6442440-2".

I see the extensibility as a major advantage. Just the other day I created a set of patterns to detect EPOCH3 EMOTET files. But to some extent I agree with the point you're making.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] ClamAV Development Release: Cannot compile, no configure-script available...
* Heino Backhaus :
> Hi Foulks,
>
> i'm using a script on multiple Email-AV-Gateways to keep the
> ClamAV-Dev-Release uptodate. This seamlessly worked for decades...but
> somehow the configure-Script seems to be gone since 17. July 2020...
> Do i have to generate it?

So it seems: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.103/INSTALL.md says

"The file configure.ac (or configure.in) is used to create configure by a program called autoconf. You need configure.ac if you want to change it or regenerate configure using a newer version of autoconf."

Remove autotools generated files, add autogen.sh    26 days ago

Ralf Hildebrandt
Re: [clamav-users] [ext] Re: ClamAV® blog: Freshclam, cdiffs and bandwidth are your friends
* Paul Kosinski via clamav-users :
> "...we also only release updates once a day."
>
> Are there *never* any urgent virus updates released in between? In
> other words, is it always useless to check the TXT record more often?

I was wondering about this wording as well! But then I checked:

Mon Jul 20 17:00:17 2020 -> daily.cld updated (version: 25879, sigs: 3519456, f-level: 63, builder: raynman)
Tue Jul 21 17:14:19 2020 -> daily.cld updated (version: 25880, sigs: 3548222, f-level: 63, builder: raynman)
Wed Jul 22 17:14:33 2020 -> daily.cld updated (version: 25881, sigs: 3573651, f-level: 63, builder: raynman)
Thu Jul 23 17:14:47 2020 -> daily.cld updated (version: 25882, sigs: 3584533, f-level: 63, builder: raynman)
Fri Jul 24 17:15:02 2020 -> daily.cld updated (version: 25883, sigs: 3609907, f-level: 63, builder: raynman)
Sat Jul 25 17:15:18 2020 -> daily.cld updated (version: 25884, sigs: 3663341, f-level: 63, builder: raynman)
Sun Jul 26 17:00:15 2020 -> daily.cld updated (version: 25885, sigs: 3668554, f-level: 63, builder: raynman)
Mon Jul 27 18:00:38 2020 -> daily.cld updated (version: 25886, sigs: 3678125, f-level: 63, builder: raynman)
Tue Jul 28 18:00:53 2020 -> daily.cld updated (version: 25887, sigs: 3681654, f-level: 63, builder: raynman)

Ralf Hildebrandt
Re: [clamav-users] [ext] About Madeba-8019734
* Michel GALLE :
> Hi Everyone,
>
> it's my first post here.
>
> I try to get information about "Xls.Malware.Madeba-8019734-0".
>
> Clamav informed me a previously clean (or supposedly to be clean) xls file
> is in fact infected by Xls.Malware.Madeba-8019734-0.
>
> The file was not modified or edited.
>
> I found that Malware.Madeba-8019734-0 definition was added to Clamav the 13
> june 2020 or so, in Version 25842 of clamav signatures.
>
> My question is : where I can find more information about
> Malware.Madeba-8019734-0 ? Is there a better website/service referencing all
> malwares known ?

# sigtool --find-sigs Xls.Malware.Madeba-8019734-0 | sigtool --decode-sigs
VIRUS NAME: Xls.Malware.Madeba-8019734-0
TDB: Engine:51-255,Target:2
LOGICAL EXPRESSION: 0&1&2&3&4&5
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
-- Limits in place 2004-09-23 ...
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Dim RABJI1 As String
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
Dim words(100) As String
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
FLITIES = words(DOZAL
 * SUBSIG ID 4
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
If PAST4 > 0 Then
 * SUBSIG ID 5
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
words(85

So, as you can see, the signature consists of 6 subsignatures numbered 0-5, all of which must match. It sort-of looks highly specific to me.

Ralf Hildebrandt
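The two decoded signatures in this message and in the Xls.Malware.Sagent reply above are read the same way: every subsignature is searched for in the file, and the logical expression over the subsig ids decides whether the name fires. As an added example (not sigtool or libclamav code), the snippet below does that evaluation for a logical signature line. Assumptions: subsignatures are plain hex with no wildcards, only `&`, `|` and parentheses are handled (with `&` binding tighter than `|`), and SAGENT_LINE is re-encoded from the decoded strings quoted above, so it is a constructed stand-in, not the real signature's bytes.

```python
import re
from typing import Dict, List, Set


def parse_ldb_line(line: str):
    """name;TDB;logical-expression;subsig;... -> (name, expression, [decoded subsig bytes])"""
    name, _tdb, expr, *subsigs = line.split(";")
    return name, expr, [bytes.fromhex(s) for s in subsigs]


def matched_subsigs(sample: bytes, subsigs: List[bytes]) -> Set[int]:
    """Ids of the subsignatures that occur anywhere in the sample (OFFSET: ANY)."""
    return {i for i, pattern in enumerate(subsigs) if pattern in sample}


def evaluate(expr: str, matched: Set[int]) -> bool:
    """Recursive-descent evaluation of e.g. '0&1&2' or '(0|1)&2' over the matched ids."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported logical expression: {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom() -> bool:
        tok = take()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or not tok.isdigit():
            raise ValueError(f"expected subsig id, got {tok!r}")
        return int(tok) in matched

    def and_expr() -> bool:
        value = atom()
        while peek() == "&":
            take()
            value = atom() and value     # atom() runs first so the tokens are consumed
        return value

    def or_expr() -> bool:
        value = and_expr()
        while peek() == "|":
            take()
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def scan(sample: bytes, line: str) -> Dict[str, object]:
    """Which subsigs hit, and does the logical expression fire for this sample?"""
    name, expr, subsigs = parse_ldb_line(line)
    matched = matched_subsigs(sample, subsigs)
    return {"name": name, "matched": sorted(matched), "found": evaluate(expr, matched)}


# Constructed ldb line re-encoded from the decoded subsignatures quoted in the thread
SAGENT_LINE = ";".join([
    "Xls.Malware.Sagent-7132944-0", "Engine:51-255,Target:2", "0&1&2",
    b"0{00020819---C000-0046}".hex(), b"CallByName".hex(), b"ThisWorkbook".hex(),
])
# Constructed stand-ins for extracted VBA text, not real documents
SAMPLE_HIT = b'Attribute VB_Name = "ThisWorkbook"\r\n0{00020819---C000-0046}\r\nCallByName o, "Run", VbMethod\r\n'
SAMPLE_MISS = b'Attribute VB_Name = "ThisWorkbook"\r\nCallByName o, "Run", VbMethod\r\n'
```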
Re: [clamav-users] [ext] SelfCheck: Database modification detected. Forcing reload.
* Cliff Hayes via clamav-users :
> I have a daily cron job that runs around 3am that:
> - shuts down clamd
> - runs freshclam
> - starts clamd

Why? freshclam usually runs all the time, updating and signalling clamd on demand. But you do have a point...

Ralf Hildebrandt
Re: [clamav-users] rpm files question [was: ClamAV 0.101.2 announcement?]
* Micah Snyder (micasnyd) via clamav-users :
> This won't help you right now, but our team has been discussing
> publishing ClamAV on Linux using Snapcraft at the time of each
> release. Snapcraft sounds like it may be a good option to make ClamAV
> accessible faster.
>
> Would you, and others here, be interested in installing a ClamAV
> snap in the future?

That definitely sounds interesting!

-- 
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155
ralf.hildebra...@charite.de
https://www.charite.de
Re: [clamav-users] [ext] What kind of mails is clam* checking? Only mails with attachments / mailflow
* Stefan Bauer :
> Dear Users,
>
> my mailflow is following:
>
> amavis -> 15-av_scanners ->
> ['ClamAV-clamd',
>   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>   qr/\bOK$/m, qr/\bFOUND$/m,
>   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>
> What kind of mails are forwarded to clamd for scanning/checking?

Usually ALL mails.

> Or What kind mails are checked by clam*?

Usually ALL mails.

> Only mails with attachments?

amavis decomposes the mail into its text parts and attachments and usually scans the whole mail "as is" and the text parts and attachments separately.

> As clam* can also do URL checks and stuff, also mails without attachments
> can be infected.

-- 
Ralf Hildebrandt

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] [ext] MBL_17713260 false positive!
* Al Varnell :
> I cannot argue that malware does not show up in Google Docs which is
> wide open to anybody that wants to post there,

Amen to that!

> as I know it has occurred. Not sure how big a problem it has become for
> Google to police. I think it would be better if malwarepatrol were to
> list the specific site where the malware was reportedly found, rather
> than condemning the entire sub-domain.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: MBL_17713260 false positive!
* Alex :
> Hi,
>
> Thought I'd follow up with the response from Malwarepatrol:
>
> "The classification of a sample hosted on that domain, according to
> MBL# 17713260 (MD5: 88a1265b2f954a1fb06b6a67f198645e9617007e), is
> backed by 12 anti-virus products. Therefore, this is not a false
> positive.
>
> There is no reason to believe that the Google infrastructure doesn't
> host malware. In case you still don't want or can't block such domain,
> we advise you to whitelist it before applying our block lists."

Fucking idiots.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] MBL_17713260 false positive!
* Alex :
> Another malwarepatrol fp for docs.google.com
>
> # sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
> VIRUS NAME: MBL_17713260
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://docs.google.com
>
> I don't even know what to do anymore. Is it worth it to keep malwarepatrol?

I'm wondering this as well. That stuff pops up every other day.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Malwarepatrol false positive
* Paul Stead :
> Yet another Malwarepatrol FP:
>
> MBL_14437114 - https://drive.google.com

That's a recurring FP. Happens every week.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: WARNING: Local version: 0.99.4 Recommended version: 0.100.0
* Philip :
> Has this been released yet by the major Distros? I'm using Debian 9 and
> can't get any higher than 0.99.x

Debian has 0.100: https://packages.debian.org/buster/clamav

I used that source package to rebuild for my Ubuntu installations.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Question regarding SIGUSR2 and clamd
* Maarten Broekman :
> You might be able to open the socket that clamd is listening on and attempt
> to ping it. I forget if it replies with PONG while it's in the middle of
> reloading. It's been a while since I tried to do that.

Thanks:

# echo PING | socat - /var/run/clamav/clamd.ctl
PONG
# echo RELOAD | socat - /var/run/clamav/clamd.ctl
RELOADING
# echo PING | socat - /var/run/clamav/clamd.ctl
# echo PING | socat - /var/run/clamav/clamd.ctl
PONG

Yeah!

-- 
Ralf Hildebrandt
[clamav-users] Question regarding SIGUSR2 and clamd
One can send SIGUSR2 to a running clamd instance to reload the signatures.
But how can I (from a script) determine if the signatures have been
reloaded?

I can of course try "sleep 30" which will suffice in most cases (from my
experience) but is there a script based approach apart from trying to
parse the logfile?

--
Ralf Hildebrandt
Re: [clamav-users] Announcement missing
* Joel Esler (jesler) :
> You're right. That's my fault. I'll correct that here in a second after I
> read through all the emails in my ClamAV folder.

OK, tomorrow then :)

--
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* Reindl Harald :
> On 26.01.2018 at 13:40, Ralf Hildebrandt wrote:
> > * maxal :
> > > nobody of clamav/cisco reading this list?
> >
> > It's 7:45AM on the east coast
>
> so what - i don't get how such updates slip through at all - it's not rocket
> science load them on a test-machine and fire up a script that pipes a
> test-corpus against clamd and *read* stderr/stdout/logs for "warning" and
> "error"

If I had to guess: they used the beta for testing, but the release
versions (both 0.99.2 and 0.99.3!) fail to operate properly...

--
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* lukn :
> As ClamAV/Talos is owned by Cisco I assume all ClamAV employees are
> located in Silicon Valley area and therefore still enjoying a good
> Californian night's sleep.

Or maybe in Philadelphia.

--
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* maxal :
> nobody of clamav/cisco reading this list?

It's 7:45AM on the east coast.

--
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
> Arguably if a bug in the signatures can lead to such massive problems
> then that is in itself a bug in the software, which might be (but
> apparently so far isn't) fixed in a later version.

Amen to that.

--
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* Dianne Skoll :
> Hi,
>
> Something went badly wrong with clamd recently; it's stuck with
> hundreds/thousands of open files per process and interrupting mail flow.
>
> When a scanning thread finishes, I see this in the strace output.
> (I ran clamdscan /etc/hosts as a test):
>
> [pid 3707] 02:11:01 sendto(295, "/etc/hosts: OK\n", 15, 0, NULL, 0) = 15
> [pid 3707] 02:11:01 shutdown(295, SHUT_RDWR) = 0
> [pid 3707] 02:11:01 close(295) = 0
> [pid 3707] 02:11:01 futex(0x1933c3c, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 387, {1516950691, 0}, ) = -1 ETIMEDOUT (Connection timed out)
> [pid 3707] 02:11:31 futex(0x1933c10, FUTEX_WAKE_PRIVATE, 1) = 0
> [pid 3707] 02:11:31 madvise(0x7fae6affe000, 8368128, MADV_DONTNEED) = 0
> [pid 3707] 02:11:31 _exit(0) = ?
> [pid 3707] 02:11:31 +++ exited with 0 +++

clamd is leaking file descriptors for temporary files - ls /proc/`pidof clamd`/fd
shows a lot of:

lrwx------ 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
...

--
Ralf Hildebrandt
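A health check for the leak described above, as an added example (mine, not from the thread or from ClamAV): it walks /proc/<pid>/fd, or parses an `ls -l` listing of it, and counts descriptors whose target is an unlinked clamav-*.tmp file. The first three listing lines are the ones quoted above; the remaining lines and the alerting threshold are constructed assumptions.

```python
import os
import re
from collections import Counter

# First three lines are the ones quoted in the thread; the socket and the
# still-live temp file are constructed so the categories can be told apart.
SAMPLE_LISTING = """\
lrwx------ 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 3 -> socket:[12345]
lrwx------ 1 root root 64 Jan 26 10:38 4 -> /tmp/clamav-0123456789abcdef0123456789abcdef.tmp
"""

# One line of `ls -l /proc/<pid>/fd`: descriptor number, link target, deleted marker.
LS_LINE = re.compile(r"\s(?P<fd>\d+) -> (?P<target>\S+)(?P<deleted> \(deleted\))?\s*$")
# clamd names its temp files clamav-<32 hex>.tmp inside its TemporaryDirectory.
CLAMAV_TMP = re.compile(r"/clamav-[0-9a-f]{32}\.tmp$")


def parse_ls_line(line):
    """Return (fd, target, deleted) for one ls line, or None for non-fd lines."""
    m = LS_LINE.search(line)
    if not m:
        return None
    return int(m.group("fd")), m.group("target"), m.group("deleted") is not None


def proc_fd_entries(pid):
    """Yield (fd, target, deleted) straight from /proc/<pid>/fd (Linux only)."""
    fd_dir = f"/proc/{pid}/fd"
    if not os.path.isdir(fd_dir):
        return
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # closed between listdir() and readlink(); skip it
        deleted = target.endswith(" (deleted)")
        if deleted:
            target = target[: -len(" (deleted)")]
        yield int(name), target, deleted


def classify(entries):
    """Count descriptors by kind; 'clamav_tmp_deleted' is the leak signature."""
    counts = Counter()
    for _fd, target, deleted in entries:
        if CLAMAV_TMP.search(target):
            counts["clamav_tmp_deleted" if deleted else "clamav_tmp_live"] += 1
        elif target.startswith("socket:"):
            counts["socket"] += 1
        else:
            counts["other"] += 1
    return counts


def classify_pid(pid=None):
    """Classify the descriptors of a live process (defaults to this one)."""
    return classify(proc_fd_entries(os.getpid() if pid is None else pid))


def leak_verdict(counts, limit=100):
    """(leaked_count, alert) with `limit` an assumed alerting threshold."""
    leaked = counts["clamav_tmp_deleted"]
    return leaked, leaked >= limit


if __name__ == "__main__":
    sample = classify(parse_ls_line(l) for l in SAMPLE_LISTING.splitlines())
    print("sample listing:", dict(sample), "->", leak_verdict(sample, limit=3))
```

To watch a real clamd, feed `classify_pid(<clamd pid>)` to `leak_verdict` from cron or a monitoring agent and alert when the count keeps climbing.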
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* Reindl Harald :
> sounds like an issue with the official signatures given that you are not the
> first reporter and that we don't use them and have no problems

Thought so. Must be a recent signature in daily.cvd.

--
Ralf Hildebrandt
Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?
* Karl Pielorz :
> This ends up with a lot of wedged mail processes (and we slowly run out of
> fd's as the process table fills up).

Same here on Ubuntu 16.04 with official patterns.

--
Ralf Hildebrandt
Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.
> I used "strace -c -p 2906" and issued a "kill -SIGUSR2 2906" in
> another window and got these stats for the reload of the signatures:

Also did a "ltrace -c -p 2906":

^C% time     seconds  usecs/call     calls      function
------ ----------- ----------- --------- --------------------
 55.85  109.107849      252564       432 pthread_cond_timedwait
  7.34   14.341060       19618       731 poll
  7.27   14.211043        2362      6016 pthread_mutex_lock
  6.30   12.315734    12315734         1 cl_load
  4.69    9.163300        1522      6019 pthread_mutex_unlock
  3.60    7.039098       16034       439 cl_scandesc_callback
  2.94    5.747335     5747335         1 pthread_cond_wait
  1.78    3.480168         660      5268 strncmp
  0.95    1.865339     1865339         1 cl_engine_compile
  0.95    1.854321         791      2344 time
  0.86    1.679799         574      2924 pthread_cond_signal
  0.80    1.564059         508      3075 pthread_once
  0.79    1.551365         503      3080 pthread_getspecific
  0.65    1.260493         478      2634 sigdelset
  0.45    0.877795         609      1441 malloc
  0.43    0.838784         952       881 fcntl
...
------ ----------- ----------- --------- --------------------
100.00  195.366582                 47161 total

--
Ralf Hildebrandt
Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.
> 1. Does clamd scan memory during startup and/or restart?[1] The
>    problem seems to occur less with less committed memory in the VM.

I'm not authoritative on this, but I doubt it.

> 3. Does ClamAV use more than one CPU core during startup/reload?

Just tried that, I don't see more than 100%, so it's merely using one core.

>    Because if my problem occurs, htop shows a load of more than 100%
>    for the ClamAV process, sometimes up to 500.

Odd.

Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav ...
Dec 28 08:06:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6534998 signatures)

and:

Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav
Dec 28 14:07:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6535004 signatures)

so it takes about 12s on an Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz on a
busy proxy (physical hardware).

> 5. What should be most likely the bottleneck during startup/reload,
>    available time on one CPU core or I/O to read sigs? I don't seem to
>    have any reasonable I/O when the high CPU load occurs.

Maybe it's a memory issue? I've had some machines with low memory which
took a long time to reload sigs.

I used "strace -c -p 2906" and issued a "kill -SIGUSR2 2906" in another
window and got these stats for the reload of the signatures:

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 99.67    0.102712         194       529         1 poll
  0.24    0.000248           0      2096           munmap
  0.08    0.000080           0     32141           read
  0.01    0.000010           0      2094           mmap
  0.00    0.000000           0         7           write
  0.00    0.000000           0        37           open
  0.00    0.000000           0        43           close
  0.00    0.000000           0        32           stat
  0.00    0.000000           0        43           fstat
  0.00    0.000000           0       143           lseek
  0.00    0.000000           0         3           mprotect
  0.00    0.000000           0         6           brk
  0.00    0.000000           0         1         1 rt_sigreturn
  0.00    0.000000           0         4         4 ioctl
  0.00    0.000000           0         8         6 access
  0.00    0.000000           0         6           dup
  0.00    0.000000           0       341           recvmsg
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         6           fcntl
  0.00    0.000000           0         6           getdents
  0.00    0.000000           0         2           getcwd
  0.00    0.000000           0       480           futex
  0.00    0.000000           0         1           restart_syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.103050                 38030        12 total

--
Ralf Hildebrandt
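Measuring reload time from the clamd log lines quoted above, as an added example (mine, not from the thread or from ClamAV): it pairs each reload start with the following "Database correctly reloaded" line for the same pid and reports elapsed seconds and signature count, which gives 12 s for both reloads above; starts that never complete are reported rather than dropped. The year is an assumption supplied by the caller, since syslog lines carry none.

```python
import re
from datetime import datetime

# The six lines quoted in the thread (syslog format, no year).
SAMPLE_LOG = """\
Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav
Dec 28 08:06:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6534998 signatures)
Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav
Dec 28 14:07:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6535004 signatures)
"""

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ clamd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RELOAD_START = ("SelfCheck: Database modification detected", "Reading databases from")
RELOAD_DONE = re.compile(r"Database correctly reloaded \((?P<sigs>\d+) signatures\)")


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def reload_durations(lines, year=None):
    """Return [(pid, start, seconds, signatures)] for each reload seen.

    A reload starts at the first 'Forcing reload' / 'Reading databases' line
    for a pid and ends at that pid's next 'Database correctly reloaded'.
    A start with no matching end (clamd died, or the log was cut) is
    reported with seconds=None and signatures=None so it is not lost.
    """
    year = datetime.now().year if year is None else year
    pending, results = {}, []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = int(m.group("pid")), m.group("msg")
        ts = parse_ts(m.group("ts"), year)
        if msg.startswith(RELOAD_START):
            pending.setdefault(pid, ts)  # keep the earliest start line
            continue
        done = RELOAD_DONE.search(msg)
        if done and pid in pending:
            start = pending.pop(pid)
            results.append((pid, start, (ts - start).total_seconds(), int(done.group("sigs"))))
    for pid, start in pending.items():
        results.append((pid, start, None, None))
    return results


def slow_reloads(lines, threshold_seconds=30.0, year=None):
    """Reloads that took longer than the threshold, or never completed."""
    return [r for r in reload_durations(lines, year)
            if r[2] is None or r[2] > threshold_seconds]


if __name__ == "__main__":
    for pid, start, secs, sigs in reload_durations(SAMPLE_LOG.splitlines(), year=2017):
        print(f"clamd[{pid}] reload at {start:%H:%M:%S}: {secs}s, {sigs} signatures")
```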
Re: [clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?
* ANANT S ATHAVALE :
> Hi List,
>
> One of the .pptx file which was attached is getting detected as VIRUS:
> Win.Exploit.CVE_2016_3301-6210129-0. As it is an official document and can't
> be uploaded for submission. How to manually verify?

What do you want to verify?

--
Ralf Hildebrandt
Re: [clamav-users] Grizzly Steppe
* Andrew McGrath :
> I'm being asked a question by our security team that I am struggling
> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
>
> I've hunted around the archives, support pages and google, but do not
> see any discussion about this, could anyone comment?

They probably mean the exploit code used in operation Grizzly Steppe
(APT 29, APT 28, Cozybear, Fancybear, Sandworm, Sofacy etc.)
https://www.dhs.gov/news/2016/12/30/executive-summary-grizzly-steppe-findings-homeland-security-assistant-secretary

--
Ralf Hildebrandt
Re: [clamav-users] Porting LibClamAV for Android
* Bengt H. :
> Unsubscribe please

List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>,

--
Ralf Hildebrandt
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Ralf Hildebrandt :
> * Al Varnell :
> >
> > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > >
> > > * Al Varnell :
> > >> Has anybody submitted a PDF yet?
> > >
> > > Of course.
> >
> > Hash?
>
> 8d62c398679ab6c7b85749eacf7a9a80

generated by md5sum

--
Ralf Hildebrandt
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Al Varnell :
>
> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> >
> > * Al Varnell :
> >> Has anybody submitted a PDF yet?
> >
> > Of course.
>
> Hash?

8d62c398679ab6c7b85749eacf7a9a80

--
Ralf Hildebrandt
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Al Varnell :
> Has anybody submitted a PDF yet?

Of course.

--
Ralf Hildebrandt
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Hajo Locke :
> Hello,
>
> unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2
> Customer was testing at virustotal and only clamav is finding a virus.
> Unfortunately I cannot do a FP-Report. All PDFs are property of customers
> and not public.

I already did a FP report. It happened with PDFs from "Springer Medical".
Had to disable that signature.

> I hope there are some additional FP-Reports from other people regarding this
> virus to review this signature.

Yep.

--
Ralf Hildebrandt
Re: [clamav-users] One final clamd Frage
* Brad Scalio :
> When a clamscan is run from cmdline or via cron is the virus signature
> database checked before scanning commences

It is loaded, thus the long startup time.

> in a fashion that if we aren't using clamdscan then is there a need for
> clamd to run,

No. clamdscan together with clamd eliminates the long startup time.

> does it provide any added features or functionality not already present
> with freshclam + clamscan running on-demand from cronjobs?

--
Ralf Hildebrandt
Re: [clamav-users] ClamAV® blog: CRDF Joins the ClamAV Signature Partner Program!
* Joel Esler (jesler) :
>
> http://blog.clamav.net/2016/07/crdf-joins-clamav-signature-partner.html

Are these signatures already active?

--
Ralf Hildebrandt
Re: [clamav-users] Problem with mirrors overnight?
* Matthias Hank :
> Hi,
>
> On Thu, Mar 17, 2016 at 12:49:11PM +, Joel Esler (jesler) wrote:
> > It's possible they are overloaded. We released a new main.cvd and daily
> > late last night.
>
> But why are always the same 3 of 13 German mirrors probed from freshclam?
> All of them are failing since last night on all of our servers.
>
> Probed are:
> 178.63.73.246
> 84.39.110.99
> 88.198.17.100

http://lutz.donnerhacke.de/Blog/ClamAV-aktualisiert-sich-nicht-mehr

--
Ralf Hildebrandt
Re: [clamav-users] Bad detection rate
* Dennis Peterson :
> The OP brought up several points, none of which were addressed.
>
> 1. Nevertheless, the detection rate of viruses, trojans, etc. is not
> very good. Almost every time I submit a sample file on virustotal.com
> ClamAV can not detect the virus or malware.
>
> 2. Up to now, I never got a notification, although "Notify me" was checked.

Indeed. I also submitted quite a lot of malware and never got a
notification (in years!)

> 3. Why shall we not post more than two sample files per day ?

I also wondered about that.

--
Ralf Hildebrandt
Re: [clamav-users] An FP?
* Gene Heskett :
> > It's an UNOFFICIAL pattern, not a core clamav pattern
>
> Still, is it not un-needed noise?

It's obviously a FP, but calling it un-needed noise is a bit off. If the
pattern were correct and would find a real virus, is it not un-needed
noise?

--
Ralf Hildebrandt
Re: [clamav-users] An FP?
* Gene Heskett :
> Greetings;
>
> The daily system scan is fussing about
> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.6/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.8.3/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.9/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.4.36/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>
> But https://virustotal.com thinks otherwise.

It's an UNOFFICIAL pattern, not a core clamav pattern

--
Ralf Hildebrandt
Re: [clamav-users] Error build clamav 0.98
* Константин Белозеров :
> ***
> *** clamd did not detect all testfiles correctly!
> ***
>
> SKIP: check5_clamd_vg.sh (exit: 77)
> ===
>
> *** valgrind not found, skipping test

That's no error, it's merely skipping the test since you don't have
valgrind installed.

--
Ralf Hildebrandt
Re: [clamav-users] Error build clamav 0.98
* Константин Белозеров :
> Errors are listed in log file.

Would you mind pasting them here?

--
Ralf Hildebrandt
Re: [clamav-users] Error build clamav 0.98
* Константин Белозеров :
> Hello.
>
> Error when building from source anti-virus in the operating system
> GNU/Linux Debian 7.1. Performed "make check VG=1". But to no avail.

But which error are you getting?

--
Ralf Hildebrandt
Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184
* Joel Esler :
> Please run Freshclam. This has already been cleared up.

Thanks for the heads up. Time to release stuff from the quarantine.

--
Ralf Hildebrandt
Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184
* Cedric Knight :
> Hi
>
> I'm seeing BC.Exploit.CVE_2012_0184 hit a wide variety of attachments as
> of 14:40 UTC this afternoon. Will submit a sample the usual way, but
> wanted to warn that it just seems to be quite extensive. (also
> possibly BC.Exploit.CVE_2012_0165).
>
> Anyone else seeing this?

Yes, I'm also seeing a lot of FP's for BC.Exploit.CVE_2012_0184

--
Ralf Hildebrandt
[clamav-users] Solved: False positive submission page down (for a few days now)?
> Could you PLEASE check the server's logs?

I solved it. Your server doesn't like the "X-Forwarded-For: unknown"
header! See http://www.squid-cache.org/Doc/config/forwarded_for/

On our squids it was set to:

forwarded_for off

which results in "X-Forwarded-For: unknown" and a subsequent error page
from varnish. Setting it to "delete", "on" or "truncate" makes the page
http://cgi.clamav.net/sendfp.cgi work again. Only "off" causes the page
to fail.

--
Ralf Hildebrandt
Re: [clamav-users] False positive submission page down (for a few days now)?
* Luca Gibelli :
> Most likely your proxy is issuing a HTTP/1.0 request upstream?

Could you PLEASE check the server's logs? We're definitely sending
HTTP/1.1 requests with all the headers, see below:

output from tcpdump:

GET /sendfp.cgi HTTP/1.1
Host: cgi.clamav.net
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.168 Chrome/18.0.1025.168 Safari/535.19
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de,en;q=0.8,en-US;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165234925.7124351.1326790435.1336028009.1336053668.11; __utmz=165234925.1326790435.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Via: 1.1 proxy-cbf-1 (squid/3.1.19-20120418-r10444)
X-Forwarded-For: unknown
Cache-Control: max-age=0
Connection: keep-alive

answer:

HTTP/1.1 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Fri, 04 May 2012 10:29:21 GMT
X-Varnish: 221993613
Age: 0
Via: 1.1 varnish
Connection: close

--
Ralf Hildebrandt
Re: [clamav-users] False positive submission page down
* G.W. Haywood :
> Mr. Hildebrandt, you are being unreasonable.
>
> The problem has been clearly explained to you, and it is your problem
> to solve. You must not expect people who are managing a Web resource
> which may have many thousands of clients to solve problems for every
> individual client. It "does not scale". It cannot be done.
>
> You need to access the Website using HTTP/1.1 not the old HTTP/1.0.

I did that.

> You need to ensure that the client requesting the resources tells the
> host which virtual host it wishes to contact. That is the purpose of
> the "Host:" header.

It does that. Only from a very limited IP address range I'm getting this
"Maintenance" error message. Thus my reasonable request to check the
server's logs.

> If your client does not send the correct headers, the software which
> receives the requests cannot pass them to the right server instance
> because your client has not told it which one it wants to talk to.

It's not a client issue. It depends on my source IP.

--
Ralf Hildebrandt
Re: [clamav-users] False positive submission page down (for a few days now)?
* Luca Gibelli :
> Hello Ralf,
>
> > $ telnet proxy.charite.de 8080
> > Trying 141.42.1.205...
> > Connected to proxy.charite.de.
> > Escape character is '^]'.
> > GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
>
> we use name based virtual hosting, you must switch to HTTP/1.1 and
> send a Host: header as well
>
> See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html and
> http://www8.org/w8-papers/5c-protocols/key/key.html
>
> Most likely your proxy is issuing a HTTP/1.0 request upstream?

It's still not working and unfortunately your admin is not willing to
check the logs to see what's being logged for my source IP.

--
Ralf Hildebrandt
Re: [clamav-users] False positive submission page down (for a few days now)?
> Does it work if you append a random GET parameter to the URL (like
> ?unused=test).

Nope, still the same. Maybe somebody configured varnish to give my IP
address range (193.175.73.20x) a 503: Service Unavailable?

$ wget -nd -S "http://cgi.clamav.net/sendfp.cgi?unused=test"
--2012-04-19 15:50:26--  http://cgi.clamav.net/sendfp.cgi?unused=test
Resolving proxy.charite.de (proxy.charite.de)... 141.42.1.205
Connecting to proxy.charite.de (proxy.charite.de)|141.42.1.205|:8080... connected.
Proxy request sent, awaiting response...
  HTTP/1.0 503 Service Unavailable
  Server: Varnish
  Content-Type: text/html; charset=utf-8
  Retry-After: 5
  Content-Length: 284
  Accept-Ranges: bytes
  Date: Thu, 19 Apr 2012 13:50:26 GMT
  X-Varnish: 216817722
  Age: 0
  Via: 1.1 varnish
  X-Cache: MISS from proxy-cvk-1
  Connection: keep-alive
2012-04-19 15:50:27 ERROR 503: Service Unavailable.

--
Ralf Hildebrandt
Re: [clamav-users] False positive submission page down (for a few days now)?
* Ralf Hildebrandt :
> * Török Edwin :
> > Can you try flushing your varnish cache, and trying again?
>
> It's your varnish cache :) (we don't have any here)
>
> I already restarted my squid servers, no change. It's very odd.

Now I emptied my cache partitions as well: Still the same.
Re: [clamav-users] False positive submission page down (for a few days now)?
* Török Edwin :
> Can you try flushing your varnish cache, and trying again?

It's your varnish cache :) (we don't have any here)

I already restarted my squid servers, no change. It's very odd.
Re: [clamav-users] False positive submission page down (for a few days now)?
> GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
>
> HTTP/1.0 503 Service Unavailable
> Server: Varnish
> Content-Type: text/html; charset=utf-8
> Retry-After: 5
> Content-Length: 284
> Accept-Ranges: bytes
> Date: Thu, 19 Apr 2012 13:20:02 GMT
> X-Varnish: 216808379
> Age: 0
> X-Cache: MISS from proxy-cvk-1
> Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
> Connection: close

This happens if I access the site via a proxy. From the proxy machine itself, I'm getting this:

GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
X-Cacheable: VarnishResNoCacheHost
Content-Length: 2495
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:23:34 GMT
X-Varnish: 216809483
Age: 0
Via: 1.1 varnish
Connection: close
... remainder of page sent correctly ...

The FP submission page used to work for us until now. Hm.
Re: [clamav-users] False positive submission page down (for a few days now)?
> > How big is the file that you're trying to upload?
>
> I'm not getting a form, all I get is "Under maintenance. Try again
> later." - must be a caching issue somewhere

Varnish (reverse proxy) is giving me this:

$ telnet proxy.charite.de 8080
Trying 141.42.1.205...
Connected to proxy.charite.de.
Escape character is '^]'.
GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.0 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:20:02 GMT
X-Varnish: 216808379
Age: 0
X-Cache: MISS from proxy-cvk-1
Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
Connection: close

http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd
Maintenance
Under maintenance. Try again later.
Connection closed by foreign host.
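An added example, not part of the thread: a small Python parser for the Via header shown above that lists the hops and flags any tagged as HTTP/1.0, the upstream-proxy behaviour Luca suspected earlier in the thread. The sample Via values are constructed from the headers in this message; the regex follows the RFC 2616 Via grammar.

```python
"""Added example (not from the list thread): parse an HTTP Via header
and flag hops tagged HTTP/1.0. Varnish serves cgi.clamav.net as a
name-based virtual host, so a 1.0 hop without a Host: header is the
failure mode this thread is chasing."""
import re
from typing import List, NamedTuple


class ViaHop(NamedTuple):
    protocol: str      # e.g. "1.1" or "HTTP/1.0"
    received_by: str   # pseudonym or host[:port]
    comment: str       # optional "(squid/3.1.19 ...)" without the parens


# RFC 2616 14.45: Via = 1#( received-protocol received-by [ comment ] )
_HOP_RE = re.compile(r"\s*(\S+)\s+(\S+)\s*(\([^)]*\))?\s*")


def parse_via(value: str) -> List[ViaHop]:
    """Split a Via header into hops, in the order they were appended."""
    hops = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        m = _HOP_RE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed Via element: {part!r}")
        proto, by, comment = m.groups()
        hops.append(ViaHop(proto, by, (comment or "").strip("()")))
    return hops


def http10_hops(value: str) -> List[str]:
    """Names of the hops that handled the message as HTTP/1.0."""
    return [h.received_by for h in parse_via(value)
            if h.protocol.split("/")[-1] == "1.0"]


# Constructed from the two responses quoted in this thread.
VIA_THROUGH_PROXY = "1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)"
VIA_DIRECT = "1.1 varnish"

if __name__ == "__main__":
    for via in (VIA_THROUGH_PROXY, VIA_DIRECT):
        print(via, "->", http10_hops(via) or "no HTTP/1.0 hop")
```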
Re: [clamav-users] False positive submission page down (for a few days now)?
* Török Edwin :
> On 04/19/2012 04:10 PM, Ralf Hildebrandt wrote:
> >
> >> I just tested and it worked fine for me.
> >>
> >> What's exactly the problem on your side?
> >
> > I keep getting:
> >
> > Under maintenance. Try again later.
> >
>
> How big is the file that you're trying to upload?

I'm not getting a form, all I get is "Under maintenance. Try again later." - must be a caching issue somewhere
Re: [clamav-users] False positive submission page down (for a few days now)?
> I just tested and it worked fine for me.
>
> What's exactly the problem on your side?

I keep getting:

Under maintenance. Try again later.
Re: [clamav-users] False positive submission page down (for a few days now)?
* Török Edwin :
> On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
> > Is there an alternative way of submitting FP's?
> >
>
> Are you using this page?
> http://www.clamav.net/lang/en/sendvirus/submit-fp/

Yep.
[clamav-users] False positive submission page down (for a few days now)?
Is there an alternative way of submitting FP's?
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Tomasz Kojm :
> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment wrote:
>
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > clamd, but the ign2 file is still being ignored.
> >
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> > BC.Exploit.CVE_2011_3412
>
> The entry is not complete. The correct one is:
>
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

After applying your fix, correct?
Re: [clamav-users] Unit Testing
* Jan-Pieter Cornet :
> I haven't got any experience with IRIX, but I do wonder: why are you
> using tits for testing purposes? That seems inappropriate.

No, he's using un-tits. Everything but tits. E.g. a canary would be an un-tit. Like an undead is anything but dead.

PS ;-)
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Lyle Giese :
> The format of local.ign is not very intuitive, IMHO.

It's local.ign2 according to the docs.

"Creating signatures for ClamAV"
http://www.clamav.net/doc/latest/signatures.pdf

3.8 Whitelist databases

To whitelist a specific signature from the database you just add its name into a local file called --> local.ign2 <-- stored inside the database directory. You can additionally follow the signature name with the MD5 of the entire database entry for this signature, eg:

Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c

In such a case, the signature will no longer be whitelisted when its entry in the database gets modified (eg. the signature gets updated to avoid false alerts).

> INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
>
> The first entry is the name of the file the definition is in (minus
> the file extension). The second is the line number that the
> definition is on. And the third is the name of the definition.
> These fields are separated by ':' as you can see.

Have you tried that for a bytecode signature?

sigtool --find-sigs=BC.Exploit.CVE_2011_3412

doesn't emit a line number. Fields are not separated with : but with ;
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Bill Maidment :
> > What am I doing wrong here? Running clamav 0.97.3
>
> It's the same story here. We've had to switch off all bytecode rules in
> the conf file. Not ideal.

Sounds like one cannot whitelist a bytecode signature?
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Alain Zidouemba :
> Ralf,
>
> We got your FP reports and will address them today.

Thanks :) But the original question remains in case I need to whitelist a signature.
[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
Hi!

I'm trying to disable this signature, since it's giving me FPs for some XLS files (yes, I already submitted it as FP today):

mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
[0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(0&1);0:d0cf11e0a1b11ae1;*:1c000404

mail2:/var/lib/clamav# cat local.ign2
BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
BC.Exploit.CVE_2011_3412
CVE_2011_3412

(I tried 3 different ways of disabling the signature)

I restarted clamd, but still the mails are stopped as infected:

Tue Feb  7 13:33:09 2012 -> /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
Tue Feb  7 13:33:09 2012 -> /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND

What am I doing wrong here? Running clamav 0.97.3
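An added example, not ClamAV's code and not from the thread: a Python checker that reads the `sigtool --find-sigs` output shown in this post and verifies each local.ign2 line against it, catching the truncated names Tomasz points out earlier in the thread and supporting the `name:md5` pinned form quoted from the signatures manual. Assumptions: only the `name;rest` entry layout of bytecode/logical signatures is handled, and the pinned MD5 is taken over the entry line without its trailing newline.

```python
"""Added example (not ClamAV code): validate local.ign2 lines against
`sigtool --find-sigs` output. Only the `name;...` layout of bytecode and
logical entries seen in this thread is parsed; the md5 for the pinned
'name:md5' form is assumed to cover the entry line without newline."""
import hashlib
import re
from typing import Dict, List, Tuple

# "[<dbfile> <TYPE>] <entry>" as printed by sigtool --find-sigs
_FIND_SIGS_RE = re.compile(r"^\[(\S+)\s+(\S+)\]\s+(.*)$")


def parse_find_sigs(output: str) -> Dict[str, str]:
    """Map full signature name -> entire database entry."""
    sigs = {}
    for line in output.splitlines():
        m = _FIND_SIGS_RE.match(line.strip())
        if m:
            entry = m.group(3)
            sigs[entry.split(";", 1)[0]] = entry  # name ends at first ';'
    return sigs


def pinned_ign2_line(name: str, sigs: Dict[str, str]) -> str:
    """Build the 'name:md5' form so the whitelist lapses if the sig changes."""
    return f"{name}:{hashlib.md5(sigs[name].encode()).hexdigest()}"


def check_ign2(ign2_text: str, sigs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (line, verdict) pairs; 'ok' means the line names a real entry."""
    results = []
    for raw in ign2_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, md5 = line.partition(":")
        if name not in sigs:
            # exact match only: BC.Exploit.CVE_2011_3412 is just a prefix
            results.append((line, "unknown signature name (full name needed)"))
        elif md5 and md5 != hashlib.md5(sigs[name].encode()).hexdigest():
            results.append((line, "md5 no longer matches the database entry"))
        else:
            results.append((line, "ok"))
    return results


# Constructed from the sigtool and local.ign2 output shown in this post.
FIND_SIGS_OUTPUT = ("[0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};"
                    "Engine:56-255,Target:0;(0&1);0:d0cf11e0a1b11ae1;*:1c000404")
IGN2_FROM_THREAD = ("BC.Exploit.CVE_2011_3412.{CVE_2011_3412}\n"
                    "BC.Exploit.CVE_2011_3412\nCVE_2011_3412\n")
```

Of the three lines Ralf tried, only the first names the entry exactly, so it is the only one clamd can match.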
Re: [clamav-users] Fwd: Re: AV timeout?
* Török Edwin :
> On 2011-06-29 17:01, Michael Scheidell wrote:
> >
> > On 6/29/11 9:24 AM, Michael Scheidell wrote:
> >> Ok, so not just me.
> >>
> >> I am going to ask Ralf Hildebrandt what version of os he is using.
> >> maybe we can track this down.
> >>
> > so, its not just on amd64, freebsd 7.3.
> > he answered this:
> >
> >> freebsd? amd64? what version of Freebsd?
> >
> > Debian Linux Testing, i386!
> >
>
> Can you ask him to attach gdb to it?
> Or to run gcore ?

I'll do it once it happens :)

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [Clamav-users] clamd DLP(Data Loss Prevention) w/Postfix
* W S :
> Folks,
>
> I have a simple relayer running Postfix and would like to enable ClamAV's
> portion of DLP.
> Does anyone know what I have to modify within mail.cf and master.cf?
> I would like to quarantine emails with SSN and CC numbers (just basic ascii
> digits in Subject or Body)

You'd probably need to use amavisd-new
Re: [Clamav-users] DNS server "blocks" database.clamav.net?
* Arancaytar :
> Further investigation showed that the primary DNS server in my settings
> (85.255.112.204) inexplicably resolves database.clamav.net to 127.0.0.1,
> which effectively blocks the domain from being accessed. You can see
> this for yourself by running nslookup database.clamav.net 85.255.112.204:
>
> $ nslookup database.clamav.net 85.255.112.204
> Server:         85.255.112.204
> Address:        85.255.112.204#53

Why don't you ask your ISP?