Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file

2014-02-14 Thread Steve Basford

> Need to write an anti virus that uses the NIST NSRL database and operate it
> as a white list based AV. The db contains some 100 million hashes of known
> good binary files. I tried to crowd fund to do this but no one was
> interested.

Disclaimer:

use at own risk, sold (for free) as seen/0 day warranty, do not use
on production systems etc...

Download this:
https://www.dropbox.com/s/dixgff1oteisy0d/unique.7z

It contains two files.

sanewhitelist.fp: 577,808 whitelist NIST hashes (exe/gz/msi/com/cab only)
sanestopexe.ndb : block exe only (need to add others)

clamscan --database=sanestopexe.ndb --database=sanewhitelist.fp *.exe

In other words:

Sanesecurity.POC.EXEBLOCK will detect ALL EXEs unless they're in the
sanewhitelist.fp database.

Just a POC ;)

Cheers,

Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
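As an added illustration (example code written here, not Steve's POC or any Sanesecurity code), the allow/block logic of the two-database scan modelled in Python: every EXE is blocked unless its md5:size pair appears in the .fp whitelist. The MZ-header test for "is an EXE" and the sample file contents are assumptions made for the example.

```python
"""Added example, not Steve's POC or any Sanesecurity code: the allow/block
logic of the whitelist-based EXE blocking described above, in pure Python.

The POC combines an .ndb signature that fires on every EXE
(Sanesecurity.POC.EXEBLOCK) with an .fp file of MD5 hashes of known-good
files.  ClamAV's .fp and .hdb lines share the format  md5:size:name , which
is what `sigtool --md5` prints.  Assumptions: "is an EXE" is reduced to the
MZ header check, and the sample file contents are constructed, not real
binaries.
"""
import hashlib
from typing import Dict, Set, Tuple

WhitelistKey = Tuple[str, int]   # (md5 hex digest, file size in bytes)


def fp_line(data: bytes, name: str) -> str:
    """Return the md5:size:name line sigtool --md5 would print for this content."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_fp(text: str) -> Set[WhitelistKey]:
    """Parse .fp/.hdb text into (md5, size) keys; blank and '#' lines are skipped."""
    keys: Set[WhitelistKey] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, _name = line.split(":", 2)
        keys.add((md5.lower(), int(size)))
    return keys


def is_exe(data: bytes) -> bool:
    """Assumption: an EXE is anything with the 'MZ' DOS header (ClamAV's MS-EXE/DLL type)."""
    return data[:2] == b"MZ"


def verdict(data: bytes, whitelist: Set[WhitelistKey]) -> str:
    """Mimic the two-database scan: block every EXE unless its hash is whitelisted."""
    if not is_exe(data):
        return "OK"
    if (hashlib.md5(data).hexdigest(), len(data)) in whitelist:
        return "OK"
    return "Sanesecurity.POC.EXEBLOCK FOUND"


# Constructed sample contents (not real executables).
KNOWN_GOOD = b"MZ" + b"\x90" * 62 + b"known good tool"
UNKNOWN_EXE = b"MZ" + b"\x90" * 62 + b"never seen before"
TEXT_FILE = b"just a text file\n"

# A tiny stand-in for sanewhitelist.fp, built the way sigtool --md5 would.
SANEWHITELIST_FP = fp_line(KNOWN_GOOD, "knowngood.exe") + "\n"


def run_demo() -> Dict[str, str]:
    """Scan the three samples against the constructed whitelist."""
    wl = parse_fp(SANEWHITELIST_FP)
    return {
        "knowngood.exe": verdict(KNOWN_GOOD, wl),
        "unknown.exe": verdict(UNKNOWN_EXE, wl),
        "notes.txt": verdict(TEXT_FILE, wl),
    }


if __name__ == "__main__":
    for fname, result in run_demo().items():
        print(f"{fname}: {result}")
```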


Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file

2014-02-14 Thread Steve Basford

> Hello Steve,
>
> In this way I can stop EXE/executables inside ZIP/archive files and as
> attachments (without changing any other settings in the mailserver config)

Shouldn't be an issue.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file

2014-02-13 Thread Steve Basford


> Which is the best solution/way to block all EXE/executable files?

You could use these...

http://sanesecurity.com/foxhole-databases/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] An FP?

2014-02-06 Thread Steve Basford

> The daily system scan is fussing about
> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
> MBL_400944.UNOFFICIAL FOUND

Hi,

Just seen your post on LKML, so before this gets any more out of hand
than it already has, here's why you'll find MBL_400944 detected in
gadget_multi.txt.

Background:

MBL signatures (malwarepatrol.net) are third-party add-on signatures to
ClamAV.  While they have the .UNOFFICIAL at the end of the signature
name, they aren't distributed on the Sanesecurity mirrors and are out of
my control.

Research:

Having registered with MBL to download their delayed signatures, I checked
to see what the MBL_400944 signature is actually trying to match, so to save
anyone doing this, it's:

MBL_400944=772e6e6972736f66742e6e65742f7574696c73

which decodes to:

www DOT nirsoft DOT net/utils
(change the DOT to .)

Now let's take a look at the current kernel document:
https://www.kernel.org/doc/Documentation/usb/gadget_multi.txt

The document contains the following text:

* Footnotes

[8] http://www DOT nirsoft DOT net/utils/usb_devices_view.html
(change the DOT to .)


So, if you scan gadget_multi.txt, using the MBL signatures, you will
*always* find it gets detected as MBL_400944.

If you:

grep nirsoft /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt

You'll see that the text matches the text MBL_400944 is looking for.

In short:

a) there isn't any malware in gadget_multi.txt on their website
b) there isn't any malware in the gadget_multi.txt's on your system
c) It's a false positive and should be reported to MBL as such
d) Where's my coffee ;)

Cheers,

Steve
Sanesecurity.com

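The check above (decode the hex body, then see which bytes of the document it matches) done in Python, as an added example that is not from the post or from MalwarePatrol. The signature it uses encodes a made-up URL and the "kernel doc" text is constructed; neither is the page's MBL_400944 value.

```python
"""Added example, not from the list post or MalwarePatrol: the
false-positive check above done in Python.

A ClamAV body signature is a hex string with a few wildcards.  This turns
one into a readable string and a regular expression and runs it over a
constructed text file, so you can see exactly which bytes in a harmless
document a text signature matches.  The signature below encodes a made-up
URL (constructed here, not the page's MBL_400944 value); the "kernel doc"
text is constructed too.
"""
import re
from typing import List

TOKEN_RE = re.compile(r"\(B\)|\?\?|\{\d*-?\d*\}|\*|[0-9a-fA-F]{2}")


def tokenize(sig: str) -> List[str]:
    """Split a hex signature into hex pairs and wildcard tokens; reject anything else."""
    tokens = TOKEN_RE.findall(sig)
    if "".join(tokens) != sig:
        raise ValueError(f"unsupported syntax in signature: {sig!r}")
    return tokens


def is_hex(tok: str) -> bool:
    return len(tok) == 2 and tok != "??" and all(c in "0123456789abcdefABCDEF" for c in tok)


def readable(sig: str) -> str:
    """Decode hex pairs to text (latin-1) and keep wildcard tokens as written."""
    return "".join(bytes.fromhex(t).decode("latin-1") if is_hex(t) else t for t in tokenize(sig))


def hexsig_to_regex(sig: str) -> bytes:
    """Convert the signature to a bytes regex.

    ??      any one byte             {n}     exactly n bytes
    {n-m}   n to m bytes             {-m}    up to m bytes    {n-}  n or more
    *       any number of bytes      (B)     word boundary (ClamAV's boundary marker)
    """
    parts: List[bytes] = []
    literal = b""
    for tok in tokenize(sig):
        if is_hex(tok):
            literal += bytes.fromhex(tok)
            continue
        if literal:                      # flush pending literal bytes, escaped
            parts.append(re.escape(literal))
            literal = b""
        if tok == "(B)":
            parts.append(rb"\b")
        elif tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        else:                            # {n}, {n-m}, {-m}, {n-}
            lo, dash, hi = tok[1:-1].partition("-")
            if not dash:
                hi = lo
            parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
    if literal:
        parts.append(re.escape(literal))
    return b"".join(parts)


def find_matches(sig: str, data: bytes) -> List[bytes]:
    """Return every substring of data the signature matches (DOTALL so '.' spans newlines)."""
    rx = re.compile(hexsig_to_regex(sig), re.DOTALL)
    return [m.group(0) for m in rx.finditer(data)]


# Constructed signature: boundary marker + hex of a made-up URL fragment.
FAKE_URL = "www.example-tools.test/utils"
FAKE_SIG = "(B)" + FAKE_URL.encode().hex()

# Constructed stand-in for a documentation file whose footnote cites that URL.
KERNEL_DOC = b"""* Footnotes

[8] http://www.example-tools.test/utils/usb_devices_view.html
"""


def demo() -> List[bytes]:
    """Which bytes of the harmless document the text signature matches."""
    return find_matches(FAKE_SIG, KERNEL_DOC)


if __name__ == "__main__":
    print("signature reads as:", readable(FAKE_SIG))
    for hit in demo():
        print("matched:", hit)
```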


Re: [clamav-users] Possible FP

2014-02-06 Thread Steve Basford

> Hi Clamav Users,
>
> I'm getting an FP-Alert from a customer regarding the following sig:
>
> main.hdb:15c9c9ed5046a885d241afd2159c236a:43180:Junk.Corrupted-50
>
> The scan is done on our inbound authenticated mail host, which rejects our
> customer's mail with the following error-message:

Hi,

The above signature is just an MD5 hash of a file that's 43,180 long...

i.e.: VirusTotal info (DHL report DOT zip)

https://www.virustotal.com/en/file/4616d4fced326d3b638598bc516f80b9fefb23ad97394aa529797800c509e92c/analysis/

Sorry I can't help more...

Cheers,

Steve
Sanesecurity



Re: [clamav-users] An FP?

2014-02-06 Thread Steve Basford

>> c) It's a false positive and should be reported to MBL as such
>
> And their contact address is?


To report false positives or list problems: fp (_a_t_) malwarepatrol.net

Cheers,

Steve
Sanesecurity



Re: [clamav-users] An FP?

2014-02-06 Thread Steve Basford


> Now, since the real thing is considered a high level threat to a win32
> system, perhaps the thing to do is edit the .'s to DOT's, make a patch and
> submit it to lkml?  I might see if it's accepted.

Sorry, forgot to add this:

http://www DOT nirsoft DOT net/false_positive_report.html

fwiw, I use Nirsoft tools now and again and they have been very useful; they
can, like most PUAs, be misused and misreported by AVs.. but that's another
story.

Anyway, enough list noise.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] An FP?

2014-02-05 Thread Steve Basford

> Greetings;
>
> The daily system scan is fussing about
> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt:
> MBL_400944.UNOFFICIAL FOUND

Hi...

http://www.malwarepatrol.net/cgi/search.pl?id=400944
To report false positives: fp (_a_t_) malwarepatrol.net

*or*

printf MBL_400944 > local_ignore.ign2
copy local_ignore.ign2 to db directory
restart clamd

Cheers,

Steve
Sanesecurity



Re: [clamav-users] One last Q (I hope) And an FP report

2014-01-29 Thread Steve Basford


> Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>
> And while it's marked up txt, it doesn't look like it should be a problem.
> Can it be verified?


MBL#: 400944
PSWTool.Win32.PassViewer.av
Insertion date: 00:51:45 27/03/2013 UTC
URL http://www.nirsoft.net/utils/sanitized
Malware MD5: 8b1f0996435099ba28dee7eefda05bdf
Malware SHA1: fb1bd423c047fb459c3bf8eea389abae38e409fb

To report false positives or list problems: fp (_a_t_) malwarepatrol.net

Cheers,

Steve
Sanesecurity



Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-27 Thread Steve Basford



> Someone @ ClamAV needs to add this to daily.ftm filetypes...

Just to close this... daily.ftm has now been updated, so XZ files
should now be scanned correctly.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-23 Thread Steve Basford

> I have just compiled and installed version 0.98.1 of Clam on my
> computer. According to the documentation, this version should support
> decompression and scanning of files in the Xz compression format.
> However, when I run clamscan to check an Xz file which I know contains a
> virus (the EICAR test virus) it fails to detect it. Running it with the
> debug option, I get an entry in the log saying the file was recognised
> as a binary.

Here's the Windows view... :(

eicar.com: Eicar-Test-Signature FOUND
eicar.com.xz: OK

--- SCAN SUMMARY ---
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 1
Scanned files: 2
Infected files: 1

LibClamAV debug:* Submodule XZ: On

LibClamAV debug: Bytecode: 42 bytecode prepared with JIT
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized binary data
LibClamAV debug: cache_check: 3904dfb8e6bda8ad4c87c6319dc5f766 is negative
LibClamAV debug: in cli_check_mydoom_log()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2902
LibClamAV debug: cache_add: 3904dfb8e6bda8ad4c87c6319dc5f766 (level 0)
c:\07\eicar.com.xz: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

--- SCAN SUMMARY ---
Known viruses: 3082027
Engine version: 0.98.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.266 sec (0 m 14 s)

test 1...

Creating an md5 of eicar works, so its decompression is ok...

sigtool --md5 eicar.com > testdb.hdb
e7e5fa40569514ec442bbdf755d89c2f:70:eicar.com

clamscan eicar.com.xz --database=testdb.hdb
eicar.com.xz: eicar.com.UNOFFICIAL FOUND

test 2

clamscan eicar.com.xz --database=main.ndb
eicar.com.xz: OK

test 3

grep -i EICAR main.ndb > test.ndb

clamscan eicar.com.xz --database=test.ndb
eicar.com.xz: Eicar-Test-Signature.UNOFFICIAL FOUND

huh?

Cheers,

Steve
Sanesecurity



Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-23 Thread Steve Basford

> Thanks Steve for this reply; this is helpful.


Hi Bill,

Sorted I think.

Someone @ ClamAV needs to add this to daily.ftm filetypes...

0:0:FD377A585A00:XZ container file:CL_TYPE_ANY:CL_TYPE_XZ:75

It's in the source defaults (filetypes_int.h) but when daily.cvd gets
loaded, it uses the daily.ftm one.. which doesn't have CL_TYPE_XZ
currently, so it won't find an XZ archive.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] QUESTION ABOUT XZ SUPPORT IN VERSION 0.98.1

2014-01-23 Thread Steve Basford


> Someone @ ClamAV needs to add this to daily.ftm filetypes...

These are missing too, unless it's still in devel...

1:EOF-512:6b6f6c79:DMG container file:CL_TYPE_ANY:CL_TYPE_DMG:75
0:0:78617221:XAR container file:CL_TYPE_ANY:CL_TYPE_XAR:75
4:1024:482B0004:HFS+ partition:CL_TYPE_PART_ANY:CL_TYPE_PART_HFSPLUS:75
4:1024:48580005:HFSX partition:CL_TYPE_PART_ANY:CL_TYPE_PART_HFSPLUS:75
0:0:FD377A585A00:XZ container file:CL_TYPE_ANY:CL_TYPE_XZ:75

Cheers,

Steve
Sanesecurity

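A minimal reader for the daily.ftm lines quoted in this post and the previous one, added here as an example (not ClamAV's own code), to show what is lost when an entry such as CL_TYPE_XZ is missing from the loaded .ftm. It assumes every entry can be treated as a fixed-offset byte compare and uses constructed file headers rather than real archives.

```python
"""Added example, not ClamAV code: a minimal reader for the daily.ftm
file-type lines quoted in the two posts above, to show what the engine
loses when a type such as CL_TYPE_XZ is missing from the loaded .ftm.

Line format:  magictype:offset:hexmagic:description:source_type:dest_type:min_flevel
Offset is an absolute byte offset or EOF-n (n bytes before end of file).
Assumptions: every entry is treated as a fixed-offset byte compare (the
first field is parsed but not otherwise interpreted) and the sample file
contents are constructed headers, not real archives.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FtmEntry:
    magictype: int
    offset: str
    magic: bytes
    description: str
    source: str
    dest: str
    min_flevel: int

    def resolve_offset(self, size: int) -> Optional[int]:
        """Turn '0', '1024' or 'EOF-512' into an absolute offset, or None if out of range."""
        if self.offset.upper().startswith("EOF-"):
            off = size - int(self.offset[4:])
        else:
            off = int(self.offset)
        if off < 0 or off + len(self.magic) > size:
            return None
        return off

    def matches(self, data: bytes) -> bool:
        off = self.resolve_offset(len(data))
        return off is not None and data[off:off + len(self.magic)] == self.magic


def parse_ftm(text: str) -> List[FtmEntry]:
    """Parse .ftm text; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"malformed .ftm line: {raw!r}")
        mt, off, magic, desc, src, dst, flevel = fields[:7]
        entries.append(FtmEntry(int(mt), off, bytes.fromhex(magic), desc, src, dst, int(flevel)))
    return entries


def identify(data: bytes, entries: List[FtmEntry], source: str = "CL_TYPE_ANY") -> Optional[str]:
    """Dest type of the first matching entry, or None when nothing matches."""
    for e in entries:
        if e.source == source and e.matches(data):
            return e.dest
    return None


# The five lines from the list post, verbatim.
FTM_LINES = """\
1:EOF-512:6b6f6c79:DMG container file:CL_TYPE_ANY:CL_TYPE_DMG:75
0:0:78617221:XAR container file:CL_TYPE_ANY:CL_TYPE_XAR:75
4:1024:482B0004:HFS+ partition:CL_TYPE_PART_ANY:CL_TYPE_PART_HFSPLUS:75
4:1024:48580005:HFSX partition:CL_TYPE_PART_ANY:CL_TYPE_PART_HFSPLUS:75
0:0:FD377A585A00:XZ container file:CL_TYPE_ANY:CL_TYPE_XZ:75
"""

# Constructed sample contents: only the magic bytes are placed, the rest is padding.
XZ_SAMPLE = bytes.fromhex("FD377A585A00") + b"\x00" * 32
DMG_SAMPLE = b"\x00" * 1000 + b"koly" + b"\x00" * 508      # 'koly' trailer 512 bytes before EOF
HFS_SAMPLE = b"\x00" * 1024 + bytes.fromhex("482B0004") + b"\x00" * 100
PLAIN = b"hello world"


def demo() -> Dict[str, Optional[str]]:
    """Identify the samples with the full list and with a list lacking the XZ entry."""
    all_entries = parse_ftm(FTM_LINES)
    without_xz = [e for e in all_entries if e.dest != "CL_TYPE_XZ"]
    return {
        "xz_with_full_ftm": identify(XZ_SAMPLE, all_entries),
        "xz_with_old_ftm": identify(XZ_SAMPLE, without_xz),
        "dmg": identify(DMG_SAMPLE, all_entries),
        "hfsplus": identify(HFS_SAMPLE, all_entries, source="CL_TYPE_PART_ANY"),
        "plain": identify(PLAIN, all_entries),
    }


if __name__ == "__main__":
    for label, ftype in demo().items():
        print(f"{label}: {ftype}")
```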


[clamav-users] ClamAV v0.98.1

2014-01-15 Thread Steve Basford
Looks like 0.98.1 is out...

Change log:
https://raw.github.com/vrtadmin/clamav-devel/0.98.1/ChangeLog

Sources:
http://www.clamav.net/lang/en/download/sources/

Windows binaries (.msi format):
http://sourceforge.net/projects/clamav/files/clamav/0.98.1/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] False positive - CRDF.Malware-Generic.3661413036.UNOFFICIAL

2014-01-14 Thread Steve Basford

> Hello,
>
> I found a problem with false positive malware
> CRDF.Malware-Generic.3661413036.UNOFFICIAL. I wanted to decode and bypass
> this signature but it looks like this can be an image signature or another
> type of signature

Hi Pawel

CRDF.Malware-Generic.3661413036 was whitelisted/removed early this
morning, so update crdfam.clamav.hdb if you still have issues.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] False positive - CRDF.Malware-Generic.3661413036.UNOFFICIAL

2014-01-14 Thread Steve Basford


> Finally I found where this signature is located
> sigwhitelist.ign2:CRDF.Malware-Generic.3661413036
> Does someone know how I can bypass this signature? Which command?

Hi Pawel,

Just to add that seeing the signature in sigwhitelist.ign2 means that
signature is in your whitelist already..

However, you must be using an older version of the download script, as
ONLY the newest version of the script will use sigwhitelist.ign2 to
whitelist sigs:

Eg:

Version 3.7.2 (updated 2013-08-25)
   - Added Sanesecurity signature whitelist sigwhitelist.ign2 file
 to the list of default databases in the config file.

Download available here:
http://sourceforge.net/projects/unofficial-sigs/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-12 Thread Steve Basford

> We added a file local.ign2 containing one line: Worm.Bagle.H-zippwd-1
> clamscan called again and - nothing changed. Still marked as virus...
> Any hints/ideas?

Hi Andreas,

Make sure you don't have a space at the end of the sig name in the .ign2
file:

"Sanesecurity.Malware.22454.ZipHeur" works
"Sanesecurity.Malware.22454.ZipHeur " fails (note the trailing space)

Cheers,

Steve
Sanesecurity



Re: [clamav-users] How is Worm.Bagle.H-zippwd-1 detected? (was: sigwhitelist.ign2 whitelist not working)

2013-11-12 Thread Steve Basford

> clamav@debian-vm-07:~/clamav-devel$ sigtool --find-sigs=Worm.Bagle.H-zip
> [main.db] Worm.Bagle.H-zippwd-1
>
> What makes this one a special case is the extra  (Clam) at the end of
> the signature name. This is an old sig.

Hi Dave,

Thanks for the detailed write-up, the issue was a bit confusing ;)

Cheers,

Steve
Sanesecurity



Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-11 Thread Steve Basford


> freebsd FreeBSD mx1.hctc.net 7.2-RELEASE
>
> clamav-0.95.1   (yeah, I know)


Hi,

According to the changelog...

0.95.1 came out... Wed Apr 8 16:49:32 CEST 2009

.ign2 was added:

Mon Sep 28 19:29:32 CEST 2009 (tk)
--
 * libclamav: new signature blacklisting format (bb#1625)
 * libclamav: allow arbitrary names for .ign/.ign2 files (bb#1683)


So, you'd need to upgrade ClamAV for the .ign2 format to work.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] sigwhitelist.ign2 whitelist not working

2013-11-11 Thread Steve Basford


> So, you'd need to upgrade ClamAV for the .ign2 format to work.

... But...just looking back in time...

local.ign...

FileName:Line#:SigName


so...try create a local.ign file with...

junk.ndb:50779:Sanesecurity.Junk.50779
scam.ndb:11957:Sanesecurity.Spam.11957.WCM

(if it doesn't work, add .UNOFFICIAL at the end of the signature name.)

Cheers,

Steve
Sanesecurity

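A small lint for the .ign2 and .ign whitelist files discussed in this post and in the trailing-space post above, added as an example (not ClamAV or Sanesecurity code). It flags trailing whitespace after a name and, for the old FileName:Line#:SigName format, checks that the line number still points at the named signature; all file contents are constructed.

```python
"""Added example, not ClamAV or Sanesecurity code: a small lint for the
.ign2 and .ign whitelist files discussed in the posts above.

.ign2 holds one signature name per line.  The older .ign format holds
FileName:Line#:SigName, where Line# is the line of that signature inside the
named database.  The checks below catch the two things that make a
whitelist "not work": trailing whitespace after a name, and an .ign entry
whose line number no longer points at the named signature.  All file
contents are constructed.
"""
from typing import Dict, List, Tuple


def lint_ign2(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for an .ign2 file."""
    problems = []
    for n, line in enumerate(text.split("\n"), 1):
        if line.strip() == "":
            continue
        if line != line.rstrip():
            problems.append((n, "trailing whitespace after signature name"))
        if " " in line.strip():
            problems.append((n, "signature names cannot contain spaces"))
    return problems


def normalize_ign2(text: str) -> str:
    """Strip whitespace and blank lines so every entry is exactly one signature name."""
    names = [line.strip() for line in text.split("\n") if line.strip()]
    return "\n".join(names) + "\n"


def is_whitelisted(detection: str, ign2_text: str) -> bool:
    """Exact-match lookup, as the post reports ClamAV behaves: a trailing space never matches."""
    return any(line == detection for line in ign2_text.split("\n"))


def parse_ign(text: str) -> List[Tuple[str, int, str]]:
    """Parse .ign lines of the form FileName:Line#:SigName."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fname, lineno, signame = raw.strip().split(":", 2)
        entries.append((fname, int(lineno), signame))
    return entries


def check_ign_against_dbs(ign_text: str, dbs: Dict[str, str]) -> List[str]:
    """Verify each .ign entry's Line# really holds SigName in the named database.

    dbs maps a database file name to its text; .ndb lines start with the signature name.
    """
    problems = []
    for fname, lineno, signame in parse_ign(ign_text):
        db_text = dbs.get(fname)
        if db_text is None:
            problems.append(f"{fname}: database not loaded")
            continue
        lines = db_text.splitlines()
        if lineno < 1 or lineno > len(lines):
            problems.append(f"{fname}:{lineno}: no such line")
            continue
        actual = lines[lineno - 1].split(":", 1)[0]
        if actual != signame:
            problems.append(f"{fname}:{lineno}: line holds {actual}, not {signame}")
    return problems


# Constructed whitelist: entry 1 has a trailing space, entry 4 ends in CRLF.
SAMPLE_IGN2 = "Sanesecurity.Malware.22454.ZipHeur \nWorm.Bagle.H-zippwd-1\n\nHeuristics.Encrypted.PDF\r\n"

# Constructed junk.ndb (only the names matter here; bodies are dummy hex).
SAMPLE_JUNK_NDB = (
    "Sanesecurity.Junk.50778:0:*:41\n"
    "Sanesecurity.Junk.50779:0:*:42\n"
    "Sanesecurity.Junk.50780:0:*:43\n"
)
SAMPLE_IGN = "junk.ndb:2:Sanesecurity.Junk.50779\njunk.ndb:3:Sanesecurity.Junk.50781\n"

if __name__ == "__main__":
    print(lint_ign2(SAMPLE_IGN2))
    print(is_whitelisted("Sanesecurity.Malware.22454.ZipHeur", SAMPLE_IGN2))
    print(is_whitelisted("Sanesecurity.Malware.22454.ZipHeur", normalize_ign2(SAMPLE_IGN2)))
    print(check_ign_against_dbs(SAMPLE_IGN, {"junk.ndb": SAMPLE_JUNK_NDB}))
```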


[clamav-users] ArchiveBlockEncrypted confusion

2013-10-26 Thread Steve Basford
Hi,

This is nothing new but I've had a few off-list emails regarding this, so
thought I'd throw out to the list.

ArchiveBlockEncrypted (clamd.conf) or --block-encrypted=yes blocks
encrypted zip/rar etc. archives, which is fine... but it also blocks
encrypted PDF files..

Eg:

readme.zip: Heuristics.Encrypted.Zip FOUND
readme_enc_40bit.pdf: Heuristics.Encrypted.PDF FOUND
readme_enc_aes_128bit.pdf: Heuristics.Encrypted.PDF FOUND

Just to see how this has a knock-on issue:
http://www.sophos.com/en-us/support/knowledgebase/2450/2800/4550/116206.aspx
http://forum.proxmox.com/threads/7443-Virus-Info-Heuristics-Encrypted-PDF


So, to let encrypted PDFs through you either have to:

a) set ArchiveBlockEncrypted to off
b) set ScanPDF to off
c) I guess you could also create a local.ign file with:
Heuristics.Encrypted.PDF as an entry to whitelist.

Perhaps a better solution would be to modify clamd.conf setting:

ArchiveBlockEncrypted yes: blocks zips/exes ONLY
PDFBlockEncrypted yes: blocks PDFs ONLY **new option**

clamscan --block-encrypted=yes should be zip/exes ONLY and
a new option --block-encrypted-pdf=no should be added


Cheers,

Steve
Sanesecurity



Re: [clamav-users] 0.98 and PUA

2013-10-02 Thread Steve Basford

> Joel
>
> thanks, is this list still correct..
>
> https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md

Hi Martin,

I think it's slightly outdated... just looking at the daily ones

PUA.Crypt.ScriptCryptor
PUA.CVE_2007_0214
PUA.CVE_2007_0325
PUA.CVE_2007_1498
PUA.CVE_2011_3397
PUA.CVE_2012_1419
PUA.CVE_2012_1421
PUA.CVE_2012_1423
PUA.CVE_2012_1430
PUA.CVE_2012_1431
PUA.EmbeddedJSinOCXinWordDoc
PUA.Everyzone
PUA.Exploit.HeapSpray
PUA.EXPLOIT_CVE_2006_4701
PUA.Game
PUA.HTML
PUA.IRC
PUA.JS
PUA.Keylogger-1
PUA.Keylogger-2
PUA.Keylogger-3
PUA.Keylogger-4
PUA.Liveplayer
PUA.Liveplayer-1
PUA.Liveplayer-2
PUA.Mydoomer
PUA.NetTool
PUA.OLE.EmbeddedPDF
PUA.Packed
PUA.PDF
PUA.PwTool
PUA.RAT
PUA.Reboot
PUA.RelevantKnowledge
PUA.RelevantKnowledge-1
PUA.RFT.EmbeddedOLE
PUA.Script
PUA.Server.PsyBNC
PUA.Spy
PUA.Tool
PUA.Trojan.PHP
PUA.USBCillin
PUA.VmAvoid
PUA.Win32.Packer.22bAnti

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Scan Engine version number

2013-09-26 Thread Steve Basford


> I have downloaded the prebuilt installation of ClamAV 0.98 for Win-32
> from sourceforge.  However, when I issue the command clamscan -V, I
> get the response ClamAV devel-clamav-0.97-408-ge11f7cc
>
> Is this what I should expect to get, or have I somehow got my hands on
> an older version of ClamAV for Win32?

Same here...

http://sourceforge.net/projects/clamav/files/clamav/win32/0.98/

It reports a devel version...

C:\Program Files\Sourcefire Inc\ClamAV\clamscan --version

ClamAV devel-clamav-0.97-408-ge11f7cc

Cheers,

Steve
Sanesecurity



Re: [clamav-users] filename ignore uppercase

2013-09-23 Thread Steve Basford


On 17/09/2013 20:05, Alejandro Rodriguez wrote:
> How can I ignore uppercase in a filename?
> Right now I'm using foxhole_all.cdb to block .exe files inside .zip
> archives
>
> However if the zip contains archive.EXE (in uppercase) the scan misses it.


Hi,

Sorry for the delay, been away for a few days.

I've now updated foxhole_all.cdb to cover the case issue, thanks for 
pointing it out.


If you need any additional dangerous extensions added (in malware you 
are seeing) let me know

off-list.

 Cheers,

Steve
Sanesecurity.com
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] detected zipped exe as virus

2013-09-17 Thread Steve Basford
Hi, have a look at the sanesecurity.com site for the foxhole signature
databases. Cheers, Steve

Rajesh M 24x7ser...@24x7server.net wrote:
> hi
>
> i wish to know the steps to prepare signature so that clamav will detect
> all zipped files containing files with extensions pif, scr, exe, com, bat,
> cmd, vbs, lnk, cpl, vbs as virus -- immaterial of whether they contain
> virus or not.
>
> what is the process for this.
>
> is there any documentation which describes this ?
>
> thank you very much.
>
> rajesh

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: [clamav-users] regex to skip certain files

2013-09-04 Thread Steve Basford

> I'm running clamav 0.97.3 (I know it's old, working on that) on Linux. I
> want to exclude files (via clamd) based on a regex and can't seem to
> figure out how. I can ignore paths just fine (ExcludePath ^/tmp) but I
> want to ignore all log files. I've tried many different variations of
> the following, including ones not listed and can't seem to get anything
> working.  Can someone please tell me how I can scan the root filesystem
> and ignore all files appended with a .log?

I seem to remember something like these worked for me... ymmv

ExcludePath \.log

*or*

ExcludePath log

Cheers,

Steve
Sanesecurity



Re: [clamav-users] false positives

2013-08-21 Thread Steve Basford

> Hi Andre,
>   NB: I'm copying this to the ClamAV users list, as a heads-up.
>
> The ClamAV EXT list currently contains a number (eleven) of false positive
> entries. They all match the string :// (without the quotes), which
> clearly matches any email containing any URL.
>
> This is a very serious error, that has been blocking most emails on my
> server today. The entries are not in any of the other ClamAV lists.
>
>
> Here's a snippet from the list at
> https://www.malwarepatrol.net/cgi/submit?action=list_clamav_ext

Just checked now and looks like they fixed it

Cheers,

Steve
Sanesecurity



Re: [clamav-users] false positives

2013-08-21 Thread Steve Basford


> Finally I would like to know why these subscriptions were implemented? Who
> can answer this question?

I had a report that this sig was causing an issue; the sigs were removed and
the domain whitelisted.

The problem was a big spam run from those domains, but the root was
incorrectly flagged.

Cheers,

Steve
Sanesecurity



[clamav-users] MBL fps - update

2013-08-21 Thread Steve Basford
MBL sigs are now fixed, just had contact with them


We sincerely apologize for the trouble caused by these faulty
signatures.  An update to our system was applied this morning and,
unfortunately, it had this unwanted side effect.

The update was reverted and signatures should be fixed now.  We'll
work to determine what happened and how we can avoid problems like
this in the future.

Thank you for alerting us about this issue.

Best regards,

André
Malware Patrol


Cheers,

Steve
Sanesecurity



Re: [clamav-users] clamd taking too long to restart?

2013-08-15 Thread Steve Basford

> I've done some analysis of ClamAV with just this signature set, and the
> loading is simply slowing down as it runs through the list. This is mainly
> because of the significant amounts of overlap at the beginnings of these
> strings and the length thereafter.


Hi David,

Thanks for the info.. and looking into the issue.

Here are a few tests using the bofhland_cracked_URL.ndb but with various
combos:

Sig: (B)772E
db.log:Time: 6.281 sec (0 m 6 s)
db.tmp:LibClamAV debug: pool memory used: 29.425 MB

Start Sig: (B)77{1}
Time: 6.281 sec (0 m 6 s)
LibClamAV debug: pool memory used: 39.624 MB

Start Sig: (B)77??
Time: 70.875 sec (1 m 10 s)
LibClamAV debug: pool memory used: 29.413 MB

Start Sig: (B)77??772E
Time: 9.578 sec (0 m 9 s)
LibClamAV debug: pool memory used: 29.417 MB

Start Sig: (B){2}
Time: 6.234 sec (0 m 6 s)
LibClamAV debug: pool memory used: 39.304 MB

Start Sig: (B)??2E
Time: 6.328 sec (0 m 6 s)
LibClamAV debug: pool memory used: 29.425 MB

Seems for me anyway, that (B)??2E is the best for speed/memory...

Cheers,

Steve
Sanesecurity



Re: [clamav-users] clamd taking too long to restart?

2013-08-15 Thread Steve Basford


> I've done some analysis of ClamAV with just this signature set, and the
> loading is simply slowing down as it runs through the list.

* Third Party dbs *

Hi,

While looking into the database loading time issue, thought it might be
an idea to quickly scan the same small file with each database, just to
see what scanning time each database took and the amount of memory the
*single* database used.

When using multiple db's it's not the whole story... but just in case it's
useful

bofhland_cracked_URL.ndb: Time: 6.593 sec
bofhland_cracked_URL.ndb: Memory: 29.777 MB

bofhland_malware_attach.hdb: Time: 0.047 sec
bofhland_malware_attach.hdb: Memory: 4.331 MB

bofhland_malware_URL.ndb: Time: 0.125 sec
bofhland_malware_URL.ndb: Memory: 7.816 MB

bofhland_phishing_URL.ndb: Time: 0.047 sec
bofhland_phishing_URL.ndb: Memory: 4.741 MB

crdfam.clamav.hdb: Time: 0.062 sec
crdfam.clamav.hdb: Memory: 5.046 MB

foxhole_all.ccdb: Time: 0.046 sec
foxhole_all.cdb: Memory: 4.308 MB

foxhole_filename.ccdb: Time: 0.047 sec
foxhole_filename.cdb: Memory: 4.308 MB

foxhole_generic.ccdb: Time: 0.047 sec
foxhole_generic.cdb: Memory: 4.312 MB

junk.ndb: Time: 0.860 sec
junk.ndb: Memory: 18.866 MB

jurlbl.ndb: Time: 0.078 sec
jurlbl.ndb: Memory: 5.281 MB

jurlbla.ndb: Time: 0.125 sec
jurlbla.ndb: Memory: 6.386 MB

lott.ndb: Time: 0.078 sec
lott.ndb: Memory: 5.206 MB

phish.ndb: Time: 2.390 sec
phish.ndb: Memory: 14.546 MB

phishtank.ndb: Time: 0.157 sec
phishtank.ndb: Memory: 5.699 MB

porcupine.ndb: Time: 0.078 sec
porcupine.ndb: Memory: 5.898 MB

rogue.hdb: Time: 0.047 sec
rogue.hdb: Memory: 4.652 MB

scam.ndb: Time: 0.407 sec
scam.ndb: Memory: 11.585 MB

scamnailer.ndb: Time: 4.609 sec
scamnailer.ndb: Memory: 22.085 MB

spam.lcdb: Time: 0.047 sec
spam.ldb: Memory: 4.515 MB

spamattach.hdb: Time: 0.047 sec
spamattach.hdb: Memory: 4.308 MB

spamimg.hdb: Time: 0.047 sec
spamimg.hdb: Memory: 4.398 MB

spear.ndb: Time: 0.610 sec
spear.ndb: Memory: 12.140 MB

spearl.ndb: Time: 0.063 sec
spearl.ndb: Memory: 5.089 MB

winnow.attachments.hdb: Time: 0.047 sec
winnow.attachments.hdb: Memory: 4.370 MB

winnow.complex.patterns.lcdb: Time: 0.047 sec
winnow.complex.patterns.ldb: Memory: 4.320 MB

winnow_bad_cw.hdb: Time: 0.046 sec
winnow_bad_cw.hdb: Memory: 4.308 MB

winnow_extended_malware.hdb: Time: 0.109 sec
winnow_extended_malware.hdb: Memory: 7.413 MB

winnow_extended_malware_links.ndb: Time: 0.046 sec
winnow_extended_malware_links.ndb: Memory: 4.308 MB

winnow_malware.hdb: Time: 0.110 sec
winnow_malware.hdb: Memory: 7.777 MB

winnow_malware_links.ndb: Time: 0.125 sec
winnow_malware_links.ndb: Memory: 7.128 MB

winnow_phish_complete.ndb: Time: 4.907 sec
winnow_phish_complete.ndb: Memory: 7.577 MB

winnow_phish_complete_url.ndb: Time: 4.922 sec
winnow_phish_complete_url.ndb: Memory: 7.577 MB

winnow_spam_complete.ndb: Time: 0.125 sec
winnow_spam_complete.ndb: Memory: 7.097 MB


Cheers,

Steve
Sanesecurity



Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Steve Basford

> OK...I'll do some testing tomorrow and see if we can't come up with some
> information for you.
>
> Matt
>
>
>
> in the last few days a lot of spam is (ab)using t.co shortened URLs in
> the payload, so these are ending up in bofhland_cracked_URL.ndb (~7K
> distinct URLs atm)


Sorry for the cross post...

Hi,

In doing a very small single file test using the bofhland_cracked_URL.ndb,
it took ** 66 seconds ** to scan the file.

Having a quick look at repeating patterns in the file, 77 (www) was
common, so just for testing I tried this...

sed "s/(B)772E/2E/g" bofhland_cracked_URL.ndb > bofhland_cracked_URL_test.ndb

This will remove the beginning boundary check and the www. bit... and
replace it with a single ., which hopefully will be a simple boundary
separator.

If I now scan the same file, but using the bofhland_cracked_URL_test.ndb
database, it only takes ** 5 seconds ** :O

Not sure if this is the workaround... but certainly food for thought.

Cheers,

Steve
Sanesecurity

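The analysis behind the sed one-liner in this post and the prefix timings in the 2013-08-15 post, done in Python as an added example (not Sanesecurity code): it counts how many .ndb signatures share the same leading bytes and rewrites the shared (B)www. prefix to a lone "." so the effect on a set can be measured. The sample database is constructed.

```python
"""Added example, not Sanesecurity code: the analysis behind the sed
one-liner in the post above (and the prefix timings in the 2013-08-15
post), done in Python so the effect on a signature set can be measured.

.ndb lines are  SigName:TargetType:Offset:HexSignature .  The script counts
how many signatures begin with the same leading bytes, here the boundary
marker (B) followed by "www." (7777772e in hex), and rewrites that common
prefix to a lone "." (2e), which is what the sed did.  The sample database
is constructed; target type 0 means "any file".
"""
from collections import Counter
from typing import Counter as CounterT, List, Tuple

NdbSig = Tuple[str, str, str, str]   # (name, target type, offset, hex body)


def parse_ndb(text: str) -> List[NdbSig]:
    """Split each .ndb line into its four fields; blank and '#' lines are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, body = line.split(":", 3)
        sigs.append((name, target, offset, body))
    return sigs


def leading_bytes(body: str, n_hex: int) -> str:
    """First n_hex hex chars of the body after an optional (B) marker, lowercased."""
    if body.startswith("(B)"):
        body = body[3:]
    return body[:n_hex].lower()


def prefix_histogram(sigs: List[NdbSig], n_hex: int = 8) -> CounterT[str]:
    """How many signatures share each leading n_hex hex chars (8 = four bytes)."""
    return Counter(leading_bytes(body, n_hex) for _, _, _, body in sigs)


def rewrite_prefix(text: str, old: str = "(B)7777772e", new: str = "2e") -> Tuple[str, int]:
    """Replace a leading prefix in every body; returns (new text, signatures changed)."""
    out, changed = [], 0
    for name, target, offset, body in parse_ndb(text):
        if body.lower().startswith(old.lower()):
            body = new + body[len(old):]
            changed += 1
        out.append(f"{name}:{target}:{offset}:{body}")
    return "\n".join(out) + "\n", changed


def url_sig(name: str, url: str) -> str:
    """Build a constructed URL signature: boundary marker plus the URL's bytes in hex."""
    return f"{name}:0:*:(B){url.encode().hex()}"


# Constructed database: four "www." URLs plus one that does not start that way.
SAMPLE_NDB = "\n".join([
    url_sig("Test.URL.1", "www.alpha.test/login"),
    url_sig("Test.URL.2", "www.beta.test/verify"),
    url_sig("Test.URL.3", "www.gamma.test/a"),
    url_sig("Test.URL.4", "www.delta.test/b"),
    url_sig("Test.URL.5", "t.co/shortlink"),
]) + "\n"


def demo() -> Tuple[Tuple[str, int], int]:
    """Most common 4-byte prefix and how many signatures the rewrite touches."""
    sigs = parse_ndb(SAMPLE_NDB)
    top = prefix_histogram(sigs).most_common(1)[0]
    _, changed = rewrite_prefix(SAMPLE_NDB)
    return top, changed


if __name__ == "__main__":
    (prefix, count), changed = demo()
    print(f"most common prefix {prefix} shared by {count} signatures; rewrite changed {changed}")
```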


Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Steve Basford

> OK...I'll do some testing tomorrow and see if we can't come up with some
> information for you.

Hi Matt

In additional testing:

a) Replacing (B)772E with (B)772E also brings the speed
down... (6.5 secs)

b) Replacing (B)772E with (B)77??772E also brings the speed
down...(10.2 secs)

c) Replacing (B)772E with 772E (w.) also brings the speed down...
(10.5 secs)

very odd.. but maybe option a) could be used, instead of (B)772E
which slows down db loading times.

Cheers,

Steve
Sanesecurity





Re: [clamav-users] clamd taking too long to restart?

2013-08-14 Thread Steve Basford

> OK, we've been able to reproduce the problem and it is, as you all
> suspected revolving around the www. matching.  I've asked one of the
> developers to look at it, and we should be able to provide some
> best-practice guidelines on how to construct rules to avoid this
> situation.

Thanks Matt, glad you'd spotted an issue too.

> We'll also review if code changes are appropriate, but given how the tree
> operates, I don't immediately expect that to be the case.

Out of interest are there any roadmaps/future improvements for ClamAV
that are being discussed, as the last changelog update was May (before the
takeover)?

Cheers,

Steve
Sanesecurity



[clamav-users] news: Cisco Announces Agreement to Acquire Sourcefire

2013-07-24 Thread Steve Basford
just in case anyone missed it...

The best news in all of this, especially for our partners, customers and
open source users, is that Cisco is committed to accelerate the
realization of our vision into the market. We’ll be able to more quickly
innovate, develop and provide products and technologies that continue to
solve your biggest security challenges. And not just for commercial and
government solutions – they are committed to continued innovation and
support of our open source projects, too.

Source:
http://blog.sourcefire.com/Post/2013/07/23/1374581400-cisco--sourcefire--now-bigger-stronger-faster/

Source: http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/sourcefire.html

Cheers,

Steve
Sanesecurity



Re: [clamav-users] ClamAV 0.97.8 has been released!

2013-04-23 Thread Steve Basford

> Dear ClamAV users,
>
>
> ClamAV 0.97.8 addresses several reported potential security bugs. Thanks
> to Felix Groebert of the Google Security Team for finding and reporting
> these issues.
>
> Download: http://downloads.sourceforge.net/clamav/clamav-0.97.8.tar.gz
> PGP sig: http://downloads.sourceforge.net/clamav/clamav-0.97.7.tar.gz.sig
> ChangeLog: https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog


The PGP sig should be:

http://sourceforge.net/projects/clamav/files/clamav/0.97.8/clamav-0.97.8.tar.gz.sig/download

.. and the Windows binaries are here:

http://sourceforge.net/projects/clamav/files/clamav/win32/0.97.8/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] ClamAV 0.97.8 has been released!

2013-04-23 Thread Steve Basford


> Sorry about that, I had it right in my post, but when the email went out,
> it didn't take.

No problem, just thought I'd point it out in case anyone thought there had
been a security issue with the file.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] GTUBE message detection

2013-04-10 Thread Steve Basford


 Given that a large proportion of the Sanesecurity sigs detect spam,
 phishing, and other junk
 mail (and folks use them as such), wouldn't it be useful to include a
 standard spam test
 signature by default?

 It seems to be very controversial if ClamAV should include signatures
 for other things than classic malware. Why not have some kind of
 classification of the signatures and let us control what we download
 via Freshclam?

Hi,

Just to clear up any confusion:

1) GTUBE isn't in ClamAV official signatures

2) GTUBE isn't in Sanesecurity signatures but later *may* have a separate
Sanesecurity distributed gtube.ndb file that people can specify to use,
probably not by default.

3) Sanesecurity signatures aren't available by freshclam

4) classification...

a) Official sigs: could be news soon: "We are in the process of streamlining
our signature names (we will have an announcement soon)" Source:
http://www.gossamer-threads.com/lists/clamav/users/57914#57914

b) Sanesecurity... most database names reflect what type of stuff it's
going to block.  Phish.ndb, confusingly, does block malware and
phishing, but the signature names DO reflect what it has blocked.  rogue.hdb
does block *very* new malware received.. if you want to know more about
the current databases:

http://sanesecurity.com/usage/signatures/

If people want different classifications/GTUBE support on Sanesecurity
sigs, we can discuss on the Sanesecurity list, so it's not polluting
things here.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] GTUBE message detection

2013-04-09 Thread Steve Basford

 On 4/8/13 1:40 PM, Andrew Beverley  wrote:

 Some time ago there was a discussion that resulted in the GTUBE test
 spam message being added to the Clamav signatures[1].
 ...
 [1] http://lurker.clamav.net/message/20090924.234610.57310ea1.en.html

 According to the second message in your footnoted reference, it was added
 to
 the Sanesecurity unofficial signature database, not ClamAV's.  Every time
 it
 comes up I have tried to test it and it always fails.  Now I know why.


Hi All,

Couple of updates..

I've just checked and the Sanesecurity.TestSig.GTUBE signature name had
accidentally been renamed to Sanesecurity.TestSig.10616

I have, however, removed the checks for GTUBE, so at least ClamAV and
Third-Party sigs are now consistent.

If people really want to check they can use something like this:

printf 'Sanesecurity.TestSig.GTUBE:0:*:584a53
2a43344a44425141444e312e4e53424e332a3249444e454e2a47545542452d5354414e444152442d414e54492d5542452d544553542d454d41494c2a432e333458' > gtube.ndb

(remove the line wraps)


Cheers,

Steve
Sanesecurity

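As an added example (not Steve's code and not ClamAV's), here is a small Python reader for .ndb signatures that decodes the GTUBE hex body above the way sigtool --decode-sigs would, then matches a constructed message against it. It handles only a subset of the hex syntax (plain hex, ??, *, {n-m}) and only `*` or integer offsets; those limits, and the sample mail, are my assumptions rather than the engine's full grammar.

```python
"""Added example, not code from the post or from ClamAV: a minimal reader for
ClamAV .ndb body signatures that decodes the hex body the way
`sigtool --decode-sigs` does and then checks a message against it.

Assumed: only this subset of the .ndb hex syntax is handled (plain hex pairs,
`??` one-byte wildcard, `*` any-length gap, `{n}`, `{n-}`, `{-m}` and `{n-m}`
byte ranges); the offset field is `*` or a plain integer; the signature line
is the GTUBE one from the post with the mail line wrap removed.
"""
import re
from dataclasses import dataclass
from typing import List

# .ndb layout: MalwareName:TargetType:Offset:HexSignature
GTUBE_NDB_LINE = (
    "Sanesecurity.TestSig.GTUBE:0:*:584a53"
    "2a43344a44425141444e312e4e53424e332a3249444e454e2a47545542452d5354414e"
    "444152442d414e54492d5542452d544553542d454d41494c2a432e333458"
)

# What the hex body spells out: the public GTUBE test string.
GTUBE_STRING = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"

# Constructed sample messages (not real mail).
TEST_MAIL = (b"From: sender@example.test\r\nSubject: spam test\r\n\r\n"
             + GTUBE_STRING.encode() + b"\r\n")
CLEAN_MAIL = b"From: sender@example.test\r\nSubject: hello\r\n\r\nJust a note.\r\n"

_TOKEN = re.compile(r"\{[^}]*\}|\*|\?\?|[0-9a-f]{2}")


@dataclass
class NdbSignature:
    name: str
    target_type: int   # 0 = any file type (other types are not enforced here)
    offset: str        # "*" = anywhere, otherwise a byte offset
    hex_body: str


def parse_ndb_line(line: str) -> NdbSignature:
    """Split one .ndb line into its four colon-separated fields."""
    parts = line.strip().split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed .ndb line: {line!r}")
    name, target, offset, body = parts
    return NdbSignature(name, int(target), offset, body.lower())


def _tokens(hex_body: str) -> List[str]:
    tokens = _TOKEN.findall(hex_body)
    if "".join(tokens) != hex_body:
        raise ValueError(f"unsupported hex body: {hex_body!r}")
    return tokens


def decode_hex_body(hex_body: str) -> str:
    """Render the body as text, like `sigtool --decode-sigs`: wildcard tokens
    are kept verbatim, non-printable bytes are shown as \\xNN."""
    out = []
    for token in _tokens(hex_body):
        if token in ("*", "??") or token.startswith("{"):
            out.append(token)
        else:
            byte = int(token, 16)
            out.append(chr(byte) if 32 <= byte < 127 else f"\\x{byte:02x}")
    return "".join(out)


def hex_body_to_regex(hex_body: str) -> "re.Pattern[bytes]":
    """Translate the hex body into a bytes regex (DOTALL, so gaps span newlines)."""
    pieces = []
    for token in _tokens(hex_body):
        if token == "*":
            pieces.append(b".*?")
        elif token == "??":
            pieces.append(b".")
        elif token.startswith("{"):
            lo, dash, hi = token[1:-1].partition("-")
            if not dash:            # {n}: exactly n bytes
                hi = lo
            lo = lo or "0"          # {-m}: zero to m bytes; {n-}: n or more
            pieces.append(f".{{{lo},{hi}}}".encode())
        else:
            pieces.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)


def scan_ndb(data: bytes, signatures: List[NdbSignature]) -> List[str]:
    """Names of the signatures found in `data`, honouring a fixed offset."""
    hits = []
    for sig in signatures:
        pattern = hex_body_to_regex(sig.hex_body)
        if sig.offset == "*":
            found = pattern.search(data) is not None
        else:
            found = pattern.match(data, int(sig.offset)) is not None
        if found:
            hits.append(sig.name)
    return hits
```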


Re: [clamav-users] W32/Autorun.worm.aaeh not found in ClamAV ?

2013-04-08 Thread Steve Basford

 Al,

 Just now I restored and submitted autorun.inf as well to submit
 malware in clamav.net
  From sigtool I got this MD5 signature;
 3b19da4562e3729854ae6b3fe127:1123:Autorun.inf

It's also worth submitting the malware to:

https://www.virustotal.com/en/

Currently the Autorun hash you have isn't in its database.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] looking for Bill Landry b...@inetmsg.com

2013-03-20 Thread Steve Basford

 Hi all,

 Bill Landry is the developer of clamav-unofficial-sigs and since I'm the
 Debian maintainer of that, I need to discuss some things with him but
 his domain inetmsg.com doesn't respond to HTTP or SMTP connections. Does
 anyone know what happened to him or if he moved to a different domain?

Hi,

Bill decided (Jul 2012) that due to more travelling with his job he could
no longer provide time to provide update sigs or support.

Here's the announce at the time:

http://www.freelists.org/post/sanesecurity/database-changes

The existing script can be modified/download from here:

http://sourceforge.net/projects/unofficial-sigs/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] ClamAV 0.97.7 available?

2013-03-15 Thread Steve Basford
FYI, Win32 now available too...

http://sourceforge.net/projects/clamav/files/clamav/win32/0.97.7/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Block files type inside attached files

2012-12-07 Thread Steve Basford


 How could I block some files type that are inside a zip or rar files
 attached into an e-mail received?

Here's an example: create a blockext.zmd:

Sanesecurity.Blocked.Zip.xxx.exe:0:\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:*

(watch the wrap after the 0:\. bit)


This will block certain double extensions, ending in exe, in zip files;
you can do the same for rar files (.rmd)

See sig docs:
http://www.clamav.net/doc/latest/signatures.pdf

Cheers,

Steve
Sanesecurity

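As an added example (not Steve's code and not ClamAV's), this Python snippet parses the .zmd line above and runs it over the member names of a constructed in-memory ZIP, which is the double-extension check the post describes. The nine-field layout, the meaning of `*`, a 1-based fileno, and using Python's `re` in place of ClamAV's own regex engine (case-sensitive unless asked otherwise) are assumptions.

```python
"""Added example, not code from the post or from ClamAV: parses the .zmd line
from the post and applies it to the member names of an in-memory ZIP, the
check the post describes for double-extension attachments.

Assumed: the nine-field .zmd layout
  name:encrypted:filename-regex:normal-size:csize:crc32:cmethod:fileno:maxdepth
where "*" means "any", encrypted is 0/1, crc32 is hex and fileno counts
members from 1; the regex is run with Python's `re`, which is close to but not
identical to ClamAV's own engine, and case-sensitively unless asked otherwise.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# The .zmd line from the post, with the mail line wrap removed.
ZMD_LINE = (
    r"Sanesecurity.Blocked.Zip.xxx.exe:0:"
    r"\.(doc|xls|wpd|txt|jpg|jpeg|htm|html|pdf|pif|scr).exe$:*:*:*:*:*:*"
)


@dataclass
class ZmdSignature:
    name: str
    encrypted: Optional[bool]       # None = "*"
    filename: "re.Pattern[str]"
    normal_size: Optional[int]
    compressed_size: Optional[int]
    crc32: Optional[int]
    method: Optional[int]
    file_number: Optional[int]
    max_depth: Optional[int]


def _star_or_int(field: str, base: int = 10) -> Optional[int]:
    return None if field == "*" else int(field, base)


def parse_zmd_line(line: str, ignore_case: bool = False) -> ZmdSignature:
    """Split a .zmd line; the six trailing fields are taken with rsplit so
    that a ':' inside the regex does not break the parse."""
    head, *tail = line.strip().rsplit(":", 6)
    if len(tail) != 6:
        raise ValueError(f"malformed .zmd line: {line!r}")
    name, encrypted, regex = head.split(":", 2)
    return ZmdSignature(
        name=name,
        encrypted=None if encrypted == "*" else encrypted == "1",
        filename=re.compile(regex, re.IGNORECASE if ignore_case else 0),
        normal_size=_star_or_int(tail[0]),
        compressed_size=_star_or_int(tail[1]),
        crc32=_star_or_int(tail[2], 16),
        method=_star_or_int(tail[3]),
        file_number=_star_or_int(tail[4]),
        max_depth=_star_or_int(tail[5]),
    )


def member_matches(sig: ZmdSignature, info: zipfile.ZipInfo, position: int) -> bool:
    """Every field that is not '*' must agree with the member's metadata."""
    is_encrypted = bool(info.flag_bits & 0x1)
    return all([
        sig.filename.search(info.filename) is not None,
        sig.encrypted is None or sig.encrypted == is_encrypted,
        sig.normal_size is None or sig.normal_size == info.file_size,
        sig.compressed_size is None or sig.compressed_size == info.compress_size,
        sig.crc32 is None or sig.crc32 == info.CRC,
        sig.method is None or sig.method == info.compress_type,
        sig.file_number is None or sig.file_number == position,
    ])


def scan_zip(data: bytes, sigs: List[ZmdSignature]) -> List[str]:
    """'signature: member' for each member that trips a signature (top level
    only: max_depth is parsed but nested archives are not opened here)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for position, info in enumerate(zf.infolist(), start=1):
            for sig in sigs:
                if member_matches(sig, info, position):
                    hits.append(f"{sig.name}: {info.filename}")
    return hits


def build_sample_zip(names: List[str]) -> bytes:
    """Constructed sample archive: each member is a short harmless text body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, f"placeholder content for {name}\n")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip(["report.pdf", "invoice.pdf.exe", "setup.exe", "photo.jpg.exe"])
```

Note that the regex as written is case-sensitive, so an upper-case member name slips past it unless you compile it with ignore_case.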


Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

2012-11-26 Thread Steve Basford


 These rules must have a common signature? Old downloads suddenly trigger
 positives.

Hi Jari,

These sigs need to be reported as FP's to:

false_positive AT crdf.fr

In the meantime, I've whitelisted on the mirrors, until they can take a
look.

One thing to double check is to submit one of the suspected files to
virustotal, and confirm if it's definitely a fp.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] False positives with CRDF.Malware.Win32.PEx.*.426953001.UNOFFICIAL

2012-11-26 Thread Steve Basford

 Jari Fredriksson wrote on 25-11-2012 17:10:
 These rules must have a common signature? Old downloads suddenly
 trigger
 positives.

 unofficial sigs, what should clamav team do about them ?

Well, I've tried to explain what to do with FP's like this...

http://sanesecurity.co.uk/fps.htm

Cheers,

Steve
Sanesecurity



Re: [clamav-users] question about sanesecurity

2012-11-26 Thread Steve Basford

 Are signatures for Belgian or Dutch bank-phishing mails (ING,
 BNP-Paribas-Fortis, Belfius, etc) included in these databases?


I've replied off-list

Cheers,

Steve
Sanesecurity



Re: [clamav-users] missed virus

2012-11-15 Thread Steve Basford

 OK, I'm stumped as to why clamav-milter did not catch this virus. It was
 from this address, being masked as from UPS:


 File: Invoices-14-2012.htm

Hi Jamen,

I've been seeing these java/htm combos over the last few days and been
adding detection to phish.ndb.

The other bad stuff coming in should be detected with:

phish.ndb, rogue.hdb and blurl.ndb

OITC's sigs are also recommended.

More details here:
http://www.sanesecurity.com/clamav/databases.htm


Cheers,

Steve
Sanesecurity



Re: [clamav-users] Spam No Longer ID'd as Virus

2012-08-21 Thread Steve Basford


 Unless something has changed again that I missed, the INetMsg signatures
 are no
 longer maintained.

That's still correct... just in case anyone else missed the updates,
here's the last two announcements, as there were a few new databases too:

http://www.freelists.org/post/sanesecurity/database-changes
http://www.freelists.org/post/sanesecurity/New-database-winnow-bad-cwhdb

Cheers,

Steve
Sanesecurity



Re: [clamav-users] False Positives

2012-08-13 Thread Steve Basford

 I will Alain,

 But I want a quick way to whitelist as a shortcut, because our users
 are complaining. :(


Put the problem signature name in a file called local.ign2 and restart clamd.

eg:

MBL_303159
MBL_312128
Worm.Mydoom-20009

etc. etc.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] ZIP/Bredolab.A!Camelot

2012-07-20 Thread Steve Basford

 Hi, just was informed that some mails with
 ZIP/Bredolab.A!Camelot

 slipped through up2date clamav gateway , detected by
 Microsoft Forefront


Hi,

Did they slip past the Sanesecurity phish.ndb/rogue.hdb ones too?

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Clam virus database for test purposes

2012-07-04 Thread Steve Basford

 Thank you for your reply.

 The suggested solution doesn't solve the problem as I am trying to
 communicate with clamav-daemon which (as far as I can tell) checks for
 the cvd databases and doesn't take a database argument. Any other
 suggestions?

Create the test.ndb file as shown earlier... and copy to your database
area, eg /var/lib/clamav

Restart clamd

clamdscan eicar.com

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Windows packaging

2012-06-25 Thread Steve Basford
 Your best bet is to ask on the ClamWin forum. Here is the forum site
 http://forums.clamwin.com/

I'm not sure if he's talking about the binaries here, auto-built by
ClamAV Team (not the version by the ClamWin team)

http://sourceforge.net/projects/clamav/files/clamav/win32/

The builds used to be .zip files... now gone over to .MSI

While I can see the MSI installer being useful to some people... I'd
prefer to have the .ZIPs back (or have both built), as I've got to run the
MSI installer, find where the files have been installed and then copy them
out, so I can play with config files/test etc.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Windows packaging

2012-06-25 Thread Steve Basford

 On Mon, Jun 25, 2012 at 08:13:58AM +0100, Steve Basford wrote:
 While I can see the MSI installer being useful to some people... I'd
 prefer to have the .ZIPs back (or have both built), as I've got to run
 the
 MSI
 installer, find where the files have been installed and them copy them
 out,
 so I can play with config files/test etc.

 Lmgtfy..

 http://www.tech-recipes.com/rx/2557/vista_how_to_extract_content_from_msi_files/

Came across that gem yesterday... but fails for me on both win7 and vista:

Something along the lines of: "the installer has encountered an
unexpected error installing this package. The error code is 2203"

Also to note that when you do manually extract the file...you get a devel
version.. not a stable version of sigtool/clamscan etc.

ie:

ClamAV devel-clamav-0.97.5-1-gb66fba6

Hopefully that can be sorted (ClamAV-x86-0.97.5.msi)


Steve
Sanesecurity



Re: [clamav-users] Windows packaging

2012-06-25 Thread Steve Basford

 VisualStudio does not have a target to build a ZIP file, we could also
 build a cab file if this would help.


Hi Tom,

Any use?

http://markkemper1.blogspot.co.uk/2010/10/zipping-build-outputs-using-build-file.html
http://stackoverflow.com/questions/4794503/is-there-a-zip-project-in-visual-studio

If not... at least a .cab file would be great.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] [sanesecurity] Re: Long DB refresh times

2012-04-25 Thread Steve Basford


 I think I'm missing some context here: which DB files are slow to load?
 The official ones? Just the sanesecurity ones? Any particular DB from the
 sanesecurity ones?

Hi Edwin,

I've emailed you off-list... but think I've found the issue and work-around.

Sorry for the cross-post to clamav-users.

Cheers,

Steve
Sanesecurity



[clamav-users] ClamAv 0.97.4 win32/64 binaries

2012-03-16 Thread Steve Basford
Hi,

Any eta on an update to v0.97.4 here...

http://sourceforge.net/projects/clamav/files/clamav/win32/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] false positives with MBL_207346?

2012-02-22 Thread Steve Basford
 I started seeing a bunch of these this morning, essentially trashing
 around... I don't know, 80 or 90% of our mail.  The signature is
 definitely in our database but I can't find anything about it via google
 aside from pages that have apparently been updated to no longer mention
 it.  Any ideas here?  Anyone else seeing this?


 ~$ sigtool --list-sigs | grep MBL_207346
 MBL_207346

Hi John,

Their signature currently points to:

www DOT thinkertec DOT com/trial

Thinkertec SpyPal spy software - Invisible keylogger

Might be worth doing a decode-sigs to see if it matched the above?
eg: grep MBL_207346 <database file> | sigtool --decode-sigs

If it's still an issue for you, you can use a whitelist db file..

printf MBL_207346 > localbl.ign2
restart clamd

Cheers,

Steve
Sanesecurity



Re: [clamav-users] false positives with MBL_207346?

2012-02-22 Thread Steve Basford
 Oh, and I now realize that this is outside of freshclam's control, being
 a sanesecurity signature.  I removed the mbl.db and disabled that
 cronjob until we sort this out...

Hi John,

Actually, just to clarify... it's not a Sanesecurity signature and it's
not distributed by Sanesecurity either, it's a Malware patrol signature,
which can be downloaded using one of the download scripts.

What download script are you using?

I'm wondering if either the download from malware patrol failed and you
only got the www. bit of the signature, they pushed out a faulty signature
or you are running out of memory/resources and clamd didn't fully load all
the signature.

Bit hard to say really... but I'd start by re-downloading the dbs and then
using sigtool to check the sig again, before restarting clamd.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] undetected virus

2012-01-23 Thread Steve Basford
 Dear list,

 We received a virus not detected by Clamav. VirusTotal shows a 23/43
 detection ratio. Trend Micro recogises it as TROJ_GEN.R06C8AN.
 Yesterday I submitted a sample to Clamav. But till now it's not detected.
 https://www.virustotal.com/file/d6a2ae622adae26cc7988e68edfa6898364b423a47b8eeebb3d917459cd99a68/analysis/

 What should be the reason of this?

Hi,

I've added a quick hash into Sanesecurity's rogue.hdb... if you aren't
using Sanesecurity signatures, just add this line into a .hdb file, for
example localmalware.hdb and restart clamd:

0479013c040882b2b287c2bad1dbd8a6:39765:Sanesecurity.Rogue.2340

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Finding false positives

2011-12-12 Thread Steve Basford

 Can someone help me understand why the issue with securesites.net is,
 and why this email was blocked because of it?

Hi Alex,

The domain was blocked by a Third Party ClamAV database produced by InetMsg.

I've removed the signature for them and it will be removed from the
mirrors in the next 15 mins.

Thanks for reporting...

In case this help in the future:

http://www.sanesecurity.com/clamav/fps.htm

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Scan files by date

2011-10-04 Thread Steve Basford
 I have a large number of files (9TB) with over a million files and
 thousands of directories. I would like to scan the group one time so I
 have a good baseline. After that I would like to scan files that are less
 than 365 days old. Can I use clamscan to scan files by date?

Along these lines, pdf files changed in the last 2 days

find . -name '*.pdf' -mtime -2 -type f -print0 | xargs -0 clamdscan

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Yet Another US Mirror Issue

2011-09-14 Thread Steve Basford
 On Wed, 14 Sep 2011, Dan wrote:

 http://www.downforeveryoneorjustme.com/88.198.67.125

 Says it's up.

Received responses: 53 Ok 5 Fail

http://host-tracker.com/check_res_ajx/8730391-0/

Cheers,

Steve
Sanesecurity



Re: [clamav-users] False Positive - INetMsg.SpamDomain-2w.dl_dropbox_com.UNOFFICIAL

2011-07-08 Thread Steve Basford
 This is a message I hand created with a valid link to a dropbox file.
 4e1653aa.432.e8be7950.c618...@mc3computerclub.org Message contains an
 infected attachment (INetMsg.SpamDomain-2w.dl_dropbox_com.UNOFFICIAL)

Hi,

I've removed the signature from the mirrors and have also notified Bill
(InetMsg) to whitelist.

Thanks for the report.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] announcing ClamAV 0.97.1

2011-06-10 Thread Steve Basford
 On Thu, 9 Jun 2011, Luca Gibelli wrote:


 Dear ClamAV users,


 This is a bugfix release recommended for all users. Please refer to the
 ChangeLog file for details.

 Download : http://downloads.sourceforge.net/clamav/clamav-0.97.1.tar.gz

Can't see the windows binaries for 0.97.1 yet?

http://sourceforge.net/projects/clamav/files/clamav/win32/

Cheers,

Steve
Sanesecurity





Re: [clamav-users] HOW to whitelist XF.Sic.L

2011-05-31 Thread Steve Basford
 I know that XF.SIC.L detected files are not virus i want clamav to ignore
 this kind for viruses .

 i also also created file local.ign2 in the the database dir with folowing
 content

 # cat local.ign2
 XF.Sic.E
 XF.Sic.L
 but got error after restarting the clamd service

How about?

printf 'XF.Sic.E\nXF.Sic.F' > example.ign2

Change the output filename and/or use >> instead.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Access has been denied page

2011-04-17 Thread Steve Basford
 On 04/17/11 05:05, Dennis Peterson wrote:
 Adding the hard-coded
 UNOFFICIAL reduces some liability from the Clamav team.

 That!
 And lots of daily annoyances with FP reports too.

 Which is why the suffix won't go away nor an option will be available to
 get rid of it.

I receive .UNOFFICIAL reports too, which aren't produced by Sanesecurity,
so instead I forward them on and/or whitelist.

This page shows FP contact details for all the .UNOFFICIAL ones

http://www.sanesecurity.com/clamav/fps.htm

A small suggestion: could Luca now modify the SI to report any
.UNOFFICIAL FPs direct to the above contacts and a copy to myself?

In that way, it keeps the ClamAV team free from the daily annoyances and
directs the problem report direct to the people that can do something
about it.


Cheers,

Steve
Sanesecurity



Re: [clamav-users] Access has been denied page

2011-04-14 Thread Steve Basford
 Thanks

 I had put in
 MBL_200562.UNOFFICIAL

 instead of
 MBL_200562

 I reloaded clamav and now it works.


Glad you got it sorted.

Just to clarify, don't add the .UNOFFICIAL to *any* signature names that
you wish to whitelist (add to the .ign2 file)

It confused me at first too, why sigs didn't whitelist.. but once you know ;)

Cheers,

Steve
Sanesecurity





Re: [clamav-users] Access has been denied page

2011-04-13 Thread Steve Basford
 Hello,

 I have a user that receives an email from a legitimate online newspaper
 site and since Monday they click on links in that email address and DG
 blocks the page with the following message

 Virus MBL_200562.UNOFFICIAL found



Hi,

Although it's a not a Sanesecurity signature but another Third-Party
database, I've whitelisted the signature for Sanesecurity users that use
current scripts, which auto-download the sigwhitelist.ign2 file.

Status page updated: http://www.sanesecurity.com/status.htm

Thanks for the report.

Cheers,

Steve
Sanesecurity



Re: [clamav-users] Problem with sanesecurity-winnow_phish_complete.ndb

2011-03-02 Thread Steve Basford

 Disregard the message found this was and OLD database file that was
 causing problems.


Hi Ken,

Thanks for the report and glad you sorted out the problem.

For reference, here's the contact details for the
Sanesecurity/Sanesecurity Distributed signatures:

http://sanesecurity.co.uk/fps.htm

Cheers,

Steve
Sanesecurity



Re: [clamav-users] [0.97rc] 3rd party DB securiteinfohtml.hdb: Malformed database

2011-02-02 Thread Steve Basford
 Hello again,

 Probably expected, the above mentioned 3rd party database can't be
 loaded with this version, 0.96 had no such problem.

I've just done a quick download of the current file and this item is causing
the problem for me:

LibClamAV Error: cli_loadhash: Invalid value for the size field

ie. the 0 (size) in the signature:

d41d8cd98f00b204e9800998ecf8427e:0:HTML-SecuriteInfo.com.HTML.Malware.737

Hopefully they'll remove/fix the signature soon.

Cheers,

Steve
Sanesecurity

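As an added example (not from this post or from ClamAV), here is a Python loader for .hdb hash signatures that rejects the zero-size entry quoted above, combined with the .ign2 whitelist lookup from the earlier whitelisting threads, where names go in without the .UNOFFICIAL suffix. The MD5:size:name layout with a positive size, the sample file content, and the signature names are assumptions/constructed; the quoted hash itself is the MD5 of zero bytes, which is why that entry carries size 0.

```python
"""Added example, not code from the post or from ClamAV: a loader for .hdb
hash signatures that rejects a zero size field, mirroring the
"cli_loadhash: Invalid value for the size field" error quoted in the post,
plus the .ign2 whitelist lookup from the earlier threads (names listed
without the .UNOFFICIAL suffix).

Assumed: .hdb lines are MD5:size:name with a positive decimal size and no
comments; an .ign2 file holds one bare signature name per line. The sample
file content and signature names are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import AbstractSet, Dict, List, Set, Tuple

# The entry quoted in the post. d41d8cd98f00b204e9800998ecf8427e is the MD5
# of zero bytes, so the entry describes an empty file and its size is 0.
BROKEN_HDB_LINE = "d41d8cd98f00b204e9800998ecf8427e:0:HTML-SecuriteInfo.com.HTML.Malware.737"

# Constructed sample "file" and a well-formed .hdb line that describes it.
SAMPLE_FILE = b"constructed sample content, not a real executable\n"
GOOD_HDB = (f"{hashlib.md5(SAMPLE_FILE).hexdigest()}:{len(SAMPLE_FILE)}:"
            "Constructed.Test.Sample-1\n")


class MalformedDatabase(Exception):
    """Raised for a line that would make ClamAV refuse the whole file."""


@dataclass(frozen=True)
class HdbKey:
    md5: str
    size: int


def parse_hdb_line(line: str) -> Tuple[HdbKey, str]:
    """Validate one MD5:size:name line; size 0 is rejected as ClamAV does."""
    parts = line.strip().split(":")
    if len(parts) != 3:
        raise MalformedDatabase(f"expected MD5:size:name, got {line!r}")
    md5, size, name = parts
    md5 = md5.lower()
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
        raise MalformedDatabase(f"bad MD5 field in {line!r}")
    if not size.isdigit() or int(size) == 0:
        raise MalformedDatabase(f"Invalid value for the size field in {line!r}")
    return HdbKey(md5, int(size)), name


def load_hdb(text: str) -> Dict[HdbKey, str]:
    """Load every non-blank line; one bad line fails the whole database."""
    db: Dict[HdbKey, str] = {}
    for line in text.splitlines():
        if line.strip():
            key, name = parse_hdb_line(line)
            db[key] = name
    return db


def is_loadable(text: str) -> bool:
    """True when the database text would load, False when it is malformed."""
    try:
        load_hdb(text)
        return True
    except MalformedDatabase:
        return False


def load_ign2(text: str) -> Set[str]:
    """One signature name per line, exactly as the engine names it (no
    .UNOFFICIAL suffix; that is only added when a hit is reported)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def report_name(name: str, official: bool) -> str:
    """How a hit is shown: third-party databases get the .UNOFFICIAL suffix."""
    return name if official else name + ".UNOFFICIAL"


def scan_hdb(data: bytes, db: Dict[HdbKey, str],
             ignored: AbstractSet[str] = frozenset(),
             official: bool = False) -> List[str]:
    """Exact (md5, size) lookup, suppressed when the bare name is whitelisted."""
    key = HdbKey(hashlib.md5(data).hexdigest(), len(data))
    name = db.get(key)
    if name is None or name in ignored:
        return []
    return [report_name(name, official)]
```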


[Clamav-users] OT: best ClamAV changelog entry

2010-10-06 Thread Steve Basford
[NSFW]

http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=42ab31d897c0d67b89467cfe34532c8b421d2c95

Lol,

Steve
Sanesecurity



Re: [Clamav-users] Tracking false positives

2010-09-13 Thread Steve Basford



Alex wrote:

Hi,

We had a user report that their email was tagged with
winnow.botnets.zu.zeus.4637.UNOFFICIAL, according to the logs. How can
I track this, and determine which database it was that contains this
pattern, and why it considered this email to contain this virus?


Hi Alex,

As other posts have indicated, this signature is a Third-Party ClamAV
signature, mainly downloaded with one of the download scripts, used with
the Sanesecurity signatures.

For further reference, there are the Third-Party databases:

http://www.sanesecurity.com/clamav/databases.htm

And this explains who to contact regarding a FP:

http://www.sanesecurity.com/clamav/fps.htm

In addition, there's a brilliant Third-Party signature decoder here, which
will easily show you the content of the Third-Party signature; just
cut/paste or type in the signature name and it'll decode it:

http://www.sanesecurity.com/clamav/decodesigs.htm

Cheers,

Steve
Sanesecurity


Re: [Clamav-users] concerning new virus

2010-08-26 Thread Steve Basford

 the actual file name is Xerox_doc.exe

 i have submitted this on the clam website several times but there seems to
 be no update on this

 Could somebody check this out and help please.

Just to add that Sanesecurity signatures from phish.ndb should be catching
that one already... add in rogue.hdb (for mass spammed exe's updated
hourly) and also winnow's winnow_malware.hdb should help a little.

More info:

http://sanesecurity.co.uk/download_scripts_linux.htm
http://sanesecurity.co.uk/databases.htm

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] 0.96.2 freezing with sane security update script on one of 2 linux systems

2010-08-18 Thread Steve Basford

 Can you run it with --debug to see where it hangs?
 Then open a bugreport please (and attach junk.ndb).

Not that this really helps, but I've tried the official win32 windows port
from here: http://sourceforge.net/projects/clamav/files/clamav/win32/

And in doing a quick test - loading ALL current Sanesecurity databases
together - they all run fine with clamscan.

Let me know the bugzilla number to keep an eye on things.

Cheers for the report,

Steve
Sanesecurity



Re: [Clamav-users] 0.96.2 freezing with sane security update script on one of 2 linux systems

2010-08-18 Thread Steve Basford
 OK. Here's debug AND the fix at least from my solution:

 Recompiled with

 ./configure --disable-llvm
 make
 make install

Thanks for reporting back.. it's odd though, as the test file you are
scanning is only a small ascii file... out of interest, does the same
thing happen with llvm enabled and one of the other database files -or-
does it ONLY fail with the junk.ndb file?

Over to edwin though ;)

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] MSRBL signatures?

2010-08-03 Thread Steve Basford
 Hi all,

 I was thinking of implementing the MSRBL signatures, as they are
 described on the sanesecurity site, but it appears they haven't been
 updated in quite some time. I wouldn't have considered it, except that
 they are listed on the sanesecurity site.

 Are they still effective? Perhaps they are updated and I just haven't
 found where the latest versions are?

Hi Alex,

MSRBL signatures haven't been updated in a while, the last bit of news was
this blog post, explaining the reason why:

http://msrbl.blogspot.com/2010/01/msrbl-status-update-as-some-of-you-have.html

I'm hoping to find a bit of time to update the list of databases on the
site, to reflect this, so I'd leave them off, until they come back.

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] MSRBL signatures?

2010-08-03 Thread Steve Basford

 I've discontinued using them because of the lack of activity. I've also
 shut off
 SecuriteInfo and because of false positives, InetMsg signatures.

Hi Dennis,

If any FP's are reported here:

false_positive AT sanesecurity DOT me DOT uk

I then remove and forward on to the right person to take a look at it and
hopefully they can be whitelisted to avoid any further problems.

The main FP reporting page is here:

http://sanesecurity.co.uk/fps.htm

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] Feedback on clamav + sanesecurity experience

2010-07-21 Thread Steve Basford



Eric Rostetter wrote:

I recently
had a false positive also (a base64 encoded pdf string that happened
to match on a certain drug name).  But, the FP rate is probable about
1 per year, so all in all not bad at all if you either reject
them or quarantine them (as opposed to tossing them in the bit-bucket).


Hi All,

Thanks for all the feedback... just a reminder if you do receive a FP, 
please report.


Here's the main FP reporting page:

http://www.sanesecurity.com/clamav/fps.htm

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] PUA.HTML.Infected.WebPage-1

2010-06-04 Thread Steve Basford

 Yep, please open a ticket in our bugzilla

Entry added:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2063

BTW, might be an idea to add Sigtool to the component options page on
Bugzilla.

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] PUA.HTML.Infected.WebPage-1

2010-06-03 Thread Steve Basford
Ooops... forgot the sigtool un-pack bit (note: daily file only)

  sigtool --unpack-current=daily
  grep PUA.HTML.Infected.WebPage daily.* -h > sig.tmp
  sigtool --decode-sigs < sig.tmp > decodedsig.tmp
  cat decodedsig.tmp

Cheers,

Steve
Sanesecurity




Re: [Clamav-users] PUA.HTML.Infected.WebPage-1

2010-06-03 Thread Steve Basford
 You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
 sigs, no need to unpack.

Nice... thanks Edwin:

sigtool -fPUA.HTML.Infected.WebPage | sigtool --decode-sigs

:)

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] PUA.HTML.Infected.WebPage-1

2010-06-03 Thread Steve Basford

 You can use 'sigtool -fPUA.HTML.Infected.WebPage' to find and print the
 sigs, no need to unpack.

Also works for:

sigtool -fSanesecurity.Phishing.Fake.13780 | sigtool --decode-sigs

Could a --database type option be added to sigtool, for loading databases
outside the normal DatabaseDirectory area from the clamd.conf file?

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] FreshClam claims installation is OUTDATED

2010-05-20 Thread Steve Basford

 If someone can point me to the solution ?!
 WARNING: Your ClamAV installation is OUTDATED!
 WARNING: Local version: 0.96 Recommended version: 0.96.1
 # clamd -V
 ClamAV 0.96/11056/Thu May 20 08:33:06 2010

You are using 0.96.. the latest being 0.96.1, released yesterday:

http://lurker.clamav.net/message/20100519.150330.91387f9d.en.html

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] How to remove my domain from your safebrowsing database

2010-05-19 Thread Steve Basford
 For some reason your program has my domain (mwrinc.com) listed as bad, and
 as a result some of our clients cannot receive our emails.  How can I
 remove my domain from your list.  It is not on google's safe browsing
 list, nor is it blocked by any other spam/virus program that I am aware of

 This is our google safe browsing hash
 DD277B39D915A9A881E42A864F5DDBD56BD6AA628C2811AC7CDC694EA378DBD0

Not ideal but...You should be able to fix this *locally* by creating a
local.gdb file:

S:W:DD277B39D915A9A881E42A864F5DDBD56BD6AA628C2811AC7CDC694EA378DBD0

Cheers,

Steve
Sanesecurity



[Clamav-users] bytecode.cvd problem again?

2010-05-14 Thread Steve Basford

Hi,

Just had clamd 0.96 win32 port crash...

LibClamAV debug: 767942.cbc loaded
LibClamAV debug: Loading trusted bytecode
LibClamAV debug: bytecode using API 66, but highest API known to libclamav is 45, skipping
LibClamAV debug: 767944.cbc loaded
LibClamAV debug: Loading trusted bytecode
LibClamAV debug: bytecode using API 51, but highest API known to libclamav is 45, skipping
LibClamAV debug: 782872.cbc loaded
LibClamAV Error: cli_tgzload: File 782872.cbc not correctly loaded
LibClamAV Error: Can't load C:\Clamav\database\bytecode.cld: Malformed database
LibClamAV debug: cli_loaddbdir(): error loading database C:\Clamav\database\bytecode.cld
ERROR: Malformed database
LibClamAV debug: hashtab: Freeing hashset, elements: 3147, capacity: 65536
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

bytecode.cld updated (version: 20, sigs: 3, f-level: 51, builder: nervous)
Database updated (773404 signatures) from db.gb.clamav.net (IP: 217.135.32.99)


Cheers,

Steve
Sanesecurity


Re: [Clamav-users] bytecode.cvd problem again?

2010-05-14 Thread Steve Basford



Török Edwin wrote:
 Please update to latest from 0.96 branch/master, and it should work.

Just downloading and re-compiling now... I need a faster machine :(

Thanks for looking into it...

Cheers,

Steve
Sanesecurity


Re: [Clamav-users] FP on Sanesecurity.Junk.23771

2010-05-12 Thread Steve Basford
 We've had a couple of legitimate messages hit on Sanesecurity.Junk.23771
 within the last week or so.

Hi Adam,

Signature fixed.

Sanesecurity False Positives should be reported to: false_positive AT
sanesecurity DOT me DOT uk.

More information here:
http://sanesecurity.co.uk/fps.htm

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-29 Thread Steve Basford
 I meant that the other day there was a URL in the body of an email
 that passed through as ham when in fact it ended in 'ecard.exe' and,
 should the recipient download it, would be shown to be a trojan.
 Doesn't clamav block stuff like this, I thought?

Hi Alex,

If you still have a copy of the headers & body, could you send me a sample:

samples AT sanesecurity DOT me DOT uk

I'll run it against the dbs I've got here.

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-29 Thread Steve Basford
 If you still have a copy of the headers & body, could you send me a
 sample:

 Attachment sent.

Thanks for the sample Alex.

It's already being detected as:

Sanesecurity.Malware.8830.UNOFFICIAL

So, you should already be covered :)

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] Resources for integrating with spamassassin+amavisd

2010-04-28 Thread Steve Basford
 No, I can run rsync right afterwards and it succeeds, like this:

 # rsync -v rsync://ns.km33603.keymachine.de/sanesecurity/

 Here's the output from the clamav-unofficial-sigs.sh script immediately
 after:

Hi Alex,

If you run rsync manually and then run the script after, you'll no doubt
get a block from the server...as some mirrors only allow one rsync hit per
hour...

Just to try this out...

1. run the above rsync command manually
2. run the above rsync command *again*, manually

Does the first one work.. and the second one fail?

If that's the case, wait 5 mins or so and run the script again, by that
time, you should hit a different mirror.

Cheers,

Steve
Sanesecurity




Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Steve Basford



Noel Jones wrote:
 Clam must scan the whole email message because (as you know) some
 signatures only trigger on files that look like a mail message.
 To have both attachment blocking and full email scanning, the mail
 ends up being scanned twice.  Maybe I'll put in a request for a "don't
 scan decoded parts" feature ...


I've updated the page here with the new info:

http://www.sanesecurity.com/clamav/problems.htm

In order to get the best out of the Sanesecurity signatures the FULL
message must be passed to ClamAV, as a lot of the signatures use the From
header/Subject/other headers and combinations of header and body.

As for performance, I'd agree that not double-scanning would be a good idea.

Cheers,

Steve
Sanesecurity
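
An added example, not ClamAV code, that covers two things from this thread: what `sigtool --decode-sigs` makes readable (the .ndb hex body with its ?? / * / {n-m} wildcards, rendered here in a simplified form) and why a signature that combines a header with body text only fires when the whole message is handed to ClamAV. Only the Name:Target:Offset:HexSig layout and target type 4 for mail are taken from ClamAV's format; the two signatures and the message are constructed for the example, and the matcher works on raw bytes without ClamAV's own mail decoding and normalisation.

```python
"""Decode .ndb hex signatures and match them against a raw mail (added example, not ClamAV code).

Supported subset of Name:TargetType:Offset:HexSig: literal hex bytes, ?? (one byte),
* (any run) and {n}, {n-m}, {-m}, {n-} (bounded runs). (aa|bb) alternatives and
offsets other than * or an integer are rejected. No mail decoding or normalisation.
"""
import re

_TOKEN = re.compile(r"[0-9a-fA-F]{2}|\?\?|\*|\{[0-9]*-?[0-9]*\}")


def tokenize_hexsig(hexsig):
    """Split the hex body into literal-byte and wildcard tokens, rejecting anything else."""
    tokens, pos = [], 0
    while pos < len(hexsig):
        m = _TOKEN.match(hexsig, pos)
        if not m:
            raise ValueError("unsupported hexsig syntax at %d: %r" % (pos, hexsig[pos:]))
        tokens.append(m.group(0))
        pos = m.end()
    return tokens


def parse_ndb_line(line):
    """Name:TargetType:Offset:HexSig -> dict with the body already tokenized."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    if offset != "*" and not offset.isdigit():
        raise ValueError("offset %r not supported in this example" % offset)
    return {"name": name, "target": int(target), "offset": offset,
            "tokens": tokenize_hexsig(hexsig)}


def decode_hexsig(hexsig):
    """Readable rendering: printable bytes as text, others as \\xNN, wildcards in braces."""
    out = []
    for tok in tokenize_hexsig(hexsig):
        if tok in ("??", "*"):
            out.append("{" + tok + "}")
        elif tok.startswith("{"):
            out.append(tok)
        else:
            b = int(tok, 16)
            out.append(chr(b) if 0x20 <= b <= 0x7E else "\\x%02x" % b)
    return "".join(out)


def _bounds(tok):
    """{n} -> (n, n); {n-m} -> (n, m); {-m} -> (0, m); {n-} -> (n, None)."""
    body = tok[1:-1]
    if "-" not in body:
        return int(body), int(body)
    lo, hi = body.split("-", 1)
    return (int(lo) if lo else 0), (int(hi) if hi else None)


def compile_sig(sig):
    """Token list -> bytes regex; DOTALL so wildcards run across line breaks."""
    parts = []
    for tok in sig["tokens"]:
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, hi = _bounds(tok)
            parts.append(b".{%d,%s}" % (lo, b"" if hi is None else str(hi).encode()))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, sigs):
    """Names of the signatures that match: anywhere for offset *, else at that byte offset."""
    hits = []
    for sig in sigs:
        rx = compile_sig(sig)
        found = (rx.search(data) if sig["offset"] == "*"
                 else rx.match(data, int(sig["offset"])))
        if found:
            hits.append(sig["name"])
    return hits


SIGS_NDB = [  # constructed signatures, target type 4 = mail
    # "From:" {*} "@example-bank.test" {*} "verify": needs header AND body
    "Example.Phish.HeaderBody:4:*:46726f6d3a*406578616d706c652d62616e6b2e74657374*766572696679",
    # "verify" {1-40} "account": body wording only
    "Example.Phish.BodyOnly:4:*:766572696679{1-40}6163636f756e74",
]

RAW_MAIL = (  # constructed message, not a real sample
    b"From: Security Team <alerts@example-bank.test>\r\n"
    b"To: someone@example.org\r\n"
    b"Subject: Action required\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please verify your account within 24 hours.\r\n"
)


def body_only(raw):
    """What a filter that hands over only decoded parts gives the scanner: no headers."""
    return raw.split(b"\r\n\r\n", 1)[1]


def demo():
    sigs = [parse_ndb_line(l) for l in SIGS_NDB]
    return {
        "decoded": [decode_hexsig(l.split(":", 3)[3]) for l in SIGS_NDB],
        "whole_message": scan(RAW_MAIL, sigs),
        "body_part_only": scan(body_only(RAW_MAIL), sigs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the header+body signature hitting the full message and silently missing when only the decoded text part is scanned, which is the behaviour the "FULL message" advice above is about.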


Re: [Clamav-users] (no subject)

2010-04-21 Thread Steve Basford
 +1

+0x1

but if you *really* must...
http://www.acepolls.com/polls/1116421-clamav-eol-what-do-you-think

Steve
Sanesecurity





Re: [Clamav-users] HTML.IFrame-39 (www.apple.com, lenovo.com, ...)

2010-04-21 Thread Steve Basford
 I guess this is a false positive?

decodes to:

width=1 height=1 f*r*a*m*e*b*o*r*d*e*r=0/i*f*r*a*m*e
(remove *'s)

I guess this might hit on

If you are using 0.96 and want to whitelist it:

1. create a whitelist.ign2 file (for example)
2. insert the text: HTML.IFrame-39
3. restart clamd

4. Submit a sample and click the False Positive box:

http://cgi.clamav.net/sendvirus.cgi

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] No debian woody support anymore?

2010-04-21 Thread Steve Basford
 After the last signature update, clam av stopped working on our woody
 installation.

Could be this...

This move is needed to push more people to upgrade to 0.95

See:  http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] HTML.IFrame-39 (www.apple.com, lenovo.com, ...)

2010-04-21 Thread Steve Basford
 We use clamav within a webscanner. The sample is the webpage itself:
 - http://www.alice-dsl.de/
 - http://www.lenovo.com/us/en/
 - http://www.sky.de/web/cms/de/abonnieren-paket-info.jsp
 - http://www.apple.com/

Yep, the signature will match those, as it's quite generic.  So, it hits
those doubleclick.net adverts/tracking iframes.

That's the one of the issues with email use vs web use of some signatures.

Cheers,

Steve
Sanesecurity



Re: [Clamav-users] Clubbing a deceased equine

2010-04-21 Thread Steve Basford



Christopher X. Candreva wrote:
 I disagree with that statement because it's incomplete.. The purpose of this
 update was to make running software break WITH A DESCRIPTIVE ERROR.
 Important difference.

 The alternative being breaking with an incomprehensible hex dump

I think that sums it up... that, to me, seemed like the ONLY aim.

I even contacted ISC the day before and gave them a reminder:
http://isc.sans.org/diary.html?storyid=8635rss

I did see an interesting idea on the devel mailing list from David: "I
have a feature suggestion: Incorporate the version number in your
DNS TXT records and download URLs. Your download mirrors can use
symlinks in most cases (when versions are completely compatible) and
you can easily stop older machines from attempting to download by
stopping updates on the 0.96.whatever.clamav.net TXT record."

Source:  http://lurker.clamav.net/message/20100408.011105.c584f530.en.html

Would this idea help minimise any future issues like this?

Cheers,

Steve
Sanesecurity


Re: [Clamav-users] ClamAV on Windows Server 2003

2010-04-20 Thread Steve Basford
 Does anyone know if there is still a Windows compilation which will run on
 Windows Server 2003 SP2? ClamAV (clam-latest-32.exe) refuses to install on
 this operating system and ClamWin seems to have mutated into a desktop
 product which lacks clamd and clamdscan etc.

Hi Tim,

Have you tried these:

http://hideout.ath.cx/clamav/
http://sourceforge.net/projects/clamav/files/clamav/win32/
http://oss.netfarm.it/clamav/

Cheers,

Steve
Sanesecurity




Re: [Clamav-users] ClamAV on Windows Server 2003

2010-04-20 Thread Steve Basford
 Does anyone know if there is still a Windows compilation which will run on
 Windows Server 2003 SP2? ClamAV (clam-latest-32.exe) refuses to install on
 this operating system and ClamWin seems to have mutated into a desktop
 product which lacks clamd and clamdscan etc.

Speaking of the clam-latest-32.exe file, I think the main website
http://www.clamav.net/lang/en/about/win32/ could be made a little
clearer...

Windows GUI (desktop users version)
Location 1: http://www.clamav.net/win32/clam-latest-32.exe
Location 2: http://www.clamav.net/win32/clam-latest-64.exe

Note: This version is a cloud based product and currently doesn't include
clamd/freshclam or support for Third-Party signatures.

Windows Command line (server use)
Location: http://sourceforge.net/projects/clamav/files/clamav/win32/

Something like that.. but obviously better ;)

Cheers,

Steve
Sanesecurity



[Clamav-users] www.clamav.net down?

2010-04-16 Thread Steve Basford
Hi,

www.clamav.net seems to have been down for short periods of time today,
is there extra load due to the EOL announce on the site?

Example here:

http://host-tracker.com/check_res_ajx/4730986-0/

Cheers,

Steve
Sanesecurity




[Clamav-users] The EOL tweets

2010-04-16 Thread Steve Basford
Hi,

Just for interest.. feedback on EOL...

http://search.twitter.com/search?q=clamav

Cheers,

Steve
Sanesecurity


