Re: [clamav-users] LibClamAV Warning: Unsupported message format `http'

2017-12-22 Thread Steven Morgan
Tilman,

Please attach here:

https://bugzilla.clamav.net/show_bug.cgi?id=12002

Thanks,
Steve


On Fri, Dec 22, 2017 at 9:35 AM, Steven Morgan <smor...@sourcefire.com>
wrote:

> Tilman,
>
> Thanks for the notification, we will check out the code. I'll open a bug
> report where you can post your sample.
>
> Steve
>
>
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] LibClamAV Warning: Unsupported message format `http'

2017-12-22 Thread Steven Morgan
Tilman,

Thanks for the notification, we will check out the code. I'll open a bug
report where you can post your sample.

Steve

On Fri, Dec 22, 2017 at 9:03 AM, Tilman Schmidt 
wrote:

> ClamAV running on Ubuntu Xenial, package version
> 0.99.2+dfsg-0ubuntu0.16.04.2, emits the following warning message when
> scanning one of my Thunderbird IMAP mail folders:
>
> LibClamAV Warning: Unsupported message format `http' - if you believe
> this file contains a virus, submit it to www.clamav.net
>
> I whittled it down to a specific mail message which contained in its
> body an HTTP header including the line "Content-Type: message/http"
> (quite legitimately - it was a discussion of a web server's behaviour)
> and have produced a minimal file (25 lines, 773 bytes) exhibiting the
> problem.
>
> IMHO this warning is spurious. The file in question does not in fact
> contain anything in "message format `http'".
>
> How can I contribute to getting this fixed?
> Anyone interested in my minimal sample file?
>
> Thanks,
> Tilman
>


Re: [clamav-users] Counting scanned objects with clamdscan?

2017-12-19 Thread Steven Morgan
Dan,

There is a ticket about this. I am not sure whether the needed info is
always available to clamdscan.
https://bugzilla.clamav.net/show_bug.cgi?id=11922

Steve

On Tue, Dec 19, 2017 at 11:02 AM, Dan Rawson  wrote:

> How can I count the files/objects scanned?  This works fine with clamscan
> ("-v --stdout -r"); I get a summary showing the number of files, etc.  But
> when I do the same with clamdscan, all I get is:
>
> # clamdscan -v --stdout
> /home/drawson/Downloads/eicar.com: Eicar-Test-Signature FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 1
> Time: 1363.550 sec (22 m 43 s)
>
> I did set LogVerbose to "yes" in clamd.conf, but it didn't make any
> difference
>
> Thanks!
>
> Dan
>


Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 beta2 has been released!

2017-12-19 Thread Steven Morgan
https://bugzilla.clamav.net/show_bug.cgi?id=12000 is the ticket.

Steve

On Tue, Dec 19, 2017 at 10:59 AM, Joel Esler (jesler) 
wrote:

> Can you please open a ticket in bugzilla.clamav.net?
>
>
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
>
>
>
>
>
>
> On Dec 19, 2017, at 7:29 AM, Andreas Schulze <andreas.schu...@datev.de> wrote:
>
> On 18.12.2017 at 18:06 Joel Esler (jesler) wrote:
> ClamAV 0.99.3 beta2 has been released!
>
> hello,
>
> I upgraded some lab servers from beta1 to beta2.
> Now I receive messages from cron containing the text "debug enabled"
> That happen on reloads where yara rules are active.
>
> I found the string in "libclamav/yara_lexer.c" and
> "libclamav/yara_lexer.l".
>
> what's going on there?
>
>
> --
> A. Schulze
> DATEV eG
>
>


Re: [clamav-users] Improving clamscan speed?

2017-12-18 Thread Steven Morgan
Dan,

I have opened ticket https://bugzilla.clamav.net/show_bug.cgi?id=11990 to
track ClamAV performance issues.

Please post any additional ClamAV performance related info there.

Steve


Re: [clamav-users] How to abort a scan

2017-11-22 Thread Steven Morgan
Hi Chaitanya,

You can send the SHUTDOWN command to terminate clamd. Other than that, once
the scanning engine is passed a scan request, it needs to complete so that
system resources are properly released. There are also some clamd configuration
parameters to limit the amount of scanning (see MaxScanSize, MaxFileSize,
MaxFiles, MaxRecursion). These may reduce the amount of resources used.

Hope this helps,

Steve


Re: [clamav-users] CVE fix status

2017-11-21 Thread Steven Morgan
Zetan,

I've added you to the cc list. Please try it now.

Steve

On Tue, Nov 21, 2017 at 11:58 AM, Zetan Drableg 
wrote:

> Thank you. After signing up with bugzilla I still get the message " You are
> not authorized to access bug #11961. "
>
>


Re: [clamav-users] CVE fix status

2017-11-20 Thread Steven Morgan
I think some may be fixed already. I've opened ticket 11961 in the ClamAV
bugzilla for followup and tracking.

Steve


On Mon, Nov 20, 2017 at 2:54 PM, Zetan Drableg 
wrote:

> Hi,
> Anyone know when these CVEs will be fixed? Does clamav provide a 0.99.2
> security fix branch or do I need to consume 0.99.3 devel? Does EPEL backport
> fixes?
>
> CVE-2017-6418
> CVE-2017-6419
> CVE-2017-6420
>
> It was discovered that ClamAV incorrectly handled parsing certain e-mail
> messages. A remote attacker could possibly use this issue to cause ClamAV
> to crash, resulting in a denial of service. (CVE-2017-6418)
>
> It was discovered that ClamAV incorrectly handled certain malformed CHM
> files. A remote attacker could use this issue to cause ClamAV to crash,
> resulting in a denial of service, or possibly execute arbitrary code. This
> issue only affected Ubuntu 14.04 LTS. In the default installation,
> attackers would be isolated by the ClamAV AppArmor profile. (CVE-2017-6419)
>
> It was discovered that ClamAV incorrectly handled parsing certain PE files
> with WWPack compression. A remote attacker could possibly use this issue to
> cause ClamAV to crash, resulting in a denial of service. (CVE-2017-6420)
>
> Thank you
>


Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Steven Morgan
Mark,

Please open a bug report about this issue at bugzilla.clamav.net. Please
include your file and we can look into the issues.

Thanks,
Steve



On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley  wrote:

> I'm going to continue piggybacking onto this thread as it deals with
> Clamav's
> non-discovery of the malware attached to messages with the subject "Invoice
> ...". Although, I don't know if this is the same type of attachment.
>
> The attachments I've been getting are .docx file named as .doc files. In
> examining the contents of these archives I find:
>
> $ unzip -l InvoiceZGC3020188.doc
> Archive:  InvoiceZGC3020188.doc
>   Length  DateTimeName
> -  -- -   
>  1510  01-01-1980 00:00   [Content_Types].xml
>   590  01-01-1980 00:00   _rels/.rels
>  1226  01-01-1980 00:00   word/_rels/document.xml.rels
>  5097  01-01-1980 00:00   word/document.xml
>  5424  01-01-1980 00:00   word/media/image1.emf
>132276  01-01-1980 00:00   word/media/image2.png
>  6850  01-01-1980 00:00   word/theme/theme1.xml
>  6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
>  4809  01-01-1980 00:00   word/settings.xml
>  1299  01-01-1980 00:00   word/fontTable.xml
>   576  01-01-1980 00:00   word/webSettings.xml
>   995  01-01-1980 00:00   docProps/app.xml
> 29121  01-01-1980 00:00   word/styles.xml
>   732  01-01-1980 00:00   docProps/core.xml
> - ---
>196649 14 files
>
> "Normal" .docx files do not have the oleObject1.bin as an archive members.
> I do
> have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting
> this
> oleObject1.bin member?
>
> (To where should I submit a sample of this attachment?)
>
> --Mark
>
> -Original Message-
> From: Mark Foley 
> Date: Wed, 15 Nov 2017 13:18:23 -0500
> Organization: Novatec Software Engineering, LLC
> To: clamav-users@lists.clamav.net
>
> I'm having this same issue. The problem as I see it is that the .doc
> attached to
> these "Invoice" message is encrypted and clamav does not see what's
> inside. I'm
> discussing this encrypted attachment issue in my thread, subject: "password
> protected encrypted .docx files". I'm continuing to research this.
>
> --Mark
>
> On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel 
> wrote:
>
> > Other virus not detected
> >
> > https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
> >
> >
> > > On 14/11/17 at 09:52, Emanuel wrote:
> > > Scan the attachment, clamav not detect this file.
> > >
> > >
> > > On 14/11/17 at 09:51, Al Varnell wrote:
> > >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
> > >> the first one, but neither catch the second one you showed us. The
> > >> SHA256 for a file is the same no matter what scanner is used.
> > >>
> > >> -Al-
> > >>
> > >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> > >>> the first scan is with kaspersky online
> > >>>
> > >>>
> > >>> On 14/11/17 at 09:31, Al Varnell wrote:
> >  That's not the same file you showed before. The SHA256 is different.
> > 
> >  -Al-
> > 
> >  On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> > > Please see
> > >
> > > https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> > >
> > >
> > >
> > > On 14/11/17 at 09:00, Al Varnell wrote:
> > >> According to VirusTotal, ClamAV does detect it as
> > >> Doc.Dropper.Agent-6369707-0
> > >> https://www.virustotal.com/file/142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf/analysis/
> > >>
> > >>
> > >> but go ahead and try to submit it anyway.
> > >>
> > >> -Al-
> > >>
> > >> On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
> > >>> Hello,
> > >>>
> > >>> I received two docs files in a email with the Subject "Invoice".
> > >>> The attachment is a malware virus, clamav not detected this.
> > >>>
> 
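
Added example, not ClamAV code and not part of the thread: a small Python
triage of an Office attachment that does programmatically what Mark's
"unzip -l" listing does by hand. It classifies by magic bytes rather than by
extension (a zip-based package delivered under a .doc name is flagged), lists
the OOXML parts, and singles out embeddings and VBA parts. The sample
documents are constructed in memory, and the part names treated as suspicious
(word/embeddings/, vbaProject.bin) are this example's own assumption. One
caveat it makes visible: a password-protected .docx is not a zip at all but an
OLE2/CFB container, so it lands in the same "ole2" bucket as a legacy binary
.doc and needs a CFB directory walk (looking for the EncryptionInfo stream) to
tell the two apart.

```python
"""Added example (not ClamAV code): programmatic triage of an Office attachment.
Sample documents are constructed in memory; the part names treated as
suspicious are this example's own assumption about where OOXML stores
embedded objects and VBA."""
import io
import zipfile
from typing import Any, Dict

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary (CFB) header
ZIP_MAGIC = b"PK\x03\x04"                           # first local file header of a zip

# OOXML parts that carry embedded objects or macros; an embedded OLE object
# under word/embeddings/ is exactly what stood out in the unzip -l listing.
EMBEDDING_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def container_type(data: bytes) -> str:
    """Classify by the first bytes, never by the attachment's extension."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if data.startswith(OLE2_MAGIC):
        # Either a legacy binary .doc or a password-protected .docx: Office
        # stores an encrypted OOXML package inside a CFB container, so a zip
        # check fails on it.  Telling the two apart needs a CFB directory walk
        # (an EncryptionInfo stream marks the encrypted package).
        return "ole2"
    return "unknown"


def triage(filename: str, data: bytes) -> Dict[str, Any]:
    """Collect what a reviewer wants before deciding to block or submit."""
    kind = container_type(data)
    report: Dict[str, Any] = {
        "container": kind,
        # a zip-based package delivered under a legacy .doc name
        "extension_mismatch": filename.lower().endswith(".doc") and kind == "ooxml-zip",
        "members": [],
        "embeddings": [],
        "macros": [],
    }
    if kind != "ooxml-zip":
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["members"].append(info.filename)
            if info.filename.startswith(EMBEDDING_PREFIXES):
                report["embeddings"].append(info.filename)
            if info.filename in MACRO_PARTS:
                report["macros"].append(info.filename)
    return report


def build_sample_docx(with_ole_object: bool) -> bytes:
    """Constructed minimal OOXML package, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_ole_object:
            # an embedded OLE object is itself a small CFB container
            zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("InvoiceZGC3020188.doc", build_sample_docx(True)),   # the thread's case
        ("clean.docx", build_sample_docx(False)),
        ("legacy.doc", OLE2_MAGIC + b"\x00" * 504),
    )
    for name, blob in samples:
        r = triage(name, blob)
        print(f"{name}: {r['container']}, mismatch={r['extension_mismatch']}, "
              f"embeddings={r['embeddings']}, macros={r['macros']}")
```

Run it as a script to see the three constructed cases side by side; in a
mail pipeline the same triage() call on the decoded attachment tells you
whether a sample is worth submitting as "undetected" or whether clamd never
got to see inside it because the package is encrypted.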

Re: [clamav-users] LibClamAV Warning

2017-10-17 Thread Steven Morgan
Hi,

Thanks for the report. Tracking the issue here:

https://bugzilla.clamav.net/show_bug.cgi?id=11930


Steve


On Tue, Oct 17, 2017 at 2:46 AM, Hajo Locke  wrote:

> Hello,
>
> today I see a warning when starting a manual clamscan:
>
> # clamscan -ir
> LibClamAV Warning: Don't know how to create filter for:
> Win.Trojan.Dovs-6343034-0
> LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie
>
>
> Version is 0.99.2  included in Ubuntu 16.04
>
> Thanks,
> Hajo


Re: [clamav-users] Injection Vulnerability in 0.99.2

2017-09-28 Thread Steven Morgan
Hi,

The fact that using clamd over TCP has insecurities has come up before. If
using clamd, it is recommended to use the local socket option rather than a
TCP socket.

# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.

Until it is fixed, only use TCP sockets on externally secured networks.
Also check the TCPAddr clamd configuration statement:

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1

Steve

On Thu, Sep 28, 2017 at 4:47 PM, Al Varnell  wrote:

> The URL was corrupted in the e-mail I received. See if this works:
> [link truncated: ...1.4.1.25623.1.0.105762]
>
> And quoting the info found there:
> > Test ID:  1.3.6.1.4.1.25623.1.0.105762
> > Category: General
> > Title:ClamAV `Service Commands` Injection Vulnerability
> > Summary:  ClamAV 0.99.2, and possibly other previous versions, allow
> the execution of clamav commands SCAN and SHUTDOWN without authentication.
> > Description:  Summary:
> > ClamAV 0.99.2, and possibly other previous versions, allow the execution
> of clamav commands SCAN and SHUTDOWN without authentication.
> >
> > CVSS Score:
> > 5.0
> >
> > CVSS Vector:
> > AV:N/AC:L/Au:N/C:P/I:N/A:N
> >
> > Copyright Copyright (C) 2016 Greenbone Networks GmbH
>
> -Al-
>
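
Added example, not ClamAV code: the check a practitioner wants after reading
the TCPAddr comment above, as a Python audit of a clamd.conf. clamd's command
protocol carries no authentication, so whoever can open the socket can issue
SCAN against any path clamd can read, or SHUTDOWN; the only control is where
the socket is reachable from. The three config samples are constructed for the
example; the option names are the real clamd.conf ones quoted in the thread.

```python
"""Added example (not ClamAV code): audit a clamd.conf for an exposed command
socket.  The config samples are constructed; the option names are the real
ones from clamd.conf."""
import ipaddress
from typing import List, Optional


class ListenConfig:
    """The three clamd.conf options that decide who can talk to clamd."""

    def __init__(self) -> None:
        self.local_socket: Optional[str] = None   # LocalSocket /path
        self.tcp_socket: Optional[int] = None     # TCPSocket port
        self.tcp_addrs: List[str] = []            # TCPAddr, may repeat


def parse_clamd_conf(text: str) -> ListenConfig:
    """clamd.conf is line oriented: '#' starts a comment, otherwise 'Option value'."""
    cfg = ListenConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if name == "LocalSocket":
            cfg.local_socket = value
        elif name == "TCPSocket":
            cfg.tcp_socket = int(value)
        elif name == "TCPAddr":
            cfg.tcp_addrs.append(value)
    return cfg


def audit_listeners(cfg: ListenConfig) -> List[str]:
    """One finding per way the unauthenticated command socket is reachable
    from another host.  An empty list means local-only (or loopback-only)."""
    findings: List[str] = []
    if cfg.tcp_socket is None:
        return findings                      # LocalSocket only: nothing listens on the network
    if not cfg.tcp_addrs:
        findings.append(f"TCPSocket {cfg.tcp_socket} without TCPAddr: binds INADDR_ANY, "
                        "SCAN and SHUTDOWN are accepted from any host that can reach the port")
    for addr in cfg.tcp_addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"TCPAddr {addr}: not an IP literal, scope cannot be verified")
            continue
        if ip.is_unspecified:
            findings.append(f"TCPAddr {addr}: wildcard bind, same exposure as no TCPAddr")
        elif not ip.is_loopback:
            findings.append(f"TCPAddr {addr}: reachable from the network, acceptable only "
                            "on an externally secured segment")
    return findings


# Constructed samples.  The first is the setup the thread warns about.
WEAK_CONF = """\
TCPSocket 3310
#TCPAddr 127.0.0.1
"""

# Local mode, which the clamd.conf comment recommends.
LOCAL_CONF = """\
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketMode 660
"""

# TCP kept for a local client, but bound to loopback only.
LOOPBACK_TCP_CONF = """\
TCPSocket 3310
TCPAddr 127.0.0.1
TCPAddr ::1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("local", LOCAL_CONF), ("loopback", LOOPBACK_TCP_CONF)):
        findings = audit_listeners(parse_clamd_conf(text))
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

A clean audit only says nothing listens off-host; with LocalSocket the
question moves to filesystem permissions, since any local user who can
connect to the socket path gets the same unauthenticated SCAN/SHUTDOWN.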


Re: [clamav-users] ClamAV SegFault on Reload - 0.99.3-beta1

2017-09-26 Thread Steven Morgan
Michael,

Since this is intermittent, adding a custom diagnostic patch may be the
best way to proceed. If you can work with this, I'll write something and
send it to you. It would be great to get to the bottom of this before
releasing 0.99.3.

Thanks,
Steve

On Mon, Sep 25, 2017 at 8:11 PM, Michael D.  wrote:

> Hi Steven,
>
> Tried running "clamdscan --reload" throughout the night - no segfaults so
> far.
>
> I have been running "clamav-unofficial-sigs.sh" via. cron every hour - and
> it's the reload invoked by that script that sometimes triggers the segfault.
>
> I'll examine my logs to see if I can narrow down on any specific DB-Update
> that might cause the fault.
>
> And thanks for your reply :)
>
> Best regards
>


Re: [clamav-users] ClamAV SegFault on Reload - 0.99.3-beta1

2017-09-25 Thread Steven Morgan
Michael,

Sorry for not replying sooner. I reviewed the segfault, gdb output, and
code on Friday. Are you able to reproduce the problem with 'clamdscan
--reload'?

Thanks,
Steve

On Sun, Sep 24, 2017 at 8:10 AM, Michael D.  wrote:

> Hi,
>
> I twice tried to reach out to the ClamAV Developers regarding this error,
> but have been ignored.
>
> Anyone?
>
> Best regards
>
>Michael
>
>
> Latest segfaults since rebooting 8 days ago:
>
> Sep 21 16:42:49 Boomer kernel: clamd[4208]: segfault at 7f27d5dd7780 ip
> 7f27c56650b2 sp 7ffd818b8280 error 4 in
> libclamav.so.7.1.1[7f27c562b000+1cf000]
> Sep 21 21:39:25 Boomer kernel: clamd[8589]: segfault at 14cf977 ip
> 7f64092b7086 sp 7ffc215e33c0 error 4 in
> libclamav.so.7.1.1[7f640927d000+1cf000]
> Sep 22 10:39:26 Boomer kernel: clamd[28493]: segfault at 15f56e6 ip
> 7fbcbed4c086 sp 7ffd451b9ff0 error 4 in
> libclamav.so.7.1.1[7fbcbed12000+1cf000]
> Sep 22 17:40:35 Boomer kernel: clamd[26125]: segfault at 2c561cd ip
> 7fb8586691c5 sp 7fffee7a7cd8 error 4 in
> libclamav.so.7.1.1[7fb8585aa000+1cf000]
> Sep 23 06:38:17 Boomer kernel: clamd[29676]: segfault at f2e99de ip
> 7f9f243090b2 sp 7ffd90a09bf0 error 4 in
> libclamav.so.7.1.1[7f9f242cf000+1cf000]
> Sep 23 18:38:53 Boomer kernel: clamd[20460]: segfault at 32de7d5 ip
> 7f3f518481c5 sp 7ffda4178b98 error 4 in
> libclamav.so.7.1.1[7f3f51789000+1cf000]
> Sep 23 23:42:25 Boomer kernel: clamd[9637]: segfault at 33ac956 ip
> 7fc4ddb881c5 sp 7ffe1457f378 error 4 in
> libclamav.so.7.1.1[7fc4ddac9000+1cf000]
> Sep 24 09:38:53 Boomer kernel: clamd[13548]: segfault at 6 ip
> 7f28c1c5 sp 7fffb209c748 error 4 in
> libclamav.so.7.1.1[7f28bbafd000+1cf000]
> Sep 24 11:44:37 Boomer kernel: clamd[17253]: segfault at 6 ip
> 7f3af21b41c5 sp 7ffe2c059ad8 error 4 in
> libclamav.so.7.1.1[7f3af20f5000+1cf000]
> Sep 24 13:42:53 Boomer kernel: clamd[22657]: segfault at 1c0d12b ip
> 7efbfdf2f1c5 sp 7fff0b092628 error 4 in
> libclamav.so.7.1.1[7efbfde7+1cf000]
>
>
>
> On 09/22/2017 05:50 PM, Michael D. wrote:
>
>> Hi,
>>
>> The Clamd process still SegFault on reload after upgrading to
>> 0.99.3-beta1.
>>
>> Sep 21 16:42:49 Boomer kernel: clamd[4208]: segfault at 7f27d5dd7780 ip
>> 7f27c56650b2 sp 7ffd818b8280 error 4 in
>> libclamav.so.7.1.1[7f27c562b000+1cf000]
>> Sep 21 21:39:25 Boomer kernel: clamd[8589]: segfault at 14cf977 ip
>> 7f64092b7086 sp 7ffc215e33c0 error 4 in
>> libclamav.so.7.1.1[7f640927d000+1cf000]
>> Sep 22 10:39:26 Boomer kernel: clamd[28493]: segfault at 15f56e6 ip
>> 7fbcbed4c086 sp 7ffd451b9ff0 error 4 in
>> libclamav.so.7.1.1[7fbcbed12000+1cf000]
>>
>> Anything I can do to help narrowing down on the fault?
>>
>> Best regards
>>  Michael
>>
>>
>> On 07/03/2017 12:50 PM, Michael D. wrote:
>>
>>> Hi,
>>>
>>> I've been running the Development Version of ClamAV for a while, and the
>>> only problem I've encountered is that sometimes when it's instructed to
>>> reload the databases (clamscan --reload) it SegFaults:
>>>
>>> Jun 18 15:25:04 Boomer kernel: clamd[3414]: segfault at 1de2 ip
>>> 7f618669d345 sp 7ffe57c51d28 error 4 in
>>> libclamav.so.7.1.1[7f61865e+1b7000]
>>> Jun 19 01:44:17 Boomer kernel: clamd[3423]: segfault at 15f0d1 ip
>>> 7f30e1010345 sp 7ffdb449ccb8 error 4 in
>>> libclamav.so.7.1.1[7f30e0f53000+1b7000]
>>> Jun 30 22:41:08 Boomer kernel: clamd[3723]: segfault at 748334 ip
>>> 7f16a9c04066 sp 7ffc68399d80 error 4 in
>>> libclamav.so.7.1.1[7f16a9bca000+1cf000]
>>>
>>> To get more information I installed gdb, and ran it like this:
>>>
>>> root@Boomer [ ~ ]# gdb /usr/sbin/clamd
> >>> (gdb) run --debug -c /etc/clamav/clamd.conf
>>> Starting program: /usr/sbin/clamd --debug -c /etc/clamav/clamd.conf
>>> warning: Unable to find libthread_db matching inferior's thread library,
>>> thread debugging will not be available.
>>> LibClamAV debug: Initialized devel-clamav-0.99-beta1-683-g5a0b148b4
>>> engine
>>> LibClamAV debug: Initializing phishcheck module
>>> 
>>>
>>>
>>> After a while I got this: (Along with a Core Dump)
>>>
>>> $Received POLLIN|POLLHUP on fd 7
>>> $fds_poll_recv: timeout after 5 seconds
>>> $Received POLLIN|POLLHUP on fd 11
>>> $got command RELOAD (7, 2), argument:
>>> $Receive thread: closing conn (FD 11), group finished
>>> $Consumed entire command
>>>
>>> Thread 1 "clamd" received signal SIGSEGV, Segmentation fault.
>>> mpool_free (mp=0x77fa6000, ptr=0x1) at mpool.c:698
>>> 698  f = allocbase_fromfrag(f);
>>> (gdb)
>>> (gdb)
>>> (gdb)
>>> (gdb) bt
>>> #0  mpool_free (mp=0x77fa6000, ptr=0x1) at mpool.c:698
>>> #1  0x77a2c038 in hm_free (root=root@entry=0x75289168) at
>>> matcher-hash.c:315
>>> #2  0x77a3d242 in cl_engine_free (engine=engine@entry=0x6b9b40)
>>> at readdb.c:4989
>>> #3  0x0040e65d in reload_db (ret=,
>>> do_check=0, opts=0x62e010, dboptions=8202, engine=0x6b9b40) at
>>> 

Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-14 Thread Steven Morgan
OK, thanks.

Steve

On Thu, Sep 14, 2017 at 5:40 AM, Gandalf Corvotempesta <
gandalf.corvotempe...@gmail.com> wrote:

> Opened https://bugzilla.clamav.net/show_bug.cgi?id=11911
>
> 2017-09-13 19:01 GMT+02:00 Steven Morgan <smor...@sourcefire.com>:
> > OK, open a ticket and we can look at it.
> >
> > On Wed, Sep 13, 2017 at 12:57 PM, Gandalf Corvotempesta <
> > gandalf.corvotempe...@gmail.com> wrote:
> >
> >> Ok, but why is clam treating an encrypted PDF as an encrypted archive?
> >> I've set ArchiveBlockEncrypted to yes, but, as written in the setting
> >> name, I would like to block encrypted *archives*.
> >> A PDF is not an archive, thus it should not be blocked.
> >>
> >> I think this is a bug.
> >>
>
>


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-14 Thread Steven Morgan
ClamAV contains an iso9660 parser.

The clamscan --debug option may give a clue as to why it is not being
scanned.

Steven Morgan

On Wed, Sep 13, 2017 at 10:52 PM, Al Varnell <alvarn...@mac.com> wrote:

> On Wed, Sep 13, 2017 at 06:13 PM, Paul Kosinski wrote:
> > On Tue, 12 Sep 2017 21:49:17 -0800 kristen R wrote:
> >>
> >> The file is an image. Open the image up and then scan. Does clamscan
> >> open images itself and then preform a scan?
> >
> > YES! It scans *inside* ZIP, TAR, RAR etc.
>
> But does etc. include .iso's? There are many encoding formats that clamav
> is unable to scan inside of, including some oddball .zips I've run across.
> Although .dmg image scanning was added a few years back, I've experienced
> mixed results with detections unless the image is first mounted.
>
> It's also possible that .iso's are included in the list of files to skip.
> Have you looked into that?
>
> Sorry I don't have time at the moment to check into this for you. Perhaps
> later
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
>
>
>
>
>


Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Steven Morgan
OK, open a ticket and we can look at it.

On Wed, Sep 13, 2017 at 12:57 PM, Gandalf Corvotempesta <
gandalf.corvotempe...@gmail.com> wrote:

> Ok, but why is clam treating an encrypted PDF as an encrypted archive?
> I've set ArchiveBlockEncrypted to yes, but, as written in the setting
> name, I would like to block encrypted *archives*.
> A PDF is not an archive, thus it should not be blocked.
>
> I think this is a bug.
>
> 2017-09-13 16:09 GMT+02:00 Reindl Harald :
> >
> >
> > On 13.09.2017 at 15:57 Gandalf Corvotempesta wrote:
> >>
> >> So, the only way to block encrypted ZIP is also to block any encrypted
> or
> >> password protected PDF?
> >
> >
> > with one clamd instance yes
> >
> > on a smart setup you run two instances and one is just used for scoring in
> > spamassassin (or in my case i edited the sa-clamav plugin to support
> > multiple instances instead of the ugly hardcoding) - both are scoring high and
> > at the end the second clamd is also wired with the milter and rejects
> > unconditionally while the PDF stuff combined with a well maintained bayes has
> > no problems to distinguish between junk and ham
> >
> >
> >> On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:
> >>
> >>>
> >>>
> >>> On 13.09.2017 at 15:45 Gandalf Corvotempesta wrote:
> >>>
>  Hi to all
>  I would like to block any encrypted/password protected ZIP/RAR, 
>  and so on but *NOT* blocking any encrypted PDF.
>  Currently, ClamAV is blocking any encrypted PDF with
>  Heuristics.Encrypted.PDF
> 
>  How can I only block real archives and not PDF (that are not archives)
> 
> >>>
> >>> short answer: you can't and you can stop seeking around - and yes that's
> >>> terrible as most of the Heuristics options which are throwing the child
> >>> out with the bath
> >
> >
>


Re: [clamav-users] ClamAV can't scan DVD-size ISO files

2017-09-13 Thread Steven Morgan
Paul,

in addition to max-filesize, try max-scansize.

Steve

On Tue, Sep 12, 2017 at 11:50 PM, Paul Kosinski 
wrote:

> Clamscan read the entire ISO, but didn't scan any of it!
> I thought 21st century software was finally in the 64-bit era.
>
> ---
>
> ~/Downloads/Linux/Knoppix> ls -l KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> -rw-r--r-- 1 ime users 4660914176 Sep 12 19:40
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
>
> ~/Downloads/Linux/Knoppix> clamscan --max-filesize=M
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso
> WARNING: Numerical value for option max-filesize too high, resetting to 4G
> KNOPPIX_V7.7.1DVD-2016-10-22-EN.iso: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6303545
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: .99 MB (ratio 0.00:1)
> Time: 10.255 sec (0 m 10 s)
>


Re: [clamav-users] ArchiveBlockEncrypted and PDF

2017-09-13 Thread Steven Morgan
Please open a ticket for this at bugzilla.clamav.net.

Steve

On Wed, Sep 13, 2017 at 10:09 AM, Reindl Harald 
wrote:

>
>
> On 13.09.2017 at 15:57 Gandalf Corvotempesta wrote:
>
>> So, the only way to block encrypted ZIP is also to block any encrypted or
>> password protected PDF?
>>
>
> with one clamd instance yes
>
> on a smart setup you run two instances and one is just used for scoring in
> spamassassin (or in my case i edited the sa-clamav plugin to support
> multiple instances instead of the ugly hardcoding) - both are scoring high and
> at the end the second clamd is also wired with the milter and rejects
> unconditionally while the PDF stuff combined with a well maintained bayes
> has no problems to distinguish between junk and ham
>
>
> On 13 Sep 2017 3:49 PM, "Reindl Harald" wrote:
>>
>>
>>>
>>> On 13.09.2017 at 15:45 Gandalf Corvotempesta wrote:
>>>
>>> Hi to all
 I would like to block any encrypted/password protected ZIP/RAR, 
 and so on but *NOT* blocking any encrypted PDF.
 Currently, ClamAV is blocking any encrypted PDF with
 Heuristics.Encrypted.PDF

 How can I only block real archives and not PDF (that are not archives)


>>> short answer: you can't and you can stop seeking around - and yes that's
>>> terrible as most of the Heuristics options which are throwing the child
>>> out with the bath
>>>
>>
>
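
Added example, not ClamAV code: what the two ArchiveBlockEncrypted threads
above ask for, done outside clamd. ClamAV reports both an encrypted ZIP and a
password-protected PDF as content it cannot look inside, so the split has to
be made before or around it (Reindl's two-instance setup is one way). The
Python below classifies an attachment by its own structure: an encrypted ZIP
entry has bit 0 of the general-purpose flag set in its headers, an encrypted
PDF carries an /Encrypt entry in its trailer dictionary; a constructed policy
function then rejects the first and routes the second to scoring. The ZIP
sample is hand-assembled because Python's zipfile cannot write encrypted
entries; the PDF samples are constructed byte strings, not real documents.

```python
"""Added example (not ClamAV code): classify an attachment as an encrypted
archive or an encrypted PDF from its own structure, so mail policy can treat
the two differently.  All samples are constructed here; the ZIP is
hand-assembled because zipfile cannot write encrypted entries."""
import io
import re
import struct
import zipfile
import zlib
from typing import List

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0 in local and central headers
# /Encrypt in the trailer (or xref stream) dictionary is what makes a reader
# ask for a password.  Matching the whole file is a simplification: the token
# could in principle also occur inside a string or a stream.
PDF_ENCRYPT_REF = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")


def zip_encrypted_entries(data: bytes) -> List[str]:
    """Names of entries whose central-directory flags say 'encrypted'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ZIP_FLAG_ENCRYPTED]


def pdf_is_encrypted(data: bytes) -> bool:
    return PDF_ENCRYPT_REF.search(data) is not None


def classify(data: bytes) -> str:
    if data.startswith(b"%PDF-"):
        return "encrypted-pdf" if pdf_is_encrypted(data) else "pdf"
    if data.startswith(ZIP_LOCAL_SIG):
        return "encrypted-zip" if zip_encrypted_entries(data) else "zip"
    return "other"


def mail_policy(data: bytes) -> str:
    """Constructed policy matching the thread's wish: encrypted archives are
    rejected, encrypted PDFs go to spam scoring, everything else is scanned."""
    kind = classify(data)
    if kind == "encrypted-zip":
        return "reject"
    if kind == "encrypted-pdf":
        return "score"
    return "scan"


def build_zip(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Minimal single-entry ZIP (method 0, stored).  For the encrypted variant
    the flag is set and a 12-byte placeholder stands in for the ZipCrypto
    header; the bytes are not really encrypted, only the structure matters."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    body = (b"\x00" * 12 + payload) if encrypted else payload
    # local header: version, flags, method, time, date, crc, csize, usize, nlen, xlen
    local = ZIP_LOCAL_SIG + struct.pack(
        "<HHHHHIIIHH", 20, flags, 0, 0, 0, crc, len(body), len(payload), len(name), 0) + name
    # central header adds: comment len, disk, internal/external attrs, local header offset
    central = b"PK\x01\x02" + struct.pack(
        "<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0, crc, len(body), len(payload),
        len(name), 0, 0, 0, 0, 0, 0) + name
    # end of central directory: disk numbers, entry counts, cd size, cd offset, comment len
    eocd = b"PK\x05\x06" + struct.pack(
        "<HHHHIIH", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


# Constructed PDF skeletons, just enough trailer structure to exercise the check.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"2 0 obj << /Filter /Standard /V 2 /R 3 >> endobj\n"
                 b"trailer << /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, blob in (("encrypted zip", build_zip(b"invoice.doc", b"payload", True)),
                        ("plain zip", build_zip(b"a.txt", b"hello", False)),
                        ("encrypted pdf", ENCRYPTED_PDF),
                        ("plain pdf", PLAIN_PDF)):
        print(f"{label}: {classify(blob)} -> {mail_policy(blob)}")
```

The check is deliberately structural and cheap; it does not replace the
clamd scan, it only decides which of the two clamd policies (block encrypted
or not) a given attachment should be routed through.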


Re: [clamav-users] ClamAV not picking up Eicar file...

2017-08-30 Thread Steven Morgan
Colin,

Is it possible that icap has changed the file in some way? Is it possible
to set up a test to verify what is sent to ClamAV?

You could also try using the clamd.conf parameters LeaveTemporaryFiles and
TemporaryDirectory. Then run your file through your squidclamav
configuration and inspect the file(s) left in the temporary directory.
Hopefully, it will contain a file that looks something like the eicar. If
nothing is left there, try it with eicar inside of a zip file.

Steve

On Wed, Aug 30, 2017 at 2:40 PM, Colin Rogers 
wrote:

> I also get signature found when I run clamscan against the file but not
> when going through icap. I can see in my c-icap/access.log file that clam
> considers the file good to go:
>
> ubuntu-icap:~$ clamscan eicar.com.txt
> eicar.com.txt: Eicar-Test-Signature FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 6303395
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 9.843 sec (0 m 9 s)
>
>

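Steve's advice above is to establish what squidclamav/c-icap actually hands to clamd. One way to get a ground truth is to speak clamd's INSTREAM protocol directly over its Unix socket with the same EICAR bytes and compare that verdict with the one coming back through ICAP. The client below is an added example, not code from the thread or from the ClamAV project; the socket path is an assumption (the Debian/Ubuntu default LocalSocket), while the framing and the `stream: ... FOUND` / `stream: OK` replies are clamd's documented protocol.

```python
"""Minimal clamd INSTREAM client, to see exactly what the scanner receives.

Added example (not code from the thread or from the ClamAV project). It
bypasses c-icap/squidclamav and talks to clamd directly, so the same bytes
can be scanned both ways and the verdicts compared.
Assumption: CLAMD_SOCKET is the Debian/Ubuntu default LocalSocket path.
"""
import socket
import struct

# The 68-byte EICAR test pattern (a public test string, not malware).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption; see LocalSocket in clamd.conf
CHUNK = 8192


def instream_frames(data: bytes, chunk: int = CHUNK):
    """Yield the wire encoding of one INSTREAM request.

    clamd expects the null-terminated command 'zINSTREAM', then chunks each
    prefixed by a 4-byte big-endian length, and a zero-length chunk as the
    end-of-stream marker. Streams larger than StreamMaxLength are refused.
    """
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)


def parse_reply(reply: bytes):
    """Turn 'stream: <sig> FOUND\\0' or 'stream: OK\\0' into (infected, signature)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.startswith("stream: "):
        text = text[len("stream: "):]
    if text.endswith(" FOUND"):
        return True, text[:-len(" FOUND")]
    if text == "OK":
        return False, None
    raise ValueError(f"unexpected clamd reply: {text!r}")


def scan_bytes(data: bytes, path: str = CLAMD_SOCKET):
    """Stream data to a running clamd over its Unix socket and return the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):   # z-prefixed commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    infected, sig = scan_bytes(EICAR)
    print("FOUND" if infected else "OK", sig or "")
```

If this direct scan reports `Eicar-Test-Signature` while the ICAP path does not, the file is being altered or truncated before it reaches clamd; with `LeaveTemporaryFiles yes` and a `TemporaryDirectory` set as Steve describes, the bytes clamd actually wrote can then be diffed against the original.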

Re: [clamav-users] ClamAV not picking up Eicar file...

2017-08-30 Thread Steven Morgan
Colin,

Please open a bug report @ bugzilla.clamav.net. In the report, please
attach the exact eicar files that you are using.

Steve

On Wed, Aug 30, 2017 at 1:01 PM, Colin Rogers 
wrote:

> Hello everyone,
>
> I am having some trouble getting my clamav setup to detect infected files
> suddenly. I have downloaded various eicar test files and each one is let
> through clamav without any issues. Im pretty new to this but would greatly
> appreciate some assistance.
>
> Please let me know what I can provide to get to the bottom of this.
>
> Thank you in advance,
>
> Colin
>


Re: [clamav-users] freshclam

2017-08-16 Thread Steven Morgan
Hi!

Did you install from the ClamAV source code or from packages?

Steve

On Wed, Aug 16, 2017 at 4:02 PM, Walter Neumann <
wal...@buerostudio-neumann.at> wrote:

> Hello,
>
> I installed version 0.99.2 on my webserver. But there is not installed
> freshclam. Where can I find it or is there an other way to update the
> database?
>
> Thank you for help.
>


Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 beta has been released!

2017-08-14 Thread Steven Morgan
Mark,

Thanks for the report. I've opened
https://bugzilla.clamav.net/show_bug.cgi?id=11896 for tracking. Please
attach your "TooManyFilters" file there as well.

Steve

On Sat, Aug 12, 2017 at 4:29 PM, Mark Allan  wrote:

> Hi all
>
> This email is two-part: an FP report and a bug report - both only
> concerning 0.99.3
>
> I just uploaded an FP which is only being detected by 0.99.3 beta 1.  The
> checksum for the submitted file (PDFSigQFormalRep.pdf) is
> 1a29b1f3d6df9f1e47c8a77dde142238
>
> It's part of Adobe Acrobat and is showing up as
> Heuristic.PDF.TooManyFilters.
>
> Now the bug-report part.
>
> I added the relevant line to a local FP file exclude.fp in the clamav
> database directory, and it correctly prevents the file from reporting as
> being infected, however the summary still shows "1 infected file".
>
> $ clamscan  ~/Desktop/temp/PDFSigQFormalRep.pdf
>
> --- SCAN SUMMARY ---
> Known viruses: 7305825
> Engine version: 0.99.3-beta1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.22 MB
> Data read: 0.45 MB (ratio 0.49:1)
> Time: 21.459 sec (0 m 21 s)
>
> Cheers
> Mark
>
>
> > On 4 Aug 2017, at 12:04 am, Joel Esler (jesler) 
> wrote:
> >
> > http://blog.clamav.net/2017/08/clamav-0993-beta-has-been-released.html
> >
> > ClamAV 0.99.3 beta has been released!
> > Join us as we welcome ClamAV 0.99.3 beta for testing!  Be sure and grab
> the beta release on our official ClamAV download site<
> http://www.clamav.net/downloads>.
> >
> > Welcome to ClamAV 0.99.3. In this release, we have included many code
> > submissions from the ClamAV community:
> >
> >
> >  *   Interfaces to the Prelude SIEM open source package for collecting
> ClamAV virus events.
> >  *   Visual Studio 2015 for building Microsoft Windows binaries.
> >  *   Support libmspack internal code or as a shared object library. The
> internal library is the default and contains additional integrity checks.
> >  *   Linking with openssl 1.1.0.
> >  *   Numerous code patches, typos, and compiler warning fixes.
> >
> >
> > Additionally, we have introduced important changes and new features in
> > ClamAV 0.99.3, including:
> >
> >
> >  *   Deprecating internal LLVM code support. The configure script has
> changed to search the system for an installed instance of the LLVM
> development libraries, and to otherwise use the bytecode interpreter for
> ClamAV bytecode signatures. To use the LLVM Just-In-Time compiler for
> executing bytecode signatures, please ensure that the LLVM development
> package at version 3.6 or lower is installed. Using the deprecated LLVM
> code is possible with the command: './configure --with-system-llvm=no',
> but it no longer compiles on all platforms.
> >  *   Compute and check PE import table hash (a.k.a. "imphash")
> signatures.
> >  *   Support file property collection and analysis for MHTML files.
> >  *   Raw scanning of PostScript files.
> >  *   Fix clamsubmit to use the new virus and false positive submission
> web interface.
> >  *   Optionally, flag files with the virus "Heuristic.Limits.Exceeded"
> when size limitations are exceeded.
> >  *   Improve decoders for PDF files.
> >
> >
> > The ClamAV community thanks the following individuals for their ClamAV
> 0.99.3 code submissions:
> >
> > Sebastian Andrzej Siewior
> > Keith Jones
> > Bill Parker
> > Chris Miserva
> > Daniel J. Luke
> > Matthew Boedicker
> > Ningirsu
> > Michael Pelletier
> > Anthony Chan
> > Stephen Welker
> >
> > Following are issues discovered during release testing. For additional
> information, please review the corresponding tickets on
> bugzilla.clamav.net:
> >
> > 11879 - cli_scanmscan() Failed to extract 4 in Windows beta when
> scanning cab files
> > 11882 - ./configure does not automatically detect libxml2 on FreeBSD
> 10.3 and 11.0
> > 11884 - 'sudo make install' on FreeBSD 10.3 and 11.0 leaves files owned
> by root, subsequent make command fails
> > 11885 - clamsubmit not building on FreeBSD 10.3 and 11.0
> > 11887 - Failures of 'make check VG=1' on FreeBSD 10.3 and 11.0
> >
> > We ask that feedback be provided via the ClamAV mailing lists<
> http://www.clamav.net/contact#ml>.
> >
> >
> > --
> > Joel Esler | Talos: Manager | jes...@cisco.com
> >
> >
> >
> >
> >
> >

Re: [clamav-users] Another bug with ClamAV 0.99.3 beta 1

2017-08-14 Thread Steven Morgan
Mark,

We are in the process of reworking that strndup/strnlen test. The rework
will use feature tests during ./configure to test for the presence of the
system implementations of strndup and strnlen. The operating system test
that is currently in place for when to use the local implementations of
strnlen and strndup will be going away. Thanks for writing a patch. It
should suffice during beta.


Steve


On Mon, Aug 14, 2017 at 9:47 AM, Mark Allan  wrote:

> I just had another look at this today with fresh eyes and I see you've
> already got a static replacement of strndup for Solaris, so I've included a
> patch which uses the same function on macOS 10.6.8 or lower.  It relies on
> the appropriate  (-mmacosx-version-min=10.6) setting on the configure
> phase, but the chances are if anyone's compiling with 10.6 support, they
> probably ain't compiling on 10.6 so it's likely being supplied already.
>
>
>
>
> diff -Naurw clamav-0.99.3-beta1/clamd/localserver.c
> clamav-0.99.3-beta1_patched/clamd/localserver.c
> --- clamav-0.99.3-beta1/clamd/localserver.c 2017-07-31
> 19:34:32.0 +0100
> +++ clamav-0.99.3-beta1_patched/clamd/localserver.c 2017-08-14
> 14:24:08.0 +0100
> @@ -25,7 +25,7 @@
>
>  #include 
>  #include 
> -#if defined(C_SOLARIS)
> +#if defined(C_SOLARIS) || 
> (defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__)
> && (__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ <= 1068))
>  size_t strnlen(const char *s, size_t n) __attribute__((weak));
>  size_t strnlen(const char *s, size_t n)
>  {
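Review bot: the `#if` condition in this hunk is split across three lines as quoted (`+#if defined(C_SOLARIS) || ` ending the first, then `(defined(__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__)` and `&& (... <= 1068))` on their own lines); a preprocessor directive does not continue onto the next line without a trailing backslash, so if the patch file really looks like this rather than having been wrapped by the mail client, the build fails at that line. Please confirm it is one line or add `\` continuations. Beyond that, gating on the deployment-target macro checks which macOS the binary targets, not whether the toolchain actually lacks strnlen/strndup, which is why a configure-time feature test (`AC_CHECK_FUNCS([strnlen strndup])` with `HAVE_STRNLEN`/`HAVE_STRNDUP` guards) is the more robust gate, as the reply above says is planned; the `__attribute__((weak))` on the local definitions means the libc symbol still wins when one is present, so the residual risk with the macro test is a target that lacks the function but where the macro is not set.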
>
>
>
> Hope that's useful.
>
> Mark
>
>
> > On 13 Aug 2017, at 10:25 pm, Mark Allan  wrote:
> >
> > Hi all,
> >
> > Another issue with 0.99.3 beta 1.
> >
> > The clamd process crashes on macOS 10.6.8 because it can't find the
> strndup symbol.  There are a couple of references to strndup in the source
> for clamd and libclamav - should these be changed to cli_strndup or am I
> better to include a static replacement function of strndup in the
> appropriate files that would only be used on 10.6 or earlier?
> >
> > Thanks
> > Mark
> >
>


Re: [clamav-users] "ERROR: Malformed database" for local.ign2 with Windows Newlines

2017-08-01 Thread Steven Morgan
Thanks, we will look into this issue. For tracking purposes, please see
https://bugzilla.clamav.net/show_bug.cgi?id=11880 .

Steve

On Tue, Aug 1, 2017 at 2:20 PM, Andy Schmidt 
wrote:

> I just confirmed that the Windows builds of ClamAV 0.99.2 will fail to
> start
> ClamD if a "local.ign2" file exists in the database folder that (naturally)
> was created under Windows, using the standard Notepad applet.
>
> The default newline sequence for Windows is CR+LF.
> The default newline sequence for Unix is LF.
> (I think previous versions of Apple's operating systems had yet other
> combinations, but that may no longer be an issue with OS/X and/or iOS)
>
> The problem appears to be that ClamAV is not properly looking for any
> newline sequence, but rather is hard-coded to expect signature names
> being separated by a single LF character, and will report a "Malformed
> database" if any other newline character is encountered in local.ign2.
>
> Once I installed and used suitable third-party software in place of the
> standard Windows "Notepad", I was finally able to create a file with
> UNIX-style line endings, and then ClamD was able to start again.
>
>

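Two messages above touch local database files that ClamAV loads from its database directory: the exclude.fp entry Mark Allan used to suppress the Heuristic.PDF.TooManyFilters false positive in the 0.99.3 beta thread, and the local.ign2 file that made ClamD on Windows fail with "Malformed database" when saved with CR+LF. The helper below is an added example, not code from the thread or from the ClamAV project. It builds .fp records in ClamAV's `MD5:filesize:name` layout (the same as .hdb), writes them with LF endings regardless of platform, and checks an existing file for the CR+LF problem before clamd is restarted. File names, the sample content and the "plain signature name" rule for .ign2 are assumptions made for the example.

```python
"""Write local ClamAV whitelist databases with the line endings clamd expects.

Added example, not code from the thread or from the ClamAV project.
Formats used: .fp is one 'MD5:filesize:name' record per line (same layout
as .hdb); .ign2 is one signature name per line. Names and contents below
are assumptions for the example.
"""
import hashlib
import re

FP_RECORD = re.compile(r"^[0-9a-f]{32}:\d+:[^:\s]+$")
IGN2_RECORD = re.compile(r"^[A-Za-z0-9._-]+$")   # assumption: plain signature names only


def fp_entry(data: bytes, name: str) -> str:
    """Return the .fp record that whitelists exactly this file content."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def check_records(raw: bytes, kind: str):
    """Return [(line_no, problem)] for the bytes of a .fp ('fp') or .ign2 ('ign2') file."""
    pattern = FP_RECORD if kind == "fp" else IGN2_RECORD
    problems = []
    lines = raw.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()                       # file ended with a newline, as it should
    for no, line in enumerate(lines, start=1):
        if line.endswith(b"\r"):          # the CR+LF case reported in the thread
            problems.append((no, "CR+LF line ending"))
            line = line[:-1]
        text = line.decode("utf-8", "replace")
        if not text.strip() or text.startswith("#"):
            continue
        if not pattern.match(text):
            problems.append((no, f"not a valid {kind} record: {text!r}"))
    return problems


def write_db(path: str, records) -> None:
    """Write records LF-terminated; binary mode stops Windows text-mode CR+LF translation."""
    with open(path, "wb") as fh:
        for rec in records:
            fh.write(rec.encode("utf-8") + b"\n")


def check_db(path: str, kind: str):
    """Check a database file on disk; an empty list means nothing to fix."""
    with open(path, "rb") as fh:
        return check_records(fh.read(), kind)


if __name__ == "__main__":
    # Constructed usage: whitelist a local file, then verify both databases.
    with open("PDFSigQFormalRep.pdf", "rb") as fh:       # assumption: the file to whitelist
        write_db("exclude.fp", [fp_entry(fh.read(), "Local.FP.PDFSigQFormalRep")])
    write_db("local.ign2", ["Heuristic.PDF.TooManyFilters"])
    print(check_db("exclude.fp", "fp"), check_db("local.ign2", "ign2"))
```

Run `check_db` on any hand-edited local database before restarting clamd; with `clamscan --database=<dir>` you can then confirm the whitelist takes effect, bearing in mind the summary-count issue Mark reported is tracked separately in bug 11896.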

Re: [clamav-users] Error: upgrading Clamav

2017-07-28 Thread Steven Morgan
You need to set up /usr/local/etc/freshclam.conf. By default, ClamAV
supplies a sample configuration file named freshclam.conf.sample. Rename or
copy this file to freshclam.conf. You will need to comment out the line
near the top of the file containing "Example".

Hope this helps,
Steve

On Fri, Jul 28, 2017 at 4:09 AM, Ravi Raj  wrote:

> Hi
>
> I have read the documentation for clamav upgrading, when i run the
> commands for upgrade i.e. 'freshclam' & 'freshclam -d' i get the
> following Error output:
>
> [root@localhost ~]# freshclam
> ERROR: Can't open/parse the config file /usr/local/etc/freshclam.conf
> [root@localhost ~]# freshclam -d
> ERROR: Can't open/parse the config file /usr/local/etc/freshclam.conf
>
>
> What to do? How to upgrade clamav?
>
> Thanks
>
> Ravi Raj
>
> 7503506584
>


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
The default is 6 milliseconds. What clamscan parameters are you using?
I am seeing file names by default.

Steve

On Thu, Jul 20, 2017 at 12:06 PM, Mark Foley <mfo...@novatec-inc.com> wrote:

> It doesn't give any file names, even in the logfiles.  It happens when I'm
> running clamscan.
>
> I am running it on lots of files, 124,681 to be exact (IMAP mail files).
>
> What is the default for --bytecode-timeout? If I get it again I'll
> increase it.
>
> Thanks, --Mark
>
> On Thu, 20 Jul 2017 11:34:10 -0400 Steven Morgan <smor...@sourcefire.com>
> wrote:
> >
> > When ClamAV runs bytecode signatures, it uses a timer to limit the amount
> > of processing.
> >
> > Are you seeing it on a lot of files? If that is the case, the bytecode
> > signature may require attention.
> >
> > You can try increasing the timeout limit. --bytecode-timeout for clamscan
> > and BytecodeTimeout for clamd.
> >
> > Steve
> >
> > On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley <mfo...@novatec-inc.com>
> wrote:
> >
> > > What is this? It just started happening.
> > >
> > > LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout
> flag set
> > > LibClamAV Warning: [Bytecode JIT]: recovered from error
> > > LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime
> error!
> > > LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
> > >
> > > Thanks, Mark


Re: [clamav-users] Bytecode run timed out

2017-07-20 Thread Steven Morgan
When ClamAV runs bytecode signatures, it uses a timer to limit the amount
of processing.

Are you seeing it on a lot of files? If that is the case, the bytecode
signature may require attention.

You can try increasing the timeout limit. --bytecode-timeout for clamscan
and BytecodeTimeout for clamd.

Steve

On Thu, Jul 20, 2017 at 9:47 AM, Mark Foley  wrote:

> What is this? It just started happening.
>
> LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
> LibClamAV Warning: [Bytecode JIT]: recovered from error
> LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
> LibClamAV Warning: Bytcode 5 failed to run: Time limit reached
>
> Thanks, Mark


Re: [clamav-users] scanning mp3-files with clamscan

2017-07-18 Thread Steven Morgan
Paul,

I don't know how an MP3 file would contain malware, other than possible
exploits of MP3 player/processor flaws.

If you want to have MP3 files scanned anyway, it is possible to change the
file type signatures for MP3 so they are not ignored. Also, I don't know of
any signatures for MP3.

Steve

On Mon, Jul 17, 2017 at 11:45 PM, Paul Kosinski <clamav-us...@iment.com>
wrote:

> Are MP3 files ignored because it is impossible that MP3 software ever
> has buffer overflows or other security flaws???
>
> Or is it because MP3 files are compressed (i.e., random-looking) and
> thus may cause false positives? What about all the other compressed or
> encrypted file types which might do the same?
>
> In other words, I don't understand why they all would be ignored.
>
>
> On Mon, 17 Jul 2017 17:22:52 -0400
> Steven Morgan <smor...@sourcefire.com> wrote:
>
> > Rosika,
> >
> > The reason the MP3 file is not scanned is because the file type
> > signatures for MP3 direct that they are ignored. Particularly:
> >
> >  "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> >   and
> > "0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
> >
> > These definitions are in the daily.ftm file of the ClamAV virus
> > database.
> >
> > Steve
>
>

Re: [clamav-users] scanning mp3-files with clamscan

2017-07-17 Thread Steven Morgan
Rosika,

The reason the MP3 file is not scanned is because the file type signatures
for MP3 direct that they are ignored. Particularly:

 "0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"
  and
"0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED"

These definitions are in the daily.ftm file of the ClamAV virus database.

Steve

On Sun, Jul 9, 2017 at 10:04 AM, Christian  wrote:

> Hi,
>
> I want to scan an mp3-file (about 60 MB in size).
> My command is:
>
> clamscan
> /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>
> Yet I get the message: "Data scanned: 0.00 MB"
> First I thought that the file was too large, so I used a new command:
>
> clamscan --max-filesize=300M --max-scansize=300M
> /home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_Holmes/hörspiel.mp3
>
> But this didn't work either.
> In the meantime I think that's due to the nature of the respective file.
> The file being mp3.
> Could this be the case?
>
> I also tried:
>
> dd
> if=/home/rosika/Schreibtisch/Dokumente/Hörspiele/Sherlock_
> Holmes/hörspiel.mp3
> | clamscan -
>
> Output:
>
> 126592+1 Datensätze ein
> 126592+1 Datensätze aus
> 64815503 bytes (65 MB, 62 MiB) copied, 10,9642 s, 5,9 MB/s
> stdin: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 6299938
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 61.81 MB (ratio 0.00:1)
> Time: 11.596 sec (0 m 11 s)
>
> Is there any way of scanning mp3-files with clamscan?
>
> Greetings.
> Rosika
>
>

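Steve's explanation above rests on the record layout of daily.ftm: `magictype:offset:magic:name:required_type:detected_type`, where a file whose header matches the hex `magic` at `offset` is given `detected_type`, and CL_TYPE_IGNORED means the engine skips the content (hence "Data scanned: 0.00 MB"). The code below is an added example, not ClamAV's own type-detection code; it models only the simplest record kind (magictype 0, a hex string at a fixed offset) and evaluates file headers against the two MP3 records quoted in the thread. The MS-EXE record is a constructed illustration, not copied from the database.

```python
"""Evaluate ClamAV file-type (.ftm) records against a file header.

Added example, not ClamAV's own type-detection code. Only magictype 0
records (hex string at a fixed offset) are modelled. The two MP3 records
are the ones quoted from daily.ftm in the thread; the MS-EXE record is a
constructed illustration.
Record layout: magictype:offset:magic:name:required_type:detected_type[...]
"""
from dataclasses import dataclass

SAMPLE_FTM = """\
# constructed sample: the two MP3 records from the thread plus one illustrative PE record
0:0:494433:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED
0:0:fffb90:MP3:CL_TYPE_ANY:CL_TYPE_IGNORED
0:0:4d5a:MS-EXE/DLL:CL_TYPE_ANY:CL_TYPE_MSEXE
"""


@dataclass(frozen=True)
class FtmRecord:
    offset: int
    magic: bytes
    name: str
    required: str    # type the file must already have for this record to apply
    detected: str    # type assigned on a match


def parse_ftm(text: str):
    """Parse magictype-0 records; other kinds (wildcard offsets, ndb-style magic) are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed ftm record: {raw!r}")
        magictype, offset, magic, name, required, detected = fields[:6]
        if magictype != "0" or not offset.isdigit():
            continue
        records.append(FtmRecord(int(offset), bytes.fromhex(magic), name, required, detected))
    return records


def classify(header: bytes, records, current: str = "CL_TYPE_ANY"):
    """Return (name, detected_type) of the first matching record, or None."""
    for rec in records:
        if rec.required not in ("CL_TYPE_ANY", current):
            continue
        if header[rec.offset:rec.offset + len(rec.magic)] == rec.magic:
            return rec.name, rec.detected
    return None


def would_be_scanned(header: bytes, records) -> bool:
    """False when the header resolves to CL_TYPE_IGNORED, i.e. clamscan reads 0.00 MB."""
    match = classify(header, records)
    return match is None or match[1] != "CL_TYPE_IGNORED"


if __name__ == "__main__":
    recs = parse_ftm(SAMPLE_FTM)
    for sample in (b"ID3\x04\x00\x00", b"\xff\xfb\x90\x64", b"MZ\x90\x00", b"%PDF-1.4"):
        print(sample[:4], classify(sample, recs), would_be_scanned(sample, recs))
```

This also explains why Rosika's `dd ... | clamscan -` attempt made no difference: the ID3 or frame-sync bytes are still at offset 0 of the stream, so the same record fires and stdin is typed as ignored exactly like the file was.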
Re: [clamav-users] Segmentation fault (core dumped) for clamscan & clamdscan for large zip files

2017-07-13 Thread Steven Morgan
Hi Ravi,

Thanks for reporting this. Is it possible to upload the file to dropbox (or
other) for testing?

Steve

On Thu, Jul 13, 2017 at 5:24 AM, Ravi  wrote:

> Hi,
>
> We observed segfaults causing clamd to crash when scanning a zip
> file (around 190 MB) which gets extracted by clamd in /tmp to around
> 4.3 GB, which crosses the hard limits (set to a filesize and scansize of
> 4294967295 bytes in clamd.conf). The system (OEL Virtual Machine) has
> around 12 GB total memory and free memory of around 9 GB when the scan was
> run. Below is more info. Need help here to resolve since previously we
> had scanned files of around 5 GB which did not cause the issues.
>
> OS version : Oracle Linux Server release 7.2
> System: CPU Core : 4, Memory: 12GB
> ClamAV version: ClamAV 0.99.2/23555/Wed Jul 12 07:00:09 2017
>
> # clamconf
>
> Config file: clamd.conf
> ---
> LogFile disabled
> StatsHostID disabled
> StatsEnabled disabled
> StatsPEDisabled disabled
> StatsTimeout disabled
> LogFileUnlock disabled
> LogFileMaxSize = "1048576"
> LogTime disabled
> LogClean disabled
> LogSyslog = "yes"
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate disabled
> ExtendedDetectionInfo disabled
> PidFile = "/var/run/clamd.scan/clamd.pid"
> TemporaryDirectory disabled
> DatabaseDirectory = "/var/lib/clamav"
> OfficialDatabaseOnly disabled
> LocalSocket = "/var/run/clamd.scan/clamd.sock"
> LocalSocketGroup disabled
> LocalSocketMode disabled
> FixStaleSocket = "yes"
> TCPSocket = "3310"
> TCPAddr = "127.0.0.1"
> MaxConnectionQueueLength = "30"
> StreamMaxLength = "26214400"
> StreamMinPort = "1024"
> StreamMaxPort = "2048"
> MaxThreads = "50"
> ReadTimeout = "300"
> CommandReadTimeout = "5"
> SendBufTimeout = "500"
> MaxQueue = "100"
> IdleTimeout = "30"
> ExcludePath disabled
> MaxDirectoryRecursion = "15"
> FollowDirectorySymlinks disabled
> FollowFileSymlinks disabled
> CrossFilesystems = "yes"
> SelfCheck = "600"
> DisableCache disabled
> VirusEvent disabled
> ExitOnOOM disabled
> AllowAllMatchScan = "yes"
> Foreground disabled
> Debug disabled
> LeaveTemporaryFiles disabled
> User = "clamav"
> AllowSupplementaryGroups = "yes"
> Bytecode = "yes"
> BytecodeSecurity = "TrustSigned"
> BytecodeTimeout = "5000"
> BytecodeUnsigned disabled
> BytecodeMode = "ForceInterpreter"
> DetectPUA disabled
> ExcludePUA disabled
> IncludePUA disabled
> AlgorithmicDetection = "yes"
> ScanPE = "yes"
> ScanELF = "yes"
> DetectBrokenExecutables = "yes"
> ScanMail = "yes"
> ScanPartialMessages disabled
> PhishingSignatures = "yes"
> PhishingScanURLs = "yes"
> PhishingAlwaysBlockCloak disabled
> PhishingAlwaysBlockSSLMismatch disabled
> PartitionIntersection disabled
> HeuristicScanPrecedence disabled
> StructuredDataDetection disabled
> StructuredMinCreditCardCount = "3"
> StructuredMinSSNCount = "3"
> StructuredSSNFormatNormal = "yes"
> StructuredSSNFormatStripped disabled
> ScanHTML = "yes"
> ScanOLE2 = "yes"
> OLE2BlockMacros disabled
> ScanPDF = "yes"
> ScanSWF = "yes"
> ScanXMLDOCS = "yes"
> ScanHWP3 = "yes"
> ScanArchive = "yes"
> ArchiveBlockEncrypted disabled
> ForceToDisk disabled
> MaxScanSize = "4294967295"
> MaxFileSize = "4294967295"
> MaxRecursion = "16"
> MaxFiles = "1"
> MaxEmbeddedPE = "10485760"
> MaxHTMLNormalize = "10485760"
> MaxHTMLNoTags = "2097152"
> MaxScriptNormalize = "5242880"
> MaxZipTypeRcg = "1048576"
> MaxPartitions = "50"
> MaxIconsPE = "100"
> MaxRecHWP3 = "16"
> PCREMatchLimit = "1"
> PCRERecMatchLimit = "5000"
> PCREMaxFileSize = "26214400"
> ScanOnAccess disabled
> OnAccessMountPath disabled
> OnAccessIncludePath disabled
> OnAccessExcludePath disabled
> OnAccessExcludeUID disabled
> OnAccessMaxFileSize = "5242880"
> OnAccessDisableDDD disabled
> OnAccessPrevention disabled
> OnAccessExtraScanning disabled
> DevACOnly disabled
> DevACDepth disabled
> DevPerformance disabled
> DevLiblog disabled
> DisableCertCheck disabled
>
> Config file: freshclam.conf
> ---
> StatsHostID disabled
> StatsEnabled disabled
> StatsTimeout disabled
> LogFileMaxSize = "1048576"
> LogTime disabled
> LogSyslog = "yes"
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate disabled
> PidFile disabled
> DatabaseDirectory = "/var/lib/clamav"
> Foreground disabled
> Debug disabled
> AllowSupplementaryGroups disabled
> UpdateLogFile = "/var/log/clamav/freshclam.log"
> DatabaseOwner = "clamav"
> Checks = "12"
> DNSDatabaseInfo = "current.cvd.clamav.net"
> DatabaseMirror = "db.us.clamav.net"
> PrivateMirror disabled
> MaxAttempts = "3"
> ScriptedUpdates = "yes"
> TestDatabases = "yes"
> 

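The report above describes a 190 MB zip that expanded to about 4.3 GB in /tmp against MaxScanSize and MaxFileSize both raised to 4294967295 bytes, which is the limit those settings exist to enforce. A cheap gate in front of the scanner is to read only the zip's central directory, which states every member's declared sizes without extracting anything, and refuse archives whose declared expansion would blow past the configured scan limits or whose compression ratio is implausible. The code below is an added example, not ClamAV's own archive handling; the ratio threshold and the sample archives are assumptions constructed for the example.

```python
"""Pre-screen a zip's declared expansion before clamd extracts it.

Added example, not ClamAV's own archive code. Declared sizes come from the
central directory only; nothing is extracted. Nested archives are invisible
here, which is what the scanner's own MaxRecursion/MaxFiles limits cover.
MAX_RATIO is an assumption chosen for the example.
"""
import io
import zipfile

MAX_SCAN_SIZE = 4294967295   # MaxScanSize from the clamd.conf quoted above
MAX_RATIO = 100.0            # assumption: treat >= 100x expansion as suspect


def summarize_zip(blob: bytes):
    """Return (compressed_total, uncompressed_total, member_count) from the directory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    return compressed, uncompressed, len(infos)


def verdict(blob: bytes, max_scan: int = MAX_SCAN_SIZE, max_ratio: float = MAX_RATIO) -> str:
    """Decide whether the archive should go to clamd, from declared sizes alone.

    Declared sizes can lie, so this is a first gate in front of the scanner's
    limits, not a replacement for them.
    """
    compressed, uncompressed, _ = summarize_zip(blob)
    if uncompressed > max_scan:
        return "reject: declared size exceeds MaxScanSize"
    if compressed == 0:
        ratio = float("inf") if uncompressed else 0.0
    else:
        ratio = uncompressed / compressed
    if ratio >= max_ratio:
        return "reject: compression ratio too high"
    return "ok"


def build_sample(members: dict) -> bytes:
    """Constructed test input: an in-memory deflate zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed: three highly compressible members versus one small text file.
    bomb = build_sample({f"blob{i}.bin": b"\0" * 1_000_000 for i in range(3)})
    benign = build_sample({"note.txt": b"The quick brown fox jumps over the lazy dog"})
    print(summarize_zip(bomb), verdict(bomb))
    print(summarize_zip(benign), verdict(benign))
```

Raising MaxScanSize and MaxFileSize to the 32-bit maximum, as in the quoted configuration, removes the protection those limits provide; running a check like this in the submitting application keeps a pathological archive from being handed to clamd at all, and the `LeaveTemporaryFiles`/`TemporaryDirectory` options mentioned earlier in this digest show how much space an extraction actually took.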
Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread Steven Morgan
David,

Thanks, so when you say freshclam "completed successfully" you mean there
were no temp files left?

Steve

On Tue, Jun 20, 2017 at 11:21 AM, David Pullman <david.pull...@gmail.com>
wrote:

> Steve,
>
> Yes, we run freshclam and then clamscan once each day at 00:03 UTC. There
> were many days of tmp directories. We ran the freshclam utility by hand
> yesterday, on the instance the logs are from, at about 22:00 UTC, and it
> completed the download. The subsequent update at 00:03 this morning
> completed successfully as well.
>
> The version is the package install on Ubuntu of clamav and
> clamav-freshclam: 0.99.2+addedllvm-0ubuntu0.14.04.1.
>
> Thanks!
>
> David
>
> On Tue, Jun 20, 2017 at 11:03 AM, Steven Morgan <smor...@sourcefire.com>
> wrote:
>
> > David,
> >
> > So freshclam runs every day at ~00:03:00, and to confirm, the temp
> > directories/files are left for each of these runs?
> >
> > Which version of ClamAV are you using?
> >
> > Steve
> >
> > On Tue, Jun 20, 2017 at 7:51 AM, David Pullman <david.pull...@gmail.com>
> > wrote:
> >
> > > Hi Steve,
> > >
> > > I've gathered some logs from one of the servers that had a bunch of the
> > > clamor-nn.tmp directories over a number of days. I've
> aggregated
> > > seven days of them below (we rotate the log daily). We run freshclam
> from
> > > cron each day.
> > >
> > > Please let me know if there's any suggestion on how I can get a
> > definitive
> > > reason for this, or correcting this? We have two issues, one is of
> course
> > > that the sigs are not updated, but also on some of the smaller
> instances
> > > the disk space is affected by the tmp files left in /var/lib/clamav.
> > >
> > > Thanks very much for any suggestions or help!
> > >
> > > Tue Jun 13 00:03:01 2017 -> --
> > > Tue Jun 13 00:03:01 2017 -> ClamAV update process started at Tue Jun 13
> > > 00:03:01 2017
> > > Tue Jun 13 00:03:01 2017 -> main.cld is up to date (version: 58, sigs:
> > > 4566249, f-level: 60, builder: sigmgr)
> > > Tue Jun 13 00:03:09 2017 -> Downloading daily-23452.cdiff [100%]
> > > Tue Jun 13 00:03:10 2017 -> Downloading daily-23453.cdiff [100%]
> > > Tue Jun 13 00:03:13 2017 -> Downloading daily-23454.cdiff [100%]
> > > Wed Jun 14 00:03:02 2017 -> --
> > > Wed Jun 14 00:03:02 2017 -> ClamAV update process started at Wed Jun 14
> > > 00:03:02 2017
> > > Wed Jun 14 00:03:02 2017 -> main.cld is up to date (version: 58, sigs:
> > > 4566249, f-level: 60, builder: sigmgr)
> > > Wed Jun 14 00:03:38 2017 -> nonblock_connect: connect timing out (30
> > secs)
> > >
> > >


Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread Steven Morgan
David,

So freshclam runs every day at ~00:03:00, and to confirm, the temp
directories/files are left for each of these runs?

Which version of ClamAV are you using?

Steve

On Tue, Jun 20, 2017 at 7:51 AM, David Pullman 
wrote:

> Hi Steve,
>
> I've gathered some logs from one of the servers that had a bunch of the
> clamor-nn.tmp directories over a number of days. I've aggregated
> seven days of them below (we rotate the log daily). We run freshclam from
> cron each day.
>
> Please let me know if there's any suggestion on how I can get a definitive
> reason for this, or correcting this? We have two issues, one is of course
> that the sigs are not updated, but also on some of the smaller instances
> the disk space is affected by the tmp files left in /var/lib/clamav.
>
> Thanks very much for any suggestions or help!
>
> Tue Jun 13 00:03:01 2017 -> --
> Tue Jun 13 00:03:01 2017 -> ClamAV update process started at Tue Jun 13
> 00:03:01 2017
> Tue Jun 13 00:03:01 2017 -> main.cld is up to date (version: 58, sigs:
> 4566249, f-level: 60, builder: sigmgr)
> Tue Jun 13 00:03:09 2017 -> Downloading daily-23452.cdiff [100%]
> Tue Jun 13 00:03:10 2017 -> Downloading daily-23453.cdiff [100%]
> Tue Jun 13 00:03:13 2017 -> Downloading daily-23454.cdiff [100%]
> Wed Jun 14 00:03:02 2017 -> --
> Wed Jun 14 00:03:02 2017 -> ClamAV update process started at Wed Jun 14
> 00:03:02 2017
> Wed Jun 14 00:03:02 2017 -> main.cld is up to date (version: 58, sigs:
> 4566249, f-level: 60, builder: sigmgr)
> Wed Jun 14 00:03:38 2017 -> nonblock_connect: connect timing out (30 secs)
>
>

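Taken together, the leftover clamav-&lt;hash&gt;.tmp directory (dated Jun 3 00:03, the cron time) and the log excerpt in which the Jun 14 run ends in `nonblock_connect: connect timing out` point at runs that were cut off mid-update rather than a routine cleanup gap. The script below is an added example, not code from the thread or from the ClamAV project: it groups a freshclam log into runs, flags those that either hit an error line or never confirmed the daily database, and lists temp directories old enough to belong to an aborted run. The log lines in it are constructed after the pattern David quoted, and the age threshold is an assumption.

```python
"""Spot freshclam runs that never finished and the temp directories they leave.

Added example, not part of the thread or of ClamAV. freshclam logs each run
after a 'ClamAV update process started' line; a run that was cut off leaves
a clamav-<hex>.tmp directory under the database directory. SAMPLE_LOG is
constructed after the pattern quoted in the thread; the age threshold is an
assumption.
"""
import os
import re
import time

SAMPLE_LOG = """\
Tue Jun 13 00:03:01 2017 -> --
Tue Jun 13 00:03:01 2017 -> ClamAV update process started at Tue Jun 13 00:03:01 2017
Tue Jun 13 00:03:01 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Tue Jun 13 00:03:09 2017 -> Downloading daily-23452.cdiff [100%]
Tue Jun 13 00:03:13 2017 -> daily.cld updated (version: 23454)
Wed Jun 14 00:03:02 2017 -> --
Wed Jun 14 00:03:02 2017 -> ClamAV update process started at Wed Jun 14 00:03:02 2017
Wed Jun 14 00:03:02 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Jun 14 00:03:38 2017 -> nonblock_connect: connect timing out (30 secs)
"""

START = re.compile(r"^(?P<ts>.+?) -> ClamAV update process started")
DONE = re.compile(r" -> (daily|main|bytecode)\.(cld|cvd) (is up to date|updated)")
FAIL = re.compile(r" -> (.*(timing out|ERROR|Can't|failed).*)$", re.IGNORECASE)
TMPDIR = re.compile(r"^clamav-[0-9a-f]{32}\.tmp$")


def audit_runs(log_text: str):
    """One dict per run: start timestamp, databases confirmed, first failure line."""
    runs = []
    for line in log_text.splitlines():
        m = START.match(line)
        if m:
            runs.append({"started": m.group("ts"), "confirmed": set(), "failure": None})
            continue
        if not runs:
            continue                       # lines before the first run header
        d = DONE.search(line)
        if d:
            runs[-1]["confirmed"].add(d.group(1))
        f = FAIL.search(line)
        if f and runs[-1]["failure"] is None:
            runs[-1]["failure"] = f.group(1)
    return runs


def incomplete_runs(log_text: str, required=("main", "daily")):
    """Runs that logged a failure or never confirmed every required database."""
    return [r for r in audit_runs(log_text)
            if r["failure"] or not set(required) <= r["confirmed"]]


def select_stale(entries, now: float, min_age_s: float = 3600.0):
    """entries: (name, is_dir, mtime). A freshclam temp dir older than a run is a leftover."""
    return sorted(name for name, is_dir, mtime in entries
                  if is_dir and TMPDIR.match(name) and now - mtime >= min_age_s)


def stale_tmp_dirs(dbdir: str, min_age_s: float = 3600.0):
    """Paths of leftover clamav-*.tmp directories under the database directory."""
    entries = []
    for name in os.listdir(dbdir):
        path = os.path.join(dbdir, name)
        entries.append((name, os.path.isdir(path), os.path.getmtime(path)))
    return [os.path.join(dbdir, n) for n in select_stale(entries, time.time(), min_age_s)]


if __name__ == "__main__":
    for run in incomplete_runs(SAMPLE_LOG):
        print("incomplete:", run["started"], run["failure"] or "no daily confirmation")
    print(stale_tmp_dirs("/var/lib/clamav"))     # assumption: DatabaseDirectory path
```

Pairing the timestamp of an incomplete run with the mtime of a leftover directory ties each stray `.tmp` to a specific failed download; only remove a directory once no freshclam process is running, since a run in progress legitimately owns a fresh one.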

Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-19 Thread Steven Morgan
Hi,

Any temporary files left by "normal" ClamAV processing are considered to be
a bug. Temporary files may be left if a ClamAV component terminates
ungracefully. Do you have any other logs or know of any other events from
June 3 that may provide additional info about these files left in the temp
directory?

Steve

On Mon, Jun 19, 2017 at 8:01 AM, David Pullman 
wrote:

> Hi,
>
> We're seeing cases on some servers where tmp directories are possibly being
> left behind in /var/lib/clamav. The following is one example, there are
> some where more than one tmp dir is occurring.
>
> Is this a sign of a failure to clean up after a download? Is there
> something I can check in logs or in configuration regarding this? Or is it
> simply a need to run a clean up process?
>
> Thanks very much!
>
> David
>
> $ ls -alR /var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/
> /var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/:
> total 12
> drwxr-xr-x 3 clamav clamav 4096 Jun 19 11:16 .
> drwxr-xr-x 3 clamav clamav 4096 Jun 19 00:05 ..
> drwxr-xr-x 2 clamav clamav 4096 Jun  3 00:03
> clamav-6ef20391b3924221fc3fce4a535e157e.tmp
>
> /var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/clamav-
> 6ef20391b3924221fc3fce4a535e157e.tmp:
> total 145216
> drwxr-xr-x 2 clamav clamav  4096 Jun  3 00:03 .
> drwxr-xr-x 3 clamav clamav  4096 Jun 19 11:16 ..
> -rw-r--r-- 1 clamav clamav 17992 Jun  3 00:03 COPYING
> -rw-r--r-- 1 clamav clamav   557 Jun  3 00:03 daily.cdb
> -rw-r--r-- 1 clamav clamav   424 Jun  3 00:03 daily.cfg
> -rw-r--r-- 1 clamav clamav  6040 Jun  3 00:03 daily.crb
> -rw-r--r-- 1 clamav clamav 26043 Jun  3 00:03 daily.fp
> -rw-r--r-- 1 clamav clamav  9965 Jun  3 00:03 daily.ftm
> -rw-r--r-- 1 clamav clamav  29125847 Jun  3 00:03 daily.hdb
> -rw-r--r-- 1 clamav clamav  3530 Jun  3 00:03 daily.hdu
> -rw-r--r-- 1 clamav clamav 112488731 Jun  3 00:03 daily.hsb
> -rw-r--r-- 1 clamav clamav        89 Jun  3 00:03 daily.hsu
> -rw-r--r-- 1 clamav clamav 36126 Jun  3 00:03 daily.idb
> -rw-r--r-- 1 clamav clamav  5709 Jun  3 00:03 daily.ign
> -rw-r--r-- 1 clamav clamav  4235 Jun  3 00:03 daily.ign2
> -rw-r--r-- 1 clamav clamav  2271 Jun  3 00:03 daily.info
> -rw-r--r-- 1 clamav clamav    849664 Jun  3 00:03 daily.ldb
> -rw-r--r-- 1 clamav clamav    199116 Jun  3 00:03 daily.ldu
> -rw-r--r-- 1 clamav clamav   4847600 Jun  3 00:03 daily.mdb
> -rw-r--r-- 1 clamav clamav 69427 Jun  3 00:03 daily.mdu
> -rw-r--r-- 1 clamav clamav        92 Jun  3 00:03 daily.msb
> -rw-r--r-- 1 clamav clamav        92 Jun  3 00:03 daily.msu
> -rw-r--r-- 1 clamav clamav 97624 Jun  3 00:03 daily.ndb
> -rw-r--r-- 1 clamav clamav    823647 Jun  3 00:03 daily.ndu
> -rw-r--r-- 1 clamav clamav  4094 Jun  3 00:03 daily.pdb
> -rw-r--r-- 1 clamav clamav        87 Jun  3 00:03 daily.sfp
> -rw-r--r-- 1 clamav clamav 10095 Jun  3 00:03 daily.wdb


Re: [clamav-users] Lots of "fmap_readpage" errors with ClamAV 0.99.2 on centos 7

2017-06-14 Thread Steven Morgan
Hello,

I looked at the debug trace and reviewed the clamd.conf. Can you try
setting clamd's TemporaryDirectory to somewhere that is not under your
onaccess mount path? Also, can you try running clamscan rather than clamd
(to test if the behavior is the same)?

Steve


Re: [clamav-users] Clamav daemon quitting unexpectedly

2017-06-14 Thread Steven Morgan
Hi,

Try adding "Debug true"  to clamd.conf. It may provide some insight into
what is going on.

Steve


On Wed, Jun 14, 2017 at 2:08 AM, Fabrizio Mazzoni 
wrote:

> Good morning to all!
>
> I'm having an issue where clamd is quitting unexpectedly and I have no
> clue what is causing this. There is no trace in the logs.
>
> I had thought it was due to space issues in /tmp as my tmp is only 500MB
> and it was full of clam files.
>
>
>
> I changed the clamd.conf to read:
>
> TemporaryDirectory /clamtmp
>
> And created the directory with permissions 1777
>
> but that does not seem to solve the problem.
>
> Any help appreciated!
>
>
> Fabrizio Mazzoni - ICT Consultant
> +255 755 46 88 26  mazzofab.tz
> www.fsm.co.tz <https://fsm.co.tz/>
>

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
'kill -9 6776', verify the 6776 is gone, followed by starting clamd again
should fix this.

Steve

On Mon, May 15, 2017 at 5:22 PM, Kishore Pawar  wrote:

> Thanks Steve. Here's the output of lsof.
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
> process.
>
> # lsof | grep clamd.socket
> clamd 6776 clamav 5u unix 0xc3692480 0t0 72993 /var/run/clamav/clamd.socket
>
> # ps -ef | grep 6776
> clamav 6776    1  0 15:57 ?     00:00:00 clamd
> root   6889 2739  0 16:20 pts/1 00:00:00 grep 6776
>
> Thanks
> Kishore
>
>
>


Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

2017-05-15 Thread Steven Morgan
For some additional info about running YARA rules in ClamAV, please see
section 3.11 in the ClamAV signatures manual:

https://github.com/vrtadmin/clamav-devel/blob/master/docs/signatures.pdf




On Mon, May 15, 2017 at 4:04 PM, Mark Foley  wrote:

> On Mon May 15 15:06:07 2017 "Eric Tykwinski" 
> wrote:
> >
> > Here's links to sample files, ie use at your own risk:
> > https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
> >
> > Sincerely,
> >
> > Eric Tykwinski
> > TrueNet, Inc.
> > P: 610-429-8300
> >
>
> Well, it does seem to try and use the yara rule. Using one of the samples
> on the
> link you gave me:
>
> $ clamscan CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
> LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 non-ascii
> character
> LibClamAV Error: yyerror(): /var/lib/clamav/wannaCry.yar line 3 syntax
> error, unexpected $end, expecting _CONDITION_
> LibClamAV Error: cli_loadyara: failed to parse rules file
> /var/lib/clamav/wannaCry.yar, error count 2
>
> When I fixed the non-ascii character thing I got:
>
> > clamscan CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
>
> CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE:
> Win.Trojan.Agent-6312832-0 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 6284809
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 3.49 MB
> Data read: 3.35 MB (ratio 1.04:1)
> Time: 6.828 sec (0 m 6 s)
>
> The yara rule didn't find anything.
>
> I used sample .hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
>
> The page is headed, "WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered
> Ransomware Worm"
> so I would imagine the samples on this page are for wannaCry, right?
>
> --Mark
>
> > -Original Message-
> > From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf
> > Of Mark Foley
> > Sent: Monday, May 15, 2017 2:58 PM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with
> > clamav
> >
> > On Sat May 13 13:25:07 2017 From: Alain Zidouemba
> >  wrote:
> > >
> > > Yara rules have been supported by ClamAV since 2015:
> > > http://blog.clamav.net/2015/06/clamav-099b-meets-yara.html
> > >
> > > - Alain
> >
> > I'm following these instructions now.  The instructions say, "just place
> > your YARA rule files into the ClamAV virus database location." I've copied
> > the Homeland Security yara script to a file, wannaCry.yar, in my
> > /var/lib/clamav directory.
> >
> > Is that it? No clamscan switch or config setting? Is there any way to
> > confirm this rule is being used?
> >
> > I also downloaded and looked at the yara repo on github.  There are over
> > 400 rules in the zipfile.  To use some or all of them would I just unzip
> > into my database location?
> >
> > The instructions also say, "Regular expressions in both YARA rules and
> > ClamAV logical signatures require the Perl Compatible Regular Expressions
> > (PCRE) library." Is there a way to see if my clamAV was built with this?
> >
> > Thanks, Mark
> >
> > >
> > > On Sat, May 13, 2017 at 1:16 PM, Alex  wrote:
> > >
> > > > Hi,
> > > >
> > > > So you've probably heard of the latest ransomware dubbed WannaCry.
> > > > I'm wondering if anyone has figured out a way to integrate the yara
> > > > signatures for these types of exploits with spamassassin?
> > > >
> > > > https://www.us-cert.gov/ncas/alerts/TA17-132A
> > > >
> > > > What is the status of development of integration of yara rules into
> > clamav?
> > > >
> > > > [deleted]
> > > >
> > > > Thanks,
> > > > Alex

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
OK, try the 'lsof' command to identify what is using
/var/run/clamav/clamd.socket.

Steve

On Mon, May 15, 2017 at 1:29 PM, Kishore Pawar  wrote:

> Thanks Steve. Yes, I tried removing them and killing the running clamd process
> and starting it again but still the clamd status doesn't show anything other
> than the error.
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
> process.
>
> 
>
> There is probably another clamd running. If not, try deleting
> /var/run/clamav/clamd.socket.
>
> Steve
>
> On Mon, May 15, 2017 at 11:58 AM, Kishore Pawar  wrote:
>
> > Hi Steve
> >
> > Thank you very much for the reply and your suggestion. I rebuilt it with
> > the options (--enable-llvm=no) provided by you and it seems to be ok now.
> > But now I am unable to stop/start the clamd and am not able to get the
> > status of clamd.
> >
> >
> > # clamd status
> > ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by
> > another process.
> >
> > # ls -lrt /var/run/clamav/
> > total 12
> > srw-rw-rw-. 1 clamav clamav 0 May 15 11:29 clamd.socket
> > -rw-rw-r--. 1 clamav clamav 5 May 15 11:29 clamd.pid
> > -rw-rw----. 1 clamav clamav 5 May 15 11:29 freshclam.pid
> > srw-r--r--. 1 clamav root   0 May 15 11:46 clamav-milter.socket
> > -rw-rw-r--. 1 clamav clamav 5 May 15 11:46 clamav-milter.pid
> >
> > I observed that the 'clamav-milter.socket' is started by root and not
> > clamav user. I am not sure if that's how it is supposed to be. If it
> needs
> > to be started by clamav, where should I do the changes?
> >
> > Thanks
> > Kishore
> >


Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-15 Thread Steven Morgan
There is probably another clamd running. If not, try deleting
/var/run/clamav/clamd.socket.

Steve

On Mon, May 15, 2017 at 12:58 PM, Kishore Pawar  wrote:

> Hi Steve
>
> Thank you very much for the reply and your suggestion. I rebuilt it with
> the options (--enable-llvm=no) provided by you and it seems to be ok now.
> But now I am unable to stop/start the clamd and am not able to get the
> status of clamd.
>
>
> # clamd status
> ERROR: LOCAL: Socket file /var/run/clamav/clamd.socket is in use by another
> process.
>
> # ls -lrt /var/run/clamav/
> total 12
> srw-rw-rw-. 1 clamav clamav 0 May 15 11:29 clamd.socket
> -rw-rw-r--. 1 clamav clamav 5 May 15 11:29 clamd.pid
> -rw-rw----. 1 clamav clamav 5 May 15 11:29 freshclam.pid
> srw-r--r--. 1 clamav root   0 May 15 11:46 clamav-milter.socket
> -rw-rw-r--. 1 clamav clamav 5 May 15 11:46 clamav-milter.pid
>
> I observed that the 'clamav-milter.socket' is started by root and not
> clamav user. I am not sure if that's how it is supposed to be. If it needs
> to be started by clamav, where should I do the changes?
>
> Thanks
> Kishore


Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-12 Thread Steven Morgan
OK, thanks. Is it possible to rebuild? If so, please try to include
--enable-llvm=no on your ./configure. This will use the internal bytecode
interpreter rather than the llvm jit.

Steve

On Fri, May 12, 2017 at 6:13 PM, Kishore Pawar  wrote:

> Hi Steve
>
> I tried to run the freshclam today too but am getting the same errors. The
> debug output is as follows:
>
> # `freshclam --verbose --debug` output

Re: [clamav-users] ClamAV on RHEL 6.8 (IBM Power 8 -PPC64)

2017-05-12 Thread Steven Morgan
There was a bytecode signature issue a few days ago which is now fixed (not
sure it is related). Did you try freshclam today? If it is still a problem,
try 'freshclam --debug' to determine which signature caused the problem.

Steve


On Fri, May 12, 2017 at 2:25 PM, Kishore Pawar  wrote:

> No update till now from anyone :(. I'd appreciate it if someone can assist
> me in resolving this issue. Thanks in advance.
>
> On Mon, May 8, 2017 at 10:06 PM, Kishore Pawar  wrote:
>
> > Hello Friends
> >
> > I am not sure if this is the right place to send the request about the
> > issues that I am facing.
> >
> > I had ClamAV 0.97.1 running on RHEL (2.6.32-642.6.1.el6.ppc64) on our IBM
> > Power 7 system for many years. Today I upgraded it to ClamAV 0.99.2
> > (source code). Unfortunately the DB is not loading and giving the
> > following error. I searched online for this error but couldn't find much
> > information on ClamAV, Redhat or IBM.
> >
> > ERROR: During database load : freshclam: llvm/lib/Target/PowerPC/PPCCodeEmitter.cpp:156: unsigned int::PPCCodeEmitter::getMachineOpValue(const llvm::MachineInstr&, const llvm::MachineOperand&): Assertion `MovePCtoLROffset && "MovePCtoLR not seen yet?"' failed.
> > ERROR: Database load killed by signal 6
> > ERROR: Failed to load new database
> >
> >
> >
> > I'd appreciate it if someone can help me in the right direction to get it up and
> > running again. Let me know if you need any further information & I'll be
> > glad to send it.
> >
> > Thanks
> > Kishore


Re: [clamav-users] Question about ClamScan

2017-05-12 Thread Steven Morgan
Hello,

Not strictly single threaded; there is a timer thread for bytecode, for
example.

You can search over the source code to see pthread_* function calls. You
will see that the ClamAV engine also contains pthread resource
serialization calls.

Hope this helps,
Steve


On Fri, May 12, 2017 at 1:29 AM, crazy thinker 
wrote:

> Hi ClamAV Developers, Users
>
> I think Clamscan is a single-thread application. Am I right? I inspected
> this for a little bit of time. It doesn't read any config file to read
> something before it is about to start.
>
>
> Thanks,
> Crazy Thinker, Inc


Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
On Mon, May 8, 2017 at 5:07 PM, Cory Parrish 
wrote:

> Please find the pcap file attached. This particular run had 19 failures and
> then the 20 time I received the expected response. I'll analyze it on my
> end too but don't have much experience at this so a little help is
> definitely appreciated.
>
>
I did not receive the pcaps. Can you send them directly or post them
somewhere?

Steve


Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
... and / or CommandReadTimeout.


Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
On Mon, May 8, 2017 at 4:43 PM, Cory Parrish 
wrote:

> Thanks for the response Steven. I will get the information that you are
> looking for.
>
> What I have done in the meantime, is setup a retry of the scan with a 50 ms
> delay until I receive an expected response (i.e. non FIN packet). What I
> have found is that I always eventually get the expected response within 10
> tries.
>
> *Is There A Timing Issue?*
> I am immediately sending data after I get an ack back that I am connected
> on the socket. So I don't think there is a timing issue but it would be
> nice to find a way to test this. Do you know if there is a configuration I
> can set to increase this wait time? I haven't seen one in the
> configurations.
>
>
ReadTimeout looks like the right thing.

Steve


Re: [clamav-users] TCP FIN Packet Received Before Data

2017-05-08 Thread Steven Morgan
Cory,

If you can capture the tcp network traffic for a successful and a failed
session and send me the pcap files, I'd be glad to take a look at them.

I have noticed that clamd only allows a short delay following tcp
connection establishment before receiving a clamd command or else it sends
a fin. Is it possible that there is a timing issue?

Steve

On Mon, May 8, 2017 at 11:35 AM, Cory Parrish 
wrote:

> Hello, I'm trying to stream a file to clamav (V 0.99.2) using the TCP
> Connection from a NodeJS server. Sometimes data is being sent back but
> other times I am receiving the "FIN" packet before any data. Every time I
> send a stream to be scanned, I see the result in the clamav logs, but for
> some reason the result is not getting sent back on the socket consistently.
> Oddly enough, if I make clamav send back an error response, I will get the
> response 100% of the time. I only see inconsistency when clamav executes
> the scan successfully, both when it finds a virus and when it does not find
> a virus.
>
> *A couple things that I have tried:*
>
> 1. I was wondering if this happens on very small files. So I increased the
> size of the file to over 500k and I still saw the same results.
>
> 2. Next I was wondering if it might happen when clamav uses its cache to
> determine that a file has already been scanned. So I changed the
> DisableCache configuration to 'yes' and still saw the same thing.
>
> Has anyone seen a problem like this in the past? Are there tests proving
> the socket communication is working correctly? Please let me know what
> information you would need to assist.
>
> *Attachments*
> clamd.conf - configuration used for the clam daemon.
> test-file.txt - the file I am streaming to clamav.
>
> Thanks so much for any help you can provide!
>
> --
> Cory Parrish
> Owner, Developer, and Fellow Geek
> StriveNine
>


Re: [clamav-users] Problems with 3rd party sigs

2017-03-31 Thread Steven Morgan
They can be ignored. For yara rules, ClamAV currently ignores any
containing errors or unsupported features.

Steve

On Fri, Mar 31, 2017 at 2:30 PM, Mark Foley <mfo...@novatec-inc.com> wrote:

> On Fri, 31 Mar 2017 14:01:29 -0400 Steven Morgan <smor...@sourcefire.com>
> wrote:
> >
>
> Thanks Steve. Is there then a way to disable the pe rules or do I just
> have to ignore these messages?
>
> --Mark
>
> > Mark,
> >
> > The pe import module of yara rules is not currently implemented in
> > ClamAV. Other specifics of using yara rules in Clam may be found in
> > docs/signatures.pdf. Also, looks like errors in EMAIL_Cryptowall.yar yara
> > rule?
> >
> > Hope this helps,
> > Steve
> >
> > On Fri, Mar 31, 2017 at 1:45 PM, Mark Foley <mfo...@novatec-inc.com>
> wrote:
> >
> > > Per advice on this list, I downloaded and installed the
> > > clamav-unofficial-sigs scripts from the link on Sanesecurity.
> > >
> > > I've not been able to get it running. Two problems:
> > >
> > > 1. The /etc/cron.d/clamav-unofficial-sigs cron script won't run from
> > > crond. I get an email:
> > >
> > > /bin/sh: clamav: command not found
> > >
> > > I've searched the computer and the clamav-unofficial-sigs.sh script
> > > looking for a reference to a clamav command and simply cannot find such
> > > a command. I've sprinkled `echo` statements throughout
> > > clamav-unofficial-sigs.sh and redirected the cron script's output to a
> > > log file. I never get anything in the logfile. Yet, if I run
> > > clamav-unofficial-sigs.sh as root manually, it runs fine.
> > >
> > > 2. I run a cron'd clamscan job to scan mail folders several times a
> > > day. I get the following errors which are new since installing the
> > > unofficial-sigs:
> > >
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 34 duplicate identifier "CryptoWall_Resume_phish"
> > > LibClamAV Error: yyerror(): /var/lib/clamav/EMAIL_Cryptowall.yar line 52 duplicate identifier "docx_macro"
> > > LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/EMAIL_Cryptowall.yar, error count 2
> > >
> > > The lines at /var/lib/clamav/antidebug_antivm.yar line 497 are:
> > >
> > > 496 condition:
> > > 497 pe.imports("kernel32.dll","CheckRemoteDebuggerPresent")
> > > and
> > > 498 pe.imports("kernel32.dll","IsDebuggerPresent")
> > >
> > > These seem like rather basic programming bugs.  Nevertheless, it does
> > > appear to catch new signatures, e.g.:
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1463485456.M955042P32209.mail,S=13067,W=13269:2,S: Sanesecurity.Foxhole.Zip_fs226.UNOFFICIAL FOUND
> > > /home/HPRS/mpress/Maildir/.Deleted Items/cur/1460374151.M124643P21974.mail,S=30684,W=31217:2,S: Sanesecurity.Spam.12404.Ml.UNOFFICIAL FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1485781802.M776532P6090.mail,S=2905,W=2971:2,S!(1)MAIL:mixedtextportion: Sanesecurity.Junk.33365.UNOFFICIAL FOUND
> > > /home/HPRS/shay/Maildir/.Trash/cur/1486393658.M60634P26487.mail,S=48881,W=49823:2,S: Sa

Re: [clamav-users] MailFollowUrl alternative?

2017-03-31 Thread Steven Morgan
Mauro,

It is not clear what MailFollowURL did. Have a look at
docs/phishsigs_howto.pdf for a description of how to scan for URLs. This
may have subsumed MailFollowURL.

Steve

On Fri, Mar 31, 2017 at 12:34 PM, Mauro Celli 
wrote:

> Hi,
> I need to scan links in email. In the past I used MailFollowUrl but now it
> is deprecated.
> Is there an alternative to make this test?
> Thanks


Re: [clamav-users] Daily 23161 broke Clam

2017-03-03 Thread Steven Morgan
Hi Aaron and Leonardo,

What are the versions of libpcre on your systems?

Thanks,
Steve


Re: [clamav-users] Clamav and DLP

2017-02-21 Thread Steven Morgan
Hi Alex,

There aren't any other external controls for DLP beside the configuration
parameters. Customization of the source code (libclamav/dlp.c) is possible
via C programming. There are currently no active DLP development plans.

Hope this helps,
Steve

On Mon, Feb 20, 2017 at 7:54 PM, Alex  wrote:

> Hi,
>
> I'm interested in using clamav on fedora25 for data loss prevention in
> addition to the virus scanning we're already doing. Is there any
> documentation on how this all works other than enabling the DLP
> options in the config file?
>
> How do I add my own credit card patterns to be tagged? How about
> excluding them? What are the default patterns that are included?
>
> Is there active development going on with clamav in this area?
>
> Thanks,
> Alex
>

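As an added example (not ClamAV's code, and not how libclamav/dlp.c is written), here is a compact model of what a DLP credit-card check does and how an allow-list can exclude known numbers, which is what the thread asks about: candidate digit runs are normalised, bounded in length, matched against an issuer prefix table and validated with a Luhn checksum. The regex, the prefix subset and the min-count threshold are assumptions chosen for the illustration; the threshold plays the role of clamd's StructuredMinCreditCardCount option.

```python
import re
from typing import List, Sequence

# Candidate runs of 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run (assumed shape for this example).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Illustrative issuer prefix subset (an assumption; a real table is larger).
_ISSUER_PREFIXES = ("4", "51", "52", "53", "54", "55", "34", "37", "6011", "65")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) checksum: double every second digit from the right."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_valid_cc(candidate: str) -> bool:
    """Normalise separators, then apply length, issuer prefix and Luhn checks."""
    digits = re.sub(r"[ -]", "", candidate)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    if not digits.startswith(_ISSUER_PREFIXES):
        return False
    return luhn_ok(digits)


def find_ccs(text: str, allow: Sequence[str] = ()) -> List[str]:
    """Return validated card numbers (digits only) found in text, skipping any
    whose digit string is on the allow-list (e.g. documented test numbers)."""
    found: List[str] = []
    for match in _CANDIDATE.finditer(text):
        if is_valid_cc(match.group(0)):
            digits = re.sub(r"[ -]", "", match.group(0))
            if digits not in allow:
                found.append(digits)
    return found


def dlp_verdict(text: str, min_count: int = 1, allow: Sequence[str] = ()) -> bool:
    """True when at least min_count distinct hits remain; min_count stands in
    for the StructuredMinCreditCardCount threshold in clamd.conf."""
    return len(set(find_ccs(text, allow))) >= min_count


# Constructed sample: the card-like numbers are publicly documented test
# numbers, not real accounts; one has a deliberately broken checksum.
SAMPLE = (
    "Order 4111 1111 1111 1111 shipped; ticket 1234567890123 is a ref, not a card.\n"
    "Second card 5500-0000-0000-0004; typo 4111111111111112 fails the checksum."
)

if __name__ == "__main__":
    print(find_ccs(SAMPLE))        # ['4111111111111111', '5500000000000004']
    print(dlp_verdict(SAMPLE, 2))  # True
```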

Re: [clamav-users] freshclam exit codes

2017-02-16 Thread Steven Morgan
Hi,

It looks like return code 1 means the virus database is up to date (#define
FC_UPTODATE 1 from freshclamcodes.h). Please advise if this is incorrect or
inconsistent. The man page needs to be updated.

Thanks,
Steve

On Thu, Feb 16, 2017 at 4:27 AM, Andreas Schulze 
wrote:

> Hello,
>
> consider this setup. The goal is to run a separate clamav instance using
> *only* our database files
> to speed up clamav reload times.
>
> # cat custom-freshclam.conf
> DatabaseCustomURL http://our.clamav.mirror/local_foo.ndb
> DatabaseDirectory /path/to/custom_clamdir/
> # required but not relevant here
> DatabaseMirror our.clamav.mirror
>
> # freshclam --config-file=/path/to/custom-freshclam.conf
> --update-db=custom
> ...
>
> # echo $?
> 1
>
> unfortunately the exit code is *always* 1 ("man freshclam" doesn't
> describe 1 as an exit code at all ...)
> normally freshclam returns 0 if some files were updated or if all files are
> up to date.
> Am I using freshclam wrongly or should I consider this a bug?
> ( version 0.99.2 )
>
> --
> A. Schulze
> DATEV eG


Re: [clamav-users] clamdscan mail file

2017-02-15 Thread Steven Morgan
Hi,

Can you try 'clamscan --phishing-scan-urls' ?

Thanks,
Steve

On Mon, Feb 13, 2017 at 7:05 AM, TBits.net, Mailinglists <
mailingli...@tbits.net> wrote:

> Hi @all,
>
> clamav-milter identifies an email as infected by
> Heuristics.Phishing.Email.SSL-Spoof.
>
> This is correct, but when I scan this file in the quarantine with
> clamdscan or clamscan the file is clean.
> It seems that clamscan or clamdscan do not scan this file for phishing.
> Is it possible to scan a text file as a mail to identify it with phishing?
>
> Regards
> Andreas
>
>
> This message was sent using webmail of www.tbits.net.


Re: [clamav-users] error: 'os_generic' undeclared

2016-12-22 Thread Steven Morgan
Hi,

The os_generic was missing from the operating system enumeration. Here is a
patch to fix that:

diff --git a/libclamav/bytecode_detect.h b/libclamav/bytecode_detect.h
index 6f56908..b09c940 100644
--- a/libclamav/bytecode_detect.h
+++ b/libclamav/bytecode_detect.h
@@ -64,6 +64,7 @@ enum os_kind_conf {
   os_solaris,
   os_win32,
   os_win64,
+  os_generic,
   os_ANY = 0xff
 };
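Review bot: `os_generic` is appended with no explicit value directly before the `os_ANY = 0xff` sentinel, so it takes the next value after `os_win64` and every existing enumerator keeps its number; since only that ordering keeps the sentinel distinct, a one-line comment on the enum that new entries go before `os_ANY` would make it harder to break later. The hunk only declares the identifier that bytecode_detect.c:243 assigns to `env->os_category`; worth checking whether any switch or table keyed on `enum os_kind_conf` elsewhere in libclamav also needs an `os_generic` entry, otherwise the build passes but the new value is never handled.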

This should get you through that particular compile error.

Good luck,
Steve


On Thu, Dec 22, 2016 at 12:40 AM, crazy thinker 
wrote:

> Hi  all,
>
> I tried to build the clamav source code with NDK tools for the Android platform
> and x86 CPU architecture.
>
> Please find my build script below:
> #!/bin/bash
> export NDK=/home/crazythinker-admin/Android/Sdk/ndk-bundle
>
> $NDK/build/tools/make-standalone-toolchain.sh --platform=android-9 --toolchain=x86-4.9 --install-dir=`pwd`/i686-linux-android --force
> export TOOLCHAIN_PATH=`pwd`/i686-linux-android/bin
> export TOOL=i686-linux-android
>
> export NDK_TOOLCHAIN_BASENAME=${TOOLCHAIN_PATH}/${TOOL}
>
> export CC=$NDK_TOOLCHAIN_BASENAME-gcc
> export CXX=$NDK_TOOLCHAIN_BASENAME-g++
> export LINK=${CXX}
> export LD=$NDK_TOOLCHAIN_BASENAME-ld
> export AR=$NDK_TOOLCHAIN_BASENAME-ar
> export RANLIB=$NDK_TOOLCHAIN_BASENAME-ranlib
> export STRIP=$NDK_TOOLCHAIN_BASENAME-strip
>
> export ARCH_FLAGS="-march=i686 -msse3 -mstackrealign -mfpmath=sse"
> export ARCH_LINK=
> export CPPFLAGS=" ${ARCH_FLAGS} -fpic -ffunction-sections -funwind-tables -fstack-protector -fno-strict-aliasing -finline-limit=64 "
> export CXXFLAGS=" ${ARCH_FLAGS} -fpic -ffunction-sections -funwind-tables -fstack-protector -fno-strict-aliasing -finline-limit=64 -frtti -fexceptions "
> export CFLAGS=" ${ARCH_FLAGS} -fpic -ffunction-sections -funwind-tables -fstack-protector -fno-strict-aliasing -finline-limit=64 "
> export LDFLAGS=" ${ARCH_LINK} "
>
> #export CC="$NDK/toolchains/-4.9/prebuilt/linux-i686-linux-android_64/bin/i686-linux-android-clang --sysroot=$SYSROOT"
> #export AR="$NDK/toolchains/-4.9/prebuilt/linux-i686-linux-android_64/bin/i686-linux-android-clang-ar --sysroot=$SYSROOT"
> ./configure --host=x86 --disable-shared --disable-pthreads \
>   --with-openssl=/home/crazythinker-admin/Downloads/ClamAVNDK/OpenSSL/openssl-1.0.2 \
>   --with-pcre=/home/crazythinker-admin/Downloads/ClamAVNDK/pcre2-10.22/PCREx86 \
>   --with-zlib=/home/crazythinker-admin/Downloads/ClamAVNDK/zlib-1.2.8/ZLIBx86 \
>   --with-libncurses-prefix=/home/crazythinker-admin/Downloads/ClamAVNDK/ncurses-gittup/NCURSESx86 \
>   --prefix=$(pwd)/ClamAVx86 --disable-llvm --disable-quikdtop \
>   --disable-clamav --disable-yara --disable-bzip2 --disable-unrar --disable-fanotify \
>   --with-libcurl=/home/crazythinker-admin/Downloads/ClamAVNDK/curl-7.51.0/CURLx86
> make clean
> make
> make install
>
>
> My intention is to get the clamav engine library for the Android platform,
> so I tried to build it using cross compilation, but I got the error below.
>
>
> GEN  version.h
>   CC   libclamav_la-version.lo
>   CC   libclamav_la-mpool.lo
>   CC   libclamav_la-filtering.lo
>   CC   libclamav_la-fmap.lo
>   CC   libclamav_la-perflogging.lo
>   CC   libclamav_la-bytecode.lo
>   CC   libclamav_la-bytecode_vm.lo
>   CC   libclamav_la-cpio.lo
>   CC   libclamav_la-macho.lo
>   CC   libclamav_la-ishield.lo
>   CC   libclamav_la-bytecode_api.lo
>   CC   libclamav_la-bytecode_api_decl.lo
>   CC   libclamav_la-cache.lo
>   CC   libclamav_la-bytecode_detect.lo
> bytecode_detect.c: In function 'cli_detect_environment':
> bytecode_detect.c:243:24: error: 'os_generic' undeclared (first use in this function)
>  env->os_category = os_generic;
> ^
> bytecode_detect.c:243:24: note: each undeclared identifier is reported only once for each function it appears in
> make[4]: *** [libclamav_la-bytecode_detect.lo] Error 1
>
>
> Could you please help me find the root cause and resolve this error?
>
> any help/suggestions would be appreciated
>
>
> Thanks,
> Crazy Thinker


Re: [clamav-users] clamd/clamdscan and IPv6

2016-12-14 Thread Steven Morgan
Thanks, there was a little coding error. Following the connect() failure on
the local socket, the code was not checking if the TCPAddr option is
enabled.

Steve

On Wed, Dec 14, 2016 at 3:12 AM, Christoph Pleger 
wrote:

> Hello Steve,
>
> > Looking at the code, it appears that the error message occurs when the
> > clamd/clamdscan parameter "LocalSocket" is disabled, or it is enabled and
> > the socket connect() call fails, and also the TCPAddr parameter is
> > specified.
>
> Thank you for that hint. It brought me to the finding that, close to the
> time of the ISP change, I must have made an update of the clamav package
> that changed user and group ownership of the local socket without my
> knowledge.
>
> But TCPAddr was and is not enabled; clamconf says:
>
> TCPSocket
> disabled
> TCPAddr disabled
>
> Regards
>   Christoph
>


Re: [clamav-users] clamd/clamdscan and IPv6

2016-12-13 Thread Steven Morgan
Hello Christoph,

Looking at the code, it appears that the error message occurs when the
clamd/clamdscan parameter "LocalSocket" is disabled, or it is enabled and
the socket connect() call fails, and also the TCPAddr parameter is
specified.

Can you inspect and/or send the output of the 'clamconf' command?

Steve


Re: [clamav-users] Hi I have been using clamav for my linux system I use 12.04Ltd i have a query

2016-12-12 Thread Steven Morgan
On Sat, Dec 10, 2016 at 6:23 PM, Beth Macdougal 
wrote:

> now i am not positive about this whether it is a virus or not but i ran the
>
> clamscan -r --bell -i /
>
> and when it finished it said
>
> LibClamAV Warning: fmap_readpage: pread fail: asked for 4085 bytes @ offset
>
[...]

This warning message does not indicate the presence of a virus. If you take
out the -i flag, you should be able to determine the file where the warning
occurred.

Hope this helps,
Steve


Re: [clamav-users] Problems with safe browsing

2016-11-10 Thread Steven Morgan
Hi Tom,

Is it an email file? Looks like the safebrowsing checks only occur during
email file parsing.

Hope this helps,
Steve


Re: [clamav-users] Building issues with libclamav

2016-11-02 Thread Steven Morgan
Hi Michael,

Thanks for your report. Building ClamAV with Visual Studio 2015 will not be
supported until 0.99.3. That said, this work is considered complete with
the latest ClamAV sources from github.com/vrtadmin/clamav-devel. Please try
it using the master and/or 0.99.3 branch(es) from
github.com/vrtadmin/clamav-devel. We would appreciate your feedback on
building ClamAV with VS2015 using these sources.

Thank you,
Steve Morgan

On Wed, Nov 2, 2016 at 4:14 PM, Michael Mckeown 
wrote:

> Using VS2015, errors:
>
> > 1>c:\...\visual studio 2015\projects\clamav-0.99.2\win32\3rdparty\pthreads\ptw32_relmillisecs.c(80): error C2037: left of 'tv_sec' specifies undefined struct/union 'timespec'
> > 1>c:\...\visual studio 2015\projects\clamav-0.99.2\win32\3rdparty\pthreads\ptw32_relmillisecs.c(81): error C2037: left of 'tv_nsec' specifies undefined struct/union 'timespec'
> > 1>c:\...\visual studio 2015\projects\clamav-0.99.2\win32\3rdparty\pthreads\pthread_delay_np.c(96): error C2037: left of 'tv_sec' specifies undefined struct/union 'timespec'
> > 1>c:\...\visual studio 2015\projects\clamav-0.99.2\win32\3rdparty\pthreads\pthread_delay_np.c(96): error C2037: left of 'tv_nsec' specifies undefined struct/union 'timespec'
> > 1>c:\...\visual studio 2015\projects\clamav-0.99.2\win32\3rdparty\pthreads\pthread_delay_np.c(105): error C2037: left of 'tv_sec' specifies undefined struct/union 'timespec'
> > 1>c:\...\visual studio 2015\projects\clamav-0.99.2\win32\3rdparty\pthreads\pthread_delay_np.c(108): error C2037: left of 'tv_nsec' specifies undefined struct/union 'timespec'
>
> only building libclamav and using visual studio 2013 as the platform
> toolset as 2015 gives lots of the following:
>
> > fatal error C1189: #error: Macro definition of snprintf conflicts with Standard Library function declaration
>
> Can anyone help me out with this?
>
> Also, when I eventually get this working, must it be a .dll that's built
> rather than a .lib?
>
> Thank you.


Re: [clamav-users] ClamAV libclamunrar bug ?

2016-11-01 Thread Steven Morgan
Hi,

Thanks for reporting this.

Could you please open a bug report at bugzilla.clamav.net. Please also
attach the rar file to the bugzilla ticket.

Thanks,
Steve Morgan

On Mon, Oct 31, 2016 at 9:04 PM, Qmail  wrote:

> There's a new Javascript malware floating around in a RAR archive that
> somehow kills scanrar I believe.
> The virus gets properly detected when decompressed as:
> Sanesecurity.Malware.25834.JsHeur.UNOFFICIAL FOUND
> When the .js file is recompressed on my desktop to a .rar it also gets
> properly detected in the .rar file.
> However the original .rar file that arrived in the e-mail doesn't get
> flagged at all.
> I am running version 0.99.2 on CentOS 6.7.
> Running clamscan in debug mode shows some kind of corruption when reading
> the e-mail .rar file, although unrar unpacks it without problems:
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: Descriptor[3]: Can't unpack some data
> Anyone else saw this ? Is it a bug within libclamunrar ?


Re: [clamav-users] swift.doc Doc.Dropper.Agent-1776597

2016-10-21 Thread Steven Morgan
The problem report for this issue is
https://bugzilla.clamav.net/show_bug.cgi?id=11651.

Steve

On Wed, Oct 19, 2016 at 5:29 PM, Joel Esler (jesler) 
wrote:

> Yup, that’s one of mine.  Glad to see my system is working ;)
>
> As far as why it didn’t work, I’ll have to defer this to Steve on the dev
> team.
>
> --
> Joel Esler | Talos: Manager| jes...@cisco.com
>
>
>
>
>
> On Oct 19, 2016, at 10:16 AM, Steve Basford wrote:
>
>
> On Wed, October 19, 2016 3:12 pm, Joel Esler (jesler) wrote:
> Heino,
>
>
> Can you clarify which sig caught it?
>
>
> Doc.Dropper.Agent-177659 is not an actual sig number.
>
> Damn cut and paste... it's: Doc.Dropper.Agent-1776597
> (a hash)
>
> --
> Cheers,
>
> Steve
> Twitter: @sanesecurity
>

Re: [clamav-users] Suggestion: Need option to "Block Skipped Files" and Scan Summary to indicate "Skipped files"

2016-09-16 Thread Steven Morgan
Mark,

No, but you can get the latest code from github.com/vrtadmin/clamav-devel.
There you will find clamscan --block-max. Clamd BlockMax and documentation
is coming soon.

Steve


Re: [clamav-users] Suggestion: Need option to "Block Skipped Files" and Scan Summary to indicate "Skipped files"

2016-09-15 Thread Steven Morgan
Hi,

There will be an option --block-max (clamd - BlockMax) in ClamAV 0.99.3.

Steve

On Thu, Sep 15, 2016 at 1:44 AM, Andy Schmidt 
wrote:

> Hi,
>
> I didn't know if I was supposed to use the "Bug Reporting" system, as this
> really is reporting an issue with how the software operates "as designed".
>
> Currently, ClamAV will indicate whether an infected file was found - THAT
> condition is non-ambiguous.
>
> However, when ClamAV reports:
>
> --- SCAN SUMMARY ---
> Infected files: 0
>
> It actually can be highly misleading.
>
> If one of the scanned files exceeded some of the limits, such as:
>
> MaxScanSize 150M
> MaxFileSize 150M
> #MaxRecursion 16
> #MaxFiles 1
>
> then the actual "infected" status of that file is completely unknown! The
> end-user has no warning that the file was NOT virus-scanned!
>
> May I respectfully suggest:
>
> a) A config option "BlockSkipped yes"
> (equivalent to the already existing "ArchiveBlockEncrypted yes").
> This way, the user can opt to receive a specific message indicating which
> limit prevented a file from being scanned, rather than being "lulled" into
> thinking that everything is "A-OK".
> An automated process that incorporates ClamAV would be able to take a
> different path, e.g., require the user to scrutinize the file more
> carefully.
>
> b) An appropriate line in the SCAN SUMMARY, e.g.:
> --- SCAN SUMMARY ---
> Infected files: 0
> Skipped files: 1
> Time: 1.610 sec (0 m 1 s)
>
> Thanks for giving this suggestion your consideration.
>
> Best Regards
> Andy Schmidt
>
>
>


Re: [clamav-users] Match on raw .wsf file?

2016-09-01 Thread Steven Morgan
Please try clamscan --scan-html=no to turn off normalization.

Hope this helps,
Steve

On Tue, Aug 30, 2016 at 4:36 PM, Kris Deugau  wrote:

> Is there a way to force matching on the raw file, or at least control
> the normalization to some degree so that formatting and details in the
> original code aren't lost?
>
> I've been coming across .wsf files in .zip files, which are essentially
> Javascript wrapped in a very thin wrapper:
>
> 
> [insert nasty Javascript here]
> 
>
> However, signatures I've created based on the raw file never match, and
> I finally figured out a few months ago that I'd have to use clamscan
> --leave-temps to dig up the normalized text Clam was actually running
> pattern matches against.
>
> Unfortunately I've just discovered a flaw in this process, in that the
> normalizing process is also stripping off some of the key JS-obfuscation.
>
> I've posted the raw first ~8 lines of one of these files, and the
> normalized version of that same chunk of text:
>
> http://deepnet.cx/clamfrags/raw-wsf-01
> http://deepnet.cx/clamfrags/norm-wsf-01
>
> In this case, one of the key things I'd like to match on is the
> "br"+"o"+"ken" strings in their broken form, but that information is
> wiped away in the normalized version.
>
> -kgd


Re: [clamav-users] LibClamAV Error: yyerror(): test.yar line 6 undefined identifier "filename"

2016-08-11 Thread Steven Morgan
filename does not appear as a yara keyword:

http://yara.readthedocs.io/en/latest/writingrules.html

Is it a new keyword not yet in a released version of yara? Did you mean
filesize?

On Thu, Aug 11, 2016 at 5:21 AM, Axb  wrote:

> Guys,
>
> clamscan --database=test.yar blah.html
> LibClamAV Error: yyerror(): test.yar line 6 undefined identifier
> "filename"
> LibClamAV Error: cli_loadyara: failed to parse rules file test.yar, error
> count 1
> test.yar: OK
> blah.html: OK
>
> test.yar
> rule TEST_BLAH_FILENAME
> {
> strings:
> $BLAH = "blah"
>  condition:
>  $BLAH and filename == "blah.html"
> }
>
> Am I missing something? or is filename unsupported by ClamAV's YARA engine?
>
> Thanks!
> Axb


Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Steven Morgan
On Thu, Jun 30, 2016 at 2:27 PM, Paul Kosinski  wrote:

>
> Shouldn't exactly one 'and' be an 'or' in:
>
> "($abc and not $abc) and filesize < 200KB"
>

Yes, the first 'and' must be an 'or'. Thank you!

Steve


Re: [clamav-users] YARA: filesize condition

2016-06-30 Thread Steven Morgan
On Thu, Jun 30, 2016 at 10:06 AM, Axb  wrote:

>
> When trying to use filesize condition in a Yara sig
>
> rule FileSize_200KB
> {
> condition:
>filesize < 200KB
> }
>
>
Hi,

That is correct. ClamAV uses matching of yara strings to drive the yara
condition. filesize will work in a yara condition in ClamAV, but only when
there is a string match. I'd suppose something like this should work:

rule Filesize_200KB
{
strings:
 $abc = "abc"

condition:
($abc and not $abc) and filesize < 200KB
}


Steve


Re: [clamav-users] fake mp3, real malware.

2016-06-06 Thread Steven Morgan
Sorry, try it now.

On Mon, Jun 6, 2016 at 3:30 PM, Benny Pedersen <m...@junc.eu> wrote:

> On 2016-06-06 18:12, Steven Morgan wrote:
>
>> Tracking with https://bugzilla.clamav.net/show_bug.cgi?id=11582.
>>
>
> You are not authorized to access bug #11582.
>


Re: [clamav-users] fake mp3, real malware.

2016-06-06 Thread Steven Morgan
Tracking with https://bugzilla.clamav.net/show_bug.cgi?id=11582.

On Sat, Jun 4, 2016 at 10:21 AM, Arnaud Jacques / SecuriteInfo.com <
webmas...@securiteinfo.com> wrote:

> Hello Clamav,
>
> A new malware is an ASCII text beginning with "ID3 = ".
> Clamav sees it as an MP3 file:
>
> clamscan --debug SecuriteInfo.com.JS.Downloader.Agent.15736.18211.371
> (...)
> LibClamAV debug: Recognized MP3 file
> (...)
>
> clamscan -V
> ClamAV 0.99.2/21668/Sat Jun  4 11:35:05 2016
>
> The problem is this ascii malware cannot be normalised, but it should be.
>
> The sample has been sent to http://www.clamav.net/reports/malware
>
> md5sum of malware sent is : 023bff926f5852ba0e58a72c10e77f2a
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom

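An added example, not ClamAV's type-detection code and not the fix eventually applied to bug 11582: a prefix-only sniffer reproduces the misclassification reported above (any file opening with the bytes "ID3" is taken as MP3, so the ASCII script is never handed to the text normaliser), while validating the fixed ID3v2 header layout from the public spec ("ID3", major version, revision, flags, then a 4-byte syncsafe size) rejects the "ID3 = " text so it falls through to text handling. The two sample inputs and the printable-ratio text heuristic are constructed for the example.

```python
from typing import Tuple

ID3_MAGIC = b"ID3"


def looks_textual(data: bytes, window: int = 512) -> bool:
    """Cheap printable-ratio heuristic over the first `window` bytes
    (a constructed stand-in for a real text detector)."""
    sample = data[:window]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def naive_file_type(data: bytes) -> str:
    """Prefix-only sniffer: the behaviour described in the thread, where the
    three magic bytes alone route the file to the MP3 path."""
    if data.startswith(ID3_MAGIC):
        return "mp3"
    return "text" if looks_textual(data) else "binary"


def parse_id3v2_header(data: bytes) -> Tuple[bool, int]:
    """Validate the 10-byte ID3v2 header; return (valid, tag_size).

    Layout per the ID3v2 spec: 'ID3', major version, revision, flags, then a
    4-byte syncsafe size in which every byte has its top bit clear."""
    if len(data) < 10 or data[:3] != ID3_MAGIC:
        return False, 0
    major, revision, flags = data[3], data[4], data[5]
    if major not in (2, 3, 4) or revision == 0xFF:
        return False, 0
    if flags & 0x0F:            # low four flag bits are undefined in v2.2-v2.4
        return False, 0
    size = 0
    for byte in data[6:10]:
        if byte & 0x80:         # not syncsafe: cannot be a real header
            return False, 0
        size = (size << 7) | byte
    return True, size


def strict_file_type(data: bytes) -> str:
    """Structure-aware sniffer: require a plausible ID3v2 header, otherwise
    fall back to the text heuristic so scripts are normalised as text."""
    valid, _ = parse_id3v2_header(data)
    if valid:
        return "mp3"
    return "text" if looks_textual(data) else "binary"


# Constructed samples. FAKE_MP3 has the reported shape: script text whose
# first bytes happen to be "ID3 = ". REAL_MP3 is a minimal ID3v2.3 header
# declaring a 33-byte tag body, followed by an MPEG frame sync and padding.
FAKE_MP3 = b'ID3 = "x"; var s = "ID3" + " tag"; alert(s);\n'
REAL_MP3 = (b"ID3\x03\x00\x00" + b"\x00\x00\x00\x21"
            + b"\x00" * 33 + b"\xff\xfb" + b"\x00" * 20)

if __name__ == "__main__":
    print(naive_file_type(FAKE_MP3), strict_file_type(FAKE_MP3))   # mp3 text
    print(naive_file_type(REAL_MP3), strict_file_type(REAL_MP3))   # mp3 mp3
```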

Re: [clamav-users] Installing ClamAV in Amazon Linux with yum

2016-05-18 Thread Steven Morgan
Hi Mich,

You should contact your package maintainers. You can also install ClamAV
from source. ./configure will attempt to locate pcre in the usual places.
You can also use ./configure --with-pcre=[pcre path] if that doesn't work.

Hope this helps,
Steve


Re: [clamav-users] sigtool reports an error

2016-04-14 Thread Steven Morgan
Hi Arnaud, I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11553
for a fix.

Thanks for your report,
Steve

On Thu, Apr 14, 2016 at 11:03 AM, Arnaud Jacques / SecuriteInfo.com <
webmas...@securiteinfo.com> wrote:

> Hello,
>
> Using sigtool -l always reports this error :
>
> ERROR: listdb: Malformed pattern line 1 (file /tmp/clamav-c57a51d1b297cd6a8b2ca0810c9776f9.tmp/daily.cdb)
> ERROR: listdb: Error listing database
> /tmp/clamav-c57a51d1b297cd6a8b2ca0810c9776f9.tmp/daily.cdb
> ERROR: listdb: Can't list directory /var/lib/clamav/daily.cld
> ERROR: listdb: Error listing database /var/lib/clamav/daily.cld
>
> Tested on 3 different servers. /tmp is not full.
>
> sigtool -V
> ClamAV 0.99/21492/Thu Apr 14 04:35:17 2016
>
> Any clue ?
>
> --
> Best regards,
>
> Arnaud Jacques
> SecuriteInfo.com
>
> Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
> Twitter : @SecuriteInfoCom


Re: [clamav-users] Error in Make - How to get patch 59d05bf.patch

2016-04-13 Thread Steven Morgan
I think the patch he's talking about is here:

https://bugzilla.clamav.net/attachment.cgi?id=5481&action=diff

Although it is for an old version of ClamAV (0.98). Is that the version you
are using?

Steve


Re: [clamav-users] Error in Make -

2016-04-13 Thread Steven Morgan
Yes, gmake is recommended (although bsd make generally works except for
'make check'). At mbox.c:2816, I have:

break;

Mine is in the function rfc2047(), not rfc1341(). What is your version of
ClamAV? Is it possible that your mbox.c is corrupted?

Steve


Re: [clamav-users] Strange problem with custom Yara rule

2016-04-13 Thread Steven Morgan
Hi,

Thanks for the example. I've opened bug
https://bugzilla.clamav.net/show_bug.cgi?id=11552 to track.

Thanks again,
Steve


Re: [clamav-users] Strange problem with custom Yara rule

2016-04-13 Thread Steven Morgan
Hi,

The first question is: Do you have pcre installed and was it found by
ClamAV ./configure? You should see something like:

  pcre: /usr

near the end of the ./configure output.

Steve


Re: [clamav-users] Error in Make -

2016-04-13 Thread Steven Morgan
Hi,

gcc is needed to compile ClamAV on AIX. Web search "gcc aix" to get info on
installing gcc.

Steve


Re: [clamav-users] LibClamAV Warning: cli_tnef: file truncated, returning CLEAN

2016-04-07 Thread Steven Morgan
Hi,

Looking in the code, the file was truncated, as the warning message states.
The message is issued by the TNEF file parser. Returning CLEAN from the
parser tells the caller(the TNEF scanner) to scan all of the previously
extracted parts of the TNEF message for viruses.

Hope this helps,
Steve


Re: [clamav-users] Curious clamd behavior

2016-03-24 Thread Steven Morgan
Hi Dave,

I opened https://bugzilla.clamav.net/show_bug.cgi?id=11544 to track this
issue. Can you attach your mail file(s) and pdb signature(s) the bugzilla
ticket please? I'd also like to know the details of MTA you are using and
whether it uses milter or the clamd protocol directly.

Thanks,
Steve


Re: [clamav-users] C++ Compiler for IBM AIX-6100

2016-03-23 Thread Steven Morgan
I've used gcc 4.6.3 and 4.8.4 (and others) with success, although not on
AIX.


Re: [clamav-users] freshclam error

2016-03-19 Thread Steven Morgan
This is a wild guess, but try to configure ClamAV with --enable-llvm=no.

Otherwise, open a bug at bugzilla.clamav.net.

Steve


Re: [clamav-users] freshclam error

2016-03-19 Thread Steven Morgan
I'm thinking this is the same problem as
https://bugzilla.clamav.net/show_bug.cgi?id=11309 . You'll find a few other
./configure options there.

Steve


Re: [clamav-users] Why does this happen?

2016-03-19 Thread Steven Morgan
Scott,

In that case, please open a bug report.

On Tue, Mar 15, 2016 at 5:37 PM, Scott Galambos <sco...@particlesoftware.com> wrote:

> testfile.pdf is an encrypted and password protected file.  I have
> "ArchiveBlockEncrypted No" in clamd.conf.
>
> And a scan still finds it infected.
>
> server(/tmp): clamdscan --config-file=/apps/clamav/etc/clamd.conf
> testfile.pdf
> /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND
>
> Why?  How do I stop this?
>
>
>
> On 2016-03-15 2:13 PM, Steven Morgan wrote:
>
>> Hi,
>>
>> I took a quick look at the code. The "Heuristics.Encrypted.PDF" is off by
>> default. Try clamscan --block-encrypted. If you have
>> 'ArchiveBlockEncrypted
>> yes' in your clamd.conf, it would explain the results you are seeing with
>> clamdscan.
>>
>> Is testfile.pdf encrypted?
>>
>> Check these things out and if it still does not make sense, please open a
>> bug report at bugzilla.clamav.net.
>>
>> On Tue, Mar 15, 2016 at 2:07 PM, Scott Galambos <sco...@particlesoftware.com>
>> wrote:
>>
>> Trying to wrap my head around this.
>>>
>>> central(/temp): clamdscan testfile.pdf
>>> /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND
>>>
>>> central(/temp): clamscan testfile.pdf
>>> testfile.pdf: OK
>>>
>>>
>>> Why does clamdscan find a virus, but clamscan not??
>>>


Re: [clamav-users] Why does this happen?

2016-03-15 Thread Steven Morgan
Hi,

I took a quick look at the code. The "Heuristics.Encrypted.PDF" is off by
default. Try clamscan --block-encrypted. If you have 'ArchiveBlockEncrypted
yes' in your clamd.conf, it would explain the results you are seeing with
clamdscan.

Is testfile.pdf encrypted?

Check these things out and if it still does not make sense, please open a
bug report at bugzilla.clamav.net.

On Tue, Mar 15, 2016 at 2:07 PM, Scott Galambos  wrote:

> Trying to wrap my head around this.
>
> central(/temp): clamdscan testfile.pdf
> /temp/testfile.pdf: Heuristics.Encrypted.PDF FOUND
>
> central(/temp): clamscan testfile.pdf
> testfile.pdf: OK
>
>
> Why does clamdscan find a virus, but clamscan not??
>


Re: [clamav-users] Couple problems

2016-03-15 Thread Steven Morgan
Hi,

I took a quick look at the code. The "Heuristics.Encrypted.PDF" is off by
default. Try clamscan --block-encrypted. If you have 'ArchiveBlockEncrypted
yes' in your clamd.conf, it would explain the results you are seeing with
milter.

Is testfile.pdf encrypted?

Check these things out and if it still does not make sense, please open a
bug report at bugzilla.clamav.net.

Heuristic signatures cannot be whitelisted. There is a bugzilla enhancement
request for this already. May be in a future release.

Steve
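
To see what "Is testfile.pdf encrypted?" amounts to at the byte level, here is an
added Python check; it is not code from this thread or from ClamAV. It looks for
the /Encrypt key that password protection adds to a PDF's trailer (or, for PDF
1.5+ files, to the cross-reference stream dictionary) and reports which security
handler the referenced dictionary names. The two sample PDFs are constructed
inline and are not the poster's testfile.pdf.

```python
import re

# Constructed sample PDFs (not the thread's testfile.pdf): a plain one and one
# whose trailer carries an /Encrypt entry pointing at a Standard security
# handler dictionary, which is what password protection adds to a PDF.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Size 3 /Root 1 0 R >>
%%EOF
"""

ENCRYPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <00> /U <00> >> endobj
trailer << /Size 4 /Root 1 0 R /Encrypt 3 0 R /ID [<01> <02>] >>
%%EOF
"""

# Trailer dictionaries: the classic "trailer << ... >>" block and, for PDF 1.5+
# files with cross-reference streams, a dictionary carrying /Type /XRef.
TRAILER_DICT_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
XREF_STREAM_DICT_RE = re.compile(rb"<<((?:(?!>>).)*?/Type\s*/XRef.*?)>>", re.DOTALL)
ENCRYPT_REF_RE = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R")


def find_encrypt_ref(pdf: bytes):
    """Return (objnum, gen) of the /Encrypt dictionary referenced from a trailer,
    or None when no trailer names an encryption dictionary."""
    for pattern in (TRAILER_DICT_RE, XREF_STREAM_DICT_RE):
        for m in pattern.finditer(pdf):
            ref = ENCRYPT_REF_RE.search(m.group(1))
            if ref:
                return int(ref.group(1)), int(ref.group(2))
    return None


def security_handler(pdf: bytes, ref):
    """Name of the /Filter in the encryption dictionary ("Standard" for
    password-protected files), or None if the object cannot be located."""
    objnum, gen = ref
    obj_re = re.compile(
        rb"(?<!\d)%d\s+%d\s+obj\s*<<(.*?)>>\s*endobj" % (objnum, gen), re.DOTALL)
    m = obj_re.search(pdf)
    if not m:
        return None
    f = re.search(rb"/Filter\s*/(\w+)", m.group(1))
    return f.group(1).decode() if f else None


def describe(pdf: bytes) -> str:
    """One-line verdict in the spirit of a clamscan report line."""
    ref = find_encrypt_ref(pdf)
    if ref is None:
        return "OK"
    handler = security_handler(pdf, ref) or "unknown"
    return "encrypted (handler=%s, dict=%d %d obj)" % (handler, ref[0], ref[1])


if __name__ == "__main__":
    for name, blob in (("plain.pdf", PLAIN_PDF), ("locked.pdf", ENCRYPTED_PDF)):
        print("%s: %s" % (name, describe(blob)))
```

clamscan only reports Heuristics.Encrypted.PDF when run with --block-encrypted
(and clamd only when clamd.conf has ArchiveBlockEncrypted yes), so a check like
this is for confirming why that name shows up for a given file, not for
replacing the scanner.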


Re: [clamav-users] What does TargetType 10 for a signature mean ?

2016-02-29 Thread Steven Morgan
Hi,

Could you please open a bug report at bugzilla.clamav.net? Please attach
the sample(s) and signatures(s) that you are using.

I'd like to make sure this is tracked for investigation and possible code
and documentation improvements. Sounds like there are some things to sort
out here...

Thanks,
Steve

On Sun, Feb 28, 2016 at 9:20 AM, David Shrimpton 
wrote:

> Hi,
>
> I wrote a signature against one of the temporary files clamav
> pulled out of a pdf when --scan-pdf=yes.
>
> (The signature does not hit when --scan-pdf=no.)
>
> If the signature is TargetType 10 = PDF it was not hit.
>
> If it was type 0 = any file, it was hit.   But it would also be hit
> by other files not related to the pdf  eg text or html,
> which I don't want.  I only want to match
> files pulled out of a pdf by --scan-pdf.
>
> (clamav --debug reports the file from the pdf as ascii , but Target Type 7
> for normalized ascii file does not work.)
>
> This is similar confusion to what type 2 means.
>
> signatures.pdf says type 2 is a file inside an OLE2 container but it actually
> appears to denote an OLE2 container itself and not a file inside one
> unless that file is itself an OLE2 container.
>
> It seems to me that having additional types may be helpful: eg any file
> inside an OLE2  or any 'file' inside a pdf in addition to type 2 and 10.
>
>
> PS it appears -z does not work when there is a hit on a 'file' inside a
> PDF.  Other signatures that match the pdf itself are not reported as being
> hit.  This is a similar problem to -z not working when there are hits on
> macros
> inside OLE2 or a hit on Heuristics.OLE2.ContainsMacros.
>
> --
> David Shrimpton


Re: [clamav-users] heuristic-scan-precedence is broken

2016-02-29 Thread Steven Morgan
David,

Thanks for your report. Tracking here:

https://bugzilla.clamav.net/show_bug.cgi?id=11512

Steve


On Sun, Feb 28, 2016 at 6:10 AM, David Shrimpton 
wrote:

> Hi,
>
> --heuristic-scan-precedence=no is broken in clamav-0.99
>
> eg  create a test encrypted zip /tmp/abcdef.zip
>
> clamscan -z --database=/tmp/test.ndb  --block-encrypted=yes /tmp/abcdef.zip
> /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
>
> clamscan -z --database=/tmp/test.ndb --block-encrypted=no /tmp/abcdef.zip
> /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
> /tmp/abcdef.zip: testsig.1.UNOFFICIAL FOUND
>
> clamscan -z --database=/tmp/test.ndb --block-encrypted=yes
> --heuristic-scan-precedence=no /tmp/abcdef.zip
> /tmp/abcdef.zip: Heuristics.Encrypted.Zip FOUND
>
>
>
> With --heuristic-scan-precedence=no  testsig.1.UNOFFICIAL should have been
> returned and not Heuristics.Encrypted.Zip .
>
> With -z --heuristic-scan-precedence=no , both testsig.1.UNOFFICIAL
> and Heuristics.Encrypted.Zip should have been returned.
>
> This is same problem as occurs with clamdscan and OLE2BlockMacros yes.
> Heuristics.OLE2.ContainsMacros gets returned and not any real sigs that
> also might match.
>
> I suspect --heuristic-scan-precedence=no might not work for any heuristic
> detection.
>
> If heuristic-scan-precedence=no worked , you could parse the returned
> virus name and treat files that only matched Heuristics sig eg
> pdf or encrypted zip or ole2 with macros, differently to files that matched
> a real sig.  eg do logging only instead of discarding.
>
> --
> David Shrimpton


Re: [clamav-users] windows cache

2016-02-26 Thread Steven Morgan
Hi,

Caching is supported on Windows and enabled by default.

The clamd local socket is not supported on Windows.


On Fri, Feb 26, 2016 at 6:55 AM, fdff affg  wrote:

> Hi!
> Does the cache engine (caching scanned files to increase performance
> and not scan them again) work on the Windows version (official Windows
> build)?
> Is it enabled by default?
> Is it possible to run clamd with a local socket rather than a TCP socket (on Windows)?
> ClamAV version: 0.99


Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Whoops, I take that back. The code used in ClamAV appears more similar to
the "BSD library." Comments state:

 * This code is derived from OpenBSD's libc/regex, original license follows:
 *
 * Copyright (c) 1992, 1993, 1994 Henry Spencer.
 * Copyright (c) 1992, 1993, 1994
 *The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Henry Spencer.
 *

So, I can't say for sure what is the POSIX support without additional
research. Best bet is to follow Steve Basford's sanesecurity example to get
you going. I don't see any .cdb in the official ClamAV virus database.

Steve

On Thu, Feb 18, 2016 at 6:13 PM, Steven Morgan <smor...@sourcefire.com>
wrote:

> Please see https://garyhouston.github.io/regex/.
>
> Looks like ClamAV uses what is called the "old library." I don't think
> this is POSIX compliant with regard to regular expressions.
>
> Hope this helps,
> Steve
>
> On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu <meh...@activecom.net>
> wrote:
>
>>
>> > On Feb 18, 2016, at 8:14 PM, Steven Morgan <smor...@sourcefire.com>
>> wrote:
>> >
>> > cdb signatures use a regex library known as "Henry Spencer's regular
>> > expressions." Googling documentation for that should give what you want.
>>
>> Thank you for the information. I searched out for that and found
>> documentation, but am not able to get the desired outcome. Henry Spencer’s
>> regular expressions are supposed to be POSIX compliant and "\s" is valid
>> for space but I cannot get it to work.
>>
>> For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but
>> "^New\sDoc.*" or "^New Doc.*" does not.
>>
>> Thanks
>>
>> --
>> Mehmet Avcioglu
>> meh...@activecom.net
>>

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
Please see https://garyhouston.github.io/regex/.

Looks like ClamAV uses what is called the "old library." I don't think this
is POSIX compliant with regard to regular expressions.

Hope this helps,
Steve

On Thu, Feb 18, 2016 at 3:12 PM, Mehmet Avcioglu <meh...@activecom.net>
wrote:

>
> > On Feb 18, 2016, at 8:14 PM, Steven Morgan <smor...@sourcefire.com>
> wrote:
> >
> > cdb signatures use a regex library known as "Henry Spencer's regular
> > expressions." Googling documentation for that should give what you want.
>
> Thank you for the information. I searched out for that and found
> documentation, but am not able to get the desired outcome. Henry Spencer’s
> regular expressions are supposed to be POSIX compliant and "\s" is valid
> for space but I cannot get it to work.
>
> For example I am able to use "^New.Doc.*" to match for "New Doc.xls" but
> "^New\sDoc.*" or "^New Doc.*" does not.
>
> Thanks
>
> --
> Mehmet Avcioglu
> meh...@activecom.net
>

Re: [clamav-users] Filename Regex

2016-02-18 Thread Steven Morgan
cdb signatures use a regex library known as "Henry Spencer's regular
expressions." Googling documentation for that should give what you want.

Steve

On Thu, Feb 18, 2016 at 6:39 AM, Mehmet Avcioglu 
wrote:

>
> What is the format for Filename Regex pattern used in cdb signature files?
>
> I have not been able to find a documentation for this and some of the
> valid regex strings I use are not recognized. For example I cannot find a
> way to match for '@' character, or use '\s' for white space.
>
> Thanks
>
> --
> Mehmet Avcioglu
> meh...@activecom.net
>
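
Since the .cdb format itself is never spelled out in this thread, here is an
added Python evaluator for container metadata signatures; it is not ClamAV
code. It splits a .cdb line into the ten fields the signatures manual
documents, matches them against the members of a ZIP built inline, and flags
Perl-only regex constructs such as \s before the signature is ever loaded. The
signatures and the ZIP are constructed; SIG_NEWDOC uses the ^New.Doc.*
expression the poster reported working. Python's re is not ClamAV's
Spencer-derived engine, so SIG_PERL matches here while, per the thread, it does
not in ClamAV; the ground truth remains `clamscan -d test.cdb sample.zip`.

```python
import io
import re
import zipfile

# Field order of a .cdb line, per the ClamAV signatures manual:
# VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
# FileSizeReal:IsEncrypted:FilePos:Res1:Res2   (Res1 is the CRC32 for ZIPs)
CDB_FIELDS = ("name", "container", "container_size", "filename_regex",
              "size_in_container", "size_real", "is_encrypted", "file_pos",
              "crc32", "res2")
# Perl-style constructs POSIX ERE does not define; the thread reports "\s"
# is not honoured by ClamAV's Spencer-derived engine, so flag them up front.
NON_POSIX_RE = re.compile(r"\\[sSdDwWbB]|\(\?")


def parse_cdb_line(line: str) -> dict:
    """Split one .cdb line into its ten colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(CDB_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CDB_FIELDS), len(parts)))
    sig = dict(zip(CDB_FIELDS, parts))
    sig["filename_regex"] = re.compile(sig["filename_regex"])
    return sig


def portability_warnings(line: str) -> list:
    """Perl-only regex constructs in the filename field of a .cdb line."""
    return [m.group(0) for m in NON_POSIX_RE.finditer(line.split(":")[3])]


def spec_matches(spec: str, value: int) -> bool:
    """'*' is a wildcard, 'lo-hi' an inclusive range, anything else exact."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(spec) == value


def zip_entries(blob: bytes):
    """The per-member attributes the cdb fields are compared against."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for pos, info in enumerate(zf.infolist(), start=1):
            yield {"name": info.filename,
                   "size_in_container": info.compress_size,
                   "size_real": info.file_size,
                   "is_encrypted": int(bool(info.flag_bits & 0x1)),
                   "file_pos": pos,
                   "crc32": info.CRC}


def match_zip(sig: dict, blob: bytes) -> list:
    """Names of ZIP members that satisfy every field of the signature."""
    if sig["container"] not in ("*", "CL_TYPE_ZIP"):
        return []
    if not spec_matches(sig["container_size"], len(blob)):
        return []
    hits = []
    for e in zip_entries(blob):
        if not sig["filename_regex"].search(e["name"]):
            continue
        if not all(spec_matches(sig[k], e[k]) for k in
                   ("size_in_container", "size_real", "is_encrypted", "file_pos")):
            continue
        if sig["crc32"] != "*" and int(sig["crc32"], 16) != e["crc32"]:
            continue
        hits.append(e["name"])
    return hits


def build_sample_zip() -> bytes:
    """Constructed container: the thread's 'New Doc.xls' plus two decoys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("New Doc.xls", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
        zf.writestr("readme.txt", b"nothing to see here\n")
        zf.writestr("invoice.exe", b"MZ" + b"\x90" * 128)
    return buf.getvalue()


# Constructed signatures; SIG_NEWDOC uses the regex the poster reported working.
SIG_NEWDOC = "Test.Cdb.NewDoc.UNOFFICIAL:CL_TYPE_ZIP:*:^New.Doc.*:*:*:*:*:*:*"
SIG_EXE = "Test.Cdb.ExeInZip.UNOFFICIAL:CL_TYPE_ZIP:*:\\.exe$:*:*:0:*:*:*"
SIG_PERL = "Test.Cdb.Space.UNOFFICIAL:CL_TYPE_ZIP:*:^New\\sDoc.*:*:*:*:*:*:*"

if __name__ == "__main__":
    blob = build_sample_zip()
    for line in (SIG_NEWDOC, SIG_EXE, SIG_PERL):
        sig = parse_cdb_line(line)
        print(sig["name"], match_zip(sig, blob), portability_warnings(line))
```

The filename field cannot contain a colon, because the line is split on
colons before the regex is compiled, which is also why the evaluator insists
on exactly ten fields.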


Re: [clamav-users] ClamAV automation question

2016-02-10 Thread Steven Morgan
Edwin,

Sounds like on-access scanning with clamd may be useful in your case.

You will need ClamAV 0.99. Here is some additional info:

http://blog.clamav.net/2015/09/clamav-099b2-on-access-scanning-now.html

Steve



On Wed, Feb 10, 2016 at 3:58 AM, Edwin Nguku 
wrote:

> Hi, what commands can I run as root to configure ClamAV to carry out real
> time checks and block malware from being uploaded on to the server?
>
> In which case should a malicious file be detected, it should be
> blocked/quarantined and an email sent to the user regarding the event.
>
> Kindly assist on how I can configure this.
>
> --
>
> Regards,
> Edwin
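
For the setup asked about above (watch an upload directory, block on
detection, notify someone), here is an added clamd.conf fragment for the
on-access scanner that shipped with ClamAV 0.99 on Linux; it is not from the
thread or from the linked blog post, and the watched path and the notification
script name are assumptions.

```conf
# clamd.conf fragment (added example; paths and script name are assumed)
# On-access scanning uses Linux fanotify, which needs root privileges at
# startup; see the 0.99 blog post linked above for the requirements.
ScanOnAccess yes
# Only watch the directory the web application writes uploads into.
OnAccessIncludePath /var/www/uploads
# Block the open()/access() call until the file has been scanned; without
# this clamd only logs a detection after the fact.
OnAccessPrevention yes
# Skip very large files instead of stalling the writer on them.
OnAccessMaxFileSize 10M
# Processes running under this UID bypass the on-access hook (0 is root);
# use it for the process that quarantines or backs up files.
OnAccessExcludeUID 0
# Run a script on every detection; %v expands to the signature name. The
# script is where the e-mail to the user would be sent from.
VirusEvent /usr/local/sbin/notify-upload "%v"
```

OnAccessPrevention is the part that turns "detect" into "block": without it
the upload lands on disk and only the log line tells you about it afterwards.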


Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steven Morgan
David,

I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11498 to
investigate and track the issue. Please sign up for an account at
https://bugzilla.clamav.net and send me the user id and I will CC you on
the bug. Once that is done, I will need for you to attach your signatures
and sample files to the bug report.

Thanks,
Steve

On Mon, Feb 8, 2016 at 11:01 AM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:

>
> On Mon, February 8, 2016 3:48 pm, David Shrimpton wrote:
> > Hi Steve,
> >
> >
> > When I remove all my local database files problem goes away.
> > So problem appears to be in a local database.
> >
> Ah ok...
>
> > BAD_SIGNATURE.ldb.macro.19;Target:2;1;41747472;0:(0)/./ri
>
> For info, I've used this against my *ham* folder full good word/excel
> macro docs and it hits a few of them :(
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
> Twitter: @sanesecurity
>
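
To make the fields of that signature concrete, here is an added Python decoder
and linter for logical (.ldb) signatures; it is not ClamAV code, and the
MIN_FIXED_BYTES threshold it reports against is my assumption. It takes the
signature quoted above apart: Target:2 (OLE2), logical expression 1 (subsig 1
must match), subsig 0 the hex body 41747472 ("Attr"), and subsig 1 the PCRE
subsignature 0:(0)/./ri, whose pattern is a lone "." and so matches any byte
once subsig 0 has fired, which is why it hits clean macro documents. It also
carries the Target:N table from the signatures manual that the 2016-02-29
"TargetType 10" thread above asks about. The second signature is constructed.

```python
import re

# Target types from the ClamAV signatures manual (the Target:N field of the TDB).
TARGET_TYPES = {
    0: "any file", 1: "Portable Executable", 2: "OLE2 container (Office/VBA)",
    3: "HTML (normalised)", 4: "mail file", 5: "graphics", 6: "ELF",
    7: "ASCII text (normalised)", 8: "unused", 9: "Mach-O", 10: "PDF",
    11: "Flash", 12: "Java class",
}
# PCRE subsignature: [offset:]Trigger/PCRE/[Flags]; the trigger is a logical
# expression over earlier subsignatures, e.g. "(0)".
PCRE_SUBSIG_RE = re.compile(
    r"^(?:(?P<offset>[^:/()]+):)?(?P<trigger>\([^/]*\)|\d+)/(?P<pattern>.*)/(?P<flags>[a-zA-Z]*)$")
# Hex-body wildcards that pin no bytes ("(aa|bb)" alternatives are counted as
# wildcards too, which errs on the side of reporting a signature as broad).
HEX_WILDCARDS = re.compile(r"\{[^}]*\}|\[[^\]]*\]|\([^)]*\)|\?\?|\*|!")
# Assumed threshold: a hex subsig fixing fewer bytes than this is reported as broad.
MIN_FIXED_BYTES = 8

# The signature Steve Basford reported as hitting clean documents.
SAMPLE_FROM_THREAD = "BAD_SIGNATURE.ldb.macro.19;Target:2;1;41747472;0:(0)/./ri"
# Constructed counter-example: two long literal subsigs that must both match.
CONSTRUCTED_SIG = ("Test.Ldb.VbaShell.UNOFFICIAL;Target:2;0&1;"
                   + b"Attribute VB_Name".hex() + ";" + b"WScript.Shell".hex())


def parse_subsig(text: str) -> dict:
    """Classify one subsignature as PCRE or hex body and extract its parts."""
    m = PCRE_SUBSIG_RE.match(text)
    if m:
        return {"kind": "pcre", "offset": m.group("offset") or "*",
                "trigger": m.group("trigger"), "pattern": m.group("pattern"),
                "flags": set(m.group("flags"))}
    offset, body = text.split(":", 1) if ":" in text else ("*", text)
    fixed_hex = HEX_WILDCARDS.sub("", body)
    literal = None
    if body == fixed_hex and len(body) % 2 == 0:
        try:
            literal = bytes.fromhex(body)
        except ValueError:
            pass
    return {"kind": "hex", "offset": offset, "body": body,
            "fixed_bytes": len(fixed_hex) // 2, "literal": literal}


def parse_ldb(line: str) -> dict:
    """Name;TargetDescriptionBlock;LogicalExpression;Subsig0;Subsig1;..."""
    parts = line.rstrip("\n").split(";")
    if len(parts) < 4:
        raise ValueError("need name;TDB;logical expression;at least one subsig")
    name, tdb, expr, *subsigs = parts
    tdb_fields = dict(kv.split(":", 1) for kv in tdb.split(",") if ":" in kv)
    return {"name": name, "tdb": tdb_fields, "expr": expr,
            "subsigs": [parse_subsig(s) for s in subsigs]}


def referenced_subsigs(expr: str) -> set:
    """Subsig indexes named in a logical expression; a number right after
    '>', '<', '=' or ',' is a match count, not an index."""
    refs = set()
    for m in re.finditer(r"[<>=,](\d+)|(\d+)", expr):
        if m.group(2):
            refs.add(int(m.group(2)))
    return refs


def describe_target(sig: dict) -> str:
    target = int(sig["tdb"].get("Target", "0"))
    return "Target %d: %s" % (target, TARGET_TYPES.get(target, "unknown"))


def lint(sig: dict) -> list:
    """Findings that explain why a logical signature will be broad or inert."""
    findings = []
    if int(sig["tdb"].get("Target", "0")) not in TARGET_TYPES:
        findings.append("unknown target type in TDB")
    n = len(sig["subsigs"])
    for ref in sorted(referenced_subsigs(sig["expr"])):
        if ref >= n:
            findings.append("expression references subsig %d but only %d defined" % (ref, n))
    for i, s in enumerate(sig["subsigs"]):
        if s["kind"] == "hex" and s["fixed_bytes"] < MIN_FIXED_BYTES:
            findings.append("subsig %d pins only %d byte(s)" % (i, s["fixed_bytes"]))
        elif s["kind"] == "pcre":
            # Rough literal estimate: drop character classes and metacharacters.
            literal = re.sub(r"\[[^\]]*\]|[.^$*+?|(){}]", "", s["pattern"])
            if not literal:
                findings.append("subsig %d PCRE /%s/ has no literal text and matches "
                                "anything once trigger %s fires" % (i, s["pattern"], s["trigger"]))
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_FROM_THREAD, CONSTRUCTED_SIG):
        sig = parse_ldb(line)
        print(sig["name"], describe_target(sig), lint(sig) or "no findings")
```

Run against the thread's signature the linter reports both problems at once:
a four-byte hex anchor and a PCRE body with no literal text. Whether Target:2
applies to the container or to the extracted macro files is exactly the open
question in the TargetType thread, so the linter only labels the number; it
does not resolve that.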


Re: [clamav-users] ScanOLE2 yes disables macro virus detection

2016-02-08 Thread Steven Morgan
Hi Benny,

We use bugzilla as the primary bug tracker.

We know about github too, but bugzilla is preferred. This is mainly because
bugs that are ClamAV vulnerabilities (crashes and other denial of service)
should not be widely disclosed until fixed within a released version for
obvious reasons. In our bugzilla, effective mechanisms toward that end are
in place.

Try it now.

We do want your bug reports!

Thanks,
Steve


On Mon, Feb 8, 2016 at 4:42 PM, Benny Pedersen <m...@junc.eu> wrote:

> On 2016-02-08 22:26, Steven Morgan wrote:
>
> I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11498 to
>> investigate and track the issue. Please sign up for an account at
>> https://bugzilla.clamav.net and send me the user id and I will CC you on
>> the bug. Once that is done, I will need for you to attach your signatures
>> and sample files to the bug report.
>>
>
> arg :(
>
> clamav is on github, so there is 2 bugtrackers ?
>
> "You are not authorized to access bug", great way to say we don't want your
> bugs
>
> https://github.com/vrtadmin/clamav-devel/issues
>


Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM

2016-02-03 Thread Steven Morgan
Allmatch will not work with clamd fd passing either. Please open a bugzilla
request for allmatch when using fd passing or instream: bugzilla.clamav.net.

Thanks,
Steve

On Wed, Feb 3, 2016 at 12:09 PM, Torge Husfeldt <torge.husfe...@1und1.de>
wrote:

> Hi,
>
> what about passing an (already open) filehandle through the clamd-socket?
> Currently we're facing the tradeoff between giving the clamd-process
> more permissions or running multiple instances of the scanning-engine
> (clamd + clamscan) and parsing the output of clamscan with "tainted"
> filenames.
>
> Thanks
>
> Am 01.02.2016 um 21:54 schrieb Steven Morgan:
> > Bernhard,
> >
> > Clamd does not currently support ALLMATCH mode with the INSTREAM
> protocol.
> > The only other suggestion I can offer is to preserve those files found to
> > contain viruses and research them separately using ALLMATCH.
> >
> > Steve
> >
> > On Mon, Feb 1, 2016 at 5:27 AM, Bernhard Vogel <bernhard.vo...@1und1.de>
> > wrote:
> >
> >> Hi,
> >>
> >> is there an option in clamd to combine INSTREAM and ALLMATCHSCAN?
> >>
> >> We scan files which have already been locked (permission: 200 or
> similar)
> >> by another process/shellscript. Clamd runs with user "clamav"
> privileges.
> >> At the moment we stream the content of the locked files to CLAMD with
> the
> >> INSTREAM option.
> >>
> >> Since I also require to do an allmatchscan to review our malware
> >> signatures, I need to combine INSTREAM and ALLMATCHSCAN.
> >>
> >> How can I ALLMATCHSCAN files only accessible by root, without doing
> >> something like "sudo clamscan -z "
> >>
> >>
> >>
> >>
> >> Regards,
> >> Bernhard
>
> --
> Torge Husfeldt
>
> Senior Anti-Abuse Engineer
> Hosting Security
>
> 1&1 Internet Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany
> Phone: +49 721 91374-4795
> E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de
>
> Hauptsitz Montabaur, Amtsgericht Montabaur, HRB 20141
>
> Geschäftsführer: Christian Bigatà Joseph, Hans-Henning Kettler, Uwe Lamnek
>
>
> Member of United Internet
>

Re: [clamav-users] combine ALLMATCHSCAN and INSTREAM

2016-02-01 Thread Steven Morgan
Bernhard,

Clamd does not currently support ALLMATCH mode with the INSTREAM protocol.
The only other suggestion I can offer is to preserve those files found to
contain viruses and research them separately using ALLMATCH.

Steve

On Mon, Feb 1, 2016 at 5:27 AM, Bernhard Vogel 
wrote:

> Hi,
>
> is there an option in clamd to combine INSTREAM and ALLMATCHSCAN?
>
> We scan files which have already been locked (permission: 200 or similar)
> by another process/shellscript. Clamd runs with user "clamav" privileges.
> At the moment we stream the content of the locked files to CLAMD with the
> INSTREAM option.
>
> Since I also require to do an allmatchscan to review our malware
> signatures, I need to combine INSTREAM and ALLMATCHSCAN.
>
> How can I ALLMATCHSCAN files only accessible by root, without doing
> something like "sudo clamscan -z "
>
>
>
>
> Regards,
> Bernhard
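
The constraints discussed in this thread follow from the wire protocol, so
here is an added Python client for the three clamd commands involved
(INSTREAM, FILDES and ALLMATCHSCAN); it is not ClamAV's own clamdscan code,
and the socket path in the demo is an assumption. INSTREAM ships the bytes in
length-prefixed chunks, FILDES ships nothing but an open descriptor over
SCM_RIGHTS (the option Torge asks about: clamd reads through the client's
handle and needs no rights on the path), and ALLMATCHSCAN takes a path, which
is why it cannot be combined with either. The reply parser handles the
multi-line FOUND output ALLMATCHSCAN produces; the sample replies are
constructed.

```python
import array
import socket
import struct

# clamd's z-prefixed commands are NUL-terminated. INSTREAM carries the file
# body as <4-byte big-endian length><data> chunks ended by a zero length;
# FILDES carries no data at all, just an open descriptor via SCM_RIGHTS;
# ALLMATCHSCAN names a path that clamd itself must be able to open.
INSTREAM_CHUNK = 8192


def instream_frames(data: bytes, chunk: int = INSTREAM_CHUNK) -> bytes:
    """Command, every length-prefixed chunk, and the zero-length terminator."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def allmatch_command(path: str) -> bytes:
    """ALLMATCHSCAN is path-based, which is why it cannot be combined with INSTREAM."""
    return b"zALLMATCHSCAN " + path.encode() + b"\0"


def parse_responses(raw: bytes) -> list:
    """Turn NUL-separated replies into (target, verdict, detail) tuples.
    ALLMATCHSCAN may return one FOUND line per matching signature."""
    results = []
    for line in raw.split(b"\0"):
        if not line:
            continue
        target, _, rest = line.decode("utf-8", "replace").partition(": ")
        for verdict in ("FOUND", "ERROR"):
            if rest.endswith(" " + verdict):
                results.append((target, verdict, rest[:-len(verdict) - 1]))
                break
        else:
            results.append((target, "OK" if rest == "OK" else "UNKNOWN",
                            None if rest == "OK" else rest))
    return results


def _recv_to_eof(s: socket.socket) -> bytes:
    # clamd closes the connection after answering a single (non-session) command.
    buf = b""
    while True:
        part = s.recv(65536)
        if not part:
            return buf
        buf += part


def scan_instream(sock_path: str, data: bytes) -> list:
    """Stream bytes the client can read but clamd cannot (the thread's case)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        return parse_responses(_recv_to_eof(s))


def scan_fildes(sock_path: str, path: str) -> list:
    """Pass an already-open descriptor; clamd reads through it and needs no
    permission on the path. Only works over a local Unix socket."""
    with open(path, "rb") as f, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        fds = array.array("i", [f.fileno()])
        s.sendmsg([b"zFILDES\0"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])
        return parse_responses(_recv_to_eof(s))


def scan_allmatch(sock_path: str, path: str) -> list:
    """Path-based scan that reports every matching signature, not just the first."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(allmatch_command(path))
        return parse_responses(_recv_to_eof(s))


if __name__ == "__main__":
    # Offline demonstration on a constructed reply; point SOCK at a live clamd
    # (assumed default path) to run the real exchanges.
    SOCK = "/var/run/clamav/clamd.ctl"
    print(parse_responses(b"stream: Eicar-Test-Signature FOUND\0"))
    print(len(instream_frames(b"A" * 20000)), "bytes on the wire for a 20000-byte file")
```

Two operational caveats: INSTREAM is capped by StreamMaxLength in clamd.conf
and clamd answers with an "INSTREAM size limit exceeded" ERROR line past it,
and FILDES requires clamd built with fd passing and reached through its local
socket, not TCP.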


Re: [clamav-users] clamav-milter crash

2016-01-26 Thread Steven Morgan
If this is still a problem with the most current software on github, please
create a bug report at http://bugzilla.clamav.net.

Please attach samples that result in the crash.

Steve


On Tue, Jan 26, 2016 at 9:26 AM, Benny Pedersen  wrote:

> I have seen it do this so many times now that I'd like to know if it's just
> me that uses it or if it's a known problem.
>
> Upgrading to 0.99 does not help; currently on the stable Gentoo 0.98.7.
>
> Is there a GitHub version of ClamAV?


Re: [clamav-users] Error: cl_load(): No such file or directory

2016-01-05 Thread Steven Morgan
Hi,

Do you have a /home/user/programming/clamav/share/clamav? Also, did you run
freshclam?

Steve

On Tue, Jan 5, 2016 at 8:58 AM, im zkoko  wrote:

> Hello
>
> I asked the following question on github (
> https://github.com/vrtadmin/clamav-devel/issues/46 ), and I waited for ~1
> month  without receiving any answer. It seems that the community is not
> active in this site :)
>
> I installed clamav as mentioned in the section 3.2 Installing on shell
> account, using the following commands
>
>  ./configure --prefix=/home/user/programming/clamav --disable-clamav
>  make
>  make install
>
> As you see it doesn't work for me.
>
> ./clamscan ~
> LibClamAV Error: cl_load(): No such file or directory:
> /home/user/programming/clamav/share/clamav
> ERROR: Can't get file status
>
> --- SCAN SUMMARY ---
> Known viruses: 0
> Engine version: devel-20151207
> Scanned directories: 0
> Scanned files: 0
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 0.011 sec (0 m 0 s)


Re: [clamav-users] Problem configuring clamav-0.99

2015-12-16 Thread Steven Morgan
Ali / Todd,

Thanks for the updates, I am looking into what is the possible cause for
the "Structure packing" error.

What are your compiler versions?

Steve

On Wed, Dec 16, 2015 at 2:53 PM, Todd Aiken <todd.ai...@ubishops.ca> wrote:

> HI Steve, thanks for your reply.
>
> I did install a new version of PCRE to the directory /usr/local/pcre
> (configured it with --prefix=/usr/local/prce so as to not interfere with
> the older installed pcre), and told clamav's configure to use it with the
> line --with-pcre=/usr/local/pcre.  This is what got me to the "configure:
> error: Structure packing seems to be available, but is not working with
> this compiler", which is the same issue that ali atik is having.
>
>
>
> Todd A. Aiken
> Systems Analyst & Administrator
> ITS Department
> BISHOP'S UNIVERSITY
> 2600 College Street
> Sherbrooke, Quebec
> CANADA   J1M 1Z7
>
> -Original Message-
> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of
> Steven Morgan <smor...@sourcefire.com>
> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
> Date: Wednesday, December 16, 2015 at 2:43 PM
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Subject: Re: [clamav-users] Problem configuring clamav-0.99
>
> >Todd,
> >
> >PCRE support is new in ClamAV 0.99 and ./configure looks for it by
> default.
> >So in your case it found an old version of pcre which is incompatible with
> >ClamAV 0.99. Minimum PCRE version checks have been added for the upcoming
> >0.99.1 release. For installing 0.99 on your system, you will either need
> to
> >use './configure --with-pcre=no ...' or install a more current version of
> >PCRE.
> >
> >Steve
> >
> >On Mon, Dec 7, 2015 at 1:25 PM, Todd Aiken <todd.ai...@ubishops.ca>
> wrote:
> >
> >> -Original Message-
> >>
> >>
> >> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf
> of "
> >> a...@cerist.dz" <a...@cerist.dz>
> >> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
> >> Date: Monday, December 7, 2015 at 12:25 PM
> >> To: ClamAV users ML <clamav-users@lists.clamav.net>
> >> Subject: Re: [clamav-users] Problem configuring clamav-0.99
> >>
> >> >checking bzlib.h presence... yes
> >> >checking for bzlib.h... yes
> >> >checking for CVE-2008-1372... linkfailed
> >> >configure: WARNING: ** Unable to link bzip2 testcase
> >> >configure: WARNING: ** You may be affected by CVE-2008-1372 bug,
> but I
> >> >need to be able to link a testcase to verify
> >> >configure: WARNING: ** It is recommended to fix your build
> environment
> >> >so that we can run the testcase!
> >> >configure: WARNING: ** Please do not report stability problems to
> the
> >> >ClamAV developers!
> >> >checking for CVE-2010-0405... linkfailed
> >> >configure: WARNING: ** Unable to link bzip2 testcase
> >> >configure: WARNING: ** You may be affected by CVE-2010-0405 bug,
> but I
> >> >need to be able to link a testcase to verify
> >> >configure: WARNING: ** It is recommended to fix your build
> environment
> >> >so that we can run the testcase!
> >> >configure: WARNING: ** Please do not report stability problems to
> the
> >> >ClamAV developers!
> >> >checking for getaddrinfo... no
> >>
> >> -snip-
> >>
> >> >checking for type aligning via __attribute__((aligned))... yes
> >> >checking that structure packing works... no
> >> >configure: error: Structure packing seems to be available, but is not
> >> >working with this compiler
> >>
> >> I am having the exact same issue with trying to compile on an old
> >> Slackware server (running Slackware 10.2.0).  I had to install an
> updated
> >> version of pcre in order to get past a different compiling issue, and
> >> installed the new version to /usr/local/pcre with the configure
> parameter
> >> --prefix=/usr/local/pcre, but when I try to configure clamav-0.99 using
> >> --with-pcre=/usr/local/pcre, I get this same structure error.  Here is
> the
> >> full configure line I am using for clamav-0.99:
> >>
> >> ./configure --prefix=/usr --sysconfdir=/etc --disable-llvm
> --disable-ipv6
> >> --with-openssl=/usr/local/ssl --with-pcre=/usr/local/pcre
> >>
> >> Removing 

Re: [clamav-users] Problem configuring clamav-0.99

2015-12-16 Thread Steven Morgan
Todd,

PCRE support is new in ClamAV 0.99 and ./configure looks for it by default.
So in your case it found an old version of pcre which is incompatible with
ClamAV 0.99. Minimum PCRE version checks have been added for the upcoming
0.99.1 release. For installing 0.99 on your system, you will either need to
use './configure --with-pcre=no ...' or install a more current version of
PCRE.

Steve

On Mon, Dec 7, 2015 at 1:25 PM, Todd Aiken  wrote:

> -Original Message-
>
>
> From: clamav-users  on behalf of "
> a...@cerist.dz" 
> Reply-To: ClamAV users ML 
> Date: Monday, December 7, 2015 at 12:25 PM
> To: ClamAV users ML 
> Subject: Re: [clamav-users] Problem configuring clamav-0.99
>
> >checking bzlib.h presence... yes
> >checking for bzlib.h... yes
> >checking for CVE-2008-1372... linkfailed
> >configure: WARNING: ** Unable to link bzip2 testcase
> >configure: WARNING: ** You may be affected by CVE-2008-1372 bug, but I
> >need to be able to link a testcase to verify
> >configure: WARNING: ** It is recommended to fix your build environment
> >so that we can run the testcase!
> >configure: WARNING: ** Please do not report stability problems to the
> >ClamAV developers!
> >checking for CVE-2010-0405... linkfailed
> >configure: WARNING: ** Unable to link bzip2 testcase
> >configure: WARNING: ** You may be affected by CVE-2010-0405 bug, but I
> >need to be able to link a testcase to verify
> >configure: WARNING: ** It is recommended to fix your build environment
> >so that we can run the testcase!
> >configure: WARNING: ** Please do not report stability problems to the
> >ClamAV developers!
> >checking for getaddrinfo... no
>
> -snip-
>
> >checking for type aligning via __attribute__((aligned))... yes
> >checking that structure packing works... no
> >configure: error: Structure packing seems to be available, but is not
> >working with this compiler
>
> I am having the exact same issue with trying to compile on an old
> Slackware server (running Slackware 10.2.0).  I had to install an updated
> version of pcre in order to get past a different compiling issue, and
> installed the new version to /usr/local/pcre with the configure parameter
> --prefix=/usr/local/pcre, but when I try to configure clamav-0.99 using
> --with-pcre=/usr/local/pcre, I get this same structure error.  Here is the
> full configure line I am using for clamav-0.99:
>
> ./configure --prefix=/usr --sysconfdir=/etc --disable-llvm --disable-ipv6
> --with-openssl=/usr/local/ssl --with-pcre=/usr/local/pcre
>
> Removing --with-pcre=/usr/local/pcre, configure completes successfully,
> but then I get this when I run make:
>
> CC libclamav_la-matcher-pcre.lo
> matcher-pcre.c: In function `cli_pcre_scanbuf':
> matcher-pcre.c:740: error: `PCRE_ERROR_RECURSIONLIMIT' undeclared (first
> use in this function)
> matcher-pcre.c:740: error: (Each undeclared identifier is reported only
> once
> matcher-pcre.c:740: error: for each function it appears in.)
> make[4]: *** [libclamav_la-matcher-pcre.lo] Error 1
> make[4]: Leaving directory `/usr/src/software/clamav-0.99/libclamav'
> make[3]: *** [all-recursive] Error 1
> make[3]: Leaving directory `/usr/src/software/clamav-0.99/libclamav'
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/usr/src/software/clamav-0.99/libclamav'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/src/software/clamav-0.99'
> make: *** [all] Error 2
>
> (This is with PCRE version 6.4 that came with Slackware 10.2.0)
>
> As with the original poster, clamav-0.98.7 compiled fine on this same
> server and is currently running there.
>
>
> Thanks.
>
>
> Todd A. Aiken
> Systems Analyst & Administrator
> ITS Department
> BISHOP'S UNIVERSITY
> 2600 College Street
> Sherbrooke, Quebec
> CANADA   J1M 1Z7
>
>
>


Re: [clamav-users] Problem configuring clamav-0.99

2015-12-16 Thread Steven Morgan
Ali,

Please look in your config.log file for Structure packing. Do you have the
same or similar error?

configure:20381: checking that structure packing works
configure:20438: gcc -o conftest -g -O2  -I/opt/pcre837/include
-L/opt/pcre837/lib -lpcre conftest.c -ldl  >&5
conftest.c:147: warning: 'packed' attribute ignored for field of type 'char'
configure:20438: $? = 0
configure:20438: ./conftest
./conftest: error while loading shared libraries: libpcre.so.1: cannot open
shared object file: No such file or directory

This is the conftest for "structure packing" failing because it cannot link
to the pcre shared library. If this is the case, I can suggest looking into
using ldconfig or setting the environment variable LD_LIBRARY_PATH to
resolve the link issue, and then configure ClamAV.

Hope this helps,
Steve

On Wed, Dec 16, 2015 at 3:00 PM, Steven Morgan <smor...@sourcefire.com>
wrote:

> Ali / Todd,
>
> Thanks for the updates, I am looking into what is the possible cause for
> the "Structure packing" error.
>
> What are your compiler versions?
>
> Steve
>
> On Wed, Dec 16, 2015 at 2:53 PM, Todd Aiken <todd.ai...@ubishops.ca>
> wrote:
>
>> Hi Steve, thanks for your reply.
>>
>> I did install a new version of PCRE to the directory /usr/local/pcre
>> (configured it with --prefix=/usr/local/prce so as to not interfere with
>> the older installed pcre), and told clamav's configure to use it with the
>> line --with-pcre=/usr/local/pcre.  This is what got me to the "configure:
>> error: Structure packing seems to be available, but is not working with
>> this compiler", which is the same issue that ali atik is having.
>>
>>
>>
>> Todd A. Aiken
>> Systems Analyst & Administrator
>> ITS Department
>> BISHOP'S UNIVERSITY
>> 2600 College Street
>> Sherbrooke, Quebec
>> CANADA   J1M 1Z7
>>
>>
>>
>>
>>
>>
>>
>>
>> -Original Message-
>> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of
>> Steven Morgan <smor...@sourcefire.com>
>> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Date: Wednesday, December 16, 2015 at 2:43 PM
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [clamav-users] Problem configuring clamav-0.99
>>
>> >Todd,
>> >
>> >PCRE support is new in ClamAV 0.99 and ./configure looks for it by default.
>> >So in your case it found an old version of pcre which is incompatible with
>> >ClamAV 0.99. Minimum PCRE version checks have been added for the upcoming
>> >0.99.1 release. For installing 0.99 on your system, you will either need to
>> >use './configure --with-pcre=no ...' or install a more current version of
>> >PCRE.
>> >
>> >Steve
>> >
>> >On Mon, Dec 7, 2015 at 1:25 PM, Todd Aiken <todd.ai...@ubishops.ca>
>> wrote:
>> >
>> >> -Original Message-
>> >>
>> >>
>> >> From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf
>> of "
>> >> a...@cerist.dz" <a...@cerist.dz>
>> >> Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
>> >> Date: Monday, December 7, 2015 at 12:25 PM
>> >> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> >> Subject: Re: [clamav-users] Problem configuring clamav-0.99
>> >>
>> >> >checking bzlib.h presence... yes
>> >> >checking for bzlib.h... yes
>> >> >checking for CVE-2008-1372... linkfailed
>> >> >configure: WARNING: ** Unable to link bzip2 testcase
>> >> >configure: WARNING: ** You may be affected by CVE-2008-1372 bug, but I need to be able to link a testcase to verify
>> >> >configure: WARNING: ** It is recommended to fix your build environment so that we can run the testcase!
>> >> >configure: WARNING: ** Please do not report stability problems to the ClamAV developers!
>> >> >checking for CVE-2010-0405... linkfailed
>> >> >configure: WARNING: ** Unable to link bzip2 testcase
>> >> >configure: WARNING: ** You may be affected by CVE-2010-0405 bug, but I need to be able to link a testcase to verify
>> >> >configure: WARNING: ** It is recommended to fix your build environment so that we can run the testcase!
>> >

Re: [clamav-users] Problem configuring clamav-0.99

2015-12-15 Thread Steven Morgan
bzip2 1.0.5 looks kind of old. Can you try a more current version?

On Mon, Dec 7, 2015 at 12:25 PM,  wrote:

> > Hi Ali,
> >
> > Can you check to see that you have installed the development versions of
> > bzip2 and check rpms (bzip2-devel-*.rpm / check-devel-*rpm)?
> >
> > Steve
>
> Hi Steve,
>
> I have checked my installation, and yes, the package check was installed
> from source; the other package, bzip2-devel, was already installed. So I
> have launched the installation of the package check from the repository,
> and now I can say that both packages are there:
>
> [root@mail clamav-0.99]# rpm -q check check-devel
> check-0.9.8-1.1.el6.i686
> check-devel-0.9.8-1.1.el6.i686
>
> [root@mail clamav-0.99]# rpm -q bzip2 bzip2-devel
> bzip2-1.0.5-7.el6_0.i686
> bzip2-devel-1.0.5-7.el6_0.i686
>
> When I restarted the configuration, the error regarding the check module
> disappeared (bravo!)
>
> But unfortunately the second issue is still there, as you can see below:
>
> [root@mail clamav-0.99]# ./configure --enable-llvm --enable-check
> --enable-clamdtop --with-user=clamav --with-group=clamav
> --enable-experimental
> checking build system type... i686-pc-linux-gnu
> checking host system type... i686-pc-linux-gnu
> checking target system type... i686-pc-linux-gnu
> creating target.h - canonical system defines
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... /bin/mkdir -p
> checking for gawk... gawk
> checking whether make sets $(MAKE)... yes
> checking how to create a ustar tar archive... gnutar
> checking whether make supports nested variables... yes
> checking for style of include used by make... GNU
> checking for gcc... gcc
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables...
> checking whether we are cross compiling... no
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ISO C89... none needed
> checking dependency style of gcc... gcc3
> checking how to run the C preprocessor... gcc -E
> checking for grep that handles long lines and -e... /bin/grep
> checking for egrep... /bin/grep -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking minix/config.h usability... no
> checking minix/config.h presence... no
> checking for minix/config.h... no
> checking whether it is safe to define __EXTENSIONS__... yes
> checking how to print strings... printf
> checking for a sed that does not truncate output... /bin/sed
> checking for fgrep... /bin/grep -F
> checking for ld used by gcc... /usr/bin/ld
> checking if the linker (/usr/bin/ld) is GNU ld... yes
> checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
> checking the name lister (/usr/bin/nm -B) interface... BSD nm
> checking whether ln -s works... yes
> checking the maximum length of command line arguments... 1966080
> checking whether the shell understands some XSI constructs... yes
> checking whether the shell understands "+="... yes
> checking how to convert i686-pc-linux-gnu file names to i686-pc-linux-gnu
> format... func_convert_file_noop
> checking how to convert i686-pc-linux-gnu file names to toolchain
> format... func_convert_file_noop
> checking for /usr/bin/ld option to reload object files... -r
> checking for objdump... objdump
> checking how to recognize dependent libraries... pass_all
> checking for dlltool... no
> checking how to associate runtime and link libraries... printf %s\n
> checking for ar... ar
> checking for archiver @FILE support... @
> checking for strip... strip
> checking for ranlib... ranlib
> checking command to parse /usr/bin/nm -B output from gcc object... ok
> checking for sysroot... no
> checking for mt... no
> checking if : is a manifest tool... no
> checking for dlfcn.h... yes
> checking for objdir... .libs
> checking if gcc supports -fno-rtti -fno-exceptions... no
> checking for gcc option to produce PIC... -fPIC -DPIC
> checking if gcc PIC flag -fPIC -DPIC works... yes
> checking if gcc static flag -static works... no
> checking if gcc supports -c -o file.o... yes
> checking if gcc supports -c -o file.o... (cached) yes
> checking whether the gcc linker (/usr/bin/ld) supports shared libraries...
> yes
> checking whether -lc should be explicitly linked in... no
> checking dynamic linker characteristics... GNU/Linux ld.so
> checking how to hardcode library paths into programs... immediate
> checking for shl_load... no
> checking for shl_load in -ldld... no
> checking for dlopen... no
> 
